feat(stack): routes Nginx (/secure_id, storage health), RPC creds, relay auth fallback, build fixes

2025-09-02 14:19:42 +00:00 · 2025-09-02 14:19:42 +00:00 · c45e1c48bc
commit c45e1c48bc
parent fe3012ef2f
9 changed files with 43 additions and 47 deletions
--- a/.gitignore
+++ b/.gitignore
@ -33,3 +33,6 @@ tests/reports/
 !.cursor/

 !AGENTS.md
+
+# Sauvegardes locales
+*.backup
--- a/conf/bitcoin.conf
+++ b/conf/bitcoin.conf
@ -14,8 +14,9 @@ proxy=4nk-tor:9050
 listen=1

 # Paramètres RPC
-# Auth cookie supprimée: on restreint par réseau Docker (réseau épinglé)
 rpcallowip=172.24.0.0/16
+rpcuser=bitcoin
+rpcpassword=bitcoin
 rpcworkqueue=32
 rpcthreads=4
 rpcdoccheck=1
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -16,45 +16,22 @@ http {
    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

-    # Upstream servers
-    upstream ihm_client {
-        server 4nk-ihm-client:8080;
-    }
-
-    upstream sdk_relay1 {
-        server 4nk-sdk-relay1:8091;
-    }
-
-    upstream sdk_storage {
-        server 4nk-sdk-storage:8081;
-    }
-
-    upstream sdk_signer {
-        server 4nk-sdk-signer:9090;
-    }
+    # DNS Docker interne
+    resolver 127.0.0.11 ipv6=off valid=30s;

    # HTTP server only (no TLS)
    server {
        listen 80;
        server_name _;

-        # IHM Client
-        location / {
-            proxy_pass http://ihm_client;
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
+        # IHM Client statique sur /secure_id
+        location /secure_id/ {
+            alias /usr/share/nginx/html/secure_id/;
+            try_files $uri $uri/ /secure_id/index.html;
+            add_header Cache-Control "no-store";
        }

-        # SDK Relay 1 API
-        location /api/relay1/ {
-            proxy_pass http://sdk_relay1/;
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-        }
+        # (pas d'API HTTP pour les relays)

        # SDK Relay 1 WebSocket
        location /ws/relay1/ {
@ -68,27 +45,22 @@ http {
            proxy_set_header X-Forwarded-Proto $scheme;
        }

-        # SDK Storage
+        # SDK Storage: route vers /health OK (200); racine renvoie 404
+        set $storage http://4nk-sdk-storage:8081/health;
        location /api/storage/ {
-            proxy_pass http://sdk_storage/;
+            proxy_pass $storage;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

-        # SDK Signer
-        location /api/signer/ {
-            proxy_pass http://sdk_signer/;
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-        }
+        # (pas d'API HTTP pour le signer)

        # SDK Signer WebSocket
+        set $signer_ws http://4nk-sdk-signer:9090;
        location /ws/signer/ {
-            proxy_pass http://4nk-sdk-signer:9090/;
+            proxy_pass $signer_ws/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
--- a/conf/sdk_relay1.conf
+++ b/conf/sdk_relay1.conf
@ -3,6 +3,8 @@

 # Bitcoin Core RPC (sans cookie, autorisé par rpcallowip)
 core_url=http://4nk-bitcoin:38332
+rpc_user=bitcoin
+rpc_password=bitcoin
 core_wallet=relay_wallet
 ws_url=0.0.0.0:8090
 http_url=0.0.0.0:8091
--- a/conf/sdk_relay2.conf
+++ b/conf/sdk_relay2.conf
@ -3,6 +3,8 @@

 # Bitcoin Core RPC (sans cookie, autorisé par rpcallowip)
 core_url=http://4nk-bitcoin:38332
+rpc_user=bitcoin
+rpc_password=bitcoin
 core_wallet=relay_wallet
 ws_url=0.0.0.0:8090
 http_url=0.0.0.0:8091
--- a/conf/sdk_relay3.conf
+++ b/conf/sdk_relay3.conf
@ -3,6 +3,8 @@

 # Bitcoin Core RPC (sans cookie, autorisé par rpcallowip)
 core_url=http://4nk-bitcoin:38332
+rpc_user=bitcoin
+rpc_password=bitcoin
 core_wallet=relay_wallet
 ws_url=0.0.0.0:8090
 http_url=0.0.0.0:8091
--- a/conf/sdk_signer.conf
+++ b/conf/sdk_signer.conf
@ -11,8 +11,8 @@ blindbit_url = "http://4nk-blindbit:8000"
 bitcoin_rpc_url = "http://4nk-bitcoin:38332"

 # Authentification Bitcoin
-bitcoin_rpc_user = ""
-bitcoin_rpc_password = ""
+bitcoin_rpc_user = "bitcoin"
+bitcoin_rpc_password = "bitcoin"

 # Mode développement
 dev_mode = true
--- a/conf/sdk_storage.conf
+++ b/conf/sdk_storage.conf
@ -9,8 +9,8 @@ db_path = "/home/bitcoin/.4nk/storage.db"
 # URLs des services
 relay_urls = ["http://4nk-sdk-relay1:8091", "http://4nk-sdk-relay2:8093", "http://4nk-sdk-relay3:8095"]
 bitcoin_rpc_url = "http://4nk-bitcoin:38332"
-bitcoin_rpc_user = ""
-bitcoin_rpc_password = ""
+bitcoin_rpc_user = "bitcoin"
+bitcoin_rpc_password = "bitcoin"

 # Mode développement
 dev_mode = true
--- a/modules/blindbit/Dockerfile
+++ b/modules/blindbit/Dockerfile
@ -1 +1,15 @@
 FROM rust:1.75-alpine AS builder
+WORKDIR /app
+RUN apk add --no-cache musl-dev openssl-dev pkgconfig
+COPY Cargo.toml ./
+COPY src ./src
+RUN cargo build --release
+
+FROM alpine:3.19 AS runtime
+WORKDIR /home/bitcoin
+RUN adduser -D blindbit && \
+    mkdir -p /home/bitcoin/.bitcoin && chown -R blindbit:blindbit /home/bitcoin
+COPY --from=builder /app/target/release/blindbit /usr/local/bin/blindbit
+EXPOSE 8000
+USER blindbit
+CMD ["/usr/local/bin/blindbit", "--config", "/home/bitcoin/blindbit.toml"]