staging

deploy-server

@@ -12,7 +12,7 @@ fi
 rm -rf build
 ./gradlew build
 
-[email protected]
+remote=root@staging.attestation.app
 path=/opt/attestation
 active=$(ssh $remote readlink $path/deploy)
 

deploy-static

@@ -12,20 +12,20 @@ fi
 
 ./process-static $fd
 
-[email protected]
+remote=root@staging.attestation.app
 
 # use last modified timestamps from attestation.app
-rsync -rptcv --chmod=D755,F644 --delete --fsync --preallocate $remote:/srv/attestation.app/ static-production
-rsync -pcv --chmod=D755,F644 --fsync --preallocate static-production/sitemap.xml{,.gz,.br} static-tmp/
-rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-tmp/ static-production
-for f in static-production/**.*(br|gz); do
+rsync -rptcv --chmod=D755,F644 --delete --fsync --preallocate $remote:/srv/attestation.app/ static-staging
+rsync -pcv --chmod=D755,F644 --fsync --preallocate static-staging/sitemap.xml{,.gz,.br} static-tmp/
+rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-tmp/ static-staging
+for f in static-staging/**.*(br|gz); do
     touch -r "${f%.*}" "$f"
 done
 changed="$(./generate-sitemap)"
 xmllint --noblanks static-tmp/sitemap.xml --output static-tmp/sitemap.xml
 brotli -f static-tmp/sitemap.xml
 zopfli static-tmp/sitemap.xml
-rsync -pcv --chmod=D755,F644 --fsync --preallocate static-tmp/sitemap.xml{,.gz,.br} static-production/
+rsync -pcv --chmod=D755,F644 --fsync --preallocate static-tmp/sitemap.xml{,.gz,.br} static-staging/
 
 active=$(ssh $remote readlink /srv/attestation.app)
 
@@ -40,7 +40,7 @@ echo target is $target
 echo
 
 ssh $remote "rm -rf $target && cp -a $active $target"
-rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-production/ $remote:$target
+rsync -rpcv --chmod=D755,F644 --delete --fsync --preallocate static-staging/ $remote:$target
 ssh $remote "ln -snf $target /srv/attestation.app && sync /srv/attestation.app"
 
 echo "root $target;" > nginx-tmp/root_attestation.app.conf
@@ -53,8 +53,3 @@ echo active is now $target
 rsync -pcv --chmod=755 --fsync --preallocate remote-backup $remote:/usr/local/bin/
 rsync -pcv --chmod=644 --fsync --preallocate systemd/system/remote-backup.timer $remote:/etc/systemd/system/remote-backup.timer
 rsync -pcv --chmod=644 --fsync --preallocate systemd/system/remote-backup.service $remote:/etc/systemd/system/remote-backup.service
-rsync -pcv --chmod=644 --chown attestation:attestation --fsync --preallocate backup-public-key.txt cloud-archive.sh $remote:/var/lib/attestation/
-
-if [[ -n "$changed" ]]; then
-    ./indexnow <<< "$changed"
-fi

generate-sitemap

@@ -25,7 +25,7 @@ entries = []
 for page in pages:
     path = page[0]
     loc = base + path
-    filepath = "static-production" + path
+    filepath = "static-staging" + path
     if path[-1] == '/':
         filepath += "index.html"
     elif "." not in path:

nginx/nginx.conf

@@ -70,8 +70,8 @@ http {
     ssl_prefer_server_ciphers on;
     ssl_conf_command Options PrioritizeChaCha;
 
-    ssl_certificate /etc/letsencrypt/live/attestation.app/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/attestation.app/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/staging.attestation.app/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/staging.attestation.app/privkey.pem;
 
     # maintained by nginx-rotate-session-ticket-keys in ramfs
     ssl_session_ticket_key session-ticket-keys/4.key;
@@ -81,11 +81,11 @@ http {
     ssl_session_timeout 1d;
     ssl_buffer_size 4k;
 
-    ssl_trusted_certificate /etc/letsencrypt/live/attestation.app/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/staging.attestation.app/chain.pem;
     ssl_stapling on;
     ssl_stapling_verify on;
     # maintained by certbot-ocsp-fetcher
-    ssl_stapling_file /var/cache/certbot-ocsp-fetcher/attestation.app.der;
+    ssl_stapling_file /var/cache/certbot-ocsp-fetcher/staging.attestation.app.der;
 
     log_format main '$connection-$connection_requests $remote_addr $remote_user $ssl_session_reused $ssl_protocol $server_protocol '
         '$host $request_method "$request_uri" $status $request_length $body_bytes_sent/$bytes_sent '
@@ -125,7 +125,7 @@ http {
     server {
         listen 80;
         listen [::]:80;
-        server_name attestation.app www.attestation.app;
+        server_name staging.attestation.app;
 
         location /.well-known/acme-challenge/ {
             root /srv/certbot;
@@ -152,24 +152,7 @@ http {
         listen 443 ssl;
         listen [::]:443 ssl;
         http2 on;
-        server_name www.attestation.app;
-
-        keepalive_timeout 3m;
-
-        include snippets/security-headers.conf;
-        add_header Cross-Origin-Resource-Policy "same-origin" always;
-
-        # https://trac.nginx.org/nginx/ticket/2012
-        location / {
-            return 301 https://attestation.app$request_uri;
-        }
-    }
-
-    server {
-        listen 443 ssl;
-        listen [::]:443 ssl;
-        http2 on;
-        server_name attestation.app;
+        server_name staging.attestation.app;
 
         include root_attestation.app.conf;
         error_page 403 =404 /404;

nginx/snippets/security-headers.conf

@@ -1,3 +1,6 @@
+# staging site (not a security header)
+add_header X-Robots-Tag "noindex" always;
+
 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 add_header X-Content-Type-Options "nosniff" always;
 # Firefox applies Referrer-Policy to the Origin header

src/main/java/app/attestation/server/AttestationServer.java

@@ -84,7 +84,7 @@ public class AttestationServer {
     private static final int HISTORY_PER_PAGE = 20;
     private static final long MMAP_SIZE = 1024 * 1024 * 1024;
 
-    static final String DOMAIN = "attestation.app";
+    static final String DOMAIN = "staging.attestation.app";
     private static final String ORIGIN = "https://" + DOMAIN;
 
     private static final Logger logger = Logger.getLogger(AttestationServer.class.getName());