From 2970f41b5e24b4a60c766fadc1fb5cafb09dcaa9 Mon Sep 17 00:00:00 2001
From: Egor Matveev
Date: Mon, 2 Jun 2025 01:10:38 +0300
Subject: [PATCH 1/3] fix

---
 nginx/nginx-dev/Dockerfile | 5 +-
 nginx/nginx-dev/config/guavo.conf | 162 ------------------------------
 nginx/nginx-dev/config/nginx.conf | 2 +-
 nginx/nginx-dev/run.py | 35 +++++++
 4 files changed, 39 insertions(+), 165 deletions(-)
 delete mode 100644 nginx/nginx-dev/config/guavo.conf
 create mode 100644 nginx/nginx-dev/run.py

diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile
index aa5750c..c143730 100644
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
@@ -2,6 +2,7 @@ FROM nginx
 RUN apt-get update
 RUN apt-get install certbot --yes
 RUN apt-get install python3-certbot-nginx --yes
+RUN pip3 install requests
 COPY ./config /etc/nginx
-COPY ./privkey.pem /etc/nginx/privkey.pem
-COPY ./fullchain.pem /etc/nginx/fullchain.pem
\ No newline at end of file
+COPY run.py run.py
+CMD ["python3", "run.py"]
\ No newline at end of file
diff --git a/nginx/nginx-dev/config/guavo.conf b/nginx/nginx-dev/config/guavo.conf
deleted file mode 100644
index dc6696b..0000000
--- a/nginx/nginx-dev/config/guavo.conf
+++ /dev/null
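Review bot: `RUN pip3 install requests` relies on a pip3 binary that the preceding apt lines do not obviously provide (`python3-certbot-nginx` brings python3 along, but not necessarily python3-pip), and on recent Debian-based images pip may refuse a system-wide install without `--break-system-packages`; the distro package, `RUN apt-get install python3-requests --yes`, or an explicit python3-pip install avoids both problems. The install is also unpinned, so each image build pulls whatever version PyPI serves that day; pin it (`requests==<version>`) so builds are reproducible and upgrades are reviewed. Dropping the `COPY ./privkey.pem` / `COPY ./fullchain.pem` lines is a good change, since the key no longer lives in an image layer.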
@@ -1,162 +0,0 @@ - - # server { - # listen 80; - # server_name *.develop.guavo.tech; - # return 301 https://$host$request_uri; - # } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name swarmpit.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:888/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name portainer.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:8888/; - } - - location /api/websocket/ { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $host; - proxy_pass http://develop.guavo.tech:8888/api/websocket/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name rabbitmq.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - 
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:15672/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name minio.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:9001/; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name grafana.develop.guavo.tech; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - proxy_set_header Host $http_host; - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - - location / { - proxy_pass http://develop.guavo.tech:3000/; - } - - location /api/live/ws { - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $host; - proxy_pass http://develop.guavo.tech:3000/api/live/ws; - } - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name ~^(?.*)\.develop\.guavo\.tech$; - - resolver 127.0.0.11 ipv6=off; - - ssl_certificate /etc/nginx/fullchain.pem; - ssl_certificate_key /etc/nginx/privkey.pem; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header 
X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Real-IP $remote_addr; - - location / { - proxy_pass http://$domain-nginx:1238$request_uri; - } - } - - server { - listen 80; - server_name ~^(?.*)\.develop\.guavo\.tech$; - - resolver 127.0.0.11 ipv6=off; - - add_header X-Frame-Options "SAMEORIGIN" always; - add_header X-XSS-Protection "1; mode=block" always; - add_header X-Content-Type-Options "nosniff" always; - add_header Referrer-Policy "no-refferer-when-downgrade" always; - add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Real-IP $remote_addr; - - location / { - proxy_pass http://$domain-nginx:1238$request_uri; - } - } diff --git a/nginx/nginx-dev/config/nginx.conf b/nginx/nginx-dev/config/nginx.conf index 5e77885..97c6f16 100644 --- a/nginx/nginx-dev/config/nginx.conf +++ b/nginx/nginx-dev/config/nginx.conf @@ -8,6 +8,6 @@ http { '' close; } - # include ./guavo.conf; + include ./hosts.conf; include ./sprinthub.conf; } \ No newline at end of file diff --git a/nginx/nginx-dev/run.py b/nginx/nginx-dev/run.py new file mode 100644 index 0000000..84798f8 --- /dev/null +++ b/nginx/nginx-dev/run.py 
@@ -0,0 +1,35 @@
+from requests import get
+from subprocess import call
+
+
+hosts = get('http://configurator/api/v1/fetch?project=certupdater&stage=development').json()['configs']['hosts']
+hosts = list(set(hosts + ['platform.develop.sprinthub.ru']))
+
+config = ''
+for host in hosts:
+ config += '''
+ server \{
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name {0};
+
+ ssl_certificate /etc/nginx/{0}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/{0}/privkey.pem;
+
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-refferer-when-downgrade" always;
+ add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
+
+ location / \{
+ proxy_pass http://{1}-nginx:1238$request_uri;
+ \}
+ \}\n\n
+ '''.format(host, host.split('.')[0])
+
+with open('/etc/nginx/hosts.conf', 'w') as fp:
+ fp.write(config)
+
+
+call('nginx -g daemon off;', shell=True)
-- 
2.45.2

From 3f2af3e0a4da3cc74b4a0e576e13cd105af5aec6 Mon Sep 17 00:00:00 2001
From: Egor Matveev
Date: Mon, 2 Jun 2025 01:23:47 +0300
Subject: [PATCH 2/3] fix

---
 nginx/nginx-dev/Dockerfile | 2 +-
 nginx/nginx-dev/run.py | 16 ++++++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile
index c143730..383c079 100644
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
@@ -2,7 +2,7 @@ FROM nginx
 RUN apt-get update
 RUN apt-get install certbot --yes
 RUN apt-get install python3-certbot-nginx --yes
-RUN pip3 install requests
+RUN pip3 install requests minio
 COPY ./config /etc/nginx
 COPY run.py run.py
 CMD ["python3", "run.py"]
\ No newline at end of file
diff --git a/nginx/nginx-dev/run.py b/nginx/nginx-dev/run.py
index 84798f8..738e460 100644
--- a/nginx/nginx-dev/run.py
+++ b/nginx/nginx-dev/run.py
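Review bot: The `'''...'''.format(...)` template writes nginx braces as `\{` and `\}`, but `str.format` does not honour backslash escapes, so the `{` after `server` is parsed as the start of a replacement field and the call raises inside the loop before any config is written; literal braces must be doubled as `{{` and `}}` (the `\n\n` after the closing brace is likewise a real newline in this non-raw string, harmless but probably unintended). The host names come from an HTTP response and are interpolated unchecked into a filesystem path (`/etc/nginx/{0}/fullchain.pem`) and into nginx directives, so an entry containing `/`, `..`, `;` or whitespace alters the generated config rather than just the `server_name`; validate each entry with something like `re.fullmatch(r'[a-z0-9.-]+', host)` and fail on anything else. `get(...)` carries no `timeout` and no `raise_for_status()`, so an unreachable or erroring configurator either blocks container start indefinitely or surfaces as a confusing `KeyError` on `['configs']`. Since `hosts` is rebuilt from a `set`, the order of server blocks in `hosts.conf` changes between runs; `sorted(...)` keeps the file diffable.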
@@ -1,5 +1,15 @@
 from requests import get
 from subprocess import call
+import os
+from minio import Minio
+
+
+minio_client = Minio(
+ "minio.develop.sprinthub.ru:9000",
+ access_key="serviceminioadmin",
+ secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"),
+ secure=False
+)
 
 
 hosts = get('http://configurator/api/v1/fetch?project=certupdater&stage=development').json()['configs']['hosts']
@@ -27,6 +37,12 @@ for host in hosts:
 \}
 \}\n\n
 '''.format(host, host.split('.')[0])
+ fullchain = minio_client.get_object("certupdater", f'certificates/{host}/fullchain.pem')
+ privkey = minio_client.get_object("certupdater", f'certificates/{host}/privkey.pem')
+ with open(f"/etc/nginx/{host}/fullchain.pem", 'wb') as fp:
+ fp.write(fullchain.data)
+ with open(f"/etc/nginx/{host}/privkey.pem", 'wb') as fp:
+ fp.write(privkey.data)
 
 with open('/etc/nginx/hosts.conf', 'w') as fp:
 fp.write(config)
-- 
2.45.2

From a4b4bfbaeb385614c3dc379e4de83d3dbeca953a Mon Sep 17 00:00:00 2001
From: Egor Matveev
Date: Mon, 2 Jun 2025 01:35:47 +0300
Subject: [PATCH 3/3] fix

---
 .deploy-infra/deploy-dev.yaml | 5 +++++
 .gitea/workflows/deploy-dev.yaml | 1 +
 nginx/nginx-dev/Dockerfile | 5 +++--
 nginx/nginx-dev/{run.py => prepare.py} | 4 ----
 nginx/nginx-dev/run.sh | 2 ++
 5 files changed, 11 insertions(+), 6 deletions(-)
 rename nginx/nginx-dev/{run.py => prepare.py} (95%)
 create mode 100644 nginx/nginx-dev/run.sh

diff --git a/.deploy-infra/deploy-dev.yaml b/.deploy-infra/deploy-dev.yaml
index 0b893b7..1db0504 100644
--- a/.deploy-infra/deploy-dev.yaml
+++ b/.deploy-infra/deploy-dev.yaml
@@ -6,6 +6,9 @@ services:
 image: mathwave/sprint-repo:sprint-infra-nginx-dev
 networks:
 - common-infra-nginx-development
+ - configurator
+ environment:
+ MINIO_SECRET_KEY: $MINIO_SECRET_KEY_DEV
 ports:
 - published: 80
 target: 80
@@ -164,3 +167,5 @@ volumes:
 networks:
 common-infra-nginx-development:
 external: true
+ configurator: external: true
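Review bot: `os.getenv("MINIO_SECRET_KEY", "minioadmin")` turns a missing deployment secret into a silent fall-back to a well-known default credential, so a misconfigured stack keeps running with `minioadmin` instead of refusing to start; read it as `os.environ["MINIO_SECRET_KEY"]` (or check and raise) so the absence is loud at startup. The client is also built with `secure=False` against `minio.develop.sprinthub.ru:9000`, which means the signed requests and the downloaded private keys travel in cleartext — tolerable only if that name resolves inside an isolated network, which this diff cannot show; if the MinIO side offers TLS, `secure=True` should be the default here. The hard-coded `access_key="serviceminioadmin"` would be simpler to rotate if it came from the environment next to the secret.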
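Review bot: `open(f"/etc/nginx/{host}/fullchain.pem", 'wb')` writes into a per-host directory that neither the image nor this script creates, so the first iteration raises `FileNotFoundError` unless the directory already exists; add `os.makedirs(f"/etc/nginx/{host}", exist_ok=True)` before the two writes (the enclosing `for host in hosts:` loop starts before this hunk). The private key is created with whatever the process umask allows rather than an explicit restrictive mode; opening it via `open(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), 'wb')` keeps it unreadable to any other account in the container, since nginx's master process (normally root) is the only intended reader. The two `get_object` responses are never closed or released to the connection pool; the minio client documentation recommends `resp.close()` and `resp.release_conn()` once `.data` has been read, e.g. in a `finally`. The `host` value from the configurator response also forms the object key `certificates/{host}/...`, so it should be validated against a hostname pattern before it reaches either the object key or the filesystem path.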
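Review bot: `MINIO_SECRET_KEY: $MINIO_SECRET_KEY_DEV` hands the MinIO credential to the container as a plain environment variable, where it is visible through `docker inspect`, inherited by every child process (including the shell that later starts nginx) and liable to end up in crash dumps or logs; a Compose/Swarm `secrets:` entry mounted under `/run/secrets/` and read from that file by the script keeps it out of the container metadata. Joining the `configurator` network is what the `http://configurator/...` fetch needs, but it also makes every other service on that network reachable from the public-facing nginx container, which is worth confirming as intended. The second hunk in this file, declaring the external `configurator` network, is the other half of this change and needs no separate comment.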
diff --git a/.gitea/workflows/deploy-dev.yaml b/.gitea/workflows/deploy-dev.yaml
index 641f677..8489c5a 100644
--- a/.gitea/workflows/deploy-dev.yaml
+++ b/.gitea/workflows/deploy-dev.yaml
@@ -59,6 +59,7 @@ jobs:
 MONGO_PASSWORD_DEV: ${{ secrets.MONGO_PASSWORD_DEV }}
 DB_PASSWORD_DEV: ${{ secrets.POSTGRES_PASSWORD_DEV }}
 MINIO_PASSWORD_DEV: ${{ secrets.MINIO_PASSWORD_DEV }}
+ MINIO_SECRET_KEY_DEV: ${{ secrets.MINIO_SECRET_KEY_DEV }}
 REDIS_PASSWORD_DEV: ${{ secrets.REDIS_PASSWORD_DEV }}
 RABBITMQ_PASSWORD_DEV: ${{ secrets.RABBITMQ_PASSWORD_DEV }}
 REGISTRATION_TOKEN: ${{ secrets.REGISTRATION_TOKEN }}
diff --git a/nginx/nginx-dev/Dockerfile b/nginx/nginx-dev/Dockerfile
index 383c079..57b46a1 100644
--- a/nginx/nginx-dev/Dockerfile
+++ b/nginx/nginx-dev/Dockerfile
@@ -4,5 +4,6 @@ RUN apt-get install certbot --yes
 RUN apt-get install python3-certbot-nginx --yes
 RUN pip3 install requests minio
 COPY ./config /etc/nginx
-COPY run.py run.py
-CMD ["python3", "run.py"]
\ No newline at end of file
+COPY prepare.py prepare.py
+COPY run.sh run.sh
+CMD ["run.sh"]
\ No newline at end of file
diff --git a/nginx/nginx-dev/run.py b/nginx/nginx-dev/prepare.py
similarity index 95%
rename from nginx/nginx-dev/run.py
rename to nginx/nginx-dev/prepare.py
index 738e460..d6be531 100644
--- a/nginx/nginx-dev/run.py
+++ b/nginx/nginx-dev/prepare.py
@@ -1,5 +1,4 @@
 from requests import get
-from subprocess import call
 import os
 from minio import Minio
 
@@ -46,6 +45,3 @@ for host in hosts:
 
 with open('/etc/nginx/hosts.conf', 'w') as fp:
 fp.write(config)
-
-
-call('nginx -g daemon off;', shell=True)
diff --git a/nginx/nginx-dev/run.sh b/nginx/nginx-dev/run.sh
new file mode 100644
index 0000000..ede1e71
--- /dev/null
+++ b/nginx/nginx-dev/run.sh
@@ -0,0 +1,2 @@
+python3 prepare.py
+nginx -g daemon off;
\ No newline at end of file
-- 
2.45.2
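Review bot: `CMD ["run.sh"]` is exec form with a bare relative name, so the runtime resolves it through `PATH` rather than the working directory and the container fails with "executable file not found" unless `/` happens to be on `PATH`; in addition `COPY run.sh run.sh` preserves only the mode the file has in the build context, and the new `run.sh` has no shebang, so even a located file may not be executable. The smallest fix that needs no BuildKit features is `CMD ["sh", "/run.sh"]`; the cleaner one is `COPY --chmod=755 run.sh /run.sh` with `CMD ["/run.sh"]` and a `#!/bin/sh` first line in the script. Note that the official nginx image's entrypoint appears to run its `/docker-entrypoint.d` hooks only when the command is `nginx`, so anything that depended on those hooks (template substitution, for instance) would no longer run under this CMD — worth checking.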
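Review bot: `nginx -g daemon off;` is unquoted, so the shell treats `;` as a command terminator and nginx is started as `nginx -g daemon off`, which it rejects as an unterminated `-g` directive; the line should be `exec nginx -g 'daemon off;'`. The `exec` matters as well: without it the shell stays PID 1 and does not forward the container's SIGTERM/SIGQUIT to nginx, so every stop becomes a kill after the grace period. The script also has no shebang and no `set -e`, so if `python3 prepare.py` fails (no hosts.conf written, certificate download failed) nginx is still launched against an `include ./hosts.conf;` that may not exist; a `#!/bin/sh` line followed by `set -eu` makes the prepare step's failure stop the container instead.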