@ts-cloud/core 0.2.24 → 0.2.26

package/dist/types.d.ts

@@ -1538,6 +1538,79 @@ export interface ComputeConfig {
      * Set to `true` only if you need traditional SSH access.
      */
     allowSsh?: boolean;
+    /**
+     * Reverse-proxy gateway to provision on the box. When set to an engine,
+     * `buddy deploy` generates the gateway's route config from the `sites` model
+     * (mapping each non-bucket site to a route by `domain`/`path`) and installs +
+     * starts the gateway on :80/:443.
+     *
+     * Opt-in and **off by default** (`undefined` → no gateway provisioned, the
+     * operator runs their own), so existing deploys are unaffected.
+     *
+     * Currently the only engine is `rpx` (`@stacksjs/rpx`), which natively
+     * supports path-based routing within a host, on-demand TLS, and serving
+     * static dirs — so an app, docs, and a public site can share one domain.
+     */
+    proxy?: ComputeProxyConfig;
+}
+/**
+ * Reverse-proxy gateway provisioning for a compute box. The gateway is
+ * generated from the `sites` model and installed by the driver's cloud-init /
+ * deploy flow. See {@link ComputeConfig.proxy}.
+ */
+export interface ComputeProxyConfig {
+    /**
+     * Gateway engine. `rpx` provisions `@stacksjs/rpx` as a systemd service
+     * (`rpx-gateway.service`) reading a generated config. This is the only
+     * supported engine today.
+     */
+    engine: 'rpx';
+    /**
+     * npm version/range of `@stacksjs/rpx` to install on the box.
+     * @default 'latest'
+     */
+    version?: string;
+    /**
+     * Directory on the box holding real TLS certs (PEM `<domain>.crt`/`.key`),
+     * served per-SNI by rpx. @default '/etc/rpx/certs'
+     */
+    certsDir?: string;
+    /**
+     * Enable rpx on-demand TLS: lazily issue a real (Let's Encrypt) cert for an
+     * approved host the first time it's needed. The site domains are used as the
+     * allowlist. Off by default.
+     */
+    onDemandTls?: boolean;
+    /** Contact email for the ACME account when {@link onDemandTls} is enabled. */
+    onDemandTlsEmail?: string;
+    /**
+     * Put a CDN (CloudFront) in front of this self-hosted gateway. A CDN custom
+     * origin can't be a bare IP and can't be one of the public aliases (it would
+     * resolve back to the CDN — an infinite loop), so it needs a dedicated origin
+     * hostname pointing at this box. Requests then flow
+     * `viewer → CDN → originDomain (this box)`.
+     *
+     * When {@link CdnFrontConfig.secret} is set, the CDN injects it as a header
+     * on the origin hop and the gateway rejects any request to the fronted hosts
+     * that lacks it — so the publicly-resolvable origin can't be used to bypass
+     * the CDN (origin lockdown via rpx `createOriginGuard`). Pair with
+     * `buildCloudFrontOriginConfig` for the matching AWS distribution config.
+     */
+    cdn?: CdnFrontConfig;
+}
+/** CDN-in-front-of-gateway configuration (see {@link ComputeProxyConfig.cdn}). */
+export interface CdnFrontConfig {
+    /**
+     * Hostname the CDN connects to (e.g. `origin.example.com`). MUST resolve to
+     * this box and MUST NOT be one of {@link frontedHosts} (else the CDN loops).
+     */
+    originDomain: string;
+    /** Public hosts served through the CDN (its aliases) — locked down when {@link secret} is set. */
+    frontedHosts: string[];
+    /** Shared secret the CDN injects on the origin hop; the gateway enforces it on {@link frontedHosts}. */
+    secret?: string;
+    /** Header name carrying {@link secret}. @default 'X-Origin-Verify' */
+    secretHeader?: string;
 }
 export interface DatabaseItemConfig {
     engine?: 'dynamodb' | 'postgres' | 'mysql';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ts-cloud/core",
-  "version": "0.2.24",
+  "version": "0.2.26",
   "type": "module",
   "description": "Core CloudFormation generation library for ts-cloud",
   "author": "Chris Breuer <chris@stacksjs.com>",
@@ -31,7 +31,7 @@
     "typecheck": "tsc --noEmit"
   },
   "dependencies": {
-    "@ts-cloud/aws-types": "0.2.24"
+    "@ts-cloud/aws-types": "0.2.26"
   },
   "devDependencies": {
     "typescript": "^5.9.3"