left4me: refresh README + opt ovh.left4me in via groups

README: Updated metadata example to show domain as the only required key. Documented the bundle's derived_from_domain reactor as the source of nginx/letsencrypt/monitoring/nftables-input wiring, and the bundle-defaults source of backup/paths. nodes/ovh.left4me.py: - groups: + backup, + left4me, + webserver - bundles: dropped 'left4me' and 'nftables' (come via groups now; nftables ships with debian-13). - metadata: pinned vm/cores=4, vm/threads=8 (4-core HT box) so the nginx bundle's worker_processes resolves; left4me block reduced to {'domain': 'left4.me'} — git_url, git_branch, secret_key, and the nginx/letsencrypt/monitoring/nftables/backup blocks now come from bundle defaults / the derived_from_domain reactor.
2026-05-10 18:24:03 +02:00 · 2026-05-10 18:24:03 +02:00 · 7b291acca1
commit 7b291acca1
parent 90f14b69e4
2 changed files with 24 additions and 4 deletions
--- a/bundles/left4me/README.md
+++ b/bundles/left4me/README.md
@ -11,19 +11,29 @@ external interface prioritizes srcds UDP over bulk traffic.
 ```python
 'metadata': {
    'left4me': {
-        'git_url': 'git@git.sublimity.de:cronekorkn/left4me',  # required
-        'git_branch': 'master',                                # required
-        'secret_key': '!32_random_bytes_as_base64_for:<node>_left4me_secret_key',
-        # optional, defaults shown:
+        'domain': 'whatever.tld',  # required — the only per-node knob
+        # Everything below is optional and has a sensible default in the
+        # bundle. Override per-node only if the default is wrong:
+        # 'git_url': 'git@git.sublimity.de:cronekorkn/left4me',
+        # 'git_branch': 'master',
        # 'gunicorn_workers': 1,
        # 'gunicorn_threads': 32,
        # 'job_worker_threads': 4,
        # 'port_range_start': 27015,
        # 'port_range_end': 27115,
+        # secret_key is auto-derived per node
+        # (repo.vault.random_bytes_as_base64_for f'{node.name} left4me secret_key').
    },
 },
 ```

+The bundle's `derived_from_domain` reactor reads `left4me/domain` and
+emits the corresponding `nginx/vhosts`, `letsencrypt/domains`,
+`monitoring/services/left4me-web` (HTTPS health check), and the game-
+port `nftables/input` accept rules. Backup paths
+(`/var/lib/left4me`, `/etc/left4me`) are set-merged into `backup/paths`
+from defaults. None of these need to be declared per-node.
+
 ## What this bundle does

 - Creates system users `left4me` (uid/gid 980, home `/var/lib/left4me`,
--- a/nodes/ovh.left4me.py
+++ b/nodes/ovh.left4me.py
@ -1,14 +1,21 @@
 {
    'hostname': '141.95.32.8',
    'groups': [
+        'backup',
        'debian-13',
+        'left4me',
        'monitored',
+        'webserver',
    ],
    'bundles': [
        'wireguard',
    ],
    'metadata': {
        'id': '14d2abc-3855-4bb7-99e2-d4e3eb0344dd',
+        'vm': {
+            'cores': 4,    # 4 physical, 8 with HT
+            'threads': 8,
+        },
        'network': {
            'external': {
                'interface': 'enp3s0f0',
@ -34,5 +41,8 @@
                },
            },
        },
+        'left4me': {
+            'domain': 'left4.me',
+        },
    },
 }