self/infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request 'master' (#43) from master into dev

Browse Source 
Reviewed-on: #43
This commit is contained in:
emmatveev 2025-06-01 19:39:33 +03:00
commit 05571ceb34
9 changed files with 156 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
.deploy-infra/deploy-prod.yaml
View File

@ -189,6 +189,35 @@ services:
parallelism: 1
order: start-first
keycloak:
image: quay.io/keycloak/keycloak
ports:
- "8443:3000"
environment:
KC_DB: postgres
KC_DB_URL: jdbc:postgresql://0.0.0.0:5432/keycloak
KC_DB_USERNAME: postgres
KC_DB_PASSWORD: $DB_PASSWORD_PROD
KC_HOSTNAME: keycloak.sprinthub.ru
JAVA_OPTS_KC_HEAP: "-XX:MaxHeapFreeRatio=50 -XX:MaxRAMPercentage=65"
command: start
deploy:
mode: replicated
placement:
constraints: [node.labels.stage == production]
restart_policy:
condition: any
update_config:
parallelism: 1
order: start-first
resources:
limits:
cpus: '1.0'
memory: 250M
reservations:
cpus: '0.50'
memory: 125M
volumes:
minio_data:
driver: local

29
.deploy-nginx/deploy-dev.yaml Normal file
View File

@ -0,0 +1,29 @@
version: "3.6"
services:
nginx:
image: mathwave/sprint-repo:sprint-infra-nginx-dev
networks:
- common-infra-nginx-development
ports:
- published: 80
target: 80
mode: host
- published: 443
target: 443
mode: host
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: any
placement:
constraints: [node.labels.stage == development]
update_config:
parallelism: 1
# order: stop-first
networks:
common-infra-nginx-development:
external: true

29
.deploy-nginx/deploy-prod.yaml Normal file
View File

@ -0,0 +1,29 @@
version: "3.6"
services:
nginx:
image: mathwave/sprint-repo:sprint-infra-nginx-prod
networks:
- common-infra-nginx
ports:
- published: 80
target: 80
mode: host
- published: 443
target: 443
mode: host
deploy:
mode: replicated
replicas: 1
restart_policy:
condition: any
placement:
constraints: [node.labels.stage == production]
update_config:
parallelism: 1
# order: start-first
networks:
common-infra-nginx:
external: true

3
nginx/nginx-dev/Dockerfile
View File

@ -1,4 +1,7 @@
FROM nginx
RUN apt-get update
RUN apt-get install certbot --yes
RUN apt-get install python3-certbot-nginx --yes
COPY ./config /etc/nginx
COPY ./privkey.pem /etc/nginx/privkey.pem
COPY ./fullchain.pem /etc/nginx/fullchain.pem

40
nginx/nginx-dev/fullchain.pem
View File

@ -1,24 +1,24 @@
-----BEGIN CERTIFICATE-----
MIIDjTCCAxOgAwIBAgISBFOrEAaTGvrTDKdeolnTvP2tMAoGCCqGSM49BAMDMDIx
MIIDmTCCAx+gAwIBAgISBmM6pAg0qa3+cxLar5nvn27GMAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
NTAeFw0yNTAyMTMyMDMxMTNaFw0yNTA1MTQyMDMxMTJaMCExHzAdBgNVBAMMFiou
ZGV2ZWxvcC5zcHJpbnRodWIucnUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQW
CTHej6yeHgUhHJlGrI3/8cFlPdoVWeb4J+5DOaEKhpdeL90JWNMVIrbz4yaa9LTi
Yezrr5pXocvdS9fBT/zHo4ICGDCCAhQwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBRY
7KU/E/kLjq27+Bsr5myR/sry4TAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZw
i9LXDTBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUHMAGGFWh0dHA6Ly9lNS5vLmxl
bmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL2U1LmkubGVuY3Iub3JnLzAhBgNV
HREEGjAYghYqLmRldmVsb3Auc3ByaW50aHViLnJ1MBMGA1UdIAQMMAowCAYGZ4EM
AQIBMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAzPsPaoVxCWX+lZtTzumyfCLp
hVwNl422qX5UwP5MDbAAAAGVATe42wAABAMARzBFAiAvPfNaVjzr1bjZLfQuZku5
1raR2QS3oPhfFcYfsKzPAgIhAJ6E1t/yKiuc3JScuUl26S4+s2noeAGhmIxB/uk+
9KCMAHYATnWjJ1yaEMM4W2zU3z9S6x3w4I4bjWnAsfpksWKaOd8AAAGVATe4xwAA
BAMARzBFAiASyvhckbFMsgtb7FGbF2nl0KAboDqiJK9ekpHLu41YSQIhANJjOl3+
HHBPrLR2oMi3vE1jkJxhFYNeoQzxGGeKVstpMAoGCCqGSM49BAMDA2gAMGUCMQC2
4UIBvoCAl54QjeXlpadTbL5hE2bsh1bEF3XNtaIsVVlBFQZwly2fp2Qil9m34BcC
MEF4eFmSQmAjc++mRA9m4qo4P5KeeakU1ccrWEypfIHnLn/UtQlG8K2+ceAQc/9K
pg==
NTAeFw0yNTA1MzAyMTEzMjZaFw0yNTA4MjgyMTEzMjVaMCExHzAdBgNVBAMMFiou
ZGV2ZWxvcC5zcHJpbnRodWIucnUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATy
YXxx4cfN6ga0duaq7STjZxNwtFQ7c0ZAO+D7ulmdf/jpK8Xfkj5d0KMX0jhTmTEg
DUwvBMsH/fpyuuEdHNPWo4ICJDCCAiAwDgYDVR0PAQH/BAQDAgeAMB0GA1UdJQQW
MBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBT1
FLWsp0ksteuVXXd3pZokXOhj2DAfBgNVHSMEGDAWgBSfK1/PPCFPnQS37SssxMZw
i9LXDTAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAKGFmh0dHA6Ly9lNS5pLmxl
bmNyLm9yZy8wIQYDVR0RBBowGIIWKi5kZXZlbG9wLnNwcmludGh1Yi5ydTATBgNV
HSAEDDAKMAgGBmeBDAECATAtBgNVHR8EJjAkMCKgIKAehhxodHRwOi8vZTUuYy5s
ZW5jci5vcmcvNzEuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHYAEvFONL1T
ckyEBhnDjz96E/jntWKHiJxtMAWE6+WGJjoAAAGXI0B2OwAABAMARzBFAiBcMmQQ
PiKhuqhi3fs4yL6lfnQdZ1VlJTBifu8T6t4H3QIhAL/BdDUOafC+9nrlP7USrlCT
Oo1TA5JG/Yvxk5a/Oe1yAHYA7TxL1ugGwqSiAFfbyyTiOAHfUS/txIbFcA8g3bc+
P+AAAAGXI0CF1gAABAMARzBFAiAHI0Z170KObyMHOQM6w/GhsazTzUpBilyQnv/b
Wr+kdwIhALS4DQNUNfiJoea0wszwoTxcnowGI7Whx8qH4Ut6st88MAoGCCqGSM49
BAMDA2gAMGUCMGdO7CfUNB8wcMaHtED7/dy2ojOtofMze0kN0rzt2I/On55Ce84K
ZJ0Uj+Bcv/66qwIxAJ9YJTSJ1+owoICDbJekE+ejgzA+GgU2Z+RviZUTNXIdbWbX
etMXbXfP7WJPjxZ+ng==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw
@ -45,4 +45,4 @@ K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX
GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL
sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd
VQD9F6Na/+zmXCc=
-----END CERTIFICATE-----
-----END CERTIFICATE-----

8
nginx/nginx-dev/privkey.pem
View File

@ -1,5 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPXF013iLs5Jvxsj7K8xdzqyUBQxFILJ3dEyTriIJQaDoAoGCCqGSM49
AwEHoUQDQgAEFgkx3o+snh4FIRyZRqyN//HBZT3aFVnm+CfuQzmhCoaXXi/dCVjT
FSK28+MmmvS04mHs66+aV6HL3UvXwU/8xw==
-----END EC PRIVATE KEY-----
MHcCAQEEIPtfut2MheT8iyX6/EXDHHDR9yvtYLxMUg34mLeCpngpoAoGCCqGSM49
AwEHoUQDQgAE8mF8ceHHzeoGtHbmqu0k42cTcLRUO3NGQDvg+7pZnX/46SvF35I+
XdCjF9I4U5kxIA1MLwTLB/36crrhHRzT1g==
-----END EC PRIVATE KEY-----

38
nginx/nginx-prod/fullchain.pem
View File

@ -1,23 +1,23 @@
-----BEGIN CERTIFICATE-----
MIIDfDCCAwKgAwIBAgISA7RNvbxsQFQcAVy4rIt/qik2MAoGCCqGSM49BAMDMDIx
MIIDhzCCAw6gAwIBAgISBXELtGOqEI5IsXNFUC7cue03MAoGCCqGSM49BAMDMDIx
CzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQDEwJF
NTAeFw0yNTAyMTMyMTAzMzdaFw0yNTA1MTQyMTAzMzZaMBkxFzAVBgNVBAMMDiou
c3ByaW50aHViLnJ1MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnOOljp3cFclh
repAoo/OTovyU5RVDTKNc7p01odoygI5z4ZsIiiZL0lQ8Qfvj1fVlVtah9LPuz5c
hLMNK2KoLaOCAg8wggILMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUEvxI9gbpB3pH
nRkSwmBUDxbqiZMwHwYDVR0jBBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0wVQYI
KwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vZTUuby5sZW5jci5vcmcw
IgYIKwYBBQUHMAKGFmh0dHA6Ly9lNS5pLmxlbmNyLm9yZy8wGQYDVR0RBBIwEIIO
Ki5zcHJpbnRodWIucnUwEwYDVR0gBAwwCjAIBgZngQwBAgEwggEDBgorBgEEAdZ5
AgQCBIH0BIHxAO8AdQDehYHXUCR8a83Lr1Y3xeeBxkzkbtYXY5+PNKcmyeK9NwAA
AZUBVWFvAAAEAwBGMEQCIG/0w/LD2GbEa6OPYUzrQyQFbHvlCQHI8fZ9poUQ/79o
AiAQnczLXxcowqIYF+K5ppeDdVJjs9YfAX0l+7MlNiExOAB2ABNK3xq1mEIJeAxv
70x6kaQWtyNJzlhXat+u2qfCq+AiAAABlQFVYjEAAAQDAEcwRQIgSlaJ8jTrR4cb
E65bZZcqufKCDTsUIrasTjgB5wPR/CUCIQDKoTiZvY2J+CUOazRAMCLuKknvnlWb
15C9fsy1e5ZhXTAKBggqhkjOPQQDAwNoADBlAjEAh8H95ADLd8IXWPk2OG94VQ35
ukNHsIreck5DHo/0HxKBuD+mjp8SG/vEJ0UB/65iAjBywTkv3JeaLV1SX+QUUUiF
5aNTztnM6d3vHalb+pJJ0LtO32c1iY7pQ47wqXk8fbs=
NTAeFw0yNTA1MzAyMTQ3MzZaFw0yNTA4MjgyMTQ3MzVaMBkxFzAVBgNVBAMMDiou
c3ByaW50aHViLnJ1MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEoS3M+thgeup/
F6JS7kVNJCWee8xzLkoIUcZNgNqmoovVSP02K9azdDRAp+c2OlzJqJQC+ZefswCB
2xvjNSoL2aOCAhswggIXMA4GA1UdDwEB/wQEAwIHgDAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUu+3qfzUyaCAb
POu7GPUO6ZI2WfswHwYDVR0jBBgwFoAUnytfzzwhT50Et+0rLMTGcIvS1w0wMgYI
KwYBBQUHAQEEJjAkMCIGCCsGAQUFBzAChhZodHRwOi8vZTUuaS5sZW5jci5vcmcv
MBkGA1UdEQQSMBCCDiouc3ByaW50aHViLnJ1MBMGA1UdIAQMMAowCAYGZ4EMAQIB
MC0GA1UdHwQmMCQwIqAgoB6GHGh0dHA6Ly9lNS5jLmxlbmNyLm9yZy81Ni5jcmww
ggEDBgorBgEEAdZ5AgQCBIH0BIHxAO8AdgDd3Mo0ldfhFgXnlTL6x5/4PRxQ39sA
OhQSdgosrLvIKgAAAZcjX78RAAAEAwBHMEUCIDNC6e7jNcTXW1bti1nkseruXw84
b8dsVzBt96FtE4+aAiEAr7ugvtozhmp6JdkIEfdHKecym9TxcL1h43j6rbKU3d8A
dQAaBP9J0FQdQK/2oMO/8djEZy9O7O4jQGiYaxdALtyJfQAAAZcjX8BoAAAEAwBG
MEQCIDezeAIFZ25OWXVV9hmtzEE5ujP0IyFaLxebyXAflYZMAiAy09hFLQXapebE
5YDtvqfmefapEsr4OaWyfusWjmeaiDAKBggqhkjOPQQDAwNnADBkAjAobO18Vk18
BG7lBbXEQ0O8RYy+CEV/ef1ni2CBQp+MtmG/ZCWAbfEXFaj2WKng5Q0CMFRR9icx
p6/tLUixnJfAusGudEtD5Leh2foPDT2jzgazaROaVFVTrCJMGcdgVukuPQ==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEVzCCAj+gAwIBAgIRAIOPbGPOsTmMYgZigxXJ/d4wDQYJKoZIhvcNAQELBQAw
@ -44,4 +44,4 @@ K1BcaJ6fJZsmbjRgD5p3mvEf5vdQM7MCEvU0tHbsx2I5mHHJoABHb8KVBgWp/lcX
GWiWaeOyB7RP+OfDtvi2OsapxXiV7vNVs7fMlrRjY1joKaqmmycnBvAq14AEbtyL
sVfOS66B8apkeFX2NY4XPEYV4ZSCe8VHPrdrERk2wILG3T/EGmSIkCYVUMSnjmJd
VQD9F6Na/+zmXCc=
-----END CERTIFICATE-----
-----END CERTIFICATE-----

19
nginx/nginx-prod/nginx-prod.conf
View File

@ -164,6 +164,25 @@ http {
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name keycloak.sprinthub.ru;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://dev.sprinthub.ru:8443/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;

8
nginx/nginx-prod/privkey.pem
View File

@ -1,5 +1,5 @@
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEINNyhRc5/bs0M7kOOl2bh1BkcFyHG6m0+VSVNuMEN+E1oAoGCCqGSM49
AwEHoUQDQgAEnOOljp3cFclhrepAoo/OTovyU5RVDTKNc7p01odoygI5z4ZsIiiZ
L0lQ8Qfvj1fVlVtah9LPuz5chLMNK2KoLQ==
-----END EC PRIVATE KEY-----
MHcCAQEEIL0TAduonJLmbcDpRxDjSfa8bMIqLOh1KQcGQvAeQTIQoAoGCCqGSM49
AwEHoUQDQgAEoS3M+thgeup/F6JS7kVNJCWee8xzLkoIUcZNgNqmoovVSP02K9az
dDRAp+c2OlzJqJQC+ZefswCB2xvjNSoL2Q==
-----END EC PRIVATE KEY-----