first commit

deploy/Caddyfile

@@ -0,0 +1,34 @@
+# Caddy alternative to nginx. Replace example.com with your DOMAIN.
+#
+# Caddy auto-issues TLS via Let's Encrypt by default.
+
+example.com {
+    encode gzip zstd
+
+    header {
+        X-Content-Type-Options nosniff
+        X-Frame-Options DENY
+        Referrer-Policy strict-origin-when-cross-origin
+        # Strict-Transport-Security "max-age=31536000; includeSubDomains"
+    }
+
+    request_body {
+        max_size 1MB
+    }
+
+    @nostrjson path /.well-known/nostr.json
+    handle @nostrjson {
+        reverse_proxy 127.0.0.1:8080
+        header Cache-Control "public, max-age=60"
+        header Access-Control-Allow-Origin "*"
+    }
+
+    @api path /v1/* /healthz /openapi.json /docs /docs/*
+    handle @api {
+        reverse_proxy 127.0.0.1:8080
+    }
+
+    handle {
+        respond "Not found" 404
+    }
+}

deploy/nginx.conf

@@ -0,0 +1,62 @@
+# Example nginx config for nip05api.
+# Replace example.com with your DOMAIN.
+
+upstream nip05api {
+    server 127.0.0.1:8080;
+    keepalive 16;
+}
+
+# HTTP → HTTPS redirect (assumes certbot or equivalent has terminated TLS).
+server {
+    listen 80;
+    listen [::]:80;
+    server_name example.com;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name example.com;
+
+    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 1d;
+
+    # HSTS — opt in once you're confident HTTPS is permanent.
+    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    client_max_body_size 1m;
+
+    # NIP-05 well-known endpoint MUST be served on the apex domain.
+    location = /.well-known/nostr.json {
+        proxy_pass http://nip05api;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+
+        add_header Access-Control-Allow-Origin "*" always;
+        add_header Cache-Control "public, max-age=60" always;
+    }
+
+    location ~ ^/(v1/|healthz|version|openapi.json|docs) {
+        proxy_pass http://nip05api;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        proxy_read_timeout 30s;
+    }
+}

deploy/nip05api.service

@@ -0,0 +1,45 @@
+[Unit]
+Description=NIP-05 API
+Documentation=https://github.com/noderunners/nip05api
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=nip05
+Group=nip05
+WorkingDirectory=/opt/nip05api
+EnvironmentFile=/opt/nip05api/.env
+ExecStart=/opt/nip05api/bin/nip05api
+Restart=on-failure
+RestartSec=5
+
+# Hardening
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+ReadWritePaths=/opt/nip05api/.data
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+# Limits
+LimitNOFILE=65536
+TimeoutStopSec=45
+
+# Logging to stdout/stderr → journald
+StandardOutput=journal
+StandardError=journal
+
+[Install]
+WantedBy=multi-user.target