unom/punktfunk
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases 3 Wiki Activity
Files
b2e587871155aa78f57751e808471dee6eb521c0
punktfunk/web/vite.config.ts
T
enricobuehler 95c4058582
apple / swift (push) Successful in 54s
Details
android / android (push) Failing after 54s
Details
ci / web (push) Successful in 38s
Details
ci / docs-site (push) Successful in 34s
Details
ci / rust (push) Failing after 2m30s
Details
ci / bench (push) Failing after 1m15s
Details
decky / build-publish (push) Failing after 4s
Details
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Failing after 0s
Details
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Failing after 1s
Details
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Failing after 0s
Details
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Failing after 1s
Details
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Failing after 0s
Details
docker / deploy-docs (push) Has been skipped
Details
flatpak / build-publish (push) Failing after 0s
Details
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Failing after 1s
Details
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Failing after 0s
Details
deb / build-publish (push) Successful in 3m22s
Details
fix(web): default mgmt proxy to the HTTPS self-signed mgmt API 
The mgmt API serves HTTPS with the host's self-signed identity cert and requires
mTLS-or-bearer auth (the mTLS work), but the web console's proxy still defaulted to
`http://127.0.0.1:47990` — so a deployment copying .env.example got a plain-HTTP
request to an HTTPS port (→ 502 Bad Gateway, observed live on the Bazzite box).

- .env.example + server/util/auth.ts + vite.config.ts: default PUNKTFUNK_MGMT_URL to
  https://127.0.0.1:47990.
- vite dev proxy: `secure: false` (the host cert is self-signed).
- Document that the deployment needs PUNKTFUNK_MGMT_TOKEN (matching the host's) and
  NODE_TLS_REJECT_UNAUTHORIZED=0 — the web server's only outbound TLS is the loopback
  hop to the host's own self-signed cert, so disabling verify there is scoped + safe.

The running Bazzite box is already fixed live (web.env → https + token + cert-skip,
verified: login 200, /api/v1/status 200). This makes fresh deployments correct.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 07:50:41 +00:00

54 lines
2.5 KiB
TypeScript
Raw Blame History

import { fileURLToPath } from 'node:url'
import { defineConfig } from 'vite'
import { tanstackStart } from '@tanstack/react-start/plugin/vite'
import { nitroV2Plugin } from '@tanstack/nitro-v2-vite-plugin'
import viteReact from '@vitejs/plugin-react'
import viteTsConfigPaths from 'vite-tsconfig-paths'
import tailwindcss from '@tailwindcss/vite'
import { paraglideVitePlugin } from '@inlang/paraglide-js'
// Absolute path to our Nitro server source (middleware + routes). Passed as a scanDir
// because the TanStack Nitro plugin doesn't auto-scan a server/ dir.
const serverDir = fileURLToPath(new URL('./server', import.meta.url))
// The management API the console drives. The browser always talks same-origin (/api/...):
// in `vite dev` the dev server proxies it (below); in the built Bun/Nitro server a Nitro
// route-rule proxies it (below). Override the upstream with PUNKTFUNK_MGMT_URL.
const MGMT_URL = process.env.PUNKTFUNK_MGMT_URL ?? 'https://127.0.0.1:47990'
export default defineConfig({
server: {
proxy: {
// `secure: false`: the host serves its own self-signed identity cert on loopback.
'/api': { target: MGMT_URL, changeOrigin: true, secure: false },
},
},
plugins: [
viteTsConfigPaths({ projects: ['./tsconfig.json'] }),
tailwindcss(),
paraglideVitePlugin({
project: './project.inlang',
outdir: './src/paraglide',
strategy: ['localStorage', 'preferredLanguage', 'baseLocale'],
}),
// Full SSR on the TanStack Start runtime (the management console's data queries run
// client-side after hydration — React Query doesn't fetch during SSR — so the server
// renders a data-free shell that hydrates in the browser).
tanstackStart(),
// Nitro v2 is the deployment target: the `bun` preset bundles a Bun-runnable server to
// .output/ (`bun run .output/server/index.mjs`). Auth + the /api proxy live in the
// scanned `server/` dir (middleware/auth.ts gates every request; routes/api/[...].ts
// proxies to the management host injecting the bearer token server-side) — NOT a static
// routeRule, so the proxy runs behind the login gate and reads env at runtime.
nitroV2Plugin({
preset: 'bun',
compatibilityDate: '2026-06-10',
// Scan server/{middleware,routes} for the auth gate + the /api proxy.
scanDirs: [serverDir],
}),
// Must come AFTER tanstackStart — provides the React JSX transform + Refresh runtime
// that Start's dev mode requires (omitting it leaves the client JS unable to load).
viteReact(),
],
})
Reference in New Issue View Git Blame Copy Permalink