fix: nginx-config drift surfaced by first M0-5/M1-6 deploy #76
Merged
Two drift items the 2026-06-11 deploy hit on Pearl and patched live, left unfixed in the repo (would re-bite the next deploy):

1. phase4-coordinator/dist/nginx-coordinator.streamvc.live.conf re-declared `ws_provider_rate` and `ws_provider_conn` zones that the api.streamvc.live vhost already declares. Two vhosts on the same nginx instance cannot redeclare the same http-context zone — `nginx -t` fails with "limit_conn_zone is already bound." Removed the dup declarations; left a comment explaining the cross-vhost sharing and the restore step if the coordinator vhost is ever deployed standalone.

2. phase5-gateway/dist/deploy-pearl-vps.sh was missing the ssl_certificate sed-uncomment block that the coordinator script has. nginx-api.streamvc.live.conf ships with those lines commented for first-deploy ACME ordering; without the sed, post-cert deploys fail `nginx -t` with "no ssl_certificate is defined for the listen ... ssl" directive. Added the same idempotent sed pair the coordinator script uses at its step 6b.

Both surfaced in PR #75's "companion findings" block. The deploy session worked around #1 by editing nginx config in place on Pearl and #2 by switching to a binary-only swap (skipping the script's nginx step). This commit closes the drift in source.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
Two drift items the 2026-06-11 Pearl deploy patched live but left unfixed in the repo. Both would re-bite the next deploy. Companion to PR #75, which surfaced them in its description but explicitly didn't carry the fixes.
1. Coordinator nginx config redeclares zones the api vhost already owns
`phase4-coordinator/dist/nginx-coordinator.streamvc.live.conf` declared `limit_req_zone ws_provider_rate` and `limit_conn_zone ws_provider_conn` at lines 18-19. The `api.streamvc.live` vhost (`phase5-gateway/dist/nginx-api.streamvc.live.conf:10-11`) already declares them. nginx http-context zones are visible across all vhosts on the same instance — re-declaring fails `nginx -t` with `"limit_conn_zone is already bound"`. The Pearl coordinator vhost had been dedup'd in place earlier on 2026-06-11 (`.bak-pre-dedup-20260611T135903Z` artifact survives); the deploy script overwrote that with the still-duped local file and tripped step 6b's `nginx -t`. Fixed in-place by sed-deleting the two lines on Pearl.

This commit removes the dup declarations from the local file and leaves a comment block explaining the cross-vhost sharing — so a future operator deploying the coordinator vhost standalone (no api vhost on the same nginx) knows to add them back.
2. Gateway deploy script missing the `ssl_certificate` sed-uncomment that the coordinator script has
`phase5-gateway/dist/nginx-api.streamvc.live.conf:34-35` ships those lines commented (first-deploy ACME ordering — `nginx -t` must pass before certbot has a cert). The coordinator script handles this at its step 6b with an idempotent `sed`; the gateway script `phase5-gateway/dist/deploy-pearl-vps.sh` at step 4 just `install`s the file as-shipped. End-to-end, that would fail `nginx -t` with `"no ssl_certificate is defined for the listen ... ssl"`. The 2026-06-11 deploy avoided this by switching to a binary-only swap (skipping the nginx step entirely).

This commit adds the same `sed` pair the coordinator script uses, with a comment cross-referencing the coordinator script's step 6b.

Test plan
- `bash -n phase5-gateway/dist/deploy-pearl-vps.sh` — no syntax errors
- `nginx -t` cleanly (no `already bound` error)
- `nginx -t` cleanly (no missing `ssl_certificate` error)

Out of scope
`UPDATE provider_tokens SET revoked_at = ...` on Pearl's `coordinator.db`; no code change needed for the immediate unblock. Any persistent operator-facing CLI work (`coordinator-cli` shipped to Pearl) is a separate follow-up.

🤖 Generated with Claude Code
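Both drift items can be caught before `nginx -t` runs on the host. The following is an added example, not code from this PR or repository: the function names, the certificate-exists guard and the sample vhost files are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-deploy checks for the two drift items described above.
# Function names, arguments and sample files are assumptions for illustration.

# Print each limit_req_zone/limit_conn_zone name declared more than once
# across the given vhost files (nginx rejects the second declaration).
find_duplicate_zones() {
  sed 's/#.*//' "$@" \
    | grep -E '^[[:space:]]*limit_(req|conn)_zone[[:space:]]' \
    | sed -nE 's/.*[[:space:]]zone=([^:;[:space:]]+).*/\1/p' \
    | sort | uniq -d
}

# Uncomment the ssl_certificate / ssl_certificate_key lines in $1, but only
# once the certificate file $2 exists (keeps first-deploy ACME ordering).
# Idempotent: lines that are already live do not match either expression.
uncomment_ssl_certificate() {
  local conf=$1 cert=$2
  [ -f "$cert" ] || return 0
  sed -E \
    -e 's/^([[:space:]]*)#[[:space:]]*(ssl_certificate[[:space:]])/\1\2/' \
    -e 's/^([[:space:]]*)#[[:space:]]*(ssl_certificate_key[[:space:]])/\1\2/' \
    "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Constructed sample vhosts (not the repo's real files; sizes/rates invented).
work=$(mktemp -d)
cat > "$work/api.conf" <<'EOF'
limit_req_zone  $binary_remote_addr zone=ws_provider_rate:10m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=ws_provider_conn:10m;
server {
    listen 443 ssl;
    # ssl_certificate     /etc/ssl/example/fullchain.pem;
    # ssl_certificate_key /etc/ssl/example/privkey.pem;
}
EOF
cat > "$work/coordinator.conf" <<'EOF'
limit_req_zone  $binary_remote_addr zone=ws_provider_rate:10m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=ws_provider_conn:10m;
# limit_conn_zone $binary_remote_addr zone=commented_out:10m;
server { listen 443 ssl; }
EOF

echo "duplicate zones:"; find_duplicate_zones "$work/api.conf" "$work/coordinator.conf"
touch "$work/fullchain.pem"   # stand-in for an issued certificate
uncomment_ssl_certificate "$work/api.conf" "$work/fullchain.pem"
grep -c '^[[:space:]]*ssl_certificate' "$work/api.conf"
```

Running the duplicate check over every vhost file destined for the same nginx instance, in CI or at the top of the deploy script, fails the deploy before a conflicting file is installed.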