diff --git a/.deploy-infra/deploy-prod.yaml b/.deploy-infra/deploy-prod.yaml index 6c5ac31..5776cc3 100644 --- a/.deploy-infra/deploy-prod.yaml +++ b/.deploy-infra/deploy-prod.yaml @@ -6,6 +6,9 @@ services: image: mathwave/sprint-repo:sprint-infra-nginx-prod networks: - common-infra-nginx + - configurator + environment: + MINIO_SECRET_KEY: $MINIO_SECRET_KEY_PROD ports: - published: 80 target: 80 diff --git a/.gitea/workflows/deploy-prod.yaml b/.gitea/workflows/deploy-prod.yaml index d76b613..b055f86 100644 --- a/.gitea/workflows/deploy-prod.yaml +++ b/.gitea/workflows/deploy-prod.yaml @@ -63,6 +63,7 @@ jobs: MONGO_PASSWORD_PROD: ${{ secrets.MONGO_PASSWORD_PROD }} DB_PASSWORD_PROD: ${{ secrets.POSTGRES_PASSWORD_PROD }} MINIO_PASSWORD_PROD: ${{ secrets.MINIO_PASSWORD_PROD }} + MINIO_SECRET_KEY_PROD: ${{ secrets.MINIO_SECRET_KEY_PROD }} REDIS_PASSWORD_PROD: ${{ secrets.REDIS_PASSWORD_PROD }} RABBITMQ_PASSWORD_PROD: ${{ secrets.RABBITMQ_PASSWORD_PROD }} REGISTRATION_TOKEN: ${{ secrets.REGISTRATION_TOKEN }} diff --git a/nginx/nginx-prod/Dockerfile b/nginx/nginx-prod/Dockerfile index 19ac378..d5818df 100644 --- a/nginx/nginx-prod/Dockerfile +++ b/nginx/nginx-prod/Dockerfile @@ -1,10 +1,13 @@ FROM nginx RUN apt-get update RUN apt-get install certbot --yes -RUN apt-get install python3-certbot-nginx --yes -RUN mkdir /etc/allinvest -COPY ./nginx-prod.conf /etc/nginx/nginx.conf -COPY ./privkey.pem /etc/nginx/privkey.pem +RUN apt-get install python3-certbot-nginx python3-pip --yes +RUN pip3 install --break-system-packages requests minio +COPY ./config /etc/nginx COPY ./fullchain.pem /etc/nginx/fullchain.pem -COPY ./allinvest/privkey.pem /etc/allinvest/privkey.pem -COPY ./allinvest/fullchain.pem /etc/allinvest/fullchain.pem \ No newline at end of file +COPY ./privkey.pem /etc/nginx/privkey.pem +COPY prepare.py prepare.py +COPY run.sh run.sh +ENV PYTHONUNBUFFERED=1 +RUN chmod 777 run.sh +ENTRYPOINT ["./run.sh"] \ No newline at end of file diff --git a/nginx/nginx-prod/allinvest/fullchain.pem b/nginx/nginx-prod/allinvest/fullchain.pem deleted file mode 100644 index de29c73..0000000 --- a/nginx/nginx-prod/allinvest/fullchain.pem +++ /dev/null @@ -1,90 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIE5TCCA82gAwIBAgISBLLA45sg/IhDBwA/vxe7YIKrMA0GCSqGSIb3DQEBCwUA -MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD -EwJSMzAeFw0yNDAyMDMyMTI1NDdaFw0yNDA1MDMyMTI1NDZaMBcxFTATBgNVBAMT -DHlvdXJnb2xzLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANFC -SqAyzSV1BHFSqKxH3GuLEVRgxUABAhveeLWOTJt3xrKTNhdgaP4fD8CZF5vmgFqx -M/Zk4mizZ9FEQeKnrmlhAL643OaGRTVwN1FfBEfvr/fT3AQD0HQB55OSsUReSFUn -yT9vR2cv+r/f6EU78Uw/svvTD7M0vY/uRfOc2qWv+I6dGsoS32iDQmsYlOK4HKWX -mfBTuGSCJKcec1nviehXXrGFP4YJa3gs6RzWTtGXxGgI0lG9O366RszkKZKVJICh -BH+YWV9KJ1hzgmRWlRJgs4t14MO2Dxw5Mu1G08WbaEQGvE7RgcBCNY8sV1K1Bx/P -NUPRsSPT6rIsX3MhQ4sCAwEAAaOCAg4wggIKMA4GA1UdDwEB/wQEAwIFoDAdBgNV -HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E -FgQUcY+9gyWVjqP8S2owFnPbtwbiZ1QwHwYDVR0jBBgwFoAUFC6zF7dYVsuuUAlA -5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8vcjMu -by5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9yZy8w -FwYDVR0RBBAwDoIMeW91cmdvbHMuY29tMBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIB -BAYKKwYBBAHWeQIEAgSB9QSB8gDwAHUAO1N3dT4tuYBOizBbBv5AO2fYT8P0x70A -DS1yb+H61BcAAAGNcRPt8gAABAMARjBEAiAMpD5lfh43xD1tAvsSa20OQ4LsQ8Kt -YBvl5svUTuGrHAIgPveMh3yZ6z+QLW1k8Lv7z1kyXsxSvCUQrX16k7m1V8kAdwCi -4r/WHt4vLweg1k5tN6fcZUOwxrUuotq3iviabfUX2AAAAY1xE+3xAAAEAwBIMEYC -IQD+hmWzWe0y9M8xYKvuhySnHN6AWKQpvJgTqBsCFiiy5QIhANM0ce+SEC4BlY8m -QAIGNXbAjlKU28q66EcTuSjji227MA0GCSqGSIb3DQEBCwUAA4IBAQAAfH8lbwUk -JD6voPBGCTt7XSZPl9dq4LdmOLV3bsfjtqWOeGNCznBYKfRZO/UJ/srekCjapzKy -DAmv0dl/tvBGfqhU/emOtKsq9AE0J7RqzF9SQPrVzq/VxWXGCCmtxUHEAlNk/lrg -PqxpTUZdLpeBEbNvtloSaUEpe8mkFcFhw7TZVtdkpn+pHRlltqXry/8BekFPQR5Y -qgI8akm2rXOV616MnF81DhIUVY4n6t4SVsDjSk69iDnKG97PJJK5yqsEfdZFiDRK -PlhHTYwOsypaP/JMuanK8eGjnNR9pA40DEjAJO0kvE3IE7dHD3R1iGkXjr7wIkKw -5NjP9yOv01mH ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw -WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg -RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK -AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP -R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx -sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm -NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg -Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG -/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC -AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB -Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA -FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw -Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB -gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W -PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl -ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz -CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm -lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4 -avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2 -yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O -yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids -hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+ -HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv -MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX -nLRbwHOoq7hHwg== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/ -MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT -DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow -TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh -cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC -ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL -wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D -LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK -4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5 -bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y -sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ -Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4 -FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc -SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql -PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND -TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw -SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1 -c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx -+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB -ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu -b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E -U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu -MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC -5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW -9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG -WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O -he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC -Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5 ------END CERTIFICATE----- diff --git a/nginx/nginx-prod/allinvest/privkey.pem b/nginx/nginx-prod/allinvest/privkey.pem deleted file mode 100755 index 1efe87d..0000000 --- a/nginx/nginx-prod/allinvest/privkey.pem +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDRQkqgMs0ldQRx -UqisR9xrixFUYMVAAQIb3ni1jkybd8aykzYXYGj+Hw/AmReb5oBasTP2ZOJos2fR -REHip65pYQC+uNzmhkU1cDdRXwRH76/309wEA9B0AeeTkrFEXkhVJ8k/b0dnL/q/ -3+hFO/FMP7L70w+zNL2P7kXznNqlr/iOnRrKEt9og0JrGJTiuByll5nwU7hkgiSn -HnNZ74noV16xhT+GCWt4LOkc1k7Rl8RoCNJRvTt+ukbM5CmSlSSAoQR/mFlfSidY -c4JkVpUSYLOLdeDDtg8cOTLtRtPFm2hEBrxO0YHAQjWPLFdStQcfzzVD0bEj0+qy -LF9zIUOLAgMBAAECggEANWFhxAfxiRKWtYnOeVRDiDOLkii1aKRZM17HEBlitW4S -g89FxyTS47BsxkbHXP+p0njNtpb5opfRbfKpk/YOaddS51QlFbE+ymj704gXgXpF -O0USJPwMGuu5dU3AZp5eeUqS7dmnL01v+65UhATMgxTkxZSLtr1HdgXkVka3B/ir -Q/iqR4ftt+qT0a9mzXQOxgdN7qnNwVNO1uJi87C6fQBRB6F724U5SJyOTMl9R6ZS -+JZ9Oz5xxoGLA/Nftn078uMjf2ymWfOqicHYeXxfPYllXNuRsIf7NA00F0orwF15 -TWBZLB5GbkOIP7k7vzabZMCbGmf42XYtt1oFYIssIQKBgQD7aB8cUDVdE47VOX4p -+Bf2ilMJA2d+KsCA3uYw5VQjjxBbfN+nChOx6e6eSmy2MMtH2ECG2IgW04FDbHtZ -y2tbmRY3XIl+4dos+6ybbiYeYKRcHOQiXbjFK9ml1NpDcuLMHE3a6v0gFB8N0iB4 -J3u6h9+kHe3LGPzIVDGbITWi4wKBgQDVFQleHfRWM9/hebU8/tshY4sRJ9nA9haI -F/NDMHhE+IyX9JHxGXtVE0ihOh0+0PLKLwtOepc4vqZaquKVnzZ82+sc+C4Iqg8K -S+1NoRFOZG1AlM53UI51ZXLvXZp8gAdDBXzwBZpWZNdhJHJSnuwVI+UoDkrAQkmn -/n4jzV01OQKBgQCH8pr4JYtlxIC1XryRl13l7JDQS+339MhaJ66UfD5OaDtxLYqH -elSCHbzyDc7RinsyY4cpJAgbR84blprxSKXKR3MTBtA3M4xWTNXeyuaEAMCAKwNW -bhXPUVIFcZ+BX6uysg+LtQyh/x93ysvSDY/Do1vVFHYVIHL5JUYZ3BBz/wKBgQDT -oCYCnJtr9e9Xn6oZ30BBg/y9WCfTllVAaxEGXSBF19jCnntHyjgMga9zuSUMmzdX -CKwhEG4aRHcxu2B4m3zhOwXiarZFkqiHYGtZ2ys2AVXkeyYnqBEklVI2W2+wUPNl -ZBD2zYnAXjzu1OTaG857HIBebPtewTcoKwCajD8TOQKBgQDr07j3sx5nQsg4kHmR -kBvHHjq7kQ1pEItrD/CfLsZ7Ntip4L82UzdZm/hhdM/12fB+wLu8HcZzvY5H1J+3 -IlkKYhAAe8lgzE7hYupVD9QtdFBuNsAnQfT+VV4JnZNDVZHXfnhz19KJ+iIvqton -8WCEnmpiIKyt+Lq+Ol3n7PDMIw== ------END PRIVATE KEY----- diff --git a/nginx/nginx-prod/config/nginx.conf b/nginx/nginx-prod/config/nginx.conf new file mode 100644 index 0000000..97c6f16 --- /dev/null +++ b/nginx/nginx-prod/config/nginx.conf @@ -0,0 +1,13 @@ +events {} + +http { + client_max_body_size 50m; + + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + include ./hosts.conf; + include ./sprinthub.conf; +} \ No newline at end of file diff --git a/nginx/nginx-prod/config/sprinthub.conf b/nginx/nginx-prod/config/sprinthub.conf new file mode 100644 index 0000000..5e428d9 --- /dev/null +++ b/nginx/nginx-prod/config/sprinthub.conf @@ -0,0 +1,111 @@ + + server { + listen 80; + server_name *.sprinthub.ru; + return 301 https://$host$request_uri; + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name swarmpit.sprinthub.ru; + + ssl_certificate /etc/nginx/fullchain.pem; + ssl_certificate_key /etc/nginx/privkey.pem; + + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-refferer-when-downgrade" always; + add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; + + location / { + proxy_pass http://dev.sprinthub.ru:888/; + } + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name portainer.sprinthub.ru; + + ssl_certificate /etc/nginx/fullchain.pem; + ssl_certificate_key /etc/nginx/privkey.pem; + + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-refferer-when-downgrade" always; + add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; + + location / { + proxy_pass http://dev.sprinthub.ru:8888/; + } + + location /api/websocket/ { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $host; + proxy_pass http://dev.sprinthub.ru:8888/api/websocket/; + } + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name minio.sprinthub.ru; + + ssl_certificate /etc/nginx/fullchain.pem; + ssl_certificate_key /etc/nginx/privkey.pem; + + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-refferer-when-downgrade" always; + add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; + + location / { + proxy_pass http://dev.sprinthub.ru:9001/; + } + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name gitea.sprinthub.ru; + + ssl_certificate /etc/nginx/fullchain.pem; + ssl_certificate_key /etc/nginx/privkey.pem; + + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-refferer-when-downgrade" always; + add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; + + location / { + proxy_pass http://dev.sprinthub.ru:3000/; + } + } + + server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name ~^(?.*)\.sprinthub\.ru$; + + resolver 127.0.0.11 ipv6=off; + + ssl_certificate /etc/nginx/fullchain.pem; + ssl_certificate_key /etc/nginx/privkey.pem; + + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-refferer-when-downgrade" always; + add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; + proxy_set_header X-Real-IP $remote_addr; + location / { + proxy_pass http://$domain-nginx:1238$request_uri; + } + } diff --git a/nginx/nginx-prod/nginx-prod.conf b/nginx/nginx-prod/nginx-prod.conf deleted file mode 100644 index 91852d0..0000000 --- a/nginx/nginx-prod/nginx-prod.conf +++ /dev/null @@ -1,236 +0,0 @@ -events {} - -http { - client_max_body_size 150m; - - map $http_upgrade $connection_upgrade { - default upgrade; - '' close; - } - - server { - listen 80; - server_name gitlab.sprinthub.ru; - - location / { - proxy_pass http://dev.sprinthub.ru:1234/; - } - } - - server { - listen 80; - server_name *.sprinthub.ru; - return 301 https://$host$request_uri; - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name gitlab.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:1234/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name swarmpit.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:888/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name portainer.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:8888/; - } - - location /api/websocket/ { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $host; - proxy_pass http://dev.sprinthub.ru:8888/api/websocket/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name rabbitmq.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:15672/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name swarmpit.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:15672/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name minio.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:9001/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name gitea.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:3000/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name keycloak.sprinthub.ru; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://dev.sprinthub.ru:8443/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name ~^(?.*)\.sprinthub\.ru$; - - resolver 127.0.0.11 ipv6=off; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - proxy_set_header X-Real-IP $remote_addr; - location / { - proxy_pass http://$domain-nginx:1238$request_uri; - } - } - - server { - listen 80; - server_name yourgols.com; - return 301 https://$host$request_uri; - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name yourgols.com; - - resolver 127.0.0.11 ipv6=off; - - ssl_certificate /etc/allinvest/fullchain.pem; - ssl_certificate_key /etc/allinvest/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - location / { - proxy_pass http://yourgols-nginx:1238$request_uri; - } - } - -} diff --git a/nginx/nginx-prod/prepare.py b/nginx/nginx-prod/prepare.py new file mode 100644 index 0000000..cbc95d7 --- /dev/null +++ b/nginx/nginx-prod/prepare.py @@ -0,0 +1,49 @@ +from requests import get +import os +from minio import Minio + + +minio_client = Minio( + "minio.sprinthub.ru:9000", + access_key="serviceminioadmin", + secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"), + secure=False +) + + +hosts = get('http://configurator/api/v1/fetch?project=certupdater&stage=production').json()['configs']['hosts'] +hosts = list(set(hosts + ['platform.sprinthub.ru'])) + +config = '' +for host in hosts: + config += ''' + server {{ + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name {host}; + + ssl_certificate /etc/nginx/{host}/fullchain.pem; + ssl_certificate_key /etc/nginx/{host}/privkey.pem; + + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-refferer-when-downgrade" always; + add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; + + location / {{ + resolver 127.0.0.11; + proxy_pass http://{pre_domain}-nginx:1238$request_uri; + }} + }}\n\n + '''.format(host=host, pre_domain=host.split('.')[0]) + fullchain = minio_client.get_object("certupdater", f'certificates/{host}/fullchain.pem') + privkey = minio_client.get_object("certupdater", f'certificates/{host}/privkey.pem') + os.mkdir(f'/etc/nginx/{host}') + with open(f"/etc/nginx/{host}/fullchain.pem", 'wb') as fp: + fp.write(fullchain.data) + with open(f"/etc/nginx/{host}/privkey.pem", 'wb') as fp: + fp.write(privkey.data) + +with open('/etc/nginx/hosts.conf', 'w') as fp: + fp.write(config) diff --git a/nginx/nginx-prod/run.sh b/nginx/nginx-prod/run.sh new file mode 100644 index 0000000..55dfbaa --- /dev/null +++ b/nginx/nginx-prod/run.sh @@ -0,0 +1,4 @@ +#!/bin/bash + +python3 prepare.py +/docker-entrypoint.sh nginx -g 'daemon off;' \ No newline at end of file