# 04 — SWAG Nginx Proxy Configs (Prod)

## Context

Same template files as test (`swag/site-confs/*.conf.tpl`), different env vars. The pipeline renders the templates with prod-specific subdomain values.

## Required env vars (in `.env` on storagebox `prod/secrets/iklim.co/.env.prod`)

```bash
API_SUBDOMAIN=api.iklim.co
APIGW_SUBDOMAIN=apigw.iklim.co
RABBITMQ_SUBDOMAIN=rabbitmq.iklim.co
GRAFANA_SUBDOMAIN=grafana.iklim.co
RESTRICTED_IPS="78.187.87.109/32,95.70.151.248/32"

# SWAG storage paths — StorageBox is mounted on all app nodes, shared filesystem
# cert-reloader writes here; Vault reads from this path on every node — no SSH distribution needed
SWAG_CERT_DIR=/mnt/storagebox/ssl

# SWAG config dirs on StorageBox — all three survive node failover without pipeline re-run
SWAG_CONFIG_DIR=/mnt/storagebox/swag/config
SWAG_SITE_CONFS_DIR=/mnt/storagebox/swag/site-confs
```

## Template files (already created in test step 04)

- `swag/site-confs/default.conf`
- `swag/site-confs/api.conf.tpl`
- `swag/site-confs/apigw.conf.tpl`
- `swag/site-confs/rabbitmq.conf.tpl`
- `swag/site-confs/grafana.conf.tpl`

No new files to create — the same templates work for both environments.

## Deploy step (handled by pipeline — see `08-deploy-pipeline-update.md`)

```bash
# Load the env file into the environment so envsubst can see the variables
set -a; . ./.env; set +a

# Expand "a/32,b/32" into one nginx "allow" directive per entry
export RESTRICTED_IPS_BLOCK="$(echo "$RESTRICTED_IPS" | tr ',' '\n' | sed 's|.*| allow &;|')"

# Target dir lives on the StorageBox mount; writes below use sudo, so create it the same way
sudo mkdir -p "$SWAG_SITE_CONFS_DIR"

# Whitelist of variables envsubst may replace: nginx's own $host, $remote_addr etc.
# in the templates must stay literal, so do NOT run envsubst without this argument
SWAG_VARS='${API_SUBDOMAIN}${APIGW_SUBDOMAIN}${GRAFANA_SUBDOMAIN}${RABBITMQ_SUBDOMAIN}${RESTRICTED_IPS_BLOCK}'

for tpl in swag/site-confs/*.conf.tpl; do
  out="$SWAG_SITE_CONFS_DIR/$(basename "${tpl%.tpl}")"   # api.conf.tpl -> api.conf
  envsubst "$SWAG_VARS" < "$tpl" | sudo tee "$out" > /dev/null
  echo "✅ $out"
done

# default.conf has no placeholders, copy it verbatim
sudo cp swag/site-confs/default.conf "$SWAG_SITE_CONFS_DIR/default.conf"
```

With `API_SUBDOMAIN=api.iklim.co`, the output file `$SWAG_SITE_CONFS_DIR/api.conf` (`/mnt/storagebox/swag/site-confs/api.conf`) will contain `server_name api.iklim.co;` — correct for prod.
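The rendering step above is easier to reason about, and to test before anything touches the StorageBox, when it is reproduced offline. The following is an added example, not part of this runbook or the pipeline: it emulates `envsubst "$SWAG_VARS"` in Python (substituting only the whitelisted names, so nginx's own `$host` and `$remote_addr` survive), builds `RESTRICTED_IPS_BLOCK` from `RESTRICTED_IPS`, and adds one check the pipeline does not have: every entry must be a valid CIDR and the list must not be empty, because an empty `RESTRICTED_IPS` would otherwise render `allow ;` and only fail at `nginx -t`. The `.env` text and the `grafana.conf.tpl` content are constructed for the example; the real templates are not shown on this page.

```python
"""Offline render of SWAG site-confs, emulating the prod deploy step.

Added example for the runbook; the template and .env text below are
constructed, not the project's real files.
"""
import ipaddress
import re

# Names the deploy step lets envsubst replace (the SWAG_VARS whitelist on the page).
SWAG_VARS = (
    "API_SUBDOMAIN", "APIGW_SUBDOMAIN", "GRAFANA_SUBDOMAIN",
    "RABBITMQ_SUBDOMAIN", "RESTRICTED_IPS_BLOCK",
)

# Constructed .env content, values as listed in the runbook.
ENV_PROD = """\
API_SUBDOMAIN=api.iklim.co
APIGW_SUBDOMAIN=apigw.iklim.co
RABBITMQ_SUBDOMAIN=rabbitmq.iklim.co
GRAFANA_SUBDOMAIN=grafana.iklim.co
RESTRICTED_IPS="78.187.87.109/32,95.70.151.248/32"
"""

# Constructed stand-in for grafana.conf.tpl (hypothetical content).
# Note the nginx runtime variables $host / $remote_addr next to the ${...} placeholders.
GRAFANA_TPL = """\
server {
    listen 443 ssl;
    server_name ${GRAFANA_SUBDOMAIN};
    location / {
${RESTRICTED_IPS_BLOCK}
        deny all;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://grafana:3000;
    }
}
"""

_VAR_RE = re.compile(r"\$(?:\{([A-Za-z_]\w*)\}|([A-Za-z_]\w*))")


def parse_env(text):
    """Minimal KEY=VALUE parser; strips one layer of surrounding quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def allow_block(restricted_ips):
    """Turn 'a/32,b/32' into nginx allow lines (same shape as the sed on the page),
    but refuse empty or malformed entries instead of emitting 'allow ;'."""
    entries = [e.strip() for e in restricted_ips.split(",") if e.strip()]
    if not entries:
        raise ValueError("RESTRICTED_IPS is empty; refusing to render an empty allow list")
    for entry in entries:
        ipaddress.ip_network(entry, strict=True)  # ValueError on a typo such as 300.1.1.1/32
    return "\n".join(f" allow {e};" for e in entries)


def render(template, env, allowed=SWAG_VARS):
    """Substitute $NAME / ${NAME} only for NAME in `allowed`, like envsubst "$SWAG_VARS".
    Any other $token is left untouched for nginx to interpret."""
    def sub(match):
        name = match.group(1) or match.group(2)
        return env.get(name, "") if name in allowed else match.group(0)
    return _VAR_RE.sub(sub, template)


def render_site_confs(env_text, templates):
    """Render every template in `templates` ({output name: template text})."""
    env = parse_env(env_text)
    env["RESTRICTED_IPS_BLOCK"] = allow_block(env.get("RESTRICTED_IPS", ""))
    return {name: render(tpl, env) for name, tpl in templates.items()}


if __name__ == "__main__":
    rendered = render_site_confs(ENV_PROD, {"grafana.conf": GRAFANA_TPL})
    print(rendered["grafana.conf"])
```

One consequence of the whitelist is worth keeping in mind when a new restricted subdomain is added: a `${NEW_SUBDOMAIN}` placeholder in a new template is left literally in the output unless the name is also appended to `SWAG_VARS` in the pipeline, and `nginx -t` will then reject the config.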
## Verification

After deploy, on iklim-app-01:

```bash
grep server_name /mnt/storagebox/swag/site-confs/api.conf
```

Expected: `server_name api.iklim.co;`

```bash
docker exec $(docker ps -q -f name=iklimco_swag) nginx -t
```

Expected: `syntax is ok`

```bash
curl -si https://api.iklim.co/health
```

Expected: APISIX response with valid `*.iklim.co` cert.

## Notes

- `Prometheus` is intentionally NOT exposed via SWAG. Access it via Grafana (internal connection: `http://prometheus:9090`) or SSH tunnel.
- If additional restricted-access subdomains are needed in the future, create a new `*.conf.tpl` under `swag/site-confs/` following the same pattern.