Reflects a clearer organization for SWAG configuration templates across all roadmap and setup documentation. This standardizes references to template files by explicitly including the `template/` subdirectory, improving clarity and distinction from generated configuration files.
2.7 KiB
04 — SWAG Nginx Proxy Configs (Prod)
Context
Same template files as in the test environment (template/swag/site-confs/*.conf.tpl); only the env vars differ.
The pipeline renders the templates with the prod-specific subdomain values.
Required env vars (in .env; on the StorageBox this is prod/secrets/iklim.co/.env.prod)
API_SUBDOMAIN=api.iklim.co
APIGW_SUBDOMAIN=apigw.iklim.co
RABBITMQ_SUBDOMAIN=rabbitmq.iklim.co
GRAFANA_SUBDOMAIN=grafana.iklim.co
RESTRICTED_IPS="78.187.87.109/32,95.70.151.248/32"
# SWAG storage paths — StorageBox is mounted on all app nodes, shared filesystem
# cert-reloader writes here; Vault reads from this path on every node — no SSH distribution needed
SWAG_CERT_DIR=/mnt/storagebox/ssl
# SWAG config dirs on StorageBox — all three survive node failover without pipeline re-run
SWAG_CONFIG_DIR=/mnt/storagebox/swag/config
SWAG_SITE_CONFS_DIR=/mnt/storagebox/swag/site-confs
Template files (already created in test step 04)
template/swag/site-confs/default.conf
template/swag/site-confs/api.conf.tpl
template/swag/site-confs/apigw.conf.tpl
template/swag/site-confs/rabbitmq.conf.tpl
template/swag/site-confs/grafana.conf.tpl
No new files to create — the same templates work for both environments.
Deploy step (handled by pipeline — see 08-deploy-pipeline-update.md)
# Run from the repo root; .env here is the prod env file placed by the pipeline.
set -euo pipefail
set -a; . ./.env; set +a
# One "allow <cidr>;" line per entry in RESTRICTED_IPS. Blank entries are dropped
# so a stray trailing comma cannot produce an "allow ;" that fails nginx -t.
export RESTRICTED_IPS_BLOCK="$(echo "$RESTRICTED_IPS" | tr ',' '\n' | sed '/^[[:space:]]*$/d; s|.*| allow &;|')"
mkdir -p "$SWAG_SITE_CONFS_DIR"
# Restrict envsubst to exactly these variables so nginx's own $host, $remote_addr,
# $uri etc. inside the templates are left untouched.
SWAG_VARS='${API_SUBDOMAIN}${APIGW_SUBDOMAIN}${GRAFANA_SUBDOMAIN}${RABBITMQ_SUBDOMAIN}${RESTRICTED_IPS_BLOCK}'
for tpl in template/swag/site-confs/*.conf.tpl; do
  out="$SWAG_SITE_CONFS_DIR/$(basename "${tpl%.tpl}")"
  envsubst "$SWAG_VARS" < "$tpl" | sudo tee "$out" > /dev/null
  echo "✅ $out"
done
# default.conf contains no placeholders; copy it unchanged.
sudo cp template/swag/site-confs/default.conf "$SWAG_SITE_CONFS_DIR/default.conf"
With API_SUBDOMAIN=api.iklim.co, the output file $SWAG_SITE_CONFS_DIR/api.conf
(/mnt/storagebox/swag/site-confs/api.conf) will contain server_name api.iklim.co; — correct for prod.
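An unset env var does not make envsubst fail; it silently leaves the `${VAR}` placeholder in the rendered file, and an allow-list that is not closed by `deny all;` restricts nothing. The script below is an added example (not part of this runbook or the iklim.co pipeline) of the post-render checks a deploy step can run before the files are copied into $SWAG_SITE_CONFS_DIR and `nginx -t` is called. The function names build_allow_block and check_site_conf are chosen here, and the confs it writes are constructed for the demo rather than taken from the real templates.

```shell
#!/bin/sh
# Added example, not code from the iklim.co pipeline: sanity-check a rendered
# SWAG site-conf before it is copied to $SWAG_SITE_CONFS_DIR and `nginx -t` runs.
# The sample confs written by demo() are constructed for this demo.
set -eu

# Build the nginx allow-list from a comma-separated CIDR list, one "allow" per
# line, the same transformation the deploy step applies to RESTRICTED_IPS.
# Blank entries (e.g. a trailing comma) are dropped so no "allow ;" reaches nginx.
build_allow_block() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -e '/^[[:space:]]*$/d' -e 's|.*|    allow &;|'
}

# Check a rendered conf. Returns 0 when it passes, 1 (with a reason on stderr) when:
#  - a deploy-time ${VAR} placeholder survived envsubst (env var unset or missing
#    from SWAG_VARS),
#  - server_name is not the expected prod host, or
#  - "allow" directives are present but no "deny all;" closes the list
#    (without that line the allow-list admits everyone).
check_site_conf() {
    conf="$1"
    expected_host="$2"
    if grep -Eq '\$\{(API|APIGW|GRAFANA|RABBITMQ)_SUBDOMAIN\}|\$\{RESTRICTED_IPS_BLOCK\}' "$conf"; then
        echo "$conf: unexpanded template variable" >&2
        return 1
    fi
    if ! grep -Fq "server_name $expected_host;" "$conf"; then
        echo "$conf: server_name is not $expected_host" >&2
        return 1
    fi
    if grep -Eq '^[[:space:]]*allow ' "$conf" && ! grep -Eq '^[[:space:]]*deny all;' "$conf"; then
        echo "$conf: allow-list without a closing 'deny all;'" >&2
        return 1
    fi
    return 0
}

# Demo on constructed confs (the real ones come from envsubst in the deploy step).
demo() {
    dir=$(mktemp -d)
    allow_block=$(build_allow_block "78.187.87.109/32,95.70.151.248/32,")
    # Good: a rendered restricted conf with both allow lines and a closing deny all.
    printf 'server {\n    listen 443 ssl;\n    server_name grafana.iklim.co;\n    location / {\n%s\n        deny all;\n    }\n}\n' "$allow_block" > "$dir/grafana.conf"
    # Bad: GRAFANA_SUBDOMAIN was not set when envsubst ran, so the placeholder survived.
    printf 'server {\n    server_name ${GRAFANA_SUBDOMAIN};\n}\n' > "$dir/grafana-unset.conf"
    check_site_conf "$dir/grafana.conf" grafana.iklim.co && echo "grafana.conf ok"
    check_site_conf "$dir/grafana-unset.conf" grafana.iklim.co || echo "grafana-unset.conf rejected (expected)"
    rm -rf "$dir"
}
demo
```

In the pipeline the check would run inside the render loop, right after `envsubst`, with the expected host taken from the matching env var, and a non-zero exit would abort the deploy before anything is copied to the shared StorageBox path.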
Verification
After deploy, on iklim-app-01:
grep server_name /mnt/storagebox/swag/site-confs/api.conf
Expected: server_name api.iklim.co;
docker exec $(docker ps -q -f name=iklimco_swag) nginx -t
Expected: syntax is ok
curl -si https://api.iklim.co/health
Expected: APISIX response with a valid *.iklim.co cert (run without -k so curl actually validates the chain).
For any host whose template uses ${RESTRICTED_IPS_BLOCK}, a request from an address outside RESTRICTED_IPS should be refused with HTTP 403, not served.
Notes
- Prometheus is intentionally NOT exposed via SWAG. Access it via Grafana (internal connection: http://prometheus:9090) or an SSH tunnel.
- If additional restricted-access subdomains are needed in the future, create a new template/swag/site-confs/<name>.conf.tpl following the same pattern.
- The allow/deny list acts on the client address nginx sees. If another proxy or CDN is ever placed in front of SWAG, every request arrives from that proxy's address and the list will block everyone or admit everyone; nginx's real_ip module (set_real_ip_from / real_ip_header) must be configured first before relying on RESTRICTED_IPS.