diff --git a/roadmap/prod-env/02-godaddy-credentials.md b/roadmap/prod-env/02-godaddy-credentials.md index 1cbff06..4db58d6 100644 --- a/roadmap/prod-env/02-godaddy-credentials.md +++ b/roadmap/prod-env/02-godaddy-credentials.md @@ -30,7 +30,7 @@ GODADDY_SECRET= ## Step 2 — Repo template file -Same file as test: `swag/dns-conf/godaddy.ini.tpl` (already created in test step 02). +Same file as test: `template/swag/dns-conf/godaddy.ini.tpl` (already created in test step 02). No additional action needed in the repo. ## Step 3 — (Handled by pipeline) Write credentials file on prod host @@ -40,7 +40,7 @@ The deploy pipeline (see `08-deploy-pipeline-update.md`) runs on iklim-app-01: ```bash set -a; . ./.env; set +a mkdir -p "$SWAG_CONFIG_DIR/dns-conf" -envsubst < swag/dns-conf/godaddy.ini.tpl > "$SWAG_CONFIG_DIR/dns-conf/godaddy.ini" +envsubst < template/swag/dns-conf/godaddy.ini.tpl > "$SWAG_CONFIG_DIR/dns-conf/godaddy.ini" chmod 600 "$SWAG_CONFIG_DIR/dns-conf/godaddy.ini" ``` diff --git a/roadmap/prod-env/04-swag-nginx-configs.md b/roadmap/prod-env/04-swag-nginx-configs.md index bde781d..fc35738 100644 --- a/roadmap/prod-env/04-swag-nginx-configs.md +++ b/roadmap/prod-env/04-swag-nginx-configs.md @@ -1,7 +1,7 @@ # 04 — SWAG Nginx Proxy Configs (Prod) ## Context -Same template files as test (`swag/site-confs/*.conf.tpl`), different env vars. +Same template files as test (`template/swag/site-confs/*.conf.tpl`), different env vars. The pipeline processes templates with prod-specific subdomain values. ## Required env vars (in `.env` on storagebox `prod/secrets/iklim.co/.env.prod`) 
@@ -23,11 +23,11 @@ SWAG_SITE_CONFS_DIR=/mnt/storagebox/swag/site-confs ## Template files (already created in test step 04) -- `swag/site-confs/default.conf` -- `swag/site-confs/api.conf.tpl` -- `swag/site-confs/apigw.conf.tpl` -- `swag/site-confs/rabbitmq.conf.tpl` -- `swag/site-confs/grafana.conf.tpl` +- `template/swag/site-confs/default.conf` +- `template/swag/site-confs/api.conf.tpl` +- `template/swag/site-confs/apigw.conf.tpl` +- `template/swag/site-confs/rabbitmq.conf.tpl` +- `template/swag/site-confs/grafana.conf.tpl` No new files to create — the same templates work for both environments. @@ -40,13 +40,13 @@ export RESTRICTED_IPS_BLOCK="$(echo "$RESTRICTED_IPS" | tr ',' '\n' | sed 's|.*| mkdir -p "$SWAG_SITE_CONFS_DIR" SWAG_VARS='${API_SUBDOMAIN}${APIGW_SUBDOMAIN}${GRAFANA_SUBDOMAIN}${RABBITMQ_SUBDOMAIN}${RESTRICTED_IPS_BLOCK}' -for tpl in swag/site-confs/*.conf.tpl; do +for tpl in template/swag/site-confs/*.conf.tpl; do out="$SWAG_SITE_CONFS_DIR/$(basename "${tpl%.tpl}")" envsubst "$SWAG_VARS" < "$tpl" | sudo tee "$out" > /dev/null echo "✅ $out" done -sudo cp swag/site-confs/default.conf "$SWAG_SITE_CONFS_DIR/default.conf" +sudo cp template/swag/site-confs/default.conf "$SWAG_SITE_CONFS_DIR/default.conf" ``` With `API_SUBDOMAIN=api.iklim.co`, the output file `$SWAG_SITE_CONFS_DIR/api.conf` @@ -74,4 +74,4 @@ Expected: APISIX response with valid `*.iklim.co` cert. - `Prometheus` is intentionally NOT exposed via SWAG. Access it via Grafana (internal connection: `http://prometheus:9090`) or SSH tunnel. - If additional restricted-access subdomains are needed in the future, create a new - `swag/site-confs/.conf.tpl` following the same pattern. + `template/swag/site-confs/.conf.tpl` following the same pattern. diff --git a/roadmap/prod-env/08-deploy-pipeline-update.md b/roadmap/prod-env/08-deploy-pipeline-update.md index 69d4acb..9073002 100644 --- a/roadmap/prod-env/08-deploy-pipeline-update.md +++ b/roadmap/prod-env/08-deploy-pipeline-update.md 
@@ -71,7 +71,7 @@ Insert **before** `Bootstrap Vault TLS Placeholder`: mkdir -p "$SWAG_CONFIG_DIR/dns-conf" "$SWAG_SITE_CONFS_DIR" - envsubst < swag/dns-conf/godaddy.ini.tpl | docker run --rm -i \ + envsubst < template/swag/dns-conf/godaddy.ini.tpl | docker run --rm -i \ -v "${SWAG_CONFIG_DIR}/dns-conf:/output" \ alpine sh -c "cat > /output/godaddy.ini && chmod 600 /output/godaddy.ini" echo "✅ godaddy.ini written" @@ -79,7 +79,7 @@ Insert **before** `Bootstrap Vault TLS Placeholder`: export RESTRICTED_IPS_BLOCK="$(echo "$RESTRICTED_IPS" | tr ',' '\n' | sed 's|.*| allow &;|')" SWAG_VARS='${API_SUBDOMAIN}${APIGW_SUBDOMAIN}${GRAFANA_SUBDOMAIN}${RABBITMQ_SUBDOMAIN}${RESTRICTED_IPS_BLOCK}' - for tpl in swag/site-confs/*.conf.tpl; do + for tpl in template/swag/site-confs/*.conf.tpl; do fname=$(basename "${tpl%.tpl}") envsubst "$SWAG_VARS" < "$tpl" | docker run --rm -i \ -v "${SWAG_SITE_CONFS_DIR}:/output" \ @@ -87,7 +87,7 @@ Insert **before** `Bootstrap Vault TLS Placeholder`: echo "✅ ${fname}" done - cat swag/site-confs/default.conf | docker run --rm -i \ + cat template/swag/site-confs/default.conf | docker run --rm -i \ -v "${SWAG_SITE_CONFS_DIR}:/output" \ alpine sh -c "cat > /output/default.conf" diff --git a/roadmap/test-env/02-godaddy-credentials.md b/roadmap/test-env/02-godaddy-credentials.md index 2fe90e4..3a204a8 100644 --- a/roadmap/test-env/02-godaddy-credentials.md +++ b/roadmap/test-env/02-godaddy-credentials.md @@ -33,7 +33,7 @@ These are fetched by the deploy pipeline's `Fetch Service Secret Files` step and ## Step 2 — Template file in the repo -`swag/dns-conf/godaddy.ini.tpl` already exists in the repository root: +`template/swag/dns-conf/godaddy.ini.tpl` already exists in the repository root: ```ini dns_godaddy_key = ${GODADDY_KEY} 
@@ -48,7 +48,7 @@ The deploy pipeline (see `07-deploy-pipeline-update.md`) runs: ```bash mkdir -p /opt/iklimco/swag/dns-conf -envsubst < swag/dns-conf/godaddy.ini.tpl > /opt/iklimco/swag/dns-conf/godaddy.ini +envsubst < template/swag/dns-conf/godaddy.ini.tpl > /opt/iklimco/swag/dns-conf/godaddy.ini chmod 600 /opt/iklimco/swag/dns-conf/godaddy.ini ``` diff --git a/roadmap/test-env/04-swag-nginx-configs.md b/roadmap/test-env/04-swag-nginx-configs.md index 3f4c9bd..5692ff5 100644 --- a/roadmap/test-env/04-swag-nginx-configs.md +++ b/roadmap/test-env/04-swag-nginx-configs.md @@ -1,7 +1,7 @@ # 04 — SWAG Nginx Proxy Configs (Test) ## Context -SWAG nginx auto-includes only `site-confs/*.conf`. All proxy config templates live in `swag/site-confs/` in the repo and are rendered to `/opt/iklimco/swag/site-confs/` on the host at deploy time. +SWAG nginx auto-includes only `site-confs/*.conf`. All proxy config templates live in `template/swag/site-confs/` in the repo and are rendered to `/opt/iklimco/swag/site-confs/` on the host at deploy time. Templates use `${VAR}` placeholders processed with `envsubst` at deploy time. @@ -18,7 +18,7 @@ RESTRICTED_IPS="78.187.87.109/32,95.70.151.248/32" ## Files to create -### `swag/site-confs/default.conf` +### `template/swag/site-confs/default.conf` Default catch-all: HTTP→HTTPS redirect + 444 for unknown HTTPS hosts. ```nginx @@ -38,7 +38,7 @@ server { } ``` -### `swag/site-confs/api.conf.tpl` +### `template/swag/site-confs/api.conf.tpl` Public API gateway — no IP restriction. ```nginx @@ -63,7 +63,7 @@ server { } ``` -### `swag/site-confs/apigw.conf.tpl` +### `template/swag/site-confs/apigw.conf.tpl` APISIX Dashboard — IP restricted. ```nginx 
@@ -94,7 +94,7 @@ ${RESTRICTED_IPS_BLOCK} > `${RESTRICTED_IPS_BLOCK}` is generated at deploy time from `RESTRICTED_IPS` (comma-separated CIDRs) > as multi-line `allow` directives with `/32` suffix. See `07-deploy-pipeline-update.md` for the pipeline step. -### `swag/site-confs/rabbitmq.conf.tpl` +### `template/swag/site-confs/rabbitmq.conf.tpl` RabbitMQ Management UI — IP restricted. ```nginx @@ -122,7 +122,7 @@ ${RESTRICTED_IPS_BLOCK} } ``` -### `swag/site-confs/grafana.conf.tpl` +### `template/swag/site-confs/grafana.conf.tpl` Grafana — IP restricted. ```nginx @@ -158,7 +158,7 @@ set -a; . ./.env; . ./.env.secrets.swag; set +a docker run --rm -v /opt/iklimco/swag:/output alpine \ mkdir -p /output/dns-conf /output/site-confs -envsubst < swag/dns-conf/godaddy.ini.tpl | docker run --rm -i \ +envsubst < template/swag/dns-conf/godaddy.ini.tpl | docker run --rm -i \ -v /opt/iklimco/swag/dns-conf:/output \ alpine sh -c "cat > /output/godaddy.ini && chmod 600 /output/godaddy.ini" @@ -167,7 +167,7 @@ export RESTRICTED_IPS_BLOCK="$(echo "$RESTRICTED_IPS" | tr ',' '\n' | sed 's|.*| # Explicit var list prevents nginx $upstream_* from being substituted by envsubst SWAG_VARS='${API_SUBDOMAIN}${APIGW_SUBDOMAIN}${GRAFANA_SUBDOMAIN}${RABBITMQ_SUBDOMAIN}${RESTRICTED_IPS_BLOCK}' -for tpl in swag/site-confs/*.conf.tpl; do +for tpl in template/swag/site-confs/*.conf.tpl; do fname=$(basename "${tpl%.tpl}") envsubst "$SWAG_VARS" < "$tpl" | docker run --rm -i \ -v /opt/iklimco/swag/site-confs:/output \ @@ -175,7 +175,7 @@ for tpl in swag/site-confs/*.conf.tpl; do echo "✅ ${fname}" done -cat swag/site-confs/default.conf | docker run --rm -i \ +cat template/swag/site-confs/default.conf | docker run --rm -i \ -v /opt/iklimco/swag/site-confs:/output \ alpine sh -c "cat > /output/default.conf" ``` diff --git a/roadmap/test-env/07-deploy-pipeline-update.md b/roadmap/test-env/07-deploy-pipeline-update.md index c8f9b50..19e0301 100644 --- a/roadmap/test-env/07-deploy-pipeline-update.md 
+++ b/roadmap/test-env/07-deploy-pipeline-update.md @@ -39,7 +39,7 @@ Insert this step **before** `Deploy Swarm Stack`: docker run --rm -v /opt/iklimco/swag:/output alpine \ mkdir -p /output/dns-conf /output/site-confs - envsubst < swag/dns-conf/godaddy.ini.tpl | docker run --rm -i \ + envsubst < template/swag/dns-conf/godaddy.ini.tpl | docker run --rm -i \ -v /opt/iklimco/swag/dns-conf:/output \ alpine sh -c "cat > /output/godaddy.ini && chmod 600 /output/godaddy.ini" echo "✅ godaddy.ini written" @@ -49,7 +49,7 @@ Insert this step **before** `Deploy Swarm Stack`: # Explicit var list prevents nginx $upstream_* from being substituted by envsubst SWAG_VARS='${API_SUBDOMAIN}${APIGW_SUBDOMAIN}${GRAFANA_SUBDOMAIN}${RABBITMQ_SUBDOMAIN}${RESTRICTED_IPS_BLOCK}' - for tpl in swag/site-confs/*.conf.tpl; do + for tpl in template/swag/site-confs/*.conf.tpl; do fname=$(basename "${tpl%.tpl}") envsubst "$SWAG_VARS" < "$tpl" | docker run --rm -i \ -v /opt/iklimco/swag/site-confs:/output \ @@ -57,7 +57,7 @@ Insert this step **before** `Deploy Swarm Stack`: echo "✅ ${fname}" done - cat swag/site-confs/default.conf | docker run --rm -i \ + cat template/swag/site-confs/default.conf | docker run --rm -i \ -v /opt/iklimco/swag/site-confs:/output \ alpine sh -c "cat > /output/default.conf" diff --git a/setup-vs-roadmap-map.md b/setup-vs-roadmap-map.md index 590f474..524469b 100644 --- a/setup-vs-roadmap-map.md +++ b/setup-vs-roadmap-map.md 
@@ -21,7 +21,7 @@ Terraform/Ansible setup aşamalarından hangisinde ele alındığını gösterir | `act_runner` systemd kurulumu | **Ansible `05-test-runner-ve-deploy-onkosullari.md`** — `act_runner` role (`test-app-post-stack.yml`) | | GoDaddy credentials storagebox'a yükleme | **Manuel kalır** — secret yönetimi, Terraform/Ansible dışı | | `docker-stack-infra.yml` port kaldırma + SWAG/cert-reloader ekleme | **Pipeline `deploy-test.yml`** + **repo değişikliği** — `roadmap/test-env/03` | -| SWAG nginx proxy conf'ları (`swag/site-confs/*.conf.tpl`) | **Repo içinde teslim edildi** — `roadmap/test-env/04` | +| SWAG nginx proxy conf'ları (`template/swag/site-confs/*.conf.tpl`) | **Repo içinde teslim edildi** — `roadmap/test-env/04` | | APISIX SSL cert yükleme bloğu kaldırma (`init/apisix-core/init.sh`) | **Repo değişikliği** — `roadmap/test-env/05` | | cert-reloader sidecar servisi | **`docker-stack-infra.yml`'e eklendi** — `roadmap/test-env/06` | | Pipeline güncelleme: Prepare SWAG Dirs + Bootstrap SWAG Cert + Run DB Init | **`deploy-test.yml`** — `roadmap/test-env/07` | 
@@ -49,7 +49,7 @@ Terraform/Ansible setup aşamalarından hangisinde ele alındığını gösterir | 3× `act_runner` systemd (HA runner) | **Ansible `09-prod-runner-ha-ve-swarm.md`** — `act_runner` role | | GoDaddy credentials storagebox'a yükleme | **Manuel kalır** — secret yönetimi, Terraform/Ansible dışı | | `docker-stack-infra.yml` port kaldırma + SWAG/cert-reloader ekleme | **Repo değişikliği** — `roadmap/prod-env/03` | -| SWAG nginx proxy conf'ları (`swag/site-confs/*.conf.tpl`) | **Repo içinde teslim edildi** — `roadmap/prod-env/04` | +| SWAG nginx proxy conf'ları (`template/swag/site-confs/*.conf.tpl`) | **Repo içinde teslim edildi** — `roadmap/prod-env/04` | | APISIX SSL cert yükleme bloğu kaldırma (`init/apisix-core/init.sh`) | **Repo değişikliği** — `roadmap/prod-env/05` | | cert-reloader sidecar servisi | **`docker-stack-infra.yml`'e eklendi** — `roadmap/prod-env/06` | | Vault Raft Cluster geçiş planı | **Manuel / İleri Faz** — `roadmap/prod-env/07` | diff --git a/setup/09-prod-runner-ha-ve-swarm.md b/setup/09-prod-runner-ha-ve-swarm.md index 4f118df..71b17c3 100644 --- a/setup/09-prod-runner-ha-ve-swarm.md +++ b/setup/09-prod-runner-ha-ve-swarm.md @@ -112,11 +112,11 @@ docker secret ls Before the deploy pipeline runs, the following template files must exist in the repo: -- `swag/site-confs/default.conf` -- `swag/site-confs/api.conf.tpl` -- `swag/site-confs/apigw.conf.tpl` -- `swag/site-confs/rabbitmq.conf.tpl` -- `swag/site-confs/grafana.conf.tpl` +- `template/swag/site-confs/default.conf` +- `template/swag/site-confs/api.conf.tpl` +- `template/swag/site-confs/apigw.conf.tpl` +- `template/swag/site-confs/rabbitmq.conf.tpl` +- `template/swag/site-confs/grafana.conf.tpl` These files are created in the test environment (`test-env/04-swag-nginx-configs.md`); they are not created separately for prod. Template files are shared by both environments; prod-specific values are injected with environment variables during deploy. 
@@ -645,7 +645,7 @@ Expected: valid JSON weather response. - `PROD_FLOATING_IP` project variable is defined in Gitea. - `rabbitmq_erlang_cookie` appears in `docker secret ls`. - The `ssl`, `swag/config`, `swag/site-confs`, `grafana/data`, and `precipitation/images` directories exist on StorageBox; see `07-prod-ansible-bootstrap.md` — StorageBox Directory Structure. -- The `swag/site-confs/default.conf`, `api.conf.tpl`, `apigw.conf.tpl`, `rabbitmq.conf.tpl`, and `grafana.conf.tpl` template files exist in the repo. +- The `template/swag/site-confs/default.conf`, `api.conf.tpl`, `apigw.conf.tpl`, `rabbitmq.conf.tpl`, and `grafana.conf.tpl` template files exist in the repo. - StorageBox `prod/secrets/iklim.co/.env.prod` has correct values for `API_SUBDOMAIN`, `APIGW_SUBDOMAIN`, `RABBITMQ_SUBDOMAIN`, `GRAFANA_SUBDOMAIN`, `RESTRICTED_IPS`, `SWAG_CERT_DIR`, `SWAG_CONFIG_DIR`, and `SWAG_SITE_CONFS_DIR`. - After the first deploy, `docker exec $(docker ps -q -f name=iklimco_swag) nginx -t` succeeds and returns `syntax is ok`. - The output of `cat /mnt/storagebox/swag/site-confs/api.conf | grep server_name` contains `server_name api.iklim.co;`.
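Review bot: in `roadmap/prod-env/02-godaddy-credentials.md` @@ -40, the line `envsubst < template/swag/dns-conf/godaddy.ini.tpl > "$SWAG_CONFIG_DIR/dns-conf/godaddy.ini"` creates the credentials file under the caller's default umask, so it is readable by other host users until the following `chmod 600` runs. Wrap the redirect so the file is born private, e.g. `( umask 077; envsubst < template/swag/dns-conf/godaddy.ini.tpl > "$SWAG_CONFIG_DIR/dns-conf/godaddy.ini" )`, and apply the same change to the identical step in `roadmap/test-env/02-godaddy-credentials.md` @@ -48.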
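Review bot: in `roadmap/prod-env/04-swag-nginx-configs.md` @@ -40, `for tpl in template/swag/site-confs/*.conf.tpl; do` iterates the literal glob when nothing matches (for example a checkout that predates the move to `template/`), so `envsubst` then fails on a nonexistent file and `sudo tee` still reports success because the pipeline's status is tee's. Add `shopt -s nullglob` and an explicit check that at least one template was rendered, and run the snippet with `set -o pipefail` so a failed `envsubst` is not masked.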
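Review bot: in `roadmap/prod-env/04-swag-nginx-configs.md` @@ -74, the new line reads `template/swag/site-confs/.conf.tpl`, a path with no file stem; the name placeholder appears to have been lost in rendering. Write it as an explicit placeholder such as `template/swag/site-confs/NAME.conf.tpl` (or escape the angle brackets) so the instruction for future restricted-access subdomains is unambiguous.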
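Review bot: in `roadmap/prod-env/08-deploy-pipeline-update.md` @@ -87, `cat template/swag/site-confs/default.conf | docker run --rm -i \` can be `docker run --rm -i ... < template/swag/site-confs/default.conf`, matching the redirect style already used for `envsubst <` in the preceding hunks. The same simplification applies to `roadmap/test-env/04-swag-nginx-configs.md` @@ -175 and `roadmap/test-env/07-deploy-pipeline-update.md` @@ -57.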
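Review bot: in `roadmap/test-env/02-godaddy-credentials.md` @@ -33, the sentence "`template/swag/dns-conf/godaddy.ini.tpl` already exists in the repository root" is now misleading, since the file lives under `template/` rather than at the root. Reword to "exists in the repo at `template/swag/dns-conf/godaddy.ini.tpl` (path relative to the repository root)".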
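Review bot: in `roadmap/test-env/04-swag-nginx-configs.md` @@ -18, the hunk header shows the doc carrying concrete allow-list CIDRs (`RESTRICTED_IPS="78.187.87.109/32,95.70.151.248/32"`). The real values belong only in the `.env` held on the storagebox; use placeholder addresses in the roadmap so the operator's source networks are not published with the repo.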
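Review bot: in `roadmap/test-env/04-swag-nginx-configs.md` @@ -94, the blockquote context says `${RESTRICTED_IPS_BLOCK}` is generated "as multi-line `allow` directives with `/32` suffix", but the generator shown in the @@ -167 hunk, `sed 's|.*| allow &;|'`, adds no suffix; each entry in `RESTRICTED_IPS` must already carry its prefix length. Reword to "one `allow <cidr>;` line per comma-separated entry", and note that an empty `RESTRICTED_IPS` yields a bare ` allow ;` line that `nginx -t` rejects, so the pipeline should fail early with `[ -n "$RESTRICTED_IPS" ] || { echo "RESTRICTED_IPS is unset" >&2; exit 1; }` before rendering.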
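Review bot: in `roadmap/test-env/07-deploy-pipeline-update.md` @@ -39 and @@ -49, the step being documented is the one inserted into `deploy-test.yml` before `Deploy Swarm Stack`, yet this diff touches only markdown. Confirm that the on-disk move to `template/swag/...` and the matching edits to the workflow file land in the same change; otherwise the documented `envsubst < template/swag/dns-conf/godaddy.ini.tpl` step and the running pipeline diverge and the next deploy fails on the old path.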