feat(flatpak): host a signed OSTree repo at flatpak.unom.io for flatpak update

The CI only shipped a single-file .flatpak bundle, which has no remote — users couldn't `flatpak update`. Keep the bundle (Decky fallback) but also sign the OSTree repo flatpak-builder already produces and publish it to a shared, reusable unom-wide remote. - flatpak.yml: pin --default-branch=stable; import the signing key and build-update-repo --gpg-sign; generate unom.flatpakrepo + the app .flatpakref + index.html; rsync the repo to unom-1 and bring up a static Caddy container. The step no-ops until FLATPAK_GPG_PRIVATE_KEY/DEPLOY_* exist (build stays green). - packaging/flatpak/server/: compose.production.yml + Caddyfile (static file server on :3230, mirrors docker.yml deploy-docs). - unom-flatpak.gpg: committed public signing key (base64 -> GPGKey= in the descriptors). - README: hosted repo is now the recommended install; documents the one-time infra (edge Caddy vhost, infra port 3230, DNS, the GPG secret). Edge Caddy vhost + infra port allowlist + the secret are applied out-of-band. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 21:07:27 +00:00
parent 9c8fa9340c
commit d9d495a53e
5 changed files with 176 additions and 20 deletions
@@ -0,0 +1,15 @@
+# Inner Caddy (plain HTTP on :3230); the edge proxy on home-reverse-proxy-1 does TLS.
+:3230 {
+	root * /srv
+	file_server browse
+
+	# OSTree summary/refs change every publish — keep them fresh; objects are immutable.
+	@mutable path /repo/summary* /repo/refs/*
+	header @mutable Cache-Control "public, max-age=30"
+	@objects path /repo/objects/* /repo/deltas/*
+	header @objects Cache-Control "public, max-age=31536000, immutable"
+
+	# Serve the install descriptors as text so browsers show them / flatpak fetches cleanly.
+	@descriptors path *.flatpakref *.flatpakrepo
+	header @descriptors Content-Type "text/plain; charset=utf-8"
+}
@@ -0,0 +1,14 @@
+# Static file server for the punktfunk Flatpak OSTree repo, on unom-1 (the DMZ services VM).
+# Caddy on home-reverse-proxy-1 terminates TLS for flatpak.punktfunk.unom.io and reverse_proxies
+# to 192.168.50.50:3230 (port must be in unom/infra caddy_target_ports). This inner Caddy just
+# serves the bind-mounted ./site tree (repo/ + the .flatpakrepo/.flatpakref + index.html) over
+# plain HTTP. CI rsyncs into ./site and runs `docker compose up -d` (idempotent).
+services:
+  flatpak:
+    image: caddy:2-alpine
+    restart: unless-stopped
+    ports:
+      - "3230:3230"
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+      - ./site:/srv:ro