docs(license): PR 2 deploy + operator instructions
ADMIN.md gains a "Running a Gumroad webhook" section: how the URL secret works, how to add a SKU to products.yaml, how to inspect gumroad_events (recent activity + failures-only queries), how to replay a failed delivery, and how to test without buyers via Gumroad's "Send Test Ping" button.

The deployed-vs-queued matrix flips Gumroad + Postmark to "code merged, deploy pending" so it's clear the bits exist on main but the live box still runs PR 1.

SETUP-LICENSE-SERVER.md §3 commits the eventual compose.yml shape with PR 2 environment + secrets lines included but commented out, ready to uncomment at deploy time. The §3 chown step already covers the new secret files because it uses `chmod 400 secrets/*` / `chown 10001:10001 secrets/*`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -204,13 +204,18 @@ services:
|
||||
DATABASE_URL: postgresql+psycopg://datatools_api@postgres:5432/datatools_licenses
|
||||
PG_PASSWORD_FILE: /run/secrets/pg_password
|
||||
DATATOOLS_ADMIN_TOKEN_FILE: /run/secrets/admin_token
|
||||
# PR 2 adds: POSTMARK_TOKEN_FILE, GUMROAD_WEBHOOK_SECRET_FILE.
|
||||
# PR 2 — uncomment when Postmark + Gumroad are provisioned.
|
||||
# POSTMARK_TOKEN_FILE: /run/secrets/postmark_token
|
||||
# GUMROAD_WEBHOOK_SECRET_FILE: /run/secrets/gumroad_secret
|
||||
# Production keypair (replaces in-tree dev key): set
|
||||
# DATATOOLS_LICENSE_PRIVKEY_FILE: /run/secrets/license_privkey
|
||||
# and DATATOOLS_LICENSE_PUBKEY: <hex> before shipping v1.0.
|
||||
secrets:
|
||||
- pg_password
|
||||
- admin_token
|
||||
# PR 2:
|
||||
# - postmark_token
|
||||
# - gumroad_secret
|
||||
ports:
|
||||
- "127.0.0.1:8090:8000" # localhost-only; nginx is the only path in
|
||||
healthcheck:
|
||||
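Review bot: The service-level `secrets:` list has commented entries for `postmark_token` and `gumroad_secret` but none for `license_privkey`, while the environment comment above it points `DATATOOLS_LICENSE_PRIVKEY_FILE` at `/run/secrets/license_privkey`. An operator following the comments at the v1.0 cutover would set the variable without the file being mounted into the container. Add a commented `# - license_privkey` entry to this list so it matches the environment block and the top-level `secrets:` definitions.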
@@ -222,8 +227,11 @@ services:
|
||||
secrets:
|
||||
pg_password: { file: ./secrets/pg_password }
|
||||
admin_token: { file: ./secrets/admin_token }
|
||||
# PR 2 adds: postmark_token, gumroad_secret. Production keypair
|
||||
# rotation adds: license_privkey.
|
||||
# PR 2:
|
||||
# postmark_token: { file: ./secrets/postmark_token }
|
||||
# gumroad_secret: { file: ./secrets/gumroad_secret }
|
||||
# Production keypair rotation adds:
|
||||
# license_privkey: { file: ./secrets/license_privkey }
|
||||
|
||||
volumes:
|
||||
datatools_pg_data:
|
||||
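Review bot: Missing documentation on the top-level `secrets:` block: uncommenting `postmark_token` and `gumroad_secret` here only declares the files, and the service still needs its own `secrets:` entries and the matching `*_FILE` environment lines uncommented. A one-line comment naming the three places to uncomment together would keep a partial edit from leaving an environment variable pointing at a path that is not mounted.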
@@ -244,10 +252,12 @@ openssl rand -hex 32 > secrets/pg_password
|
||||
# on your laptop to talk to /internal/* via the SSH tunnel.
|
||||
openssl rand -hex 32 > secrets/admin_token
|
||||
|
||||
# --- PR 2 / production-key follow-ups (skip for PR 1 bring-up) ---
|
||||
# echo -n "<postmark-server-token>" > secrets/postmark_token
|
||||
# --- PR 2 secrets ---
|
||||
# echo -n "<postmark-server-token>" > secrets/postmark_token # from postmarkapp.com
|
||||
# openssl rand -hex 32 > secrets/gumroad_secret # paste into Gumroad's Ping URL: ?secret=<this>
|
||||
#
|
||||
# --- production-key follow-up (defer until v1.0 cutover) ---
|
||||
# echo -n "<ed25519-private-hex>" > secrets/license_privkey
|
||||
# openssl rand -hex 32 > secrets/gumroad_secret
|
||||
|
||||
# Lock everything down. The numeric 10001 matches the in-container
|
||||
# `app` user (Dockerfile-defined), letting the API read the file
|
||||
|
||||
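Review bot: Passing the webhook secret as `?secret=<this>` (the new comment on the `secrets/gumroad_secret` line) puts it in the query string, where it will be written to any access log on the request path, including the nginx front end that the compose file names as the only way in. Add a line here telling the operator to keep the query string out of the access log for the webhook location and to rotate the secret if logs have been shared. Separately, `openssl rand -hex 32 >` writes a trailing newline while the `echo -n` lines do not, so state whether the server strips whitespace when it reads the `*_FILE` secrets; otherwise the value pasted into Gumroad will not compare equal to the file contents.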