alkdev/alknet
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: complete Phase 0 architecture — spec updates, review fixes, and link portability

Browse Source 
Update four existing specs (overview, server, napi-and-pubsub, call-protocol) to
reflect Phase 0 decisions: three-layer model, IdentityProvider, ForwardingPolicy,
OperationEnv, static/dynamic config split. Review all 9 Phase 0a ADRs (026-034)
for consistency. Fix 4 critical issues from architecture review: missing OQ-SVC-05
in open-questions.md, deprecated hub terminology, undefined AuthService and noq
terms. Replace inline OQ text with cross-references per format rules. Add
ConfigServiceImpl definition to configuration.md. Port absolute workspace paths
to project-relative links by copying referenced docs (feasibility, certbot,
fail2ban, event_source_types) into docs/research/.
This commit is contained in:
glm-5.1
2026-06-07 11:27:52 +00:00
parent 835724d087
commit d3633b7839
22 changed files with 1508 additions and 115 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
docs/research/ops/certbot.md Normal file
View File

@@ -0,0 +1,56 @@
# Certbot — dev1
## Overview
Let's Encrypt SSL certificates managed by certbot. Used by nginx for HTTPS.
## Installed
certbot (snap package on Ubuntu 24.04)
## Certificates
| Domain | Expiry | Path |
|--------|--------|------|
| git.alk.dev | 2026-06-18 | /etc/letsencrypt/live/git.alk.dev/ |
## File Locations
```
/etc/letsencrypt/live/git.alk.dev/
├── fullchain.pem # Server cert + chain
├── privkey.pem # Private key
├── cert.pem # Server cert only
├── chain.pem # Chain only
└── README
```
Renewal config: `/etc/letsencrypt/renewal/git.alk.dev.conf`
## Renewal
Certbot auto-renews via systemd timer. Certificates renew when <30 days remaining.
```bash
# Check certificates and expiry
sudo certbot certificates
# Dry run renewal
sudo certbot renew --dry-run
# Force renewal (if needed)
sudo certbot renew --force-renewal
# Reload nginx after renewal
sudo systemctl reload nginx
```
## Initial Certificate
If adding a new domain, obtain the cert with the standalone plugin (nginx doesn't need to be running):
```bash
sudo certbot certonly --standalone -d <domain> --agree-tos -m <email>
```
Port 80 must be open for the ACME challenge. The api.alk.dev UFW rule allows HTTP for this purpose.