self/infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

master #45

Merged
emmatveev merged 3 commits from master into dev 2025-06-02 01:36:19 +03:00
Conversation 0 Commits 3 Files Changed 7 +60 -165
7 changed files with 60 additions and 165 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.deploy-infra/deploy-dev.yaml
View File

@ -6,6 +6,9 @@ services:
image: mathwave/sprint-repo:sprint-infra-nginx-dev image: mathwave/sprint-repo:sprint-infra-nginx-dev
networks: networks:
- common-infra-nginx-development - common-infra-nginx-development
- configurator
environment:
MINIO_SECRET_KEY: $MINIO_SECRET_KEY_DEV
ports: ports:
- published: 80 - published: 80
target: 80 target: 80
@ -164,3 +167,5 @@ volumes:
networks: networks:
common-infra-nginx-development: common-infra-nginx-development:
external: true external: true
configurator:
external: true

1
.gitea/workflows/deploy-dev.yaml
View File

@ -59,6 +59,7 @@ jobs:
MONGO_PASSWORD_DEV: ${{ secrets.MONGO_PASSWORD_DEV }} MONGO_PASSWORD_DEV: ${{ secrets.MONGO_PASSWORD_DEV }}
DB_PASSWORD_DEV: ${{ secrets.POSTGRES_PASSWORD_DEV }} DB_PASSWORD_DEV: ${{ secrets.POSTGRES_PASSWORD_DEV }}
MINIO_PASSWORD_DEV: ${{ secrets.MINIO_PASSWORD_DEV }} MINIO_PASSWORD_DEV: ${{ secrets.MINIO_PASSWORD_DEV }}
MINIO_SECRET_KEY_DEV: ${{ secrets.MINIO_SECRET_KEY_DEV }}
REDIS_PASSWORD_DEV: ${{ secrets.REDIS_PASSWORD_DEV }} REDIS_PASSWORD_DEV: ${{ secrets.REDIS_PASSWORD_DEV }}
RABBITMQ_PASSWORD_DEV: ${{ secrets.RABBITMQ_PASSWORD_DEV }} RABBITMQ_PASSWORD_DEV: ${{ secrets.RABBITMQ_PASSWORD_DEV }}
REGISTRATION_TOKEN: ${{ secrets.REGISTRATION_TOKEN }} REGISTRATION_TOKEN: ${{ secrets.REGISTRATION_TOKEN }}

6
nginx/nginx-dev/Dockerfile
View File

@ -2,6 +2,8 @@ FROM nginx
RUN apt-get update RUN apt-get update
RUN apt-get install certbot --yes RUN apt-get install certbot --yes
RUN apt-get install python3-certbot-nginx --yes RUN apt-get install python3-certbot-nginx --yes
RUN pip3 install requests minio
COPY ./config /etc/nginx COPY ./config /etc/nginx
COPY ./privkey.pem /etc/nginx/privkey.pem COPY prepare.py prepare.py
COPY ./fullchain.pem /etc/nginx/fullchain.pem COPY run.sh run.sh
CMD ["run.sh"]

162
nginx/nginx-dev/config/guavo.conf
View File

@ -1,162 +0,0 @@
# server {
# listen 80;
# server_name *.develop.guavo.tech;
# return 301 https://$host$request_uri;
# }
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name swarmpit.develop.guavo.tech;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://develop.guavo.tech:888/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name portainer.develop.guavo.tech;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://develop.guavo.tech:8888/;
}
location /api/websocket/ {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_pass http://develop.guavo.tech:8888/api/websocket/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name rabbitmq.develop.guavo.tech;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://develop.guavo.tech:15672/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name minio.develop.guavo.tech;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://develop.guavo.tech:9001/;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name grafana.develop.guavo.tech;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
proxy_set_header Host $http_host;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / {
proxy_pass http://develop.guavo.tech:3000/;
}
location /api/live/ws {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_pass http://develop.guavo.tech:3000/api/live/ws;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name ~^(?<domain>.*)\.develop\.guavo\.tech$;
resolver 127.0.0.11 ipv6=off;
ssl_certificate /etc/nginx/fullchain.pem;
ssl_certificate_key /etc/nginx/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
location / {
proxy_pass http://$domain-nginx:1238$request_uri;
}
}
server {
listen 80;
server_name ~^(?<domain>.*)\.develop\.guavo\.tech$;
resolver 127.0.0.11 ipv6=off;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
location / {
proxy_pass http://$domain-nginx:1238$request_uri;
}
}

2
nginx/nginx-dev/config/nginx.conf
View File

@ -8,6 +8,6 @@ http {
'' close; '' close;
} }
# include ./guavo.conf; include ./hosts.conf;
include ./sprinthub.conf; include ./sprinthub.conf;
} }

47
nginx/nginx-dev/prepare.py Normal file
View File

@ -0,0 +1,47 @@
from requests import get
import os
from minio import Minio
minio_client = Minio(
"minio.develop.sprinthub.ru:9000",
access_key="serviceminioadmin",
secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"),
secure=False
)
hosts = get('http://configurator/api/v1/fetch?project=certupdater&stage=development').json()['configs']['hosts']
hosts = list(set(hosts + ['platform.develop.sprinthub.ru']))
config = ''
for host in hosts:
config += '''
server \{
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {0};
ssl_certificate /etc/nginx/{0}/fullchain.pem;
ssl_certificate_key /etc/nginx/{0}/privkey.pem;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-refferer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
location / \{
proxy_pass http://{1}-nginx:1238$request_uri;
\}
\}\n\n
'''.format(host, host.split('.')[0])
fullchain = minio_client.get_object("certupdater", f'certificates/{host}/fullchain.pem')
privkey = minio_client.get_object("certupdater", f'certificates/{host}/privkey.pem')
with open(f"/etc/nginx/{host}/fullchain.pem", 'wb') as fp:
fp.write(fullchain.data)
with open(f"/etc/nginx/{host}/privkey.pem", 'wb') as fp:
fp.write(privkey.data)
with open('/etc/nginx/hosts.conf', 'w') as fp:
fp.write(config)

2
nginx/nginx-dev/run.sh Normal file
View File

@ -0,0 +1,2 @@
python3 prepare.py
nginx -g daemon off;