diff --git a/.deploy-infra/deploy-dev.yaml b/.deploy-infra/deploy-dev.yaml index c2ec820..645b139 100644 --- a/.deploy-infra/deploy-dev.yaml +++ b/.deploy-infra/deploy-dev.yaml @@ -31,6 +31,7 @@ services: image: clickhouse networks: - clickhouse-development + - common-infra-nginx-development volumes: - /sprint-data/clickhouse:/var/lib/clickhouse environment: diff --git a/.deploy-infra/deploy-prod.yaml b/.deploy-infra/deploy-prod.yaml old mode 100644 new mode 100755 index 249bd18..887f027 --- a/.deploy-infra/deploy-prod.yaml +++ b/.deploy-infra/deploy-prod.yaml @@ -27,6 +27,29 @@ services: parallelism: 1 # order: start-first + grafana: + image: grafana/grafana + networks: + - common-infra-nginx + - clickhouse + volumes: + - /sprint-data/grafana:/var/lib/grafana + environment: + GF_SERVER_ROOT_URL: https://grafana.chocomarsh.com + GF_CORS_ENABLED: "false" + GF_AUTH_DISABLE_LOGIN_FORM: "false" + GF_CORS_ALLOW_ORIGINS: "*" + GF_SECURITY_CONTENT_SECURITY_POLICY: "false" + deploy: + mode: replicated + replicas: 1 + restart_policy: + condition: any + placement: + constraints: [node.labels.stage == production] + update_config: + parallelism: 1 + clickhouse: image: clickhouse networks: diff --git a/.gitea/workflows/deploy-prod.yaml b/.gitea/workflows/deploy-prod.yaml index 613ea59..5a3e0d5 100644 --- a/.gitea/workflows/deploy-prod.yaml +++ b/.gitea/workflows/deploy-prod.yaml @@ -16,7 +16,7 @@ jobs: - name: checkout uses: actions/checkout@v4 with: - ref: dev + ref: prod - name: build nginx prod run: docker build -t mathwave/sprint-repo:sprint-infra-nginx-prod nginx/nginx-prod - name: build gitea runner @@ -40,7 +40,7 @@ jobs: - name: checkout uses: actions/checkout@v4 with: - ref: dev + ref: prod - name: prepare run: chmod 777 ./prepare/run-production.sh && ./prepare/run-production.sh deploy-prod: diff --git a/nginx/nginx-dev/prepare.py b/nginx/nginx-dev/prepare.py index 1f4671b..c0d7946 100644 --- a/nginx/nginx-dev/prepare.py +++ b/nginx/nginx-dev/prepare.py 
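Review bot: Attaching ClickHouse to `common-infra-nginx-development` makes its listeners reachable from every service on that shared network, not only the reverse proxy, and it is the opposite shape from the prod hunk in this same commit, where Grafana joins the `clickhouse` network instead of ClickHouse joining the nginx one. If the dev goal is only Grafana-to-ClickHouse access, the existing `clickhouse-development` network already provides it and the extra membership can be dropped; if dev genuinely needs nginx in front of ClickHouse's HTTP interface, a one-line comment above the entry saying so would spare the next reader the question. The service's `environment:` block continues past the hunk, so I cannot see whether a password is set for the default user.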
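Review bot: The new `grafana` service sets `GF_CORS_ALLOW_ORIGINS: "*"` while `GF_CORS_ENABLED` is `"false"`, which is contradictory, and as far as I can tell `GF_CORS_*` is not a documented Grafana setting, so confirm these keys are consumed at all and otherwise drop them. `GF_SECURITY_CONTENT_SECURITY_POLICY: "false"` leaves Grafana's CSP header off; unless something embeds Grafana cross-origin, `"true"` is the safer value for a service published at the public `GF_SERVER_ROOT_URL`. Nothing here sets the initial admin credential, so the first start relies on Grafana's built-in default login; `GF_SECURITY_ADMIN_PASSWORD__FILE` pointing at a Docker secret keeps it out of the compose file. The mode change 100644→100755 on a YAML file looks accidental.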
@@ -43,7 +43,10 @@ for host, params in hosts.items(): add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; location / {{ resolver 127.0.0.11; diff --git a/nginx/nginx-prod/prepare.py b/nginx/nginx-prod/prepare.py index d4ea956..10566b0 100644 --- a/nginx/nginx-prod/prepare.py +++ b/nginx/nginx-prod/prepare.py @@ -43,7 +43,10 @@ for host, params in hosts.items(): add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; location / {{ resolver 127.0.0.11; diff --git a/prepare/run-production.sh b/prepare/run-production.sh index c28854d..7e3d074 100644 --- a/prepare/run-production.sh +++ b/prepare/run-production.sh @@ -5,6 +5,7 @@ docker network create -d overlay --attachable common-infra-nginx-development || docker network create -d overlay --attachable queues || true docker network create -d overlay --attachable queues-development || true docker network create -d overlay --attachable configurator || true +docker network create -d overlay --attachable monitoring || true docker network create -d overlay --attachable configurator-development || true docker network create -d overlay --attachable clickhouse || true docker network create -d overlay --attachable clickhouse-development || true 
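Review bot: The four new `proxy_set_header` lines sit at server level above `location /`, and nginx only inherits them into a location that declares no `proxy_set_header` of its own, so if the `location /` body (which continues past the hunk) already has one they are silently ignored there — check, or move them inside the location. The dropped `Content-Security-Policy` was effectively permissive (`default-src *` with `'unsafe-inline'`/`'unsafe-eval'`), so little is lost, but nothing replaces it; a template comment such as `# CSP intentionally left to the upstream application` would record that this is deliberate. Since `$proxy_add_x_forwarded_for` appends to any client-supplied `X-Forwarded-For`, upstreams should take the client address from `X-Real-IP` rather than the first XFF entry. The adjacent context line `Referrer-Policy "no-refferer-when-downgrade"` misspells the token (`no-referrer-when-downgrade`), so browsers ignore that header. The same hunk appears in `nginx/nginx-prod/prepare.py`, and the enclosing `for host, params in hosts.items():` loop starts before the hunk.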
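Review bot: The new `monitoring` overlay network is created here but no service in this commit joins it — the Grafana service added in `.deploy-infra/deploy-prod.yaml` uses `common-infra-nginx` and `clickhouse` instead. Either attach Grafana to `monitoring` (and ClickHouse, if that is the intended path) or drop the line, since an unreferenced `--attachable` network only adds a place for things to be attached later without review. If a stack outside this diff consumes it, a trailing comment naming that consumer would make the intent visible.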
@@ -14,7 +15,9 @@ mkdir /sprint-data/rabbitmq || true
 mkdir /sprint-data/certs || true
 mkdir /sprint-data/gitea || true
 mkdir /sprint-data/clickhouse || true
+mkdir /sprint-data/grafana || true
 chmod 777 /sprint-data/redis
 chmod 777 /sprint-data/rabbitmq
 chmod 777 /sprint-data/gitea
 chmod 777 /sprint-data/clickhouse
+chmod 777 /sprint-data/grafana
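Review bot: `chmod 777 /sprint-data/grafana` makes Grafana's dashboard database and plugin directory world-writable on the host; the `grafana/grafana` image runs as uid 472, so `chown 472:472 /sprint-data/grafana` (or a matching `user:` on the service) gives the container write access without opening the directory to every local account. The existing `chmod 777` lines have the same issue, but this hunk should not add another one. `mkdir ... || true` also masks a real failure such as a file already occupying the path; `mkdir -p /sprint-data/grafana` is the idiom that tolerates an existing directory without hiding other errors.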