Merge pull request 'master' (#45) from master into dev

Reviewed-on: #45
2025-06-02 01:36:18 +03:00 · 2025-06-02 01:36:18 +03:00 · 500d894e91
commit 500d894e91
parent 05571ceb34 a4b4bfbaeb
7 changed files with 60 additions and 165 deletions
--- a/.deploy-infra/deploy-dev.yaml
+++ b/.deploy-infra/deploy-dev.yaml
@ -6,6 +6,9 @@ services:
    image: mathwave/sprint-repo:sprint-infra-nginx-dev
    networks:
      - common-infra-nginx-development
+      - configurator
+    environment:
+      MINIO_SECRET_KEY: $MINIO_SECRET_KEY_DEV
    ports:
      - published: 80
        target: 80
@ -164,3 +167,5 @@ volumes:
 networks:
  common-infra-nginx-development:
    external: true
+  configurator:
+    external: true
--- a/.gitea/workflows/deploy-dev.yaml
+++ b/.gitea/workflows/deploy-dev.yaml
@ -59,6 +59,7 @@ jobs:
          MONGO_PASSWORD_DEV: ${{ secrets.MONGO_PASSWORD_DEV }}
          DB_PASSWORD_DEV: ${{ secrets.POSTGRES_PASSWORD_DEV }}
          MINIO_PASSWORD_DEV: ${{ secrets.MINIO_PASSWORD_DEV }}
+          MINIO_SECRET_KEY_DEV: ${{ secrets.MINIO_SECRET_KEY_DEV }}
          REDIS_PASSWORD_DEV: ${{ secrets.REDIS_PASSWORD_DEV }}
          RABBITMQ_PASSWORD_DEV: ${{ secrets.RABBITMQ_PASSWORD_DEV }}
          REGISTRATION_TOKEN: ${{ secrets.REGISTRATION_TOKEN }}
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
@ -2,6 +2,8 @@ FROM nginx
 RUN apt-get update
 RUN apt-get install certbot --yes
 RUN apt-get install python3-certbot-nginx --yes
+RUN pip3 install requests minio
 COPY ./config /etc/nginx
-COPY ./privkey.pem /etc/nginx/privkey.pem
-COPY ./fullchain.pem /etc/nginx/fullchain.pem
+COPY prepare.py prepare.py
+COPY run.sh run.sh
+CMD ["run.sh"]
--- a/nginx/nginx-dev/config/guavo.conf
+++ b/nginx/nginx-dev/config/guavo.conf
@ -1,162 +0,0 @@
-
-    # server {
-    #     listen 80;
-    #     server_name *.develop.guavo.tech;
-    #     return 301 https://$host$request_uri;
-    # }
-
-    server {
-        listen      443 ssl http2;
-        listen      [::]:443 ssl http2;
-        server_name swarmpit.develop.guavo.tech;
-
-        ssl_certificate     /etc/nginx/fullchain.pem;
-        ssl_certificate_key /etc/nginx/privkey.pem;
-
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header Referrer-Policy "no-refferer-when-downgrade" always;
-        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-
-        location / {
-            proxy_pass http://develop.guavo.tech:888/;
-        }
-    }
-
-    server {
-        listen      443 ssl http2;
-        listen      [::]:443 ssl http2;
-        server_name portainer.develop.guavo.tech;
-
-        ssl_certificate     /etc/nginx/fullchain.pem;
-        ssl_certificate_key /etc/nginx/privkey.pem;
-
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header Referrer-Policy "no-refferer-when-downgrade" always;
-        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-
-        location / {
-            proxy_pass http://develop.guavo.tech:8888/;
-        }
-
-        location /api/websocket/ {
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection $connection_upgrade;
-            proxy_set_header Host $host;
-            proxy_pass http://develop.guavo.tech:8888/api/websocket/;
-        }
-    }
-
-    server {
-        listen      443 ssl http2;
-        listen      [::]:443 ssl http2;
-        server_name rabbitmq.develop.guavo.tech;
-
-        ssl_certificate     /etc/nginx/fullchain.pem;
-        ssl_certificate_key /etc/nginx/privkey.pem;
-
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header Referrer-Policy "no-refferer-when-downgrade" always;
-        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-
-        location / {
-            proxy_pass http://develop.guavo.tech:15672/;
-        }
-    }
-
-    server {
-        listen      443 ssl http2;
-        listen      [::]:443 ssl http2;
-        server_name minio.develop.guavo.tech;
-
-        ssl_certificate     /etc/nginx/fullchain.pem;
-        ssl_certificate_key /etc/nginx/privkey.pem;
-
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header Referrer-Policy "no-refferer-when-downgrade" always;
-        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-
-        location / {
-            proxy_pass http://develop.guavo.tech:9001/;
-        }
-    }
-
-    server {
-        listen      443 ssl http2;
-        listen      [::]:443 ssl http2;
-        server_name grafana.develop.guavo.tech;
-
-        ssl_certificate     /etc/nginx/fullchain.pem;
-        ssl_certificate_key /etc/nginx/privkey.pem;
-
-        proxy_set_header Host $http_host;
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header Referrer-Policy "no-refferer-when-downgrade" always;
-        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-
-        location / {
-            proxy_pass http://develop.guavo.tech:3000/;
-        }
-
-        location /api/live/ws {
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection $connection_upgrade;
-            proxy_set_header Host $host;
-            proxy_pass http://develop.guavo.tech:3000/api/live/ws;
-        }
-    }
-
-    server {
-        listen      443 ssl http2;
-        listen      [::]:443 ssl http2;
-        server_name ~^(?<domain>.*)\.develop\.guavo\.tech$;
-
-        resolver 127.0.0.11 ipv6=off;
-
-        ssl_certificate     /etc/nginx/fullchain.pem;
-        ssl_certificate_key /etc/nginx/privkey.pem;
-
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header Referrer-Policy "no-refferer-when-downgrade" always;
-        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-        proxy_set_header Host            $host;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header        X-Real-IP       $remote_addr;
-
-        location / {
-            proxy_pass http://$domain-nginx:1238$request_uri;
-        }
-    }
-
-    server {
-        listen      80;
-        server_name ~^(?<domain>.*)\.develop\.guavo\.tech$;
-
-        resolver 127.0.0.11 ipv6=off;
-
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-XSS-Protection "1; mode=block" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header Referrer-Policy "no-refferer-when-downgrade" always;
-        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
-        proxy_set_header Host            $host;
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header        X-Real-IP       $remote_addr;
-
-        location / {
-            proxy_pass http://$domain-nginx:1238$request_uri;
-        }
-    }
--- a/nginx/nginx-dev/config/nginx.conf
+++ b/nginx/nginx-dev/config/nginx.conf
@ -8,6 +8,6 @@ http {
        '' close;
    }
    
-    # include ./guavo.conf;
+    include ./hosts.conf;
    include ./sprinthub.conf;
 }
--- a/nginx/nginx-dev/prepare.py
+++ b/nginx/nginx-dev/prepare.py
@ -0,0 +1,47 @@
+from requests import get
+import os
+from minio import Minio
+
+
+minio_client = Minio(
+    "minio.develop.sprinthub.ru:9000",
+    access_key="serviceminioadmin",
+    secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"),
+    secure=False
+)
+
+
+hosts = get('http://configurator/api/v1/fetch?project=certupdater&stage=development').json()['configs']['hosts']
+hosts = list(set(hosts + ['platform.develop.sprinthub.ru']))
+
+config = ''
+for host in hosts:
+    config += '''
+        server \{
+            listen      443 ssl http2;
+            listen      [::]:443 ssl http2;
+            server_name {0};
+
+            ssl_certificate     /etc/nginx/{0}/fullchain.pem;
+            ssl_certificate_key /etc/nginx/{0}/privkey.pem;
+
+            add_header X-Frame-Options "SAMEORIGIN" always;
+            add_header X-XSS-Protection "1; mode=block" always;
+            add_header X-Content-Type-Options "nosniff" always;
+            add_header Referrer-Policy "no-refferer-when-downgrade" always;
+            add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+            location / \{
+                proxy_pass http://{1}-nginx:1238$request_uri;
+            \}
+        \}\n\n
+    '''.format(host, host.split('.')[0])
+    fullchain = minio_client.get_object("certupdater", f'certificates/{host}/fullchain.pem')
+    privkey = minio_client.get_object("certupdater", f'certificates/{host}/privkey.pem')
+    with open(f"/etc/nginx/{host}/fullchain.pem", 'wb') as fp:
+        fp.write(fullchain.data)
+    with open(f"/etc/nginx/{host}/privkey.pem", 'wb') as fp:
+        fp.write(privkey.data)
+
+with open('/etc/nginx/hosts.conf', 'w') as fp:
+    fp.write(config)
--- a/nginx/nginx-dev/run.sh
+++ b/nginx/nginx-dev/run.sh
@ -0,0 +1,2 @@
+python3 prepare.py
+nginx -g daemon off;