till/managarten
1
0
Fork 0
mirror of https://github.com/Memo-2023/mana-monorepo.git synced 2026-05-14 19:41:09 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 4
managarten/cloudflared-config.yml
Till JS 0a544ac410 feat(cards): Phase-1 Spinoff — standalone cards.mana.how + cards-core extraction 
Builds out the Cards spinoff end-to-end so the standalone app at
cards.mana.how shares its data layer with the in-mana cards module
through a single pure-utility package.

Why a spinoff and not just a deeper module: per the GUIDELINES, Cards
gets its own brand + URL while reusing mana-auth, mana-sync, and the
mana-credits/billing stack. The in-mana module under mana.how/cards
stays untouched as the integrated experience.

Phase 0 — mana-modul foundation
  • New tables cardReviews + cardStudyBlocks (Dexie v61) + plaintext
    classification in the crypto registry.
  • LocalCard learns a {type, fields} shape; legacy front/back columns
    kept as a back-compat mirror so older builds keep rendering.
  • FSRS v6 scheduler + Cloze parser + Markdown render pipeline.
  • UI in apps/mana/.../routes/(app)/cards/ gets a learn session
    (learn/[deckId]), 4-type card editor, due-counter, markdown lists.

Phase 1 — standalone (apps/cards/apps/web)
  • SvelteKit 2 + Svelte 5 + Tailwind 4, port 5180.
  • Own Dexie 'cards' DB with a slim 5-table schema.
  • Own sync engine: pending-changes hooks, 1 s push / 5 s pull against
    POST /sync/cards, server-apply with suppression to avoid ping-pong.
  • Auth-Gate via @mana/shared-auth-ui (LoginPage / RegisterPage).
  • Encryption hooks at every write/read/apply path, currently no-op
    stubs — flipping to real vault-backed AES-GCM is a single-file
    change in src/lib/data/crypto.ts.

Shared package — @mana/cards-core
  • Pulls types, cloze, card-reviews, FSRS wrapper, and Markdown
    renderer out of the mana module so both frontends import from one
    source. mana-modul keeps thin re-export shims so consumers don't
    need to change imports.
  • 19 vitest tests carried over from the mana module.

Server-side wiring
  • cards.mana.how added to mana-auth PRODUCTION_TRUSTED_ORIGINS and
    its CORS_ORIGINS env (sso-config.spec.ts stays green).
  • New cards-web container in docker-compose.macmini.yml (mirrors
    manavoxel-web pattern, 128m, depends on mana-auth healthy).
  • cloudflared-config.yml repoints cards.mana.how from :5000 (the
    unified mana-web container) to :5180. mana.how/cards is unchanged.

Cleanup
  • Removed an unrelated 2026-03/04 NestJS+Supabase+Expo experiment
    that was lingering under apps/cards/ (apps/landing, supabase/,
    .github/workflows, MANA_CORE_*.md, etc.). It predated this plan
    and would have confused future readers.

Validation
  • svelte-check on mana-web: 0 errors over 7697 files
  • svelte-check on cards-web: 0 errors over 3481 files
  • vitest on cards-core: 19/19 pass
  • pnpm check:crypto: 214 tables classified
  • bun test sso-config.spec.ts: 8/8 pass
  • vite build on cards-web: green

Not done in this commit (deliberate)
  • Real encryption (vault roundtrip) — Phase 2.
  • WebSocket-driven pull (5 s polling for now).
  • Mobile/landing standalone surfaces — Phase 2/3.
  • The actual production cutover on the Mac mini (build, deploy,
    cloudflared sync) — config is staged, deploy is a user action.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 01:20:43 +02:00

237 lines
9.1 KiB
YAML
Raw Blame History

# Cloudflare Tunnel Configuration for the Mac Mini production server.
#
# This file is the SINGLE SOURCE OF TRUTH for which public hostnames
# the tunnel exposes. The cloudflared launchd plist is started with
# `--config <this-file> run` so any change here is one `git pull` +
# `launchctl kickstart -k gui/501/com.cloudflare.cloudflared` away
# from being live in production.
#
# Adding a new public hostname:
# 1. Append the hostname / service line below in the matching section
# 2. Make sure the corresponding Cloudflare DNS record exists (the
# tunnel needs the hostname pointing at its CNAME — see
# `cloudflared tunnel route dns <tunnel-id> <hostname>` if not)
# 3. Run `./scripts/mac-mini/sync-tunnel-config.sh` to copy this file
# onto the Mac Mini and reload cloudflared
# 4. Verify with `curl -sI https://<hostname>/health` (or the route's
# equivalent) — expect a non-404 status line
#
# Removing a hostname: same steps, just delete the lines.
#
# Catch-all at the bottom returns http_status:404 for any hostname
# Cloudflare routes here that we don't have an explicit ingress rule
# for. This is the desired failure mode.
tunnel: 1435166a-0e3f-4222-8de6-744f32cea5c9
credentials-file: /Users/mana/.cloudflared/1435166a-0e3f-4222-8de6-744f32cea5c9.json
ingress:
# ============================================
# SSH (requires cloudflared on the client)
# ============================================
- hostname: ssh.mana.how
service: ssh://localhost:22
# ============================================
# Unified Mana Web App (Port 5000)
# ============================================
# Every per-product subdomain points at the same SvelteKit container.
# The container's hooks.server.ts reads the host header and renders
# the matching module surface. mana.how itself is the dashboard.
- hostname: mana.how
service: http://localhost:5000
- hostname: chat.mana.how
service: http://localhost:5000
- hostname: todo.mana.how
service: http://localhost:5000
- hostname: calendar.mana.how
service: http://localhost:5000
- hostname: clock.mana.how
service: http://localhost:5000
- hostname: contacts.mana.how
service: http://localhost:5000
- hostname: quotes.mana.how
service: http://localhost:5000
- hostname: skilltree.mana.how
service: http://localhost:5000
- hostname: plants.mana.how
service: http://localhost:5000
# cards.mana.how → standalone Cards SvelteKit container (apps/cards/apps/web).
# Was pointed at :5000 (the unified mana-web) until the standalone spinoff
# landed. mana.how/cards still serves the in-mana cards module.
- hostname: cards.mana.how
service: http://localhost:5180
- hostname: storage.mana.how
service: http://localhost:5000
- hostname: presi.mana.how
service: http://localhost:5000
- hostname: food.mana.how
service: http://localhost:5000
- hostname: photos.mana.how
service: http://localhost:5000
- hostname: mukke.mana.how
service: http://localhost:5000
- hostname: picture.mana.how
service: http://localhost:5000
- hostname: calc.mana.how
service: http://localhost:5000
- hostname: citycorners.mana.how
service: http://localhost:5000
- hostname: inventar.mana.how
service: http://localhost:5000
- hostname: times.mana.how
service: http://localhost:5000
- hostname: uload.mana.how
service: http://localhost:5000
# memoro.mana.how moved off the unified mana web app (5000) to the
# Memoro Astro landing container (Code/memoro/apps/landing → :3120) on
# 2026-05-06. The standalone Memoro stack lives at memoro-api/audio
# below; the landing is the public marketing site.
# NB: keep this entry in the Memoro section, not the unified-app block.
- hostname: context.mana.how
service: http://localhost:5000
- hostname: questions.mana.how
service: http://localhost:5000
- hostname: moodlit.mana.how
service: http://localhost:5000
# ============================================
# Auth Service (Hono/Bun)
# ============================================
- hostname: auth.mana.how
service: http://localhost:3001
# ============================================
# Unified Backend API (Hono/Bun, port 3060)
# ============================================
# apps/api hosts every product compute module (calendar, chat,
# picture, planta, news, who, …) under /api/v1/{module}/*. The
# unified web app's PUBLIC_MANA_API_URL_CLIENT points here.
- hostname: mana-api.mana.how
service: http://localhost:3060
# ============================================
# mana-ai — background AI Mission Runner
# ============================================
# Serves the user-facing decrypt-audit endpoint
# /api/v1/me/ai-audit that powers the Workbench "Datenzugriff" tab.
# The background tick loop + /metrics stay internal; only the
# JWT-gated user endpoint is public.
- hostname: mana-ai.mana.how
service: http://localhost:3067
# ============================================
# API Gateway (Go)
# ============================================
# Older gateway in front of the per-service compute layer. New
# services should go directly through mana-api above; this gateway
# only handles legacy entry points.
- hostname: api.mana.how
service: http://localhost:3016
# ============================================
# Forgejo (Git + CI/CD)
# ============================================
- hostname: git.mana.how
service: http://localhost:3041
# ============================================
# Standalone microservices
# ============================================
- hostname: uload-api.mana.how
service: http://localhost:3070
- hostname: media.mana.how
service: http://localhost:3011
- hostname: llm.mana.how
service: http://localhost:3025
- hostname: sync.mana.how
service: http://localhost:3010
- hostname: credits.mana.how
service: http://localhost:3002
- hostname: subscriptions.mana.how
service: http://localhost:3063
- hostname: events.mana.how
service: http://localhost:3065
- hostname: research.mana.how
service: http://localhost:3068
- hostname: feedback.mana.how
service: http://localhost:3064
# ============================================
# mana e.V. platform (Code/mana, separate repo)
# Lives under ~/projects/mana-platform/ on the Mac Mini, deployed via
# infrastructure/docker-compose.macmini.yml. Coexists with this stack.
# ============================================
- hostname: admin.mana.how
service: http://localhost:3071
- hostname: npm.mana.how
service: http://localhost:4873
# ============================================
# Memoro (Code/memoro, separate repo)
# ~/projects/memoro-deploy/ on the Mac Mini.
# ============================================
- hostname: memoro.mana.how
service: http://localhost:3120
# Web-App (SvelteKit static SPA). Lives next to memoro-api/memoro-audio
# at first-level subdomain depth so Cloudflare Universal SSL covers it.
- hostname: memoro-app.mana.how
service: http://localhost:3130
- hostname: memoro-api.mana.how
service: http://localhost:3110
- hostname: memoro-audio.mana.how
service: http://localhost:3101
# ============================================
# Standalone web apps (separate containers)
# ============================================
- hostname: playground.mana.how
service: http://localhost:5050
- hostname: manavoxel.mana.how
service: http://localhost:5028
- hostname: whopxl.mana.how
service: http://localhost:5100
# ============================================
# Self-hosted landing pages (Nginx on port 4400)
# ============================================
- hostname: status.mana.how
service: http://localhost:4400
- hostname: it.mana.how
service: http://localhost:4400
- hostname: chats.mana.how
service: http://localhost:4400
- hostname: pics.mana.how
service: http://localhost:4400
- hostname: quotess.mana.how
service: http://localhost:4400
- hostname: presis.mana.how
service: http://localhost:4400
- hostname: clocks.mana.how
service: http://localhost:4400
- hostname: docs.mana.how
service: http://localhost:4400
# ============================================
# Monitoring & observability
# ============================================
- hostname: grafana.mana.how
service: http://localhost:8000
- hostname: stats.mana.how
service: http://localhost:8010
- hostname: glitchtip.mana.how
service: http://localhost:8020
# ============================================
# GPU services (NOT in this tunnel)
# ============================================
# gpu-llm / gpu-stt / gpu-tts / gpu-img / gpu-video / gpu-ollama
# are served by a SEPARATE cloudflared tunnel running on the Windows
# GPU box itself (`mana-gpu-server` tunnel ID 83454e8e-...). Routing
# them via the Mac Mini's tunnel would cause DNS routing conflicts
# because each Cloudflare DNS CNAME can only point at one tunnel.
# ============================================
# Catch-all (returns 404 for any unmapped hostname)
# ============================================
- service: http_status:404
Reference in a new issue View git blame Copy permalink