diff --git a/deploy/DEPLOYMENT.md b/deploy/DEPLOYMENT.md index fa87a62..a7c9bb3 100644 --- a/deploy/DEPLOYMENT.md +++ b/deploy/DEPLOYMENT.md @@ -141,16 +141,30 @@ existing seed. ## Deploy the Joining Service +Copy and fill in `deploy/joining-service-config.example.json` for your hApp: + ```bash -source deploy/.env.acme-staging -hdeploy deploy-joining-service --deployment acme-staging \ - --tofu-dir deploy/tofu \ - --joining-service-dir ../joining-service +cp deploy/joining-service-config.example.json deploy/acme-mewsfeed-joining-config.json +$EDITOR deploy/acme-mewsfeed-joining-config.json ``` -This deploys the joining service Worker via wrangler and writes -`linker_registrations` to the sessions KV namespace. Safe to re-run after -infrastructure changes that affect linker URLs. +The config needs at minimum: `happ.id`, `happ.name`, `happ.happ_bundle_url`, and +`auth_methods`. See `joining-service-config.example.json` for membrane proof and +invite code variants. + +`network_seed` and `linker_registrations` are injected automatically — do not set +them in the config file. + +```bash +source deploy/.env.acme-mewsfeed-staging +hdeploy deploy-joining-service -d acme-mewsfeed-staging \ + --joining-service-dir ../joining-service \ + --joining-config deploy/acme-mewsfeed-joining-config.json +``` + +This deploys the joining service Worker via wrangler and writes `joining_config` +(including the network seed from deployment KV and linker URLs from tofu outputs) +to the sessions KV namespace. Safe to re-run after infrastructure changes. --- 
@@ -220,10 +234,10 @@ harvester_image = "ghcr.io/holo-host/edgenode-harvester:v1.2.3" ### Joining service update ```bash -source deploy/.env.acme-staging -hdeploy deploy-joining-service --deployment acme-staging \ - --tofu-dir deploy/tofu \ - --joining-service-dir ../joining-service +source deploy/.env.acme-mewsfeed-staging +hdeploy deploy-joining-service -d acme-mewsfeed-staging \ + --joining-service-dir ../joining-service \ + --joining-config deploy/acme-mewsfeed-joining-config.json ``` ### Staging → production @@ -239,9 +253,9 @@ hdeploy provision --deployment acme-prod \ --tofu-dir deploy/tofu \ --log-collector-src docker/log-collector hdeploy init-deployment --deployment acme-prod --tofu-dir deploy/tofu -hdeploy deploy-joining-service --deployment acme-prod \ - --tofu-dir deploy/tofu \ - --joining-service-dir ../joining-service +hdeploy deploy-joining-service -d acme-mewsfeed-prod \ + --joining-service-dir ../joining-service \ + --joining-config deploy/acme-mewsfeed-joining-config.json hdeploy bootstrap-harvester --deployment acme-prod \ --tofu-dir deploy/tofu \ --bootstrap-image ghcr.io/holo-host/bootstrap:latest diff --git a/deploy/joining-service-config.example.json b/deploy/joining-service-config.example.json new file mode 100644 index 0000000..b7fc58d --- /dev/null +++ b/deploy/joining-service-config.example.json 
@@ -0,0 +1,40 @@
+{
+ "_comment": "Joining service config passed to: hdeploy deploy-joining-service -d --joining-config . Copy, rename, and fill in values for your hApp. network_seed and linker_registrations are injected automatically by hdeploy — do not set them here.",
+
+ "happ": {
+ "id": "mewsfeed",
+ "name": "Mewsfeed",
+ "happ_bundle_url": "https://github.com/GeekGene/mewsfeed/releases/download/v0.14.0/mewsfeed.webhapp"
+ },
+
+ "auth_methods": ["open"],
+
+ "_auth_method_variants": {
+ "_comment": "Replace auth_methods above with one of these for non-open deployments.",
+ "invite_code_only": ["invite_code"],
+ "membrane_proof_only": ["membrane_proof"],
+ "invite_code_or_membrane_proof": [{ "any_of": ["invite_code", "membrane_proof"] }]
+ },
+
+ "_membrane_proof": {
+ "_comment": "Required when auth_methods includes 'membrane_proof'. The signing key is generated once via: cd ../joining-service && npm run gen-signing-key. Its derived public key must be baked into the DNA properties as the progenitor before the hApp bundle is compiled — see ../joining-service/DEPLOYMENT.md.",
+ "enabled": true,
+ "signing_key_path": "/path/to/signing-key.hex"
+ },
+
+ "_dna_hashes": {
+ "_comment": "Required when membrane_proof.enabled is true. Base64-encoded DNA hashes the signing key is authorised to sign membrane proofs for.",
+ "example": ["uhCkk..."]
+ },
+
+ "_invite_codes": {
+ "_comment": "Invite codes are NOT stored here. They are stored in deployment KV via the INVITE_CODES env var and read by the joining service Worker at runtime."
+ },
+
+ "_network": {
+ "_comment": "Optional. Exposes bootstrap and relay URLs in /v1/info. Off by default — enabling increases DDoS surface area for the listed services.",
+ "bootstrap_url": "",
+ "relay_url": "",
+ "reveal_in_info": false
+ }
+}
diff --git a/deploy/mewsfeed-config.json.example b/deploy/mewsfeed-config.json.example
deleted file mode 100644
index 5f42e41..0000000
--- a/deploy/mewsfeed-config.json.example
+++ /dev/null
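Review bot: The template's live value is `"auth_methods": ["open"]`, so a config produced by copying this file and filling in only the `happ` block presumably lets any agent join; the example removed in this same commit (`deploy/mewsfeed-config.json.example`) defaulted to `["invite_code"]`. Consider keeping the restrictive value as the default, `"auth_methods": ["invite_code"],`, and listing open joining under `_auth_method_variants` as `"open": ["open"]` so it has to be chosen deliberately. Separately, `happ_bundle_url` now points at `GeekGene/mewsfeed` v0.14.0 where the removed file pointed at `holochain-apps/mewsfeed` v0.15.1, and nothing in the file pins a digest for the bundle, so it is worth confirming that source is the intended one. Whether hdeploy strips the underscore-prefixed keys (including the placeholder `signing_key_path`) before writing `joining_config` to KV is not visible in this diff.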
@@ -1,12 +0,0 @@
-{
- "_comment": "Reference hApp configuration for a Mewsfeed edgenode deployment. Copy and adapt for your own hApp.",
- "happ_id": "mewsfeed",
- "happ_name": "Mewsfeed",
- "happ_bundle_url": "https://github.com/holochain-apps/mewsfeed/releases/download/v0.15.1/mewsfeed.happ",
- "network_seed": "REPLACE_WITH_NETWORK_SEED",
- "joining_service": {
- "auth_methods": ["invite_code"],
- "invite_codes": ["REPLACE_WITH_INVITE_CODES"],
- "session": { "store": "cloudflare-kv" }
- }
-}