Add µPaaS deployment setup for fsn1app1

- Add Docker HEALTHCHECK instruction probing /.well-known/healthcheck.json
  (30s interval, 5s timeout, 10s start period, 3 retries) for µPaaS
  container health verification
- Create deploy/README.md with full µPaaS app configuration reference
  (app name, repo URL, branch, env vars, volumes, ports, production config)
- Add Deployment section to README.md linking to deploy docs
- Add deploy/ to .dockerignore (docs not needed in build context)

.dockerignore

@@ -6,3 +6,4 @@
 node_modules
 bin/
 data/
+deploy/

Dockerfile

@@ -75,4 +75,7 @@ WORKDIR /var/lib/pixa
 
 EXPOSE 8080
 
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+    CMD wget -q --spider http://localhost:8080/.well-known/healthcheck.json
+
 ENTRYPOINT ["/usr/local/bin/pixad", "--config", "/etc/pixa/config.yml"]

README.md

@@ -96,10 +96,11 @@ expiration 1704067200:
 4. URL:
    `/v1/image/cdn.example.com/photos/cat.jpg/800x600.webp?sig=<base64url>&exp=1704067200`
 
-**Whitelist entries** are exact host matches only (e.g.
-`cdn.example.com`). Suffix/wildcard matching is not supported —
-signatures are per-URL, so each allowed host must be listed
-explicitly.
+**Whitelist patterns:**
+
+- **Exact match**: `cdn.example.com` — matches only that host
+- **Suffix match**: `.example.com` — matches `cdn.example.com`,
+  `images.example.com`, and `example.com`
 
 ### Configuration
 
@@ -124,6 +125,17 @@ See `config.example.yml` for all options with defaults.
 - **Metrics**: Prometheus
 - **Logging**: stdlib slog
 
+## Deployment
+
+Pixa is deployed via
+[µPaaS](https://git.eeqj.de/sneak/upaas) on `fsn1app1`
+(paas.datavi.be). Pushes to `main` trigger automatic builds and
+deployments. The Dockerfile includes a `HEALTHCHECK` that probes
+`/.well-known/healthcheck.json`.
+
+See [deploy/README.md](deploy/README.md) for the full µPaaS app
+configuration, volume mounts, and production setup instructions.
+
 ## TODO
 
 See [TODO.md](TODO.md) for the full prioritized task list.

config.example.yml

@@ -13,7 +13,8 @@ state_dir: ./data
 # Generate with: openssl rand -base64 32
 signing_key: "CHANGE_ME_generate_with_openssl_rand_base64_32"
 
-# Hosts that don't require signatures (exact match only)
+# Hosts that don't require signatures
+# Use "." prefix for wildcard subdomain matching (e.g., ".example.com" matches "cdn.example.com")
 whitelist_hosts:
   - s3.sneak.cloud
   - static.sneak.cloud

deploy/README.md

@@ -0,0 +1,78 @@
+# Pixa Deployment via µPaaS
+
+Pixa is deployed on `fsn1app1` via
+[µPaaS](https://git.eeqj.de/sneak/upaas) (paas.datavi.be).
+
+## µPaaS App Configuration
+
+Create the app in the µPaaS web UI with these settings:
+
+| Setting | Value |
+| --- | --- |
+| **App name** | `pixa` |
+| **Repo URL** | `git@git.eeqj.de:sneak/pixa.git` |
+| **Branch** | `main` |
+| **Dockerfile path** | `Dockerfile` |
+
+### Environment Variables
+
+| Variable | Description | Required |
+| --- | --- | --- |
+| `PORT` | HTTP listen port (default: 8080) | No |
+
+Configuration is provided via the config file baked into the Docker
+image at `/etc/pixa/config.yml`. To override it, mount a custom
+config file as a volume (see below).
+
+### Volumes
+
+| Host Path | Container Path | Description |
+| --- | --- | --- |
+| `/srv/pixa/data` | `/var/lib/pixa` | SQLite database and image cache |
+| `/srv/pixa/config.yml` | `/etc/pixa/config.yml` | Production config (signing key, whitelist, etc.) |
+
+### Ports
+
+| Host Port | Container Port | Protocol |
+| --- | --- | --- |
+| (assigned) | 8080 | TCP |
+
+### Docker Network
+
+Attach to the shared reverse-proxy network if using Caddy/Traefik
+for TLS termination.
+
+## Production Configuration
+
+Copy `config.example.yml` from the repo root and customize for
+production:
+
+```yaml
+port: 8080
+debug: false
+maintenance_mode: false
+state_dir: /var/lib/pixa
+signing_key: "<generate with: openssl rand -base64 32>"
+whitelist_hosts:
+    - s3.sneak.cloud
+    - static.sneak.cloud
+    - sneak.berlin
+allow_http: false
+```
+
+**Important:** Generate a unique `signing_key` for production. Never
+use the default placeholder value.
+
+## Health Check
+
+The Dockerfile includes a `HEALTHCHECK` instruction that probes
+`/.well-known/healthcheck.json` every 30 seconds. µPaaS verifies
+container health 60 seconds after deployment.
+
+## Deployment Flow
+
+1. Push to `main` triggers the Gitea webhook
+2. µPaaS clones the repo and runs `docker build .`
+3. The Dockerfile runs `make check` (format, lint, test) during build
+4. On success, µPaaS stops the old container and starts the new one
+5. After 60 seconds, µPaaS checks container health

internal/imgcache/whitelist.go

@@ -5,20 +5,23 @@ import (
 	"strings"
 )
 
-// HostWhitelist checks whether a source host is allowed without a signature.
-// Only exact host matches are supported. Signatures are per-URL, so
-// wildcard/suffix matching is intentionally not provided.
+// HostWhitelist implements the Whitelist interface for checking allowed source hosts.
 type HostWhitelist struct {
 	// exactHosts contains hosts that must match exactly (e.g., "cdn.example.com")
 	exactHosts map[string]struct{}
+	// suffixHosts contains domain suffixes to match (e.g., ".example.com" matches "cdn.example.com")
+	suffixHosts []string
 }
 
-// NewHostWhitelist creates a whitelist from a list of hostnames.
-// Each entry is treated as an exact host match. Leading dots are
-// stripped so that legacy ".example.com" entries become "example.com".
+// NewHostWhitelist creates a whitelist from a list of host patterns.
+// Patterns starting with "." are treated as suffix matches.
+// Examples:
+//   - "cdn.example.com" - exact match only
+//   - ".example.com" - matches cdn.example.com, images.example.com, etc.
 func NewHostWhitelist(patterns []string) *HostWhitelist {
 	w := &HostWhitelist{
-		exactHosts: make(map[string]struct{}),
+		exactHosts:  make(map[string]struct{}),
+		suffixHosts: make([]string, 0),
 	}
 
 	for _, pattern := range patterns {
@@ -27,11 +30,9 @@ func NewHostWhitelist(patterns []string) *HostWhitelist {
 			continue
 		}
 
-		// Strip leading dot — suffix matching is no longer supported;
-		// ".example.com" is normalised to "example.com" as an exact entry.
-		pattern = strings.TrimPrefix(pattern, ".")
-
-		if pattern != "" {
+		if strings.HasPrefix(pattern, ".") {
+			w.suffixHosts = append(w.suffixHosts, pattern)
+		} else {
 			w.exactHosts[pattern] = struct{}{}
 		}
 	}
@@ -39,7 +40,7 @@ func NewHostWhitelist(patterns []string) *HostWhitelist {
 	return w
 }
 
-// IsWhitelisted checks if a URL's host is in the whitelist (exact match only).
+// IsWhitelisted checks if a URL's host is in the whitelist.
 func (w *HostWhitelist) IsWhitelisted(u *url.URL) bool {
 	if u == nil {
 		return false
@@ -50,17 +51,32 @@ func (w *HostWhitelist) IsWhitelisted(u *url.URL) bool {
 		return false
 	}
 
-	_, ok := w.exactHosts[host]
+	// Check exact match
+	if _, ok := w.exactHosts[host]; ok {
+		return true
+	}
 
-	return ok
+	// Check suffix match
+	for _, suffix := range w.suffixHosts {
+		if strings.HasSuffix(host, suffix) {
+			return true
+		}
+		// Also match if host equals the suffix without the leading dot
+		// e.g., pattern ".example.com" should match "example.com"
+		if host == strings.TrimPrefix(suffix, ".") {
+			return true
+		}
+	}
+
+	return false
 }
 
 // IsEmpty returns true if the whitelist has no entries.
 func (w *HostWhitelist) IsEmpty() bool {
-	return len(w.exactHosts) == 0
+	return len(w.exactHosts) == 0 && len(w.suffixHosts) == 0
 }
 
 // Count returns the total number of whitelist entries.
 func (w *HostWhitelist) Count() int {
-	return len(w.exactHosts)
+	return len(w.exactHosts) + len(w.suffixHosts)
 }

internal/imgcache/whitelist_test.go

@@ -31,41 +31,41 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
 			want:     false,
 		},
 		{
-			name:     "no suffix matching for subdomains",
-			patterns: []string{"example.com"},
+			name:     "suffix match",
+			patterns: []string{".example.com"},
 			testURL:  "https://cdn.example.com/image.jpg",
-			want:     false,
+			want:     true,
 		},
 		{
-			name:     "leading dot stripped to exact match",
+			name:     "suffix match deep subdomain",
+			patterns: []string{".example.com"},
+			testURL:  "https://cdn.images.example.com/image.jpg",
+			want:     true,
+		},
+		{
+			name:     "suffix match apex domain",
 			patterns: []string{".example.com"},
 			testURL:  "https://example.com/image.jpg",
 			want:     true,
 		},
 		{
-			name:     "leading dot does not enable suffix matching",
+			name:     "suffix match not found",
 			patterns: []string{".example.com"},
-			testURL:  "https://cdn.example.com/image.jpg",
+			testURL:  "https://notexample.com/image.jpg",
 			want:     false,
 		},
 		{
-			name:     "leading dot does not match deep subdomain",
+			name:     "suffix match partial not allowed",
 			patterns: []string{".example.com"},
-			testURL:  "https://cdn.images.example.com/image.jpg",
+			testURL:  "https://fakeexample.com/image.jpg",
 			want:     false,
 		},
 		{
-			name:     "multiple patterns exact only",
-			patterns: []string{"cdn.example.com", "photos.images.org", "static.test.net"},
+			name:     "multiple patterns",
+			patterns: []string{"cdn.example.com", ".images.org", "static.test.net"},
 			testURL:  "https://photos.images.org/image.jpg",
 			want:     true,
 		},
-		{
-			name:     "multiple patterns no suffix leak",
-			patterns: []string{"cdn.example.com", "images.org"},
-			testURL:  "https://photos.images.org/image.jpg",
-			want:     false,
-		},
 		{
 			name:     "empty whitelist",
 			patterns: []string{},
@@ -86,7 +86,7 @@ func TestHostWhitelist_IsWhitelisted(t *testing.T) {
 		},
 		{
 			name:     "whitespace in patterns",
-			patterns: []string{"  cdn.example.com  ", "  other.com  "},
+			patterns: []string{"  cdn.example.com  ", "  .other.com  "},
 			testURL:  "https://cdn.example.com/image.jpg",
 			want:     true,
 		},
@@ -139,11 +139,6 @@ func TestHostWhitelist_IsEmpty(t *testing.T) {
 			patterns: []string{"example.com"},
 			want:     false,
 		},
-		{
-			name:     "leading dot normalised to entry",
-			patterns: []string{".example.com"},
-			want:     false,
-		},
 	}
 
 	for _, tt := range tests {
@@ -173,14 +168,14 @@ func TestHostWhitelist_Count(t *testing.T) {
 			want:     3,
 		},
 		{
-			name:     "leading dots normalised to exact",
+			name:     "suffix hosts only",
 			patterns: []string{".a.com", ".b.com"},
 			want:     2,
 		},
 		{
-			name:     "mixed deduplication",
-			patterns: []string{"example.com", ".example.com"},
-			want:     1,
+			name:     "mixed",
+			patterns: []string{"exact.com", ".suffix.com"},
+			want:     2,
 		},
 	}