From 1e8d18ac8d63001669922ce9fb62a4ead5467610 Mon Sep 17 00:00:00 2001
From: Till JS <tills95@gmail.com>
Date: Thu, 7 May 2026 14:39:50 +0200
Subject: [PATCH] fix(monitoring): photon via Cloudflare-Tunnel, drop dead
 whopxl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two cleanups against the status-page DOWN list:

photon-self (photon.mana.how route):
  mana-geocoding's /health/photon-self pings the photon backend, which
  lives as a Docker container on the GPU-Box (port 2322). PHOTON_SELF_API_URL
  was http://192.168.178.11:2322 — Mini-host can hit that fine but
  Mini-Docker-containers can't (Colima-NAT-quirk we keep running into).
  Routed photon through the mana-gpu-server tunnel (config v26) and
  flipped the env var to https://photon.mana.how. Probe goes UP, geocoding
  for sensitive queries (privacy:'local' provider tier) actually works
  now too — was effectively orphaned before.

whopxl removed everywhere it still lingered:
  Container hasn't existed on the Mini in months (no compose service,
  no source dir under apps/, no listener on :5100 — only the dead
  cloudflared route + a stale CORS_ORIGINS entry on mana-auth). Cleaned
  cloudflared-config.yml, prometheus.yml blackbox-web target, and the
  mana-auth CORS list. Old DNS CNAME for whopxl.mana.how stays for now;
  no harm.

Plus while we were here: who-api.mana.how/api/decks was the right probe
for who-server's deck catalogue (root /api/decks lives on who-api, not
who.mana.how which is the SSR shell).

Live: status.mana.how shows 58/59 UP; the last 'whopxl' entry will
fall off after VM's TSDB rolls past the probe_success staleness window.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 cloudflared-config.yml           |  3 ---
 docker-compose.macmini.yml       | 12 +++++++-----
 docker/prometheus/prometheus.yml |  3 +--
 3 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/cloudflared-config.yml b/cloudflared-config.yml
index 5141ef694..1e85a1580 100644
--- a/cloudflared-config.yml
+++ b/cloudflared-config.yml
@@ -187,9 +187,6 @@ ingress:
     service: http://localhost:5050
   - hostname: manavoxel.mana.how
     service: http://localhost:5028
-  - hostname: whopxl.mana.how
-    service: http://localhost:5100
-
   # ============================================
   # Who? Game (Standalone-Bun-Stack, native auf Mac Mini unter PM2)
   # Source: ~/projects/who/, Deploy-Doc: who/docs/MAC_MINI_DEPLOY.md
diff --git a/docker-compose.macmini.yml b/docker-compose.macmini.yml
index d404a91c0..ac54f7b47 100644
--- a/docker-compose.macmini.yml
+++ b/docker-compose.macmini.yml
@@ -250,7 +250,7 @@ services:
       # Enforced by services/mana-auth/src/auth/sso-config.spec.ts.
       # All productivity modules now live under mana.how (path-based) —
       # no per-module subdomain entries required here.
-      CORS_ORIGINS: https://mana.how,https://auth.mana.how,https://whopxl.mana.how,https://cards.mana.how
+      CORS_ORIGINS: https://mana.how,https://auth.mana.how,https://cards.mana.how
     ports:
       - "3001:3001"
     healthcheck:
@@ -460,10 +460,12 @@ services:
     environment:
       TZ: Europe/Berlin
       PORT: 3018
-      # Self-hosted Photon on mana-gpu (cross-LAN). When set, registers
-      # as `photon-self` provider with privacy: 'local' — eligible for
-      # sensitive queries. Empty value = slot disabled.
-      PHOTON_SELF_API_URL: ${PHOTON_SELF_API_URL:-}
+      # Self-hosted Photon. Läuft als Docker-Container auf der GPU-Box
+      # (mana-server-gpu, WSL2). Mini-Container können die GPU-LAN-IP
+      # nicht direkt routen (Colima-NAT-Quirk), daher via Cloudflare-
+      # Tunnel — `photon.mana.how` schickt direkt an den GPU-tunnel.
+      # Empty value = slot disabled.
+      PHOTON_SELF_API_URL: ${PHOTON_SELF_API_URL:-https://photon.mana.how}
       # Cold-start cross-LAN fetches to photon-self consistently take
       # >10s on the first probe; the 8s default false-marked it unhealthy
       # on every cold path. 20s leaves headroom while still cutting off
diff --git a/docker/prometheus/prometheus.yml b/docker/prometheus/prometheus.yml
index f8c0c2440..8a507d896 100644
--- a/docker/prometheus/prometheus.yml
+++ b/docker/prometheus/prometheus.yml
@@ -276,7 +276,6 @@ scrape_configs:
           - https://mana.how/mail
           - https://mana.how/playground
           # ─── Standalone Apps / Games (separate Container, eigene Tunnel-Hostnames) ───
-          - https://whopxl.mana.how
           - https://manavoxel.mana.how
           # Memoro Standalone-Stack (Phase 2 mana e.V. Plattform-Migration)
           - https://memoro.mana.how
@@ -307,7 +306,7 @@ scrape_configs:
           - https://memoro-api.mana.how/health
           - https://memoro-audio.mana.how/health
           # who.mana.how API on /api/decks — root is 404 by design (Phaser-Cantina mounts at /cantina)
-          - https://who.mana.how/api/decks
+          - https://who-api.mana.how/api/decks
           # Verein backoffice (mana e.V. Plattform); only /health returns 200, root is auth-walled
           - https://admin.mana.how/health
     relabel_configs: