ci(deploy): integrate with mirror-nginx instead of Caddy

The server's central mirror-nginx already owns 80/443 + manages TLS, so FlatRender can't run its own Caddy there. Adapt the deploy to the host-port + reverse-proxy model: - compose: Caddy moved behind `profiles: [edge]` (not started by default); frontend/ gateway/minio host ports are now EDGE_BIND + FRONTEND_PORT/GATEWAY_PORT/MINIO_PORT (so they can avoid Gitea's :3000 etc.); postgres/render stay on HOST_BIND loopback. - deploy/ENV_FILE.production.example: nginx model, pre-filled for flatrender.ir, host ports 1600/1605/1610, no Caddy/ACME vars. - deploy/mirror-nginx-flatrender.conf: ready-to-paste server blocks routing flatrender.ir / api / storage → 171.22.25.73:{1600,1605,1610}. - deploy/README.md: nginx integration + cert step. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-12 14:42:14 +03:30
parent 127f40e1c1
commit 12588b65df
4 changed files with 157 additions and 61 deletions
@@ -1,32 +1,36 @@
 # ─────────────────────────────────────────────────────────────────────────────
-# FlatRender — PRODUCTION ENV_FILE template
+# FlatRender — PRODUCTION ENV_FILE template (server: 171.22.25.73, behind mirror-nginx)
 #
-# This is the content of the Gitea repo secret named  ENV_FILE.
-# Set it at:  https://git.soroushasadi.com/soroushdes/flatrender/settings/secrets
+# This is the content of the Gitea repo secret  ENV_FILE.
+#   https://git.soroushasadi.com/soroushdes/flatrender/settings/secrets
 # The deploy job writes this verbatim to `.env`, which docker compose reads.
 #
+# TLS + domain routing is handled by the existing central mirror-nginx (it owns
+# 80/443). FlatRender does NOT run Caddy here — it publishes host ports and
+# mirror-nginx reverse-proxies the domains to them (see deploy/README.md).
+#
 # Fill every <PLACEHOLDER>. Generate secrets with:  openssl rand -hex 32
-# After editing the secret, push any commit to trigger a redeploy.
-# Changing a NEXT_PUBLIC_* value requires a redeploy (baked into the frontend at build).
+# Changing a NEXT_PUBLIC_* value requires a redeploy (baked into the frontend build).
 # ─────────────────────────────────────────────────────────────────────────────

-# ── Host port binding ────────────────────────────────────────────────────────
-# 127.0.0.1 keeps Postgres/MinIO/gateway/frontend OFF the public internet — only
-# Caddy (80/443) is public. (Docker bypasses ufw, so this binding is the real guard.)
+# ── Host-port binding ────────────────────────────────────────────────────────
+# Internal services (postgres, render) stay on loopback. The three nginx-facing
+# services publish on all interfaces so mirror-nginx can reach 171.22.25.73:PORT.
 HOST_BIND=127.0.0.1
+EDGE_BIND=0.0.0.0

-# ── Domains (DNS A-records must point at this server) ────────────────────────
-DOMAIN=flatrender.example.com
-API_DOMAIN=api.flatrender.example.com
-STORAGE_DOMAIN=storage.flatrender.example.com
-ACME_EMAIL=you@example.com
+# nginx-facing host ports (must be free on 171.22.25.73 — :3000 is Gitea, avoid it).
+FRONTEND_PORT=1600
+GATEWAY_PORT=1605
+MINIO_PORT=1610
+MINIO_CONSOLE_PORT=1611

-# ── Browser-facing URLs (baked into the frontend at build time) ──────────────
-NEXT_PUBLIC_SITE_URL=https://flatrender.example.com
-NEXT_PUBLIC_API_URL=https://api.flatrender.example.com/v1
-NEXT_PUBLIC_MINIO_URL=https://storage.flatrender.example.com
+# ── Browser-facing URLs (served by mirror-nginx over HTTPS; baked into frontend) ─
+NEXT_PUBLIC_SITE_URL=https://flatrender.ir
+NEXT_PUBLIC_API_URL=https://api.flatrender.ir/v1
+NEXT_PUBLIC_MINIO_URL=https://storage.flatrender.ir
 NEXT_PUBLIC_TENANT_SLUG=flatrender
-CORS_ORIGIN=https://flatrender.example.com
+CORS_ORIGIN=https://flatrender.ir

 # ── Core secrets ─────────────────────────────────────────────────────────────
 JWT_SECRET=<openssl rand -hex 32>
@@ -44,30 +48,27 @@ MINIO_SECRET_KEY=<openssl rand -hex 24>
 MINIO_BUCKET=flatrender-exports
 MINIO_TEMPLATES_BUCKET=flatrender-templates
 MINIO_UPLOAD_BUCKET=user-uploads
-# render-svc signs presigned URLs for the public storage domain (over HTTPS via Caddy):
-MINIO_HOST_ENDPOINT=storage.flatrender.example.com
+# render-svc signs presigned URLs for the public storage domain (HTTPS via nginx):
+MINIO_HOST_ENDPOINT=storage.flatrender.ir
 MINIO_HOST_USE_SSL=true

 # ── Render farm ──────────────────────────────────────────────────────────────
 # No AE node on the server → keep the dev worker OFF (it would mock-complete jobs).
-# Instead disable rendering in Admin → فارم رندر → موتور رندر so users see a notice.
+# Disable rendering in Admin → فارم رندر → موتور رندر so users see an "unavailable" notice.
 RENDER_DEV_WORKER=false
 RENDER_DEV_SNAPSHOTS=false

-# Gateway host port (bound to HOST_BIND above; public access is via API_DOMAIN/Caddy).
-GATEWAY_PORT=8080
-
-# ── Payments (fill the providers you actually use; leave others blank) ───────
+# ── Payments (fill the providers you use; leave others blank) ────────────────
 STRIPE_SECRET_KEY=
 STRIPE_WEBHOOK_SECRET=
 STRIPE_PUBLISHABLE_KEY=
 ZARINPAL_MERCHANT_ID=
-ZARINPAL_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/zarinpal
+ZARINPAL_CALLBACK_URL=https://api.flatrender.ir/v1/payments/callback/zarinpal
 ZARINPAL_SANDBOX=false
 SNAPPAY_CLIENT_ID=
 SNAPPAY_CLIENT_SECRET=
 SNAPPAY_BASE_URL=https://api.snappay.ir
-SNAPPAY_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/snappay
+SNAPPAY_CALLBACK_URL=https://api.flatrender.ir/v1/payments/callback/snappay
 TARA_API_KEY=
 TARA_BASE_URL=https://api.tara.ir
-TARA_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/tara
+TARA_CALLBACK_URL=https://api.flatrender.ir/v1/payments/callback/tara
@@ -1,26 +1,38 @@
-# Deploying FlatRender (Gitea CI/CD → server)
+# Deploying FlatRender (Gitea CI/CD → 171.22.25.73, behind mirror-nginx)

 Push to **Gitea** triggers `.gitea/workflows/ci-cd.yml`: a frontend `tsc` check, then a
-self-hosted `deploy` job that builds the whole compose stack and brings it up behind
-Caddy (Let's Encrypt HTTPS). GitHub (`origin`) stays a backup and never deploys.
+self-hosted `deploy` job that builds the whole compose stack and brings it up. The
+existing central **mirror-nginx** (owns 80/443, manual TLS certs) reverse-proxies the
+three public domains to FlatRender's host ports — FlatRender does **not** run Caddy here.
+GitHub (`origin`) stays a backup and never deploys.

 Stack: gateway · identity · content · studio (.NET/Go) · file · render · notification
-(Go) · Next.js frontend · Postgres · MinIO · Caddy. All package installs route through
+(Go) · Next.js frontend · Postgres · MinIO. All package installs route through
 `mirror.soroushasadi.com` (Nexus).

+```
+                      mirror-nginx (:443, /etc/ssl/flatrender)
+  flatrender.ir         → 171.22.25.73:1600  (fr2-frontend)
+  api.flatrender.ir     → 171.22.25.73:1605  (fr2-gateway)
+  storage.flatrender.ir → 171.22.25.73:1610  (fr2-minio)
+```
+
 ## One-time setup (do these BEFORE the first `git push gitea master`)

-1. **DNS** — point three A-records at the server:
-   `DOMAIN`, `API_DOMAIN`, `STORAGE_DOMAIN` (e.g. flatrender.ir / api.flatrender.ir / storage.flatrender.ir).
-2. **Firewall** — `ufw allow 22,80,443/tcp`. Everything else binds to `127.0.0.1`
-   (via `HOST_BIND=127.0.0.1` in the env), so only Caddy faces the internet.
-3. **Gitea Actions** — enabled for this repo, and an `act_runner` is registered with the
-   `self-hosted:host` label (the standard server already has this).
+1. **DNS** — three A-records → server IP: `flatrender.ir`, `api.flatrender.ir`,
+   `storage.flatrender.ir` (+ optional `www`).
+2. **TLS cert** — place a cert covering all three names at
+   `/etc/ssl/flatrender/fullchain.pem` + `/etc/ssl/flatrender/privateKey.pem`
+   (wildcard `*.flatrender.ir` + apex, or a SAN cert — your usual issuance process).
+3. **mirror-nginx** — add the server blocks from [`mirror-nginx-flatrender.conf`](./mirror-nginx-flatrender.conf)
+   to the proxy's `http{}` block, then:
+   `docker exec mirror-nginx nginx -t && docker exec mirror-nginx nginx -s reload`.
+   (Do this after the first deploy is up, or it'll 502 until the ports are live.)
 4. **ENV_FILE secret** — at `…/soroushdes/flatrender/settings/secrets`, create `ENV_FILE`
-   with the filled-in contents of [`ENV_FILE.production.example`](./ENV_FILE.production.example)
-   (generate each secret with `openssl rand -hex 32`).
-5. **Server prerequisites** (already true on the Gitea+Nexus box): Docker + compose v2,
-   `/etc/docker/daemon.json` has `{"registry-mirrors":["https://mirror.soroushasadi.com"]}`.
+   from [`ENV_FILE.production.example`](./ENV_FILE.production.example) (already filled for
+   flatrender.ir; generate each secret with `openssl rand -hex 32`).
+5. **Gitea Actions** enabled for this repo; act_runner has the `self-hosted:host` label
+   (the standard box already has this). daemon.json already mirrors Docker Hub via Nexus.

 ## Go live

@@ -28,25 +40,30 @@ Stack: gateway · identity · content · studio (.NET/Go) · file · render · n
 git push gitea master      # triggers CI + deploy
 ```

-Watch: `https://git.soroushasadi.com/soroushdes/flatrender/actions`.
-First run is the slowest (cold Nexus cache + all images build, ~15–25 min). Caddy issues
-TLS certs on first boot. Then visit `https://DOMAIN`.
+Watch `https://git.soroushasadi.com/soroushdes/flatrender/actions`. First run ~15–25 min
+(cold Nexus cache + all images build). When the deploy is green, add/reload the nginx
+blocks (step 3) and visit `https://flatrender.ir`.
+
+## Host ports (must be free on 171.22.25.73)
+
+`1600` frontend · `1605` gateway · `1610` MinIO · `1611` MinIO console. Postgres (5432)
+and render (5010) bind to `127.0.0.1` only. Avoid `:3000` (Gitea), `:8081-8083` (Nexus),
+`:1500/1505/1520` (bargevasat), `:3010/3101-3103/5080/5081` (meezi), `:3020`, `:2569`.
+Change them via `FRONTEND_PORT`/`GATEWAY_PORT`/`MINIO_PORT` in the secret if any collide.

 ## First-run notes

 - **Migrations** auto-run once via `scripts/init-db.sh` when the Postgres volume is first
-  created. Later schema changes are applied manually with `psql` (the data volume persists).
- **Admin seed** — create the first admin per the project's identity seed flow, then log in
-  at `https://DOMAIN` → admin.
- **Rendering** — there is no After Effects node on the server, so `RENDER_DEV_WORKER=false`.
-  Disable rendering in **Admin → فارم رندر → موتور رندر** so users see an "unavailable" notice
-  instead of jobs that never finish. (Point real render nodes at the server later.)
- **MinIO public URLs** — verify an uploaded image and a render download resolve over
-  `https://STORAGE_DOMAIN`. If not, recheck `MINIO_HOST_ENDPOINT` / `MINIO_HOST_USE_SSL` /
-  `NEXT_PUBLIC_MINIO_URL` in the secret and redeploy.
+  created. Later schema changes are applied manually with `psql` (the volume persists).
+- **Rendering** — no After Effects node on the server, so `RENDER_DEV_WORKER=false`.
+  Disable rendering in **Admin → فارم رندر → موتور رندر** so users see an "unavailable"
+  notice instead of jobs that never finish. Point real render nodes at the server later.
+- **MinIO public URLs** — verify an uploaded image + a render download resolve over
+  `https://storage.flatrender.ir`. If not, recheck `MINIO_HOST_ENDPOINT` /
+  `MINIO_HOST_USE_SSL` / `NEXT_PUBLIC_MINIO_URL` in the secret and redeploy.

 ## Redeploy / rotate secrets

-Edit `ENV_FILE` in Gitea (or push any commit) → the deploy job re-runs. It backs up the DB
-to `/opt/flatrender-backups/` before each deploy and never runs `docker compose down -v`.
-Changing a `NEXT_PUBLIC_*` value only takes effect after the redeploy (baked at build time).
+Edit `ENV_FILE` in Gitea (or push any commit) → the deploy re-runs. It backs up the DB to
+`/opt/flatrender-backups/` before each deploy and never runs `docker compose down -v`.
+Changing a `NEXT_PUBLIC_*` value only takes effect after the redeploy (baked at build).
@@ -0,0 +1,73 @@
+# ==========================================================================
+# FlatRender — flatrender.ir  (add inside the http{} block of mirror-nginx)
+#
+# Routes the three public domains to the FlatRender host ports on 171.22.25.73
+# (FRONTEND_PORT / GATEWAY_PORT / MINIO_PORT from the deploy ENV_FILE).
+#
+# TLS cert must exist first:  /etc/ssl/flatrender/{fullchain.pem,privateKey.pem}
+# covering  flatrender.ir + api.flatrender.ir + storage.flatrender.ir
+# (wildcard *.flatrender.ir + apex, or a SAN cert).
+#
+# Apply:  docker exec mirror-nginx nginx -t && docker exec mirror-nginx nginx -s reload
+# ==========================================================================
+
+server {
+    listen 80;
+    server_name flatrender.ir www.flatrender.ir api.flatrender.ir storage.flatrender.ir;
+    return 301 https://$host$request_uri;
+}
+
+# ── Site (Next.js frontend → FRONTEND_PORT) ───────────────────────────────
+server {
+    listen 443 ssl; http2 on;
+    server_name flatrender.ir www.flatrender.ir;
+    client_max_body_size 25m;
+    ssl_certificate     /etc/ssl/flatrender/fullchain.pem;
+    ssl_certificate_key /etc/ssl/flatrender/privateKey.pem;
+    location / {
+        proxy_pass http://171.22.25.73:1600;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+    }
+}
+
+# ── API gateway (→ GATEWAY_PORT) ──────────────────────────────────────────
+server {
+    listen 443 ssl; http2 on;
+    server_name api.flatrender.ir;
+    client_max_body_size 512m;          # large uploads routed through the gateway
+    ssl_certificate     /etc/ssl/flatrender/fullchain.pem;
+    ssl_certificate_key /etc/ssl/flatrender/privateKey.pem;
+    location / {
+        proxy_pass http://171.22.25.73:1605;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;       # render-progress WebSocket
+        proxy_set_header Connection $connection_upgrade;
+        proxy_read_timeout 3600s;
+    }
+}
+
+# ── MinIO storage (→ MINIO_PORT) ──────────────────────────────────────────
+server {
+    listen 443 ssl; http2 on;
+    server_name storage.flatrender.ir;
+    client_max_body_size 512m;
+    ssl_certificate     /etc/ssl/flatrender/fullchain.pem;
+    ssl_certificate_key /etc/ssl/flatrender/privateKey.pem;
+    location / {
+        proxy_pass http://171.22.25.73:1610;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}