From c45e1c48bcea988b94fbb7c6b700c7c243e65b2b Mon Sep 17 00:00:00 2001 From: Debian Date: Tue, 2 Sep 2025 14:19:42 +0000 Subject: [PATCH] feat(stack): routes Nginx (/secure_id, storage health), RPC creds, relay auth fallback, build fixes --- .gitignore | 3 ++ conf/bitcoin.conf | 3 +- conf/nginx.conf | 56 ++++++++++--------------------------- conf/sdk_relay1.conf | 2 ++ conf/sdk_relay2.conf | 2 ++ conf/sdk_relay3.conf | 2 ++ conf/sdk_signer.conf | 4 +-- conf/sdk_storage.conf | 4 +-- modules/blindbit/Dockerfile | 14 ++++++++++ 9 files changed, 43 insertions(+), 47 deletions(-) diff --git a/.gitignore b/.gitignore index 2aa3df53..7417d541 100644 --- a/.gitignore +++ b/.gitignore @@ -33,3 +33,6 @@ tests/reports/ !.cursor/ !AGENTS.md + +# Sauvegardes locales +*.backup diff --git a/conf/bitcoin.conf b/conf/bitcoin.conf index c2ab61b2..3b8c91fe 100644 --- a/conf/bitcoin.conf +++ b/conf/bitcoin.conf @@ -14,8 +14,9 @@ proxy=4nk-tor:9050 listen=1 # Paramètres RPC -# Auth cookie supprimée: on restreint par réseau Docker (réseau épinglé) rpcallowip=172.24.0.0/16 +rpcuser=bitcoin +rpcpassword=bitcoin rpcworkqueue=32 rpcthreads=4 rpcdoccheck=1 diff --git a/conf/nginx.conf b/conf/nginx.conf index de0ec80e..c0d6c50e 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf 
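Review bot: The added `rpcuser=bitcoin` / `rpcpassword=bitcoin` in conf/bitcoin.conf commit a static, guessable plaintext RPC credential, and the same pair is repeated verbatim in conf/sdk_relay1.conf, conf/sdk_relay2.conf, conf/sdk_relay3.conf, conf/sdk_signer.conf and conf/sdk_storage.conf in this patch. Bitcoin Core's documented alternative is `rpcauth=<user>:<salt>$<hash>` (generated with the share/rpcauth/rpcauth.py script from the Bitcoin Core tree), which keeps only a salted hash in bitcoin.conf, while the client services can read the secret from an environment variable or a mounted secret file instead of a committed conf. The removed comment recorded the earlier decision to rely on `rpcallowip` alone; its replacement should record why a shared static credential was chosen and where it is acceptable, e.g. `# Static RPC credentials (dev stack only): clients do not read the auth cookie; rpcallowip still restricts the source network`.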
@@ -16,45 +16,22 @@ http { gzip on; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; - # Upstream servers - upstream ihm_client { - server 4nk-ihm-client:8080; - } - - upstream sdk_relay1 { - server 4nk-sdk-relay1:8091; - } - - upstream sdk_storage { - server 4nk-sdk-storage:8081; - } - - upstream sdk_signer { - server 4nk-sdk-signer:9090; - } + # DNS Docker interne + resolver 127.0.0.11 ipv6=off valid=30s; # HTTP server only (no TLS) server { listen 80; server_name _; - # IHM Client - location / { - proxy_pass http://ihm_client; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; + # IHM Client statique sur /secure_id + location /secure_id/ { + alias /usr/share/nginx/html/secure_id/; + try_files $uri $uri/ /secure_id/index.html; + add_header Cache-Control "no-store"; } - # SDK Relay 1 API - location /api/relay1/ { - proxy_pass http://sdk_relay1/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } + # (pas d'API HTTP pour les relays) # SDK Relay 1 WebSocket location /ws/relay1/ { 
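Review bot: The new `location /secure_id/` block declares its own `add_header Cache-Control "no-store";`, and in nginx an `add_header` inside a block stops inheritance of every `add_header` from the enclosing server/http level, so any security headers set there (outside this hunk, if present) would no longer be sent for the static app; either repeat them in this location or move them into a shared include. The `try_files $uri $uri/ /secure_id/index.html;` fallback also answers 200 with the app shell for every unknown path under the prefix, which is the usual SPA setup but deserves a one-line comment so it is not read as a routing bug, e.g. `# SPA fallback: unknown paths under /secure_id/ return index.html (200)`. The added `resolver 127.0.0.11 ipv6=off valid=30s;` is presumably only exercised by the variable-based `proxy_pass` directives later in the file, which this hunk does not show.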
@@ -68,27 +45,22 @@ http { proxy_set_header X-Forwarded-Proto $scheme; } - # SDK Storage + # SDK Storage: route vers /health OK (200); racine renvoie 404 + set $storage http://4nk-sdk-storage:8081/health; location /api/storage/ { - proxy_pass http://sdk_storage/; + proxy_pass $storage; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } - # SDK Signer - location /api/signer/ { - proxy_pass http://sdk_signer/; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } + # (pas d'API HTTP pour le signer) # SDK Signer WebSocket + set $signer_ws http://4nk-sdk-signer:9090; location /ws/signer/ { - proxy_pass http://4nk-sdk-signer:9090/; + proxy_pass $signer_ws/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; diff --git a/conf/sdk_relay1.conf b/conf/sdk_relay1.conf index 49353092..b6055d3c 100644 --- a/conf/sdk_relay1.conf +++ b/conf/sdk_relay1.conf @@ -3,6 +3,8 @@ # Bitcoin Core RPC (sans cookie, autorisé par rpcallowip) core_url=http://4nk-bitcoin:38332 +rpc_user=bitcoin +rpc_password=bitcoin core_wallet=relay_wallet ws_url=0.0.0.0:8090 http_url=0.0.0.0:8091 diff --git a/conf/sdk_relay2.conf b/conf/sdk_relay2.conf index d2ed2f36..619026bf 100644 --- a/conf/sdk_relay2.conf +++ b/conf/sdk_relay2.conf @@ -3,6 +3,8 @@ # Bitcoin Core RPC (sans cookie, autorisé par rpcallowip) core_url=http://4nk-bitcoin:38332 +rpc_user=bitcoin +rpc_password=bitcoin core_wallet=relay_wallet ws_url=0.0.0.0:8090 http_url=0.0.0.0:8091 diff --git a/conf/sdk_relay3.conf b/conf/sdk_relay3.conf index bc583f94..3c94c061 100644 --- a/conf/sdk_relay3.conf +++ b/conf/sdk_relay3.conf 
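Review bot: `set $storage http://4nk-sdk-storage:8081/health;` combined with `proxy_pass $storage;` forwards every request under `/api/storage/` to `/health`, because a `proxy_pass` target given as a variable with a URI part replaces the whole request URI instead of appending the remainder of the path; the comment above says the root should return 404, but with this block `/api/storage/anything` receives the health response. If only a probe is intended, make that explicit with an exact-match location, `location = /api/storage/health { proxy_pass $storage; ... }`, or keep the prefix and drop `/health` from the variable so the storage API stays reachable. The same rule changes `/ws/signer/`: `proxy_pass $signer_ws/;` now sends every path under `/ws/signer/` to `/` rather than stripping the prefix as the old static `proxy_pass http://4nk-sdk-signer:9090/;` did; to keep the previous mapping use `rewrite ^/ws/signer/(.*)$ /$1 break;` followed by `proxy_pass $signer_ws;`. The `/ws/signer/` location continues past the end of the hunk.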
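Review bot: The context line `# Bitcoin Core RPC (sans cookie, autorisé par rpcallowip)` directly above the added `rpc_user=bitcoin` / `rpc_password=bitcoin` in conf/sdk_relay1.conf now describes the old scheme (network-only authorisation), so the comment should be updated to say that static credentials are sent, e.g. `# Bitcoin Core RPC: static user/password; rpcallowip still restricts the source network`. The same stale comment sits above the identical additions in conf/sdk_relay2.conf and conf/sdk_relay3.conf.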
@@ -3,6 +3,8 @@ # Bitcoin Core RPC (sans cookie, autorisé par rpcallowip) core_url=http://4nk-bitcoin:38332 +rpc_user=bitcoin +rpc_password=bitcoin core_wallet=relay_wallet ws_url=0.0.0.0:8090 http_url=0.0.0.0:8091 diff --git a/conf/sdk_signer.conf b/conf/sdk_signer.conf index 16356cd7..67d262b7 100644 --- a/conf/sdk_signer.conf +++ b/conf/sdk_signer.conf @@ -11,8 +11,8 @@ blindbit_url = "http://4nk-blindbit:8000" bitcoin_rpc_url = "http://4nk-bitcoin:38332" # Authentification Bitcoin -bitcoin_rpc_user = "" -bitcoin_rpc_password = "" +bitcoin_rpc_user = "bitcoin" +bitcoin_rpc_password = "bitcoin" # Mode développement dev_mode = true diff --git a/conf/sdk_storage.conf b/conf/sdk_storage.conf index 321c4c49..2915892c 100644 --- a/conf/sdk_storage.conf +++ b/conf/sdk_storage.conf @@ -9,8 +9,8 @@ db_path = "/home/bitcoin/.4nk/storage.db" # URLs des services relay_urls = ["http://4nk-sdk-relay1:8091", "http://4nk-sdk-relay2:8093", "http://4nk-sdk-relay3:8095"] bitcoin_rpc_url = "http://4nk-bitcoin:38332" -bitcoin_rpc_user = "" -bitcoin_rpc_password = "" +bitcoin_rpc_user = "bitcoin" +bitcoin_rpc_password = "bitcoin" # Mode développement dev_mode = true diff --git a/modules/blindbit/Dockerfile b/modules/blindbit/Dockerfile index 96eb3772..8b9d8cf1 100644 --- a/modules/blindbit/Dockerfile +++ b/modules/blindbit/Dockerfile @@ -1 +1,15 @@ FROM rust:1.75-alpine AS builder +WORKDIR /app +RUN apk add --no-cache musl-dev openssl-dev pkgconfig +COPY Cargo.toml ./ +COPY src ./src +RUN cargo build --release + +FROM alpine:3.19 AS runtime +WORKDIR /home/bitcoin +RUN adduser -D blindbit && \ + mkdir -p /home/bitcoin/.bitcoin && chown -R blindbit:blindbit /home/bitcoin +COPY --from=builder /app/target/release/blindbit /usr/local/bin/blindbit +EXPOSE 8000 +USER blindbit +CMD ["/usr/local/bin/blindbit", "--config", "/home/bitcoin/blindbit.toml"]
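Review bot: The builder stage copies only `Cargo.toml` before `cargo build --release`, so dependency versions are resolved fresh on every build and the image is not reproducible; if the module has a Cargo.lock, change the copy to `COPY Cargo.toml Cargo.lock ./` and build with `RUN cargo build --release --locked` so a drifted or tampered lockfile fails the build instead of being silently re-resolved. The builder installs `openssl-dev`, which suggests the binary links OpenSSL; unless it is linked statically, the `alpine:3.19` runtime stage ships neither libssl nor CA certificates, so the container would fail at start or on its first TLS connection — worth verifying and, if needed, adding `RUN apk add --no-cache openssl ca-certificates` to the runtime stage. The config path `/home/bitcoin/blindbit.toml` named in `CMD` is never copied into the image, so it is presumably bind-mounted; a comment stating that would help, e.g. `# blindbit.toml is provided at runtime (volume or bind mount)`.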