Merge pull request 'master' (#116) from master into dev

Reviewed-on: https://gitea.chocomarsh.com/self/infra/pulls/116

.deploy-infra/deploy-dev.yaml

@@ -31,6 +31,7 @@ services:
     image: clickhouse
     networks:
       - clickhouse-development
+      - common-infra-nginx-development
     volumes:
       - /sprint-data/clickhouse:/var/lib/clickhouse
     environment:

.deploy-infra/deploy-prod.yaml

@@ -27,6 +27,29 @@ services:
         parallelism: 1
         # order: start-first
 
+  grafana:
+    image: grafana/grafana
+    networks:
+      - common-infra-nginx
+      - clickhouse
+    volumes:
+      - /sprint-data/grafana:/var/lib/grafana
+    environment:
+      GF_SERVER_ROOT_URL: https://grafana.chocomarsh.com
+      GF_CORS_ENABLED: "false"
+      GF_AUTH_DISABLE_LOGIN_FORM: "false"
+      GF_CORS_ALLOW_ORIGINS: "*"
+      GF_SECURITY_CONTENT_SECURITY_POLICY: "false"
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: any
+      placement:
+        constraints: [node.labels.stage == production]
+      update_config:
+        parallelism: 1
+
   clickhouse:
     image: clickhouse
     networks:

.gitea/workflows/deploy-prod.yaml

@@ -16,7 +16,7 @@ jobs:
       - name: checkout
         uses: actions/checkout@v4
         with:
-          ref: dev
+          ref: prod
       - name: build nginx prod
         run: docker build -t mathwave/sprint-repo:sprint-infra-nginx-prod nginx/nginx-prod
       - name: build gitea runner
@@ -40,7 +40,7 @@ jobs:
       - name: checkout
         uses: actions/checkout@v4
         with:
-          ref: dev
+          ref: prod
       - name: prepare
         run: chmod 777 ./prepare/run-production.sh && ./prepare/run-production.sh
   deploy-prod:

nginx/nginx-dev/prepare.py

@@ -43,7 +43,10 @@ for host, params in hosts.items():
             add_header X-XSS-Protection "1; mode=block" always;
             add_header X-Content-Type-Options "nosniff" always;
             add_header Referrer-Policy "no-refferer-when-downgrade" always;
-            add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
 
             location / {{
                 resolver 127.0.0.11;

nginx/nginx-prod/prepare.py

@@ -43,7 +43,10 @@ for host, params in hosts.items():
             add_header X-XSS-Protection "1; mode=block" always;
             add_header X-Content-Type-Options "nosniff" always;
             add_header Referrer-Policy "no-refferer-when-downgrade" always;
-            add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
 
             location / {{
                 resolver 127.0.0.11;

prepare/run-production.sh

@@ -5,6 +5,7 @@ docker network create -d overlay --attachable common-infra-nginx-development ||
 docker network create -d overlay --attachable queues || true
 docker network create -d overlay --attachable queues-development || true
 docker network create -d overlay --attachable configurator || true
+docker network create -d overlay --attachable monitoring || true
 docker network create -d overlay --attachable configurator-development || true
 docker network create -d overlay --attachable clickhouse || true
 docker network create -d overlay --attachable clickhouse-development || true
@@ -14,7 +15,9 @@ mkdir /sprint-data/rabbitmq || true
 mkdir /sprint-data/certs || true
 mkdir /sprint-data/gitea || true
 mkdir /sprint-data/clickhouse || true
+mkdir /sprint-data/grafana || true
 chmod 777 /sprint-data/redis
 chmod 777 /sprint-data/rabbitmq
 chmod 777 /sprint-data/gitea
 chmod 777 /sprint-data/clickhouse
+chmod 777 /sprint-data/grafana