Environment_Infrastructure/roadmap/prod-env/04-swag-nginx-configs.md
Murat ÖZDEMİR f4b7f49968 chore: prepare prod ansible and db operations
Add the Ansible README and expand prod bootstrap coverage for StorageBox keys, DB labels, DB stack configuration, and act runner setup. Update MongoDB configuration for replica set support and refresh prod roadmap/setup documentation for Swarm labels, StorageBox-backed cert paths, and recovery guidance.
2026-05-15 20:39:57 +03:00


# 04 — SWAG Nginx Proxy Configs (Prod)
## Context
Same template files as test (`swag/proxy-confs/*.conf.tpl`), different env vars.
The pipeline processes templates with prod-specific subdomain values.
## Required env vars (in `.env` on storagebox `prod/secrets/iklim.co/.env.prod`)
```bash
API_SUBDOMAIN=api.iklim.co
APIGW_SUBDOMAIN=apigw.iklim.co
RABBITMQ_SUBDOMAIN=rabbitmq.iklim.co
GRAFANA_SUBDOMAIN=grafana.iklim.co
RESTRICTED_IP_1=78.187.87.109
RESTRICTED_IP_2=95.70.151.248
# SWAG storage paths — StorageBox so certs are accessible from any app node
# cert-reloader writes here; Vault reads from here on any manager node
SWAG_CERT_DIR=/mnt/storagebox/prod/ssl
# SWAG full config dir (includes letsencrypt state) — enables clean node failover
SWAG_CONFIG_DIR=/mnt/storagebox/prod/swag/config
```
## Template files (already created in test step 04)
- `swag/site-confs/default.conf`
- `swag/proxy-confs/api.conf.tpl`
- `swag/proxy-confs/apigw.conf.tpl`
- `swag/proxy-confs/rabbitmq.conf.tpl`
- `swag/proxy-confs/grafana.conf.tpl`
No new files to create — the same templates work for both environments.
## Deploy step (handled by pipeline — see `08-deploy-pipeline-update.md`)
```bash
set -a; . ./.env; set +a
export RESTRICTED_IP_1="78.187.87.109"
export RESTRICTED_IP_2="95.70.151.248"
sudo mkdir -p /opt/iklimco/swag/proxy-confs /opt/iklimco/swag/site-confs
for tpl in swag/proxy-confs/*.conf.tpl; do
  out="/opt/iklimco/swag/proxy-confs/$(basename "${tpl%.tpl}")"
  envsubst < "$tpl" | sudo tee "$out" > /dev/null
  echo "✅ $out"
done
sudo cp swag/site-confs/default.conf /opt/iklimco/swag/site-confs/default.conf
```
With `API_SUBDOMAIN=api.iklim.co`, the output file `/opt/iklimco/swag/proxy-confs/api.conf`
will contain `server_name api.iklim.co;` — correct for prod.
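As an added example (not the repo's pipeline script), the render step written to substitute only an allowlist of `${NAME}` placeholders and to fail closed on an unknown or empty one: a bare `envsubst` with no variable list also rewrites nginx's own `$host`/`$remote_addr` references and puts an empty string wherever a variable is unset, which only surfaces later as a broken `server_name ;` at `nginx -t`. The sample template and its upstream name are constructed for the demo, and the renderer assumes templates use the braced `${NAME}` form.

```bash
#!/usr/bin/env bash
# Added example, not the repo's pipeline script: substitute ONLY allowlisted ${NAME}
# placeholders, fail closed on unknown/empty ones, leave nginx's own $host etc. intact.
set -eu
# render_tpl <template> "<NAME1 NAME2 ...>" -> rendered config on stdout
# exit 2: placeholder not allowlisted; exit 3: allowlisted variable unset or empty
render_tpl() {
  awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    {
      line = $0; out = ""
      while (match(line, /\$[{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
        name = substr(line, RSTART + 2, RLENGTH - 3)
        if (!(name in ok)) { print "unknown placeholder: " name > "/dev/stderr"; exit 2 }
        if (!(name in ENVIRON) || ENVIRON[name] == "") { print "empty variable: " name > "/dev/stderr"; exit 3 }
        out = out substr(line, 1, RSTART - 1) ENVIRON[name]
        line = substr(line, RSTART + RLENGTH)
      }
      print out line
    }' "$1"
}
# render_all <template dir> <output dir>: render to a temp file and mv it into place,
# so a failed render never leaves a half-written *.conf behind for SWAG to load.
render_all() {
  mkdir -p "$2"
  for tpl in "$1"/*.conf.tpl; do
    out="$2/$(basename "${tpl%.tpl}")"
    render_tpl "$tpl" "$ALLOW" > "$out.new" || { rm -f "$out.new"; return 1; }
    mv "$out.new" "$out"
  done
}
ALLOW="API_SUBDOMAIN RESTRICTED_IP_1 RESTRICTED_IP_2"
export API_SUBDOMAIN=api.iklim.co RESTRICTED_IP_1=78.187.87.109 RESTRICTED_IP_2=95.70.151.248
# Constructed sample template; the upstream name is a placeholder, not the real service.
WORK=$(mktemp -d)
cat > "$WORK/api.conf.tpl" <<'EOF'
server {
    server_name ${API_SUBDOMAIN};
    allow ${RESTRICTED_IP_1};
    allow ${RESTRICTED_IP_2};
    deny all;
    location / {
        proxy_set_header Host $host;
        proxy_pass http://api-upstream:8080;
    }
}
EOF
render_all "$WORK" "$WORK/out"
grep -nE 'server_name|\$host' "$WORK/out/api.conf"
```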
## Verification
After deploy, on iklim-app-01:
```bash
grep server_name /opt/iklimco/swag/proxy-confs/api.conf
```
Expected: `server_name api.iklim.co;`
```bash
docker exec $(docker ps -q -f name=iklimco_swag) nginx -t
```
Expected: `syntax is ok`
```bash
curl -si https://api.iklim.co/health
```
Expected: APISIX response with valid `*.iklim.co` cert.
## Notes
- `Prometheus` is intentionally NOT exposed via SWAG. Access it via Grafana
(internal connection: `http://prometheus:9090`) or SSH tunnel.
- If additional restricted-access subdomains are needed in the future, create a new
`swag/proxy-confs/<name>.conf.tpl` following the same pattern.