infra: nginx configs mirror the live certbot-managed versions (cicd-playbook now idempotent); drop infra/** from deploy-staging's path filter

- the repo's pre-certbot HTTP-only gitea/woodpecker confs CLOBBERED the live SSL config on every cicd-playbook run, and the certbot task's creates: guard meant TLS never came back — verified by live diff 2026-06-10. Both confs now carry the certbot 443 blocks + the live 1G client_max_body_size, so the play converges instead of clobbering - deploy-staging listed infra/** in when.path while its dependency build-and-push did not → an infra-only push (1536fea) pruned build-and-push but selected deploy-staging → "depends on unknown step" config error (pipeline #385). deploy-staging's paths are now a subset of its dependency chain's; ansible changes are applied by hand, not CI, and a deploy without a fresh image is a no-op re-pull Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 13:20:20 -04:00
parent 1536feaf21
commit 65dd18cdb7
3 changed files with 55 additions and 4 deletions
--- a/.woodpecker/main.yaml
+++ b/.woodpecker/main.yaml
@@ -230,11 +230,16 @@ steps:
    when:
      - branch: main
        event: push
+        # NO infra/** here — this path list must stay a SUBSET of
+        # build-and-push's (and transitively the test steps'): an infra-only
+        # push otherwise selects deploy-staging while pruning its dependency
+        # → "depends on unknown step 'build-and-push'" config error
+        # (pipeline #385). Ansible changes are applied by hand, not by CI,
+        # and deploying without a fresh image is a no-op re-pull anyway.
        path:
          - "src/**"
          - "requirements.txt"
          - "Dockerfile"
-          - "infra/**"
          - ".woodpecker/main.yaml"

  - name: deploy-prod
--- a/infra/cicd/nginx/gitea.conf
+++ b/infra/cicd/nginx/gitea.conf
@@ -1,8 +1,11 @@
+# Mirrors the LIVE certbot-managed config on the CI droplet (synced
+# 2026-06-10) so cicd-playbook.yaml's copy task is idempotent — the previous
+# pre-certbot HTTP-only version CLOBBERED the live SSL config on every play
+# run (and the certbot task's `creates:` guard meant TLS never came back).
 server {
-    listen 80;
    server_name gitea.earthmanrpg.me;

-    client_max_body_size 100m;
+    client_max_body_size 1G;

    location / {
        proxy_pass http://127.0.0.1:3000;
@@ -11,4 +14,23 @@ server {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/gitea.earthmanrpg.me/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/gitea.earthmanrpg.me/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+    if ($host = gitea.earthmanrpg.me) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    listen 80;
+    server_name gitea.earthmanrpg.me;
+    return 404; # managed by Certbot
+
+
 }
--- a/infra/cicd/nginx/woodpecker.conf
+++ b/infra/cicd/nginx/woodpecker.conf
@@ -1,5 +1,10 @@
+# Mirrors the LIVE certbot-managed config on the CI droplet (synced
+# 2026-06-10) so cicd-playbook.yaml's copy task is idempotent — the previous
+# pre-certbot HTTP-only version CLOBBERED the live SSL config on every play
+# run (and the certbot task's `creates:` guard meant TLS never came back).
+# NB the cert pair is the gitea.earthmanrpg.me lineage — one certbot cert
+# covers both -d domains.
 server {
-    listen 80;
    server_name ci.earthmanrpg.me;

    location / {
@@ -13,4 +18,23 @@ server {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/gitea.earthmanrpg.me/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/gitea.earthmanrpg.me/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+    if ($host = ci.earthmanrpg.me) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+    listen 80;
+    server_name ci.earthmanrpg.me;
+    return 404; # managed by Certbot
+
+
 }