summaryrefslogtreecommitdiff
path: root/deploy/food.tomflux.xyz.nginx
diff options
context:
space:
mode:
authorTom Flux <tom@tomflux.xyz>2026-06-23 21:16:30 +0100
committerTom Flux <tom@tomflux.xyz>2026-06-23 21:16:30 +0100
commiteed90569f7dafa7eb9c8358c152efac1a49f0405 (patch)
treee8b6cbe4c63e243a79322a7238b986385ae7fb6f /deploy/food.tomflux.xyz.nginx
parentd118726d3010d5b0133c7665fc20008c055f2757 (diff)
Phase 3b: FastMCP "ai service" for claude.ai cooking mode
A standalone MCP server (no Django import) exposing 7 tools over Streamable HTTP, backed by the Django REST API via the caine token. - mcp_server/: client.py (httpx wrapper over /api/), server.py (the tools + FastMCP app + main), __main__.py, tests.py. - Tools: get_pantry, set_item_state, add_to_pantry, what_can_i_cook, get_recipes, log_cook (suggests, never mutates), create_meta_recipe (brainstorm -> commit). Each description says when to call it. - deploy/food-mcp.service: systemd unit (own process, runs .venv python -m mcp_server, loads /var/lib/food/.env). - deploy/food.tomflux.xyz.nginx: current config + an authless /mcp/<secret>/ location proxying to 127.0.0.1:8765 (the URL secret is the credential; SSE-friendly buffering/timeout). - pyproject: [dependency-groups] mcp = [fastmcp, httpx]; deploy with `uv sync --group mcp`. Verified: 7 tools register on fastmcp 3.x, run() accepts transport/ host/port/path, 6 FoodClient unit tests pass (httpx MockTransport). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'deploy/food.tomflux.xyz.nginx')
-rw-r--r--deploy/food.tomflux.xyz.nginx71
1 files changed, 71 insertions, 0 deletions
diff --git a/deploy/food.tomflux.xyz.nginx b/deploy/food.tomflux.xyz.nginx
new file mode 100644
index 0000000..0d4a357
--- /dev/null
+++ b/deploy/food.tomflux.xyz.nginx
@@ -0,0 +1,71 @@
+# nginx config for food.tomflux.xyz
+# Adds the MCP location to the existing web-app server block.
+#
+# The MCP connector is "authless" from claude.ai's side — the long secret in the
+# URL path IS the credential. Only that exact prefix is proxied to the FastMCP
+# service; everything else under /mcp/ falls through to the catch-all 301.
+# Generate the secret once and keep it out of git, e.g.:
+# python -c "import secrets; print(secrets.token_urlsafe(32))"
+# then replace REPLACE_WITH_LONG_SECRET below and in the claude.ai connector URL:
+# https://food.tomflux.xyz/mcp/REPLACE_WITH_LONG_SECRET/
+
+server {
+ server_name food.tomflux.xyz;
+
+ location /app/ {
+ proxy_pass http://127.0.0.1:8042;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location /accounts/ {
+ proxy_pass http://127.0.0.1:8042;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location /static/ {
+ proxy_pass http://127.0.0.1:8042;
+ }
+
+ # --- MCP server (claude.ai cooking-mode connector) ---
+ # Trailing slashes on both sides strip the secret prefix, so the FastMCP
+ # service (serving at "/") sees clean paths.
+ location /mcp/REPLACE_WITH_LONG_SECRET/ {
+ proxy_pass http://127.0.0.1:8765/;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_buffering off; # MCP Streamable HTTP / SSE
+ proxy_read_timeout 3600s;
+ }
+
+ location / {
+ return 301 /app/;
+ }
+
+ # Block API and admin from external access (MCP reaches the API over
+ # localhost, so this does not affect it).
+ location /api/ { return 404; }
+ location /admin/ { return 404; }
+
+ listen 443 ssl; # managed by Certbot
+ ssl_certificate /etc/letsencrypt/live/dav.jihakuz.xyz/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/dav.jihakuz.xyz/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+ if ($host = food.tomflux.xyz) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+
+ server_name food.tomflux.xyz;
+ listen 80;
+ return 404; # managed by Certbot
+}