alknet/docs/research/ops/certbot.md
glm-5.1 d3633b7839 docs: complete Phase 0 architecture — spec updates, review fixes, and link portability
Update four existing specs (overview, server, napi-and-pubsub, call-protocol) to
reflect Phase 0 decisions: three-layer model, IdentityProvider, ForwardingPolicy,
OperationEnv, static/dynamic config split. Review all 9 Phase 0a ADRs (026-034)
for consistency. Fix 4 critical issues from architecture review: missing OQ-SVC-05
in open-questions.md, deprecated hub terminology, undefined AuthService and noq
terms. Replace inline OQ text with cross-references per format rules. Add
ConfigServiceImpl definition to configuration.md. Port absolute workspace paths
to project-relative links by copying referenced docs (feasibility, certbot,
fail2ban, event_source_types) into docs/research/.
2026-06-07 11:27:52 +00:00


Certbot — dev1

Overview

Let's Encrypt SSL certificates managed by certbot. Used by nginx for HTTPS.

Installed

certbot (snap package on Ubuntu 24.04)

Certificates

| Domain | Expiry | Path |
|---|---|---|
| git.alk.dev | 2026-06-18 | /etc/letsencrypt/live/git.alk.dev/ |

File Locations

/etc/letsencrypt/live/git.alk.dev/
├── fullchain.pem    # Server cert + chain
├── privkey.pem      # Private key
├── cert.pem         # Server cert only
├── chain.pem        # Chain only
└── README

Renewal config: /etc/letsencrypt/renewal/git.alk.dev.conf

Renewal

Certbot auto-renews via a systemd timer. Certificates renew when fewer than 30 days remain before expiry.

# Check certificates and expiry
sudo certbot certificates

# Dry run renewal
sudo certbot renew --dry-run

# Force renewal (if needed)
sudo certbot renew --force-renewal

# Reload nginx after renewal
sudo systemctl reload nginx
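
A certificate with well under 30 days left means the timer-driven renewal is failing silently. The following is an added example, not part of the original notes: it parses the text printed by `certbot certificates` and lists lineages that should already have been renewed. The 21-day threshold, the function names and the `example.test` sample lineages are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list lineages that are past the
# point where the renewal timer should already have renewed them.
# Assumed input: the text layout printed by `certbot certificates`.

# stale_certs [LIMIT_DAYS]  - reads certbot output on stdin.
# LIMIT_DAYS defaults to 21, a hypothetical alert threshold inside the
# 30-day renewal window. Prints "<name> <days>" or "<name> INVALID: <why>".
stale_certs() {
    awk -v limit="${1:-21}" '
        /Certificate Name:/ { name = $3 }
        /Expiry Date:/ {
            if (match($0, /INVALID: [A-Z_, ]+/)) {
                # expired, revoked or test certificate
                print name, substr($0, RSTART, RLENGTH)
            } else if ($0 ~ /VALID: [0-9]+ hour/) {
                # less than one day left is reported in hours
                print name, 0
            } else if (match($0, /VALID: [0-9]+ day/)) {
                days = substr($0, RSTART + 7) + 0   # leading digits only
                if (days < limit) print name, days
            }
        }'
}

# Constructed sample output (not captured from dev1).
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: ok.example.test
    Domains: ok.example.test
    Expiry Date: 2026-08-30 09:14:02+00:00 (VALID: 64 days)
  Certificate Name: late.example.test
    Domains: late.example.test
    Expiry Date: 2026-07-09 09:14:02+00:00 (VALID: 12 days)
  Certificate Name: hours.example.test
    Domains: hours.example.test
    Expiry Date: 2026-06-27 14:00:00+00:00 (VALID: 5 hour(s))
  Certificate Name: dead.example.test
    Domains: dead.example.test
    Expiry Date: 2026-06-01 09:14:02+00:00 (INVALID: EXPIRED)
EOF
}

# On the host: sudo certbot certificates | stale_certs
sample_output | stale_certs
```

Any output line is worth an alert; an empty result means every lineage is still outside the threshold.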

Initial Certificate

If adding a new domain, obtain the cert with the standalone plugin (nginx doesn't need to be running):

sudo certbot certonly --standalone -d <domain> --agree-tos -m <email>

Port 80 must be open for the ACME challenge. The api.alk.dev UFW rule allows HTTP for this purpose.