Environment_Infrastructure/roadmap/prod-env/04-swag-nginx-configs.md
Murat ÖZDEMİR f4b7f49968 chore: prepare prod ansible and db operations
Add the Ansible README and expand prod bootstrap coverage for StorageBox keys, DB labels, DB stack configuration, and act runner setup. Update MongoDB configuration for replica set support and refresh prod roadmap/setup documentation for Swarm labels, StorageBox-backed cert paths, and recovery guidance.
2026-05-15 20:39:57 +03:00

2.4 KiB

04 — SWAG Nginx Proxy Configs (Prod)

Context

Same template files as test (swag/proxy-confs/*.conf.tpl), different env vars. The pipeline processes templates with prod-specific subdomain values.

Required env vars (in .env, stored on the StorageBox at prod/secrets/iklim.co/.env.prod)

API_SUBDOMAIN=api.iklim.co
APIGW_SUBDOMAIN=apigw.iklim.co
RABBITMQ_SUBDOMAIN=rabbitmq.iklim.co
GRAFANA_SUBDOMAIN=grafana.iklim.co
RESTRICTED_IP_1=78.187.87.109
RESTRICTED_IP_2=95.70.151.248

# SWAG storage paths — StorageBox so certs are accessible from any app node
# cert-reloader writes here; Vault reads from here on any manager node
SWAG_CERT_DIR=/mnt/storagebox/prod/ssl
# SWAG full config dir (includes letsencrypt state) — enables clean node failover
SWAG_CONFIG_DIR=/mnt/storagebox/prod/swag/config

Template files (already created in test step 04)

  • swag/site-confs/default.conf
  • swag/proxy-confs/api.conf.tpl
  • swag/proxy-confs/apigw.conf.tpl
  • swag/proxy-confs/rabbitmq.conf.tpl
  • swag/proxy-confs/grafana.conf.tpl

No new files to create — the same templates work for both environments.

Deploy step (handled by pipeline — see 08-deploy-pipeline-update.md)

set -a; . ./.env; set +a
export RESTRICTED_IP_1="78.187.87.109"
export RESTRICTED_IP_2="95.70.151.248"

sudo mkdir -p /opt/iklimco/swag/proxy-confs /opt/iklimco/swag/site-confs

# Substitute only the template variables. A bare `envsubst` would also rewrite
# nginx's own runtime variables ($host, $remote_addr, $http_upgrade, ...) inside
# the templates, replacing them with empty strings.
TPL_VARS='${API_SUBDOMAIN} ${APIGW_SUBDOMAIN} ${RABBITMQ_SUBDOMAIN} ${GRAFANA_SUBDOMAIN} ${RESTRICTED_IP_1} ${RESTRICTED_IP_2}'

for tpl in swag/proxy-confs/*.conf.tpl; do
  out="/opt/iklimco/swag/proxy-confs/$(basename "${tpl%.tpl}")"
  envsubst "$TPL_VARS" < "$tpl" | sudo tee "$out" > /dev/null
  echo "✅ $out"
done

sudo cp swag/site-confs/default.conf /opt/iklimco/swag/site-confs/default.conf

With API_SUBDOMAIN=api.iklim.co, the output file /opt/iklimco/swag/proxy-confs/api.conf will contain server_name api.iklim.co; — correct for prod.
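The render step above is worth checking before a conf reaches SWAG: a placeholder left unrendered, or an nginx runtime variable such as $host clobbered by an over-eager substitution, only shows up when nginx -t fails or, worse, when the allow/deny list silently stops matching. The script below is an added example, not part of the roadmap or the iklimco pipeline. It renders a constructed proxy-conf template modelled on the restricted-access pattern (allow-list plus deny all), substituting only an explicit list of variable names, and then verifies the output. Plain sed stands in for `envsubst '${VAR1} ${VAR2} ...'`, which has the same semantics for the listed names; the function names render_template, check_rendered and render_demo, the temporary working directory and the template text are assumptions of the example, while the variable values are the ones from the prod .env listing above.

```shell
#!/bin/sh
# Added example (not the project's pipeline code): render a proxy-conf template
# substituting ONLY an explicit allow-list of variables, then verify the result.
# Template text and working directory are constructed for this example.

WORK="${TMPDIR:-/tmp}/swag-render-$$"
mkdir -p "$WORK/proxy-confs" "$WORK/out"

# Constructed template modelled on a restricted-access subdomain. The nginx
# runtime variables $host and $remote_addr must survive rendering untouched;
# a bare `envsubst` would blank them.
cat > "$WORK/proxy-confs/grafana.conf.tpl" <<'EOF'
server {
    listen 443 ssl;
    server_name ${GRAFANA_SUBDOMAIN};

    allow ${RESTRICTED_IP_1};
    allow ${RESTRICTED_IP_2};
    deny all;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://grafana:3000;
    }
}
EOF

# render_template TEMPLATE OUTPUT NAME...
# Replaces ${NAME} for each listed variable; every other $token in the
# template is left exactly as written (same behaviour as envsubst with a
# variable list). NAME arguments are supplied by the caller, never by input.
render_template() {
  tpl=$1; out=$2; shift 2
  script=''
  for name in "$@"; do
    eval "value=\${$name}"
    [ -n "$value" ] || { echo "missing variable: $name" >&2; return 1; }
    # escape sed replacement metacharacters (&, /, \) in the value
    value=$(printf '%s' "$value" | sed 's/[&/\]/\\&/g')
    script="$script${script:+;}"'s/\${'"$name"'}/'"$value"'/g'
  done
  sed "$script" "$tpl" > "$out"
}

# check_rendered FILE
# Rejects a rendered conf that still contains a ${...} placeholder, that lost
# nginx's $host variable, or that is missing its deny-all fallback.
check_rendered() {
  f=$1
  if grep -q '\${' "$f"; then
    echo "unresolved placeholder in $f" >&2; return 1
  fi
  grep -q 'proxy_set_header Host \$host;' "$f" || { echo "\$host lost in $f" >&2; return 1; }
  grep -q '^ *deny all;' "$f" || { echo "no deny-all in $f" >&2; return 1; }
  return 0
}

# Values from the prod .env listing; the pipeline sources them from .env.prod.
GRAFANA_SUBDOMAIN=grafana.iklim.co
RESTRICTED_IP_1=78.187.87.109
RESTRICTED_IP_2=95.70.151.248

# render_demo: render the constructed template and verify it; returns 0 on success.
render_demo() {
  render_template "$WORK/proxy-confs/grafana.conf.tpl" "$WORK/out/grafana.conf" \
    GRAFANA_SUBDOMAIN RESTRICTED_IP_1 RESTRICTED_IP_2 || return 1
  check_rendered "$WORK/out/grafana.conf"
}

if render_demo; then
  echo "rendered and verified: $WORK/out/grafana.conf"
else
  echo "rendering failed" >&2
fi
```

In the real pipeline the same check can run right after the envsubst loop, before `nginx -t`: a conf that still contains `${` never had its .env loaded, and a conf whose `$host` vanished was rendered with the unrestricted envsubst.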

Verification

After deploy, on iklim-app-01:

grep server_name /opt/iklimco/swag/proxy-confs/api.conf

Expected: server_name api.iklim.co;

docker exec $(docker ps -q -f name=iklimco_swag) nginx -t

Expected: syntax is ok

curl -si https://api.iklim.co/health

Expected: APISIX response with valid *.iklim.co cert.

Notes

  • Prometheus is intentionally NOT exposed via SWAG. Access it via Grafana (internal connection: http://prometheus:9090) or SSH tunnel.
  • If additional restricted-access subdomains are needed in the future, create a new swag/proxy-confs/<name>.conf.tpl following the same pattern.