self/infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix
All checks were successful
Deploy Prod / Build (pull_request) Successful in 8s
Details
Deploy Prod / Push (pull_request) Successful in 15s
Details
Deploy Prod / prepare (pull_request) Successful in 3s
Details
Deploy Prod / Deploy prod (pull_request) Successful in 30s
Details

Browse Source
This commit is contained in:
Egor Matveev 2025-06-12 13:26:50 +03:00
parent 1f3bdc2bd3
commit e174ff26c4
4 changed files with 55 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nginx/nginx-prod/Dockerfile
View File

@ -2,7 +2,7 @@ FROM nginx
RUN apt-get update
RUN apt-get install certbot --yes
RUN apt-get install python3-certbot-nginx python3-pip --yes
RUN pip3 install --break-system-packages requests minio
RUN pip3 install --break-system-packages minio
COPY ./config /etc/nginx
COPY ./fullchain.pem /etc/nginx/fullchain.pem
COPY ./privkey.pem /etc/nginx/privkey.pem

13
nginx/nginx-prod/config/nginx.conf
View File

@ -7,7 +7,18 @@ http {
default upgrade;
'' close;
}
server {
listen 80;
server_name *.sprinthub.ru;
return 301 https://$host$request_uri;
}
server {
listen 80;
server_name *.chocomarsh.com;
return 301 https://$host$request_uri;
}
include ./hosts.conf;
include ./sprinthub.conf;
}

96
nginx/nginx-prod/config/sprinthub.conf
View File

@ -1,96 +0,0 @@
server {
listen 80;
server_name *.sprinthub.ru;
return 301 https://$host$request_uri;
}
server {
listen 80;
server_name *.chocomarsh.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name swarmpit.sprinthub.ru;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://dev.sprinthub.ru:888/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name portainer.sprinthub.ru;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://dev.sprinthub.ru:8888/;
}
location /api/websocket/ {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_pass http://dev.sprinthub.ru:8888/api/websocket/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name minio.sprinthub.ru;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://dev.sprinthub.ru:9001/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name gitea.sprinthub.ru;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://dev.sprinthub.ru:3000/;
}
}

59
nginx/nginx-prod/prepare.py
View File

@ -1,6 +1,8 @@
from requests import get
import os
import sys
from minio import Minio
from urllib.request import urlopen
from json import loads
minio_client = Minio(
@ -11,9 +13,20 @@ minio_client = Minio(
)
hosts = get(
"http://configurator/api/v1/fetch?project=certupdater&stage=production"
).json()["configs"]["hosts"]
def get(url):
with urlopen(url) as response:
data = response.read().decode("utf-8")
return loads(data)
try:
response = get(
"http://configurator/api/v1/fetch?project=certupdater&stage=production"
)
hosts = response["configs"]["hosts"]
except Exception as e:
print(f"Error fetching config: {e}", file=sys.stderr)
sys.exit(1)
config = ""
for host, params in hosts.items():
@ -40,18 +53,30 @@ for host, params in hosts.items():
""".format(
host=host, target_host=params["host"], port=params["port"]
)
fullchain = minio_client.get_object(
"certupdater", f"certificates/{host}/fullchain.pem"
)
privkey = minio_client.get_object("certupdater", f"certificates/{host}/privkey.pem")
try:
os.mkdir(f"/etc/nginx/{host}")
except FileExistsError:
...
with open(f"/etc/nginx/{host}/fullchain.pem", "wb") as fp:
fp.write(fullchain.data)
with open(f"/etc/nginx/{host}/privkey.pem", "wb") as fp:
fp.write(privkey.data)
fullchain = minio_client.get_object(
"certupdater", f"certificates/{host}/fullchain.pem"
)
privkey = minio_client.get_object(
"certupdater", f"certificates/{host}/privkey.pem"
)
try:
os.makedirs(f"/etc/nginx/{host}", exist_ok=True)
except OSError as e:
print(f"Error creating directory: {e}", file=sys.stderr)
continue
with open("/etc/nginx/hosts.conf", "w") as fp:
fp.write(config)
with open(f"/etc/nginx/{host}/fullchain.pem", "wb") as fp:
fp.write(fullchain.data)
with open(f"/etc/nginx/{host}/privkey.pem", "wb") as fp:
fp.write(privkey.data)
except Exception as e:
print(f"Error processing host {host}: {e}", file=sys.stderr)
continue
try:
with open("/etc/nginx/hosts.conf", "w") as fp:
fp.write(config)
except Exception as e:
print(f"Error writing config file: {e}", file=sys.stderr)
sys.exit(1)