diff options
Diffstat (limited to 'deploy')
| -rw-r--r-- | deploy/food-mcp.service | 18 | ||||
| -rw-r--r-- | deploy/food.tomflux.xyz.nginx | 71 |
2 files changed, 89 insertions, 0 deletions
diff --git a/deploy/food-mcp.service b/deploy/food-mcp.service new file mode 100644 index 0000000..0bef140 --- /dev/null +++ b/deploy/food-mcp.service @@ -0,0 +1,18 @@ +[Unit] +Description=Food MCP service (FastMCP — claude.ai connector) +After=network.target food.service + +[Service] +Type=simple +User=openclaw +Group=openclaw +WorkingDirectory=/var/lib/food +Environment="PATH=/var/lib/food/.venv/bin:/usr/bin" +# FOOD_API_TOKEN (the caine DRF token), optional FOOD_API_BASE / FOOD_MCP_PORT. +EnvironmentFile=-/var/lib/food/.env +ExecStart=/var/lib/food/.venv/bin/python -m mcp_server +Restart=on-failure +RestartSec=5 + +[Install] +WantedBy=multi-user.target diff --git a/deploy/food.tomflux.xyz.nginx b/deploy/food.tomflux.xyz.nginx new file mode 100644 index 0000000..0d4a357 --- /dev/null +++ b/deploy/food.tomflux.xyz.nginx @@ -0,0 +1,71 @@ +# nginx config for food.tomflux.xyz +# Adds the MCP location to the existing web-app server block. +# +# The MCP connector is "authless" from claude.ai's side — the long secret in the +# URL path IS the credential. Only that exact prefix is proxied to the FastMCP +# service; everything else under /mcp/ falls through to the catch-all 301. +# Generate the secret once and keep it out of git, e.g.: +# python -c "import secrets; print(secrets.token_urlsafe(32))" +# then replace REPLACE_WITH_LONG_SECRET below and in the claude.ai connector URL: +# https://food.tomflux.xyz/mcp/REPLACE_WITH_LONG_SECRET/ + +server { + server_name food.tomflux.xyz; + + location /app/ { + proxy_pass http://127.0.0.1:8042; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /accounts/ { + proxy_pass http://127.0.0.1:8042; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + location /static/ { + proxy_pass http://127.0.0.1:8042; + } + + # --- MCP server (claude.ai cooking-mode connector) --- + # Trailing slashes on both sides strip the secret prefix, so the FastMCP + # service (serving at "/") sees clean paths. + location /mcp/REPLACE_WITH_LONG_SECRET/ { + proxy_pass http://127.0.0.1:8765/; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_buffering off; # MCP Streamable HTTP / SSE + proxy_read_timeout 3600s; + } + + location / { + return 301 /app/; + } + + # Block API and admin from external access (MCP reaches the API over + # localhost, so this does not affect it). + location /api/ { return 404; } + location /admin/ { return 404; } + + listen 443 ssl; # managed by Certbot + ssl_certificate /etc/letsencrypt/live/dav.jihakuz.xyz/fullchain.pem; # managed by Certbot + ssl_certificate_key /etc/letsencrypt/live/dav.jihakuz.xyz/privkey.pem; # managed by Certbot + include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot +} + +server { + if ($host = food.tomflux.xyz) { + return 301 https://$host$request_uri; + } # managed by Certbot + + server_name food.tomflux.xyz; + listen 80; + return 404; # managed by Certbot +} |
