From 06cebb2f5408c82e4444923af638a95391bd15c9 Mon Sep 17 00:00:00 2001
From: Josh
Date: Wed, 30 Jul 2025 15:13:30 +0000
Subject: [PATCH] Integrate Gitea + Woodpecker, TLS proxy, shared net

---
 .env | 2 +-
 docker-compose.yml | 8 +++++
 nginx.conf | 72 +++++++++++++++++++++++++++++----------------
 refresh_secrets.sh | 12 ++++++++
 user_profile.db | Bin 208896 -> 212992 bytes
 5 files changed, 67 insertions(+), 27 deletions(-)
 create mode 100755 refresh_secrets.sh

diff --git a/.env b/.env
index 88e706c..ab077a4 100644
--- a/.env
+++ b/.env
@@ -2,4 +2,4 @@ CORS_ALLOWED_ORIGINS=https://dev1.aptivaai.com,http://34.16.120.118:3000,http://
 SERVER1_PORT=5000
 SERVER2_PORT=5001
 SERVER3_PORT=5002
-IMG_TAG=202507281838
\ No newline at end of file
+IMG_TAG=202507301457
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index eef8893..b4b046b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -101,9 +101,17 @@ services:
 image: nginx:1.25-alpine
 command: ["nginx", "-g", "daemon off;"]
 depends_on: [server1, server2, server3]
+ networks: [default, aptiva-shared]
 ports: ["80:80", "443:443"]
 volumes:
 - ./build:/usr/share/nginx/html:ro
 - ./nginx.conf:/etc/nginx/nginx.conf:ro
 - /etc/letsencrypt:/etc/letsencrypt:ro
 - ./empty:/etc/nginx/conf.d
+
+networks:
+ default:
+ name: aptiva_default
+ aptiva-shared:
+ external: true
+
diff --git a/nginx.conf b/nginx.conf
index 5179924..8d09571 100644
--- a/nginx.conf
+++ b/nginx.conf
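Review bot: `aptiva-shared` is declared `external: true` but nothing in the file records how it comes into existence, so on a fresh host `docker compose up` fails with a missing-network error before any service starts; add a comment next to the declaration such as `# created out-of-band: docker network create aptiva-shared (presumably shared with the Gitea/Woodpecker stack)`. Attaching only the proxy service to the shared network and leaving server1–3 on `default` keeps the backends unreachable from whatever else lives on that network, which is the right scope; keep it that way if more services are added later. The proxy service's own definition begins before the hunk.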
@@ -4,14 +4,15 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
- # ------------------ upstreams (one line to edit per container) ----------
+ # ───────────── upstreams to Docker services ─────────────
 upstream backend5000 { server server1:5000; } # auth & free
 upstream backend5001 { server server2:5001; } # onet, distance, etc.
 upstream backend5002 { server server3:5002; } # premium
+ upstream gitea_backend { server gitea:3000; } # gitea service (shared network)
- # -----------------------------------------------------------------------
- # 1. HTTP → HTTPS redirect
- # -----------------------------------------------------------------------
+ ########################################################################
+ # 1. HTTP → HTTPS redirect for the main site
+ ########################################################################
 server {
 listen 80;
 listen [::]:80;
@@ -19,19 +20,19 @@ http {
 return 301 https://$host$request_uri;
 }
- # -----------------------------------------------------------------------
- # 2. Main virtual host on :443
- # -----------------------------------------------------------------------
+ ########################################################################
+ # 2. Main virtual host (dev1.aptivaai.com) on :443
+ ########################################################################
 server {
- listen 443 ssl http2;
+ listen 443 ssl;
+ http2 on; # modern syntax
 server_name dev1.aptivaai.com;
- # ---------- TLS -----------------------------------------------------
 ssl_certificate /etc/letsencrypt/live/dev1.aptivaai.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/dev1.aptivaai.com/privkey.pem;
 ssl_protocols TLSv1.2 TLSv1.3;
- # ---------- React static assets -------------------------------------
+ # ───── React static assets ─────
 root /usr/share/nginx/html;
 index index.html;
 location / {
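Review bot: `upstream gitea_backend { server gitea:3000; }` ties the whole config to the `gitea` name resolving at startup: nginx resolves upstream hostnames once when it loads the configuration, so if the Gitea container is not running on `aptiva-shared` when nginx starts or reloads, nginx exits with "host not found in upstream" and the main dev1 site goes down with it. The compose change in this same commit lists only server1–3 in `depends_on`, so nothing orders Gitea before the proxy. Either document that Gitea must be up first next to the upstream line, or decouple the two by resolving at request time with Docker's embedded DNS: `resolver 127.0.0.11 valid=30s;`, `set $gitea http://gitea:3000;` inside the Gitea location, and `proxy_pass $gitea;` in place of the upstream. The enclosing `http {` block starts before the hunk.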
@@ -42,13 +43,7 @@ http {
 access_log off;
 }
- # -------------------------------------------------------------------
- # 3. API reverse‑proxy rules (three prefixes = three back‑ends)
- # -------------------------------------------------------------------
-
- ## 3A server2 – career, maps, onet, salary, etc.
- ## Anything that *starts* with /api/onet/ OR any one of the paths
- ## you previously enumerated now lives here.
+ # ───── API reverse‑proxy rules ─────
 location ^~ /api/onet/ { proxy_pass http://backend5001; }
 location ^~ /api/chat/ { proxy_pass http://backend5001; proxy_http_version 1.1; proxy_buffering off; }
 location ^~ /api/job-zones { proxy_pass http://backend5001; }
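Review bot: The removed `## 3A` comment here, and the `## 3B`/`## 3C` comments removed in the next hunk, were the only place that said which backend owns which prefix; the replacement heading `# ───── API reverse‑proxy rules ─────` drops that, and the fact that `^~ /api/` is the catch-all for backend5000 is no longer stated anywhere. Keep one short comment per group, e.g. `# backend5001 (server2): onet, chat, job-zones, maps, schools`, `# backend5002 (server3): premium and public assets`, `# backend5000 (server1): every other /api/ path`. The location list and the enclosing server block continue past the hunk.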
@@ -61,23 +56,48 @@ http {
 location ^~ /api/maps/distance { proxy_pass http://backend5001; }
 location ^~ /api/schools { proxy_pass http://backend5001; }
- ## 3B server3 – premium & public assets handled by server3
 location ^~ /api/premium/ { proxy_pass http://backend5002; }
 location ^~ /api/public/ { proxy_pass http://backend5002; }
- ## 3C server1 – everything else beginning with /api/
- ## (register, signin, user‑profile, areas, activate‑premium, …)
 location ^~ /api/ { proxy_pass http://backend5000; }
- # ---------- shared proxy settings -----------------------------------
- ## Add the headers *once*; they apply to every proxy_pass above.
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # shared proxy headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
- # ---------- error pages ---------------------------------------------
 error_page 502 503 504 /50x.html;
 location = /50x.html { root /usr/share/nginx/html; }
 }
+
+ ########################################################################
+ # 3. Gitea virtual host (HTTPS) gitea.dev1.aptivaai.com
+ ########################################################################
+ server {
+ listen 443 ssl;
+ http2 on;
+ server_name gitea.dev1.aptivaai.com;
+
+ ssl_certificate /etc/letsencrypt/live/gitea.dev1.aptivaai.com/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/gitea.dev1.aptivaai.com/privkey.pem;
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ location / {
+ proxy_pass http://gitea_backend;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ }
+ }
+
+ ########################################################################
+ # 4. 
Gitea HTTP → HTTPS redirect
+ ########################################################################
+ server {
+ listen 80;
+ server_name gitea.dev1.aptivaai.com;
+ return 301 https://$host$request_uri;
+ }
 }
diff --git a/refresh_secrets.sh b/refresh_secrets.sh
new file mode 100755
index 0000000..552233d
--- /dev/null
+++ b/refresh_secrets.sh
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Re‑export secrets from Secret Manager
+echo "🔐 Pulling latest secrets…"
+source /home/jcoakley/aptiva-dev1-app/fetch-secrets.sh # same array as deploy_all.sh
+
+# Restart only the application stack so env changes propagate
+cd /home/jcoakley/aptiva-dev1-app
+docker compose up -d --no-build --no-deps server1 server2 server3
+
+echo "✅ Secrets injected; containers unchanged."
diff --git a/user_profile.db b/user_profile.db
index cb40bcc8c5c9a7652d67bca39853b7e666028688..a6e06e0498a703b280a50ea54868c19b61c5ba91 100644
GIT binary patch
delta 1545
zcmY*Z&2Jk;6pzT1meO0ezUd{I9S%s&U^3o_4eTB^1;F6 z*RPKsjg5^h9n$-SqyEkhJB9ClpDFpza5lE&|LyWtA6(6z|5K znKF4TvEyEeCT5H@c69bJ288(ll8UTGO()S-sumf^cPlu(lWGxG2&FtxT^0$$g|gHE zrbL+qS{pP(c_f>8WrtarJ>K@-$ZCIj6Z0|aji%y~o95a(I#JRB7RgPvc;1^{##>kF zx^t#QenlM9(*n?x5u`=Tq%y>{L~Zulx#HXV^%bhuSC?w5wUr0;jZ<@PJ{Z3=dtU@6 zwtOhHXv$XG0{42NtWKiAfV&QJDovZ3xMCd9!KjdILMQW$v?n zv9E0}m&mpS3DuQ4QL*D8;hQBb&F%tiq~K=A$srYw(op0R(Lr=^7o98r85a-TG(vYJ z$DlU*oar!0T?demaC#(3U{*EUn2tn<-Ae=7u_xvi?GGYG`V3d9}Xs@V)g@bGIIT0aLe~ zsl(;kN+M{JGu;L<*=$}gw8e6BKWaAdPMaGDi^UJdhE52m0?(}AHg|AzfIQnCHF~fQ z^f_es0Qtl|Rj?Ma;r@+<@VU)RfmSdeVta$dL~p6wx?&-=ghq#$Sa$6XZ+4%;-1k+N z?L2g3I)Y1pBZQn?fk)bb!SXr8SCAQ#iqRvPG>%>D4PL0Oz`C@6f*9vAgcCSs9XQd( zcOj?3Gz7LNb5ro0*l~e&Awpn93z$J3FwxMt#gkN9V7@*Gq@m70(PStd?In6QUsp>a zOnJTlXoCH-u+W7z>$kkCXRwTMo|imKi1LZ?*(Wo_sq0R6p2TsgBy`py8tsydBH9(A zLm~DWmt6Rc$3t?&3t5gDLR#9Bww?WWR5*7Ye(D7C6_jFT*DTa)_2p{q-Rj^=5WKTm G5B>#nuNbfZ
delta 91
zcmV-h0HptbfDM4)43HZI?f?J)Gm#)a0q%idwO|3H?-&RV*Z=?k05cE!5B3l759|-; x58@Bq57?1G6}K@E0;dm`*#7}613?T{l?MW2m2Ltcv4PABhgJ*%w^j@Tsw2VfAB_M2
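Review bot: The new `gitea.dev1.aptivaai.com` server block sets no `client_max_body_size`, so nginx's default of 1m applies to its `location /`; any git push over HTTPS, release upload or attachment larger than that is rejected with 413 before it reaches Gitea, which is easy to misread as an application error. Add a limit sized for your repositories inside the block, e.g. `client_max_body_size 512m;` (value to be chosen), and consider a longer `proxy_read_timeout` for large pushes. The part-4 redirect server has only `listen 80;` while the main-site redirect also has `listen [::]:80;`; this is probably harmless today because the main-site block should act as the IPv6 default and redirects to `https://$host`, but add `listen [::]:80;` for symmetry. Hard-coding `X-Forwarded-Proto https` is correct here since the block listens on 443 only; the earlier `## 3B`/`## 3C` routing comments this hunk removes are discussed on the previous hunk.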
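Review bot: The application directory `/home/jcoakley/aptiva-dev1-app` is hard-coded twice (the `source` line and the `cd`), tying the script to one user's home; assuming the script lives in that directory, which the `cd` suggests, derive it once from its own location, `APP_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`, then `source "$APP_DIR/fetch-secrets.sh"` and `cd "$APP_DIR"`. Because `fetch-secrets.sh` is sourced rather than executed, `set -euo pipefail` applies inside it as well: any unset variable or failing command there aborts this script, which is the right outcome for a secrets step but worth stating in the `# Re‑export secrets` comment. The closing message says `containers unchanged`, yet `docker compose up -d` recreates server1–3 whenever their environment differs, which is the whole point of the script; reword it to something like `echo "✅ Secrets refreshed; server1-3 recreated if their env changed."`.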
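Review bot: `user_profile.db` is a binary file (208896 → 212992 bytes per the diffstat, presumably a SQLite database given the name) that changes in a commit whose subject is about Gitea, Woodpecker and the TLS proxy; a user-profile database tracked in git means every profile row ever written stays recoverable from the history of the deployment repository. Unless it is a test fixture, stop tracking it with `git rm --cached user_profile.db`, list it in `.gitignore`, and keep the live data on a volume; if it is a fixture, say so in the README and keep it out of unrelated commits.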