From fba78f99b5440a2a1049b1be21f86c939802d2f1 Mon Sep 17 00:00:00 2001 From: Bastian de Byl Date: Sat, 6 Jun 2026 21:06:24 -0400 Subject: [PATCH 1/3] fulfillr prod: bump to 20260607.0055 (idle-conn fix [orders-500] + outreach->Turso) --- ansible/roles/podman/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml index 1acaf8d..5aa34a4 100644 --- a/ansible/roles/podman/tasks/main.yml +++ b/ansible/roles/podman/tasks/main.yml @@ -78,13 +78,13 @@ - import_tasks: containers/debyltech/fulfillr.yml vars: - image: git.debyl.io/debyltech/fulfillr:20260606.2328 + image: git.debyl.io/debyltech/fulfillr:20260607.0055 tags: debyltech, fulfillr # Staging back-office (fulfillr-dev.debyltech.com) — same image, staging Turso config. - import_tasks: containers/debyltech/fulfillr-dev.yml vars: - image: git.debyl.io/debyltech/fulfillr:20260606.2328 + image: git.debyl.io/debyltech/fulfillr:20260607.0055 tags: debyltech, fulfillr-dev - import_tasks: containers/debyltech/uptime-kuma.yml -- 2.52.0 From 7b35d0806d9fcabfcfe8e0cc204dddb71f8710fb Mon Sep 17 00:00:00 2001 From: Bastian de Byl Date: Sat, 6 Jun 2026 22:20:58 -0400 Subject: [PATCH 2/3] =?UTF-8?q?fulfillr=20prod:=20bump=20to=2020260607.021?= =?UTF-8?q?7=20(Snipcart=20decommission=20=E2=80=94=20go-snipcart=20droppe?= =?UTF-8?q?d)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/roles/podman/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml index 5aa34a4..af3595e 100644 --- a/ansible/roles/podman/tasks/main.yml +++ b/ansible/roles/podman/tasks/main.yml 
@@ -78,13 +78,13 @@ - import_tasks: containers/debyltech/fulfillr.yml vars: - image: git.debyl.io/debyltech/fulfillr:20260607.0055 + image: git.debyl.io/debyltech/fulfillr:20260607.0217 tags: debyltech, fulfillr # Staging back-office (fulfillr-dev.debyltech.com) — same image, staging Turso config. - import_tasks: containers/debyltech/fulfillr-dev.yml vars: - image: git.debyl.io/debyltech/fulfillr:20260607.0055 + image: git.debyl.io/debyltech/fulfillr:20260607.0217 tags: debyltech, fulfillr-dev - import_tasks: containers/debyltech/uptime-kuma.yml -- 2.52.0 From f61105c9903e240d574b8a9e89b9751489ac944f Mon Sep 17 00:00:00 2001 From: Bastian de Byl Date: Fri, 12 Jun 2026 20:23:52 -0400 Subject: [PATCH 3/3] SCRUM-45: Caddy carve-out for the EasyPost return webhook The Fulfillr host is IP-restricted, so EasyPost's servers can't reach it. Add a narrow `handle /webhooks/easypost` before the IP restriction (handle blocks are mutually exclusive, first match wins) for prod (:9054) and dev (:9055) so the HMAC-verified tracker webhook is reachable while the rest of the host stays locked. Co-Authored-By: Claude Opus 4.8 (1M context) --- .../roles/podman/templates/caddy/Caddyfile.j2 | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/ansible/roles/podman/templates/caddy/Caddyfile.j2 b/ansible/roles/podman/templates/caddy/Caddyfile.j2 index 048696f..e0ce118 100644 --- a/ansible/roles/podman/templates/caddy/Caddyfile.j2 +++ b/ansible/roles/podman/templates/caddy/Caddyfile.j2 
@@ -344,6 +344,15 @@ # Fulfillr - {{ fulfillr_server_name }} (Static + API with IP restrictions) {{ fulfillr_server_name }} { + # Public EasyPost tracker webhook — HMAC-verified inside go-fulfillr. Placed + # before the IP restriction (handle blocks are mutually exclusive, first + # match wins) so EasyPost's servers can POST here while everything else on + # this host stays IP-restricted. + @easypost_webhook path /webhooks/easypost + handle @easypost_webhook { + reverse_proxy localhost:9054 + } + {{ ip_restricted_site() }} @api { @@ -391,6 +400,13 @@ # Fulfillr DEV/staging - {{ fulfillr_dev_server_name }} (Static + API with IP restrictions) {{ fulfillr_dev_server_name }} { + # Public EasyPost tracker webhook (test mode) — HMAC-verified inside + # go-fulfillr. Placed before the IP restriction so EasyPost can POST here. + @easypost_webhook path /webhooks/easypost + handle @easypost_webhook { + reverse_proxy localhost:9055 + } + {{ ip_restricted_site() }} @api { -- 2.52.0
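Review bot: The `handle @easypost_webhook` blocks added to both the prod and dev sites forward any method and any body size on `/webhooks/easypost` to go-fulfillr from the open internet, which leaves the application's HMAC check as the only control on the one path that skips the IP restriction. I would narrow the matcher to `method POST` and cap the body with `request_body` inside the handle, as sketched below for prod; the dev block proxying to `localhost:9055` needs the same change. The comment's claim that the first matching handle wins also depends on `ip_restricted_site()` expanding to `handle` blocks, and the macro body is not in this hunk, so that is worth confirming against the rendered Caddyfile. Both site blocks continue past the end of their hunks.

```caddyfile
    # ... unchanged: comment explaining the carve-out ...
    @easypost_webhook {
        path /webhooks/easypost
        method POST
    }
    handle @easypost_webhook {
        # Placeholder limit: size it from the largest tracker payload observed.
        request_body {
            max_size 1MB
        }
        reverse_proxy localhost:9054
    }
```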