Wire up palinks.app custom domain via Hetzner edge proxy (umbrella) #28

Open
opened 2026-06-08 03:19:45 +00:00 by ldraney · 2 comments
Type

Feature

Lineage

Follow-up from spike #15 (docs/custom-domain.md). Supersedes the original GoDaddy-redirect approach after Hetzner edge decision (pal-e-platform #419).

Repo

Multi-repo umbrella — see sub-tickets for per-repo scope.

User Story

As Lucas
I want palinks.app to serve the app directly via the Hetzner edge proxy
So that users get a clean URL with proper TLS and no redirect chain

Context

The Hetzner edge node (edge-proxy, 178.156.129.142) is live on the tailnet and running Caddy. The infra is provisioned (pal-e-platform #419 done). What remains is DNS, Caddy config, Rails host allowlisting, and Keycloak redirect URIs.

Sub-Tickets (Execution Order)

| # | Ticket | Repo | Scope |
|---|--------|------|-------|
| 1 | palinks #50 | GoDaddy | Set DNS A records for palinks.app → 178.156.129.142 |
| 2 | pal-e-platform #425 | pal-e-platform | Configure Caddy reverse proxy on edge-proxy (Salt state or manual SSH) |
| 3 | palinks #51 | palinks + pal-e-services | Add palinks.app to Rails config.hosts + Keycloak redirect URIs in k3s.tfvars |

Dependencies: #50 (DNS) must complete before #425 (Caddy) can provision TLS. #51 (Rails/Keycloak) is independent but must be deployed before e2e verification.

File Targets

See individual sub-tickets for concrete file paths:

  • #50: GoDaddy dashboard (no code)
  • #425: /etc/caddy/Caddyfile on edge-proxy, or salt/states/caddy/ in pal-e-platform
  • #51: config/environments/production.rb (palinks), terraform/k3s.tfvars (pal-e-services)

Feature Flag

None — infrastructure change.

Acceptance Criteria

  • https://palinks.app serves the palinks app directly (no redirect)
  • https://www.palinks.app redirects to https://palinks.app
  • TLS via Let's Encrypt (Caddy automatic)
  • Rails accepts requests from palinks.app host
  • Keycloak login/logout works from palinks.app origin

Test Expectations

  • curl -I https://palinks.app returns 200
  • curl -I https://www.palinks.app returns 301 → https://palinks.app
  • Browser: full page load, login flow, link CRUD all work from palinks.app

Constraints

  • Edge node is already provisioned — no Hetzner infra changes needed
  • Caddy handles TLS automatically via ACME — no cert provisioning
  • DNS propagation may take up to 48h (usually minutes with GoDaddy)

Checklist

  • #50 — GoDaddy DNS A records set
  • #425 — Caddy site block configured on edge-proxy
  • #51 — Rails config.hosts + Keycloak redirect URIs updated
  • End-to-end verification from browser

Related

  • project-palinks — project page
  • docs/custom-domain.md — architecture doc
  • pal-e-platform/docs/hetzner-edge.md — edge node architecture
  • ldraney/pal-e-platform #419 — Hetzner edge provisioning (done)
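For orientation on what #425 has to produce on edge-proxy, here is an added example Caddy site configuration covering the acceptance criteria above (www → apex 301, automatic TLS, reverse proxy into the cluster). It is not the project's own Caddyfile; the upstream address is a placeholder, since the page does not give the tailnet address of the k3s ingress.

```caddyfile
# Added example, not the project's Caddyfile. Assumed: the app is reachable from
# edge-proxy over the tailnet at <K3S_INGRESS_TAILNET_ADDR> (placeholder, fill in from #425).

# Acceptance criterion: https://www.palinks.app -> 301 -> https://palinks.app
# {uri} keeps path and query string so deep links survive the redirect.
www.palinks.app {
    redir https://palinks.app{uri} permanent
}

# Acceptance criterion: https://palinks.app serves the app directly.
# TLS is issued automatically via ACME (Let's Encrypt) once the A record from #50
# points at this node; no manual cert provisioning, matching the Constraints section.
palinks.app {
    encode gzip

    reverse_proxy http://<K3S_INGRESS_TAILNET_ADDR>:80 {
        # Caddy passes the original Host header through unchanged by default, so
        # Rails host authorization (config.hosts, #51) sees "palinks.app", not the
        # upstream address. X-Forwarded-For and X-Forwarded-Proto are also set by
        # default, so Rails can treat the request as HTTPS (force_ssl, secure cookies).
        header_up X-Real-IP {remote_host}
    }

    # Edge hardening: enforce HTTPS on return visits and drop the server banner.
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-Content-Type-Options nosniff
        -Server
    }
}
```

Because the www host is answered entirely at the edge, the Rails side (#51) only needs the apex host in config.hosts; the Keycloak redirect URIs should likewise list the exact https://palinks.app origin rather than a wildcard.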
ldraney changed title from Configure GoDaddy 301 redirect for palinks.app to Wire up palinks.app custom domain via Hetzner edge proxy 2026-06-13 13:22:30 +00:00

Scope Review: NEEDS_REFINEMENT

Review note: review-1392-2026-06-13
Multi-repo ticket exceeds decomposition thresholds -- 4+ file targets across 4 systems, no single agent can execute.

  • [DECOMPOSE] 4 systems (palinks, pal-e-platform, pal-e-services, GoDaddy DNS) -- route to skill-decompose-ticket for sub-ticket creation
  • [BODY] Missing specific file path for Caddy config in pal-e-platform
  • [BODY] Unclear Keycloak redirect URI update mechanism (Terraform? admin UI? config file?)
  • [LABEL] Points mismatch: scored at 1 but multi-repo scope warrants at least 3
ldraney changed title from Wire up palinks.app custom domain via Hetzner edge proxy to Wire up palinks.app custom domain via Hetzner edge proxy (umbrella) 2026-06-13 13:40:17 +00:00

Scope Review: APPROVED

Review note: review-1392-2026-06-13-b

Re-review after refinement -- all 4 prior findings resolved. Umbrella is well-decomposed into 3 sub-tickets (#50, #425, #51) with concrete file targets, correct repo placement, and documented execution order. Points updated to 5. Ready for execution.

Non-blocking observations:

  • Minor: pal-e-platform #425 Constraints references "palinks #49" but should be "#50" (DNS sub-ticket)
  • Persistent: arch-palinks note still missing in pal-e-docs (flagged across 5+ reviews, platform housekeeping item)
Reference
ldraney/palinks#28