infra/nginx/nginx-prod/prepare.py

from requests import get
import os
from minio import Minio


minio_client = Minio(
    "minio.sprinthub.ru:9000",
    access_key="serviceminioadmin",
    secret_key=os.getenv("MINIO_SECRET_KEY", "minioadmin"),
    secure=False,
)


hosts = get(
    "http://configurator/api/v1/fetch?project=certupdater&stage=production"
).json()["configs"]["hosts"]

config = ""
for host, params in hosts.items():
    config += """
        server {{
            listen      443 ssl http2;
            listen      [::]:443 ssl http2;
            server_name {host};

            ssl_certificate     /etc/nginx/{host}/fullchain.pem;
            ssl_certificate_key /etc/nginx/{host}/privkey.pem;

            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header Referrer-Policy "no-refferer-when-downgrade" always;
            add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;

            location / {{
                resolver 127.0.0.11;
                proxy_pass http://{target_host}:{port}$request_uri;
            }}
        }}\n\n
    """.format(
        host=host, target_host=params["host"], port=params["port"]
    )
    fullchain = minio_client.get_object(
        "certupdater", f"certificates/{host}/fullchain.pem"
    )
    privkey = minio_client.get_object("certupdater", f"certificates/{host}/privkey.pem")
    try:
        os.mkdir(f"/etc/nginx/{host}")
    except FileExistsError:
        ...
    with open(f"/etc/nginx/{host}/fullchain.pem", "wb") as fp:
        fp.write(fullchain.data)
    with open(f"/etc/nginx/{host}/privkey.pem", "wb") as fp:
        fp.write(privkey.data)

with open("/etc/nginx/hosts.conf", "w") as fp:
    fp.write(config)