Integrate Gitea + Woodpecker, TLS proxy, shared net

2025-07-30 15:13:30 +00:00 · 2025-07-30 15:13:30 +00:00 · 06cebb2f54
commit 06cebb2f54
parent 36da8a5a7f
5 changed files with 67 additions and 27 deletions
--- a/.env
+++ b/.env
@ -2,4 +2,4 @@ CORS_ALLOWED_ORIGINS=https://dev1.aptivaai.com,http://34.16.120.118:3000,http://
 SERVER1_PORT=5000
 SERVER2_PORT=5001
 SERVER3_PORT=5002
-IMG_TAG=202507281838
+IMG_TAG=202507301457
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -101,9 +101,17 @@ services:
    image: nginx:1.25-alpine
    command: ["nginx", "-g", "daemon off;"]
    depends_on: [server1, server2, server3]
+    networks: [default, aptiva-shared]
    ports: ["80:80", "443:443"]
    volumes:
      - ./build:/usr/share/nginx/html:ro
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - /etc/letsencrypt:/etc/letsencrypt:ro
      - ./empty:/etc/nginx/conf.d
+
+networks:
+  default:
+    name: aptiva_default
+  aptiva-shared:
+    external: true
+
--- a/nginx.conf
+++ b/nginx.conf
@ -4,14 +4,15 @@ http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

-    # ------------------ upstreams (one line to edit per container) ----------
+    # ───────────── upstreams to Docker services ─────────────
    upstream backend5000 { server server1:5000; }   # auth & free
    upstream backend5001 { server server2:5001; }   # onet, distance, etc.
    upstream backend5002 { server server3:5002; }   # premium
+    upstream gitea_backend { server gitea:3000; }   # gitea service (shared network)

-    # -----------------------------------------------------------------------
-    #  1.  HTTP → HTTPS redirect
-    # -----------------------------------------------------------------------
+    ########################################################################
+    # 1.  HTTP → HTTPS redirect for the main site
+    ########################################################################
    server {
        listen 80;
        listen [::]:80;
@ -19,19 +20,19 @@ http {
        return 301 https://$host$request_uri;
    }

-    # -----------------------------------------------------------------------
-    #  2.  Main virtual host on :443
-    # -----------------------------------------------------------------------
+    ########################################################################
+    # 2.  Main virtual host  (dev1.aptivaai.com)  on :443
+    ########################################################################
    server {
-        listen 443 ssl http2;
+        listen 443 ssl;
+        http2  on;                     # modern syntax
        server_name dev1.aptivaai.com;

-        # ---------- TLS -----------------------------------------------------
        ssl_certificate     /etc/letsencrypt/live/dev1.aptivaai.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/dev1.aptivaai.com/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

-        # ---------- React static assets -------------------------------------
+        # ───── React static assets ─────
        root /usr/share/nginx/html;
        index index.html;
        location / {
@ -42,13 +43,7 @@ http {
            access_log off;
        }

-        # -------------------------------------------------------------------
-        #  3.  API reverse‑proxy rules  (three prefixes = three back‑ends)
-        # -------------------------------------------------------------------
-
-        ## 3A  server2 – career, maps, onet, salary, etc.
-        ##     Anything that *starts* with /api/onet/ OR any one of the paths
-        ##     you previously enumerated now lives here.
+        # ───── API reverse‑proxy rules ─────
        location ^~ /api/onet/          { proxy_pass http://backend5001; }
        location ^~ /api/chat/          { proxy_pass http://backend5001; proxy_http_version 1.1; proxy_buffering off; }
        location ^~ /api/job-zones      { proxy_pass http://backend5001; }
@ -61,23 +56,48 @@ http {
        location ^~ /api/maps/distance  { proxy_pass http://backend5001; }
        location ^~ /api/schools        { proxy_pass http://backend5001; }

-        ## 3B  server3 – premium & public assets handled by server3
        location ^~ /api/premium/       { proxy_pass http://backend5002; }
        location ^~ /api/public/        { proxy_pass http://backend5002; }

-        ## 3C  server1 – everything else beginning with /api/
-        ##     (register, signin, user‑profile, areas, activate‑premium, …)
        location ^~ /api/               { proxy_pass http://backend5000; }

-        # ---------- shared proxy settings -----------------------------------
-        ## Add the headers *once*; they apply to every proxy_pass above.
-        proxy_set_header Host            $host;
-        proxy_set_header X-Real-IP       $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        # shared proxy headers
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

-        # ---------- error pages ---------------------------------------------
        error_page 502 503 504 /50x.html;
        location = /50x.html { root /usr/share/nginx/html; }
    }
+
+    ########################################################################
+    # 3.  Gitea virtual host  (HTTPS)  gitea.dev1.aptivaai.com
+    ########################################################################
+    server {
+        listen 443 ssl;
+        http2  on;
+        server_name gitea.dev1.aptivaai.com;
+
+        ssl_certificate     /etc/letsencrypt/live/gitea.dev1.aptivaai.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/gitea.dev1.aptivaai.com/privkey.pem;
+        ssl_protocols       TLSv1.2 TLSv1.3;
+
+        location / {
+            proxy_pass http://gitea_backend;
+            proxy_set_header Host              $host;
+            proxy_set_header X-Real-IP         $remote_addr;
+            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+        }
+    }
+
+    ########################################################################
+    # 4.  Gitea HTTP → HTTPS redirect
+    ########################################################################
+    server {
+        listen 80;
+        server_name gitea.dev1.aptivaai.com;
+        return 301 https://$host$request_uri;
+    }
 }
--- a/refresh_secrets.sh
+++ b/refresh_secrets.sh
@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Re‑export secrets from Secret Manager
+echo "🔐  Pulling latest secrets…"
+source /home/jcoakley/aptiva-dev1-app/fetch-secrets.sh   # same array as deploy_all.sh
+
+# Restart only the application stack so env changes propagate
+cd /home/jcoakley/aptiva-dev1-app
+docker compose up -d --no-build --no-deps server1 server2 server3
+
+echo "✅  Secrets injected; containers unchanged."
--- a/user_profile.db
+++ b/user_profile.db