diff --git a/.deploy-infra/deploy-dev.yaml b/.deploy-infra/deploy-dev.yaml
index 0b893b7..1db0504 100644
--- a/.deploy-infra/deploy-dev.yaml
+++ b/.deploy-infra/deploy-dev.yaml
@@ -6,6 +6,9 @@ services:
 image: mathwave/sprint-repo:sprint-infra-nginx-dev
 networks:
 - common-infra-nginx-development
+ - configurator
+ environment:
+ MINIO_SECRET_KEY: $MINIO_SECRET_KEY_DEV
 ports:
 - published: 80
 target: 80
@@ -164,3 +167,5 @@ volumes:
 networks:
 common-infra-nginx-development:
 external: true
+ configurator:
+ external: true
diff --git a/.gitea/workflows/deploy-dev.yaml b/.gitea/workflows/deploy-dev.yaml
index 641f677..8489c5a 100644
--- a/.gitea/workflows/deploy-dev.yaml
+++ b/.gitea/workflows/deploy-dev.yaml
@@ -59,6 +59,7 @@ jobs:
 MONGO_PASSWORD_DEV: ${{ secrets.MONGO_PASSWORD_DEV }}
 DB_PASSWORD_DEV: ${{ secrets.POSTGRES_PASSWORD_DEV }}
 MINIO_PASSWORD_DEV: ${{ secrets.MINIO_PASSWORD_DEV }}
+ MINIO_SECRET_KEY_DEV: ${{ secrets.MINIO_SECRET_KEY_DEV }}
 REDIS_PASSWORD_DEV: ${{ secrets.REDIS_PASSWORD_DEV }}
 RABBITMQ_PASSWORD_DEV: ${{ secrets.RABBITMQ_PASSWORD_DEV }}
 REGISTRATION_TOKEN: ${{ secrets.REGISTRATION_TOKEN }}
diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile
index aa5750c..57b46a1 100644
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
@@ -2,6 +2,8 @@ FROM nginx
 RUN apt-get update
 RUN apt-get install certbot --yes
 RUN apt-get install python3-certbot-nginx --yes
+RUN pip3 install requests minio
 COPY ./config /etc/nginx
-COPY ./privkey.pem /etc/nginx/privkey.pem
-COPY ./fullchain.pem /etc/nginx/fullchain.pem
\ No newline at end of file
+COPY prepare.py prepare.py
+COPY run.sh run.sh
+CMD ["run.sh"]
\ No newline at end of file
diff --git a/nginx/nginx-dev/config/guavo.conf b/nginx/nginx-dev/config/guavo.conf
deleted file mode 100644
index dc6696b..0000000
--- a/nginx/nginx-dev/config/guavo.conf
+++ /dev/null
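Review bot: `MINIO_SECRET_KEY: $MINIO_SECRET_KEY_DEV` hands the MinIO secret to the nginx service as a plain environment variable, so it stays readable for the container's whole lifetime (`docker inspect`, every process's environment) even though only the start-up script needs it once. This file already uses the long-form stack syntax (`published:`/`target:`, external networks), so a file-based secret is the better fit: declare it under a top-level `secrets:`, attach it to the service, and have prepare.py read `/run/secrets/<name>` instead of the environment (that change lives outside this hunk). If the variable is kept, make sure `MINIO_SECRET_KEY_DEV` is exported in the shell that runs the deploy, because an unset variable expands to an empty string and prepare.py in this same commit then falls back to a default credential. The service definition begins outside the hunk.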
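Review bot: `CMD ["run.sh"]` is exec form, so there is no shell lookup: Docker execs the literal name `run.sh`, which `COPY run.sh run.sh` placed at `/run.sh` with the committed mode 100644 (no execute bit, see the run.sh header further down) and `/` is not on PATH, so the container exits with an exec error before nginx ever starts. Use an absolute, executable path or an explicit interpreter: `COPY run.sh /run.sh`, `RUN chmod 0755 /run.sh`, `CMD ["/run.sh"]` (the script also needs a shebang). `RUN pip3 install requests minio` pins no versions and assumes pip is present in the `nginx` base image, which only the apt lines above may have pulled in and which I cannot confirm from this hunk; pin versions (`requests==<version>`, `minio==<version>`, placeholder values) or install from apt so the image builds reproducibly.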
@@ -1,162 +0,0 @@ - - # server { - # listen 80; - # server_name *.develop.guavo.tech; - # return 301 https://$host$request_uri; - # } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name swarmpit.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:888/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name portainer.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:8888/; - } - - location /api/websocket/ { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $host; - proxy_pass http://develop.guavo.tech:8888/api/websocket/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name rabbitmq.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - 
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:15672/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name minio.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:9001/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name grafana.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - proxy_set_header Host $http_host; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:3000/; - } - - location /api/live/ws { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $host; - proxy_pass http://develop.guavo.tech:3000/api/live/ws; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name ~^(?.*)\.develop\.guavo\.tech$; - - resolver 127.0.0.11 ipv6=off; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header 
X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Real-IP $remote_addr; - - location / { - proxy_pass http://$domain-nginx:1238$request_uri; - } - } - - server { - listen 80; - server_name ~^(?.*)\.develop\.guavo\.tech$; - - resolver 127.0.0.11 ipv6=off; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Real-IP $remote_addr; - - location / { - proxy_pass http://$domain-nginx:1238$request_uri; - } - } diff --git a/nginx/nginx-dev/config/nginx.conf b/nginx/nginx-dev/config/nginx.conf index 5e77885..97c6f16 100644 --- a/nginx/nginx-dev/config/nginx.conf +++ b/nginx/nginx-dev/config/nginx.conf @@ -8,6 +8,6 @@ http { '' close; } - # include ./guavo.conf; + include ./hosts.conf; include ./sprinthub.conf; } \ No newline at end of file diff --git a/nginx/nginx-dev/prepare.py b/nginx/nginx-dev/prepare.py new file mode 100644 index 0000000..d6be531 --- /dev/null +++ b/nginx/nginx-dev/prepare.py 
@@ -0,0 +1,47 @@
+from requests import get
+import os
+from minio import Minio
+
+
+minio_client = Minio(
+ "minio.develop.sprinthub.ru:9000",
+ access_key="serviceminioadmin",
+ secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"),
+ secure=False
+)
+
+
+hosts = get('http://configurator/api/v1/fetch?project=certupdater&stage=development').json()['configs']['hosts']
+hosts = list(set(hosts + ['platform.develop.sprinthub.ru']))
+
+config = ''
+for host in hosts:
+ config += '''
+ server \{
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {0};
+
+ ssl_certificate /etc/nginx/{0}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/{0}/privkey.pem;
+
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-refferer-when-downgrade" always;
+ add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+ location / \{
+ proxy_pass http://{1}-nginx:1238$request_uri;
+ \}
+ \}\n\n
+ '''.format(host, host.split('.')[0])
+ fullchain = minio_client.get_object("certupdater", f'certificates/{host}/fullchain.pem')
+ privkey = minio_client.get_object("certupdater", f'certificates/{host}/privkey.pem')
+ with open(f"/etc/nginx/{host}/fullchain.pem", 'wb') as fp:
+ fp.write(fullchain.data)
+ with open(f"/etc/nginx/{host}/privkey.pem", 'wb') as fp:
+ fp.write(privkey.data)
+
+with open('/etc/nginx/hosts.conf', 'w') as fp:
+ fp.write(config)
diff --git a/nginx/nginx-dev/run.sh b/nginx/nginx-dev/run.sh
new file mode 100644
index 0000000..ede1e71
--- /dev/null
+++ b/nginx/nginx-dev/run.sh
@@ -0,0 +1,2 @@
+python3 prepare.py
+nginx -g daemon off;
\ No newline at end of file
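Review bot: The template starting at `server \{` never reaches nginx: a backslash is not an escape for str.format, so `\{` opens a replacement field and `.format(host, ...)` raises on the first host (a ValueError or KeyError from the field parser), which also means hosts.conf is never written; literal braces need `{{` and `}}`. The same loop writes to `/etc/nginx/{host}/` without creating that directory, leaves the private key with the default umask instead of 0600, and interpolates `host` — a value fetched from the configurator service with no timeout and no status check — unvalidated into nginx directives and filesystem paths, so each hostname should be checked against a strict pattern before use. Separately, `secure=False` moves private keys over plaintext HTTP to `minio.develop.sprinthub.ru`, and the `"minioadmin"` fallback means a missing `MINIO_SECRET_KEY` silently authenticates with a well-known default; read `os.environ["MINIO_SECRET_KEY"]` so an unset variable fails fast, and enable TLS to MinIO. Rewritten generation loop below (needs `import re` alongside the existing imports).

```python
# … unchanged: imports (add `import re`), Minio client with secret_key=os.environ["MINIO_SECRET_KEY"] …

# Only plain DNS labels are accepted: anything else could smuggle nginx
# directives into hosts.conf or path components into /etc/nginx/<host>/.
HOST_RE = re.compile(r'^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$')

SERVER_BLOCK = '''
server {{
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name {host};

    ssl_certificate /etc/nginx/{host}/fullchain.pem;
    ssl_certificate_key /etc/nginx/{host}/privkey.pem;

    # … unchanged: add_header lines …

    location / {{
        proxy_pass http://{upstream}-nginx:1238$request_uri;
    }}
}}

'''

resp = get('http://configurator/api/v1/fetch?project=certupdater&stage=development', timeout=10)
resp.raise_for_status()
hosts = sorted(set(resp.json()['configs']['hosts'] + ['platform.develop.sprinthub.ru']))

config = ''
for host in hosts:
    if not HOST_RE.match(host):
        raise ValueError(f'refusing to configure suspicious host name: {host!r}')
    cert_dir = f'/etc/nginx/{host}'
    os.makedirs(cert_dir, exist_ok=True)
    config += SERVER_BLOCK.format(host=host, upstream=host.split('.')[0])
    for name in ('fullchain.pem', 'privkey.pem'):
        obj = minio_client.get_object('certupdater', f'certificates/{host}/{name}')
        try:
            data = obj.data
        finally:
            obj.close()
            obj.release_conn()
        # key material must not be readable by other users inside the container
        fd = os.open(f'{cert_dir}/{name}', os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'wb') as fp:
            fp.write(data)
# … unchanged: write /etc/nginx/hosts.conf …
```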
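Review bot: `nginx -g daemon off;` is unquoted, so the shell terminates the command at `;` and nginx is started with `-g daemon` plus a stray `off` argument, which it rejects; the directive must be passed as one argument, `nginx -g 'daemon off;'`. The file also has no shebang and no `set -e`, so when `prepare.py` fails nginx is still launched and then dies on the missing `hosts.conf` with a less informative error; `nginx -t` between the two steps reports a bad generated config explicitly, and `exec` makes nginx PID 1 so it receives the container's stop signal. Using absolute paths avoids depending on the working directory the Dockerfile leaves you in.

```shell
#!/bin/sh
set -eu
python3 /prepare.py
nginx -t
exec nginx -g 'daemon off;'
```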