gnezim
03eeddfbf8
Two design pivots discovered during Phase B prerequisites: Routing: Replace static-route + NAT plan with persistent ssh -L tunnel from pve-201 to webzavod (deployment/systemd/flights-tim-tunnel.service). nginx proxies /api/ and /map/api/ to https://127.0.0.1:8443 with SNI/Host overrides so cert validation still targets the real hostname. No webzavod kernel changes (no ip_forward/MASQUERADE), no /etc/hosts pin needed. Workflow B: Drop Jenkins trigger/poll automation (operator lacks Jenkins job-configure access and user API token access). release.yml now stops after MR merge with a Telegram message containing the Jenkins job URL. release-verify.yml (new, workflow_dispatch only) runs the customer-URL e2e suite once the operator has triggered Jenkins manually and it has completed. Other: - SSR loopback port 8081 -> 3002 (8081 was taken by openwebui on pve-201) - notify-telegram.sh skips cleanly when TG secrets unset (was: hard-fail) - README + spec addendum cover the new prereqs and removed steps