ci(deploy): integrate with mirror-nginx instead of Caddy

The server's central mirror-nginx already owns 80/443 + manages TLS, so FlatRender
can't run its own Caddy there. Adapt the deploy to the host-port + reverse-proxy model:

- compose: Caddy moved behind `profiles: [edge]` (not started by default); frontend/
  gateway/minio host ports are now EDGE_BIND + FRONTEND_PORT/GATEWAY_PORT/MINIO_PORT
  (so they can avoid Gitea's :3000 etc.); postgres/render stay on HOST_BIND loopback.
- deploy/ENV_FILE.production.example: nginx model, pre-filled for flatrender.ir,
  host ports 1600/1605/1610, no Caddy/ACME vars.
- deploy/mirror-nginx-flatrender.conf: ready-to-paste server blocks routing
  flatrender.ir / api / storage → 171.22.25.73:{1600,1605,1610}.
- deploy/README.md: nginx integration + cert step.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

deploy/ENV_FILE.production.example

@@ -1,32 +1,36 @@
 # ─────────────────────────────────────────────────────────────────────────────
-# FlatRender — PRODUCTION ENV_FILE template
+# FlatRender — PRODUCTION ENV_FILE template (server: 171.22.25.73, behind mirror-nginx)
 #
-# This is the content of the Gitea repo secret named  ENV_FILE.
+# This is the content of the Gitea repo secret  ENV_FILE.
-# Set it at:  https://git.soroushasadi.com/soroushdes/flatrender/settings/secrets
+#   https://git.soroushasadi.com/soroushdes/flatrender/settings/secrets
 # The deploy job writes this verbatim to `.env`, which docker compose reads.
 #
+# TLS + domain routing is handled by the existing central mirror-nginx (it owns
+# 80/443). FlatRender does NOT run Caddy here — it publishes host ports and
+# mirror-nginx reverse-proxies the domains to them (see deploy/README.md).
+#
 # Fill every <PLACEHOLDER>. Generate secrets with:  openssl rand -hex 32
-# After editing the secret, push any commit to trigger a redeploy.
+# Changing a NEXT_PUBLIC_* value requires a redeploy (baked into the frontend build).
-# Changing a NEXT_PUBLIC_* value requires a redeploy (baked into the frontend at build).
 # ─────────────────────────────────────────────────────────────────────────────
 
-# ── Host port binding ────────────────────────────────────────────────────────
+# ── Host-port binding ────────────────────────────────────────────────────────
-# 127.0.0.1 keeps Postgres/MinIO/gateway/frontend OFF the public internet — only
+# Internal services (postgres, render) stay on loopback. The three nginx-facing
-# Caddy (80/443) is public. (Docker bypasses ufw, so this binding is the real guard.)
+# services publish on all interfaces so mirror-nginx can reach 171.22.25.73:PORT.
 HOST_BIND=127.0.0.1
+EDGE_BIND=0.0.0.0
 
-# ── Domains (DNS A-records must point at this server) ────────────────────────
+# nginx-facing host ports (must be free on 171.22.25.73 — :3000 is Gitea, avoid it).
-DOMAIN=flatrender.example.com
+FRONTEND_PORT=1600
-API_DOMAIN=api.flatrender.example.com
+GATEWAY_PORT=1605
-STORAGE_DOMAIN=storage.flatrender.example.com
+MINIO_PORT=1610
-ACME_EMAIL=you@example.com
+MINIO_CONSOLE_PORT=1611
 
-# ── Browser-facing URLs (baked into the frontend at build time) ──────────────
+# ── Browser-facing URLs (served by mirror-nginx over HTTPS; baked into frontend) ─
-NEXT_PUBLIC_SITE_URL=https://flatrender.example.com
+NEXT_PUBLIC_SITE_URL=https://flatrender.ir
-NEXT_PUBLIC_API_URL=https://api.flatrender.example.com/v1
+NEXT_PUBLIC_API_URL=https://api.flatrender.ir/v1
-NEXT_PUBLIC_MINIO_URL=https://storage.flatrender.example.com
+NEXT_PUBLIC_MINIO_URL=https://storage.flatrender.ir
 NEXT_PUBLIC_TENANT_SLUG=flatrender
-CORS_ORIGIN=https://flatrender.example.com
+CORS_ORIGIN=https://flatrender.ir
 
 # ── Core secrets ─────────────────────────────────────────────────────────────
 JWT_SECRET=<openssl rand -hex 32>
@@ -44,30 +48,27 @@ MINIO_SECRET_KEY=<openssl rand -hex 24>
 MINIO_BUCKET=flatrender-exports
 MINIO_TEMPLATES_BUCKET=flatrender-templates
 MINIO_UPLOAD_BUCKET=user-uploads
-# render-svc signs presigned URLs for the public storage domain (over HTTPS via Caddy):
+# render-svc signs presigned URLs for the public storage domain (HTTPS via nginx):
-MINIO_HOST_ENDPOINT=storage.flatrender.example.com
+MINIO_HOST_ENDPOINT=storage.flatrender.ir
 MINIO_HOST_USE_SSL=true
 
 # ── Render farm ──────────────────────────────────────────────────────────────
 # No AE node on the server → keep the dev worker OFF (it would mock-complete jobs).
-# Instead disable rendering in Admin → فارم رندر → موتور رندر so users see a notice.
+# Disable rendering in Admin → فارم رندر → موتور رندر so users see an "unavailable" notice.
 RENDER_DEV_WORKER=false
 RENDER_DEV_SNAPSHOTS=false
 
-# Gateway host port (bound to HOST_BIND above; public access is via API_DOMAIN/Caddy).
+# ── Payments (fill the providers you use; leave others blank) ────────────────
-GATEWAY_PORT=8080
-
-# ── Payments (fill the providers you actually use; leave others blank) ───────
 STRIPE_SECRET_KEY=
 STRIPE_WEBHOOK_SECRET=
 STRIPE_PUBLISHABLE_KEY=
 ZARINPAL_MERCHANT_ID=
-ZARINPAL_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/zarinpal
+ZARINPAL_CALLBACK_URL=https://api.flatrender.ir/v1/payments/callback/zarinpal
 ZARINPAL_SANDBOX=false
 SNAPPAY_CLIENT_ID=
 SNAPPAY_CLIENT_SECRET=
 SNAPPAY_BASE_URL=https://api.snappay.ir
-SNAPPAY_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/snappay
+SNAPPAY_CALLBACK_URL=https://api.flatrender.ir/v1/payments/callback/snappay
 TARA_API_KEY=
 TARA_BASE_URL=https://api.tara.ir
-TARA_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/tara
+TARA_CALLBACK_URL=https://api.flatrender.ir/v1/payments/callback/tara

deploy/README.md

@@ -1,26 +1,38 @@
-# Deploying FlatRender (Gitea CI/CD → server)
+# Deploying FlatRender (Gitea CI/CD → 171.22.25.73, behind mirror-nginx)
 
 Push to **Gitea** triggers `.gitea/workflows/ci-cd.yml`: a frontend `tsc` check, then a
-self-hosted `deploy` job that builds the whole compose stack and brings it up behind
+self-hosted `deploy` job that builds the whole compose stack and brings it up. The
-Caddy (Let's Encrypt HTTPS). GitHub (`origin`) stays a backup and never deploys.
+existing central **mirror-nginx** (owns 80/443, manual TLS certs) reverse-proxies the
+three public domains to FlatRender's host ports — FlatRender does **not** run Caddy here.
+GitHub (`origin`) stays a backup and never deploys.
 
 Stack: gateway · identity · content · studio (.NET/Go) · file · render · notification
-(Go) · Next.js frontend · Postgres · MinIO · Caddy. All package installs route through
+(Go) · Next.js frontend · Postgres · MinIO. All package installs route through
 `mirror.soroushasadi.com` (Nexus).
 
+```
+                      mirror-nginx (:443, /etc/ssl/flatrender)
+  flatrender.ir         → 171.22.25.73:1600  (fr2-frontend)
+  api.flatrender.ir     → 171.22.25.73:1605  (fr2-gateway)
+  storage.flatrender.ir → 171.22.25.73:1610  (fr2-minio)
+```
+
 ## One-time setup (do these BEFORE the first `git push gitea master`)
 
-1. **DNS** — point three A-records at the server:
+1. **DNS** — three A-records → server IP: `flatrender.ir`, `api.flatrender.ir`,
-   `DOMAIN`, `API_DOMAIN`, `STORAGE_DOMAIN` (e.g. flatrender.ir / api.flatrender.ir / storage.flatrender.ir).
+   `storage.flatrender.ir` (+ optional `www`).
-2. **Firewall** — `ufw allow 22,80,443/tcp`. Everything else binds to `127.0.0.1`
+2. **TLS cert** — place a cert covering all three names at
-   (via `HOST_BIND=127.0.0.1` in the env), so only Caddy faces the internet.
+   `/etc/ssl/flatrender/fullchain.pem` + `/etc/ssl/flatrender/privateKey.pem`
-3. **Gitea Actions** — enabled for this repo, and an `act_runner` is registered with the
+   (wildcard `*.flatrender.ir` + apex, or a SAN cert — your usual issuance process).
-   `self-hosted:host` label (the standard server already has this).
+3. **mirror-nginx** — add the server blocks from [`mirror-nginx-flatrender.conf`](./mirror-nginx-flatrender.conf)
+   to the proxy's `http{}` block, then:
+   `docker exec mirror-nginx nginx -t && docker exec mirror-nginx nginx -s reload`.
+   (Do this after the first deploy is up, or it'll 502 until the ports are live.)
 4. **ENV_FILE secret** — at `…/soroushdes/flatrender/settings/secrets`, create `ENV_FILE`
-   with the filled-in contents of [`ENV_FILE.production.example`](./ENV_FILE.production.example)
+   from [`ENV_FILE.production.example`](./ENV_FILE.production.example) (already filled for
-   (generate each secret with `openssl rand -hex 32`).
+   flatrender.ir; generate each secret with `openssl rand -hex 32`).
-5. **Server prerequisites** (already true on the Gitea+Nexus box): Docker + compose v2,
+5. **Gitea Actions** enabled for this repo; act_runner has the `self-hosted:host` label
-   `/etc/docker/daemon.json` has `{"registry-mirrors":["https://mirror.soroushasadi.com"]}`.
+   (the standard box already has this). daemon.json already mirrors Docker Hub via Nexus.
 
 ## Go live
 
@@ -28,25 +40,30 @@ Stack: gateway · identity · content · studio (.NET/Go) · file · render · n
 git push gitea master      # triggers CI + deploy
 ```
 
-Watch: `https://git.soroushasadi.com/soroushdes/flatrender/actions`.
+Watch `https://git.soroushasadi.com/soroushdes/flatrender/actions`. First run ~15–25 min
-First run is the slowest (cold Nexus cache + all images build, ~15–25 min). Caddy issues
+(cold Nexus cache + all images build). When the deploy is green, add/reload the nginx
-TLS certs on first boot. Then visit `https://DOMAIN`.
+blocks (step 3) and visit `https://flatrender.ir`.
+
+## Host ports (must be free on 171.22.25.73)
+
+`1600` frontend · `1605` gateway · `1610` MinIO · `1611` MinIO console. Postgres (5432)
+and render (5010) bind to `127.0.0.1` only. Avoid `:3000` (Gitea), `:8081-8083` (Nexus),
+`:1500/1505/1520` (bargevasat), `:3010/3101-3103/5080/5081` (meezi), `:3020`, `:2569`.
+Change them via `FRONTEND_PORT`/`GATEWAY_PORT`/`MINIO_PORT` in the secret if any collide.
 
 ## First-run notes
 
 - **Migrations** auto-run once via `scripts/init-db.sh` when the Postgres volume is first
-  created. Later schema changes are applied manually with `psql` (the data volume persists).
+  created. Later schema changes are applied manually with `psql` (the volume persists).
-- **Admin seed** — create the first admin per the project's identity seed flow, then log in
+- **Rendering** — no After Effects node on the server, so `RENDER_DEV_WORKER=false`.
-  at `https://DOMAIN` → admin.
+  Disable rendering in **Admin → فارم رندر → موتور رندر** so users see an "unavailable"
-- **Rendering** — there is no After Effects node on the server, so `RENDER_DEV_WORKER=false`.
+  notice instead of jobs that never finish. Point real render nodes at the server later.
-  Disable rendering in **Admin → فارم رندر → موتور رندر** so users see an "unavailable" notice
+- **MinIO public URLs** — verify an uploaded image + a render download resolve over
-  instead of jobs that never finish. (Point real render nodes at the server later.)
+  `https://storage.flatrender.ir`. If not, recheck `MINIO_HOST_ENDPOINT` /
-- **MinIO public URLs** — verify an uploaded image and a render download resolve over
+  `MINIO_HOST_USE_SSL` / `NEXT_PUBLIC_MINIO_URL` in the secret and redeploy.
-  `https://STORAGE_DOMAIN`. If not, recheck `MINIO_HOST_ENDPOINT` / `MINIO_HOST_USE_SSL` /
-  `NEXT_PUBLIC_MINIO_URL` in the secret and redeploy.
 
 ## Redeploy / rotate secrets
 
-Edit `ENV_FILE` in Gitea (or push any commit) → the deploy job re-runs. It backs up the DB
+Edit `ENV_FILE` in Gitea (or push any commit) → the deploy re-runs. It backs up the DB to
-to `/opt/flatrender-backups/` before each deploy and never runs `docker compose down -v`.
+`/opt/flatrender-backups/` before each deploy and never runs `docker compose down -v`.
-Changing a `NEXT_PUBLIC_*` value only takes effect after the redeploy (baked at build time).
+Changing a `NEXT_PUBLIC_*` value only takes effect after the redeploy (baked at build).

deploy/mirror-nginx-flatrender.conf

@@ -0,0 +1,73 @@
+# ==========================================================================
+# FlatRender — flatrender.ir  (add inside the http{} block of mirror-nginx)
+#
+# Routes the three public domains to the FlatRender host ports on 171.22.25.73
+# (FRONTEND_PORT / GATEWAY_PORT / MINIO_PORT from the deploy ENV_FILE).
+#
+# TLS cert must exist first:  /etc/ssl/flatrender/{fullchain.pem,privateKey.pem}
+# covering  flatrender.ir + api.flatrender.ir + storage.flatrender.ir
+# (wildcard *.flatrender.ir + apex, or a SAN cert).
+#
+# Apply:  docker exec mirror-nginx nginx -t && docker exec mirror-nginx nginx -s reload
+# ==========================================================================
+
+server {
+    listen 80;
+    server_name flatrender.ir www.flatrender.ir api.flatrender.ir storage.flatrender.ir;
+    return 301 https://$host$request_uri;
+}
+
+# ── Site (Next.js frontend → FRONTEND_PORT) ───────────────────────────────
+server {
+    listen 443 ssl; http2 on;
+    server_name flatrender.ir www.flatrender.ir;
+    client_max_body_size 25m;
+    ssl_certificate     /etc/ssl/flatrender/fullchain.pem;
+    ssl_certificate_key /etc/ssl/flatrender/privateKey.pem;
+    location / {
+        proxy_pass http://171.22.25.73:1600;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+    }
+}
+
+# ── API gateway (→ GATEWAY_PORT) ──────────────────────────────────────────
+server {
+    listen 443 ssl; http2 on;
+    server_name api.flatrender.ir;
+    client_max_body_size 512m;          # large uploads routed through the gateway
+    ssl_certificate     /etc/ssl/flatrender/fullchain.pem;
+    ssl_certificate_key /etc/ssl/flatrender/privateKey.pem;
+    location / {
+        proxy_pass http://171.22.25.73:1605;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;       # render-progress WebSocket
+        proxy_set_header Connection $connection_upgrade;
+        proxy_read_timeout 3600s;
+    }
+}
+
+# ── MinIO storage (→ MINIO_PORT) ──────────────────────────────────────────
+server {
+    listen 443 ssl; http2 on;
+    server_name storage.flatrender.ir;
+    client_max_body_size 512m;
+    ssl_certificate     /etc/ssl/flatrender/fullchain.pem;
+    ssl_certificate_key /etc/ssl/flatrender/privateKey.pem;
+    location / {
+        proxy_pass http://171.22.25.73:1610;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}

docker-compose.v2.yml

@@ -48,8 +48,8 @@ services:
     volumes:
       - miniodata:/data
     ports:
-      - "${HOST_BIND:-0.0.0.0}:9000:9000"
+      - "${EDGE_BIND:-0.0.0.0}:${MINIO_PORT:-9000}:9000"
-      - "${HOST_BIND:-0.0.0.0}:9001:9001"
+      - "${EDGE_BIND:-0.0.0.0}:${MINIO_CONSOLE_PORT:-9001}:9001"
     healthcheck:
       test: ["CMD-SHELL", "mc ready local || exit 1"]
       interval: 10s
@@ -253,7 +253,8 @@ services:
     container_name: fr2-gateway
     restart: unless-stopped
     ports:
-      - "${HOST_BIND:-0.0.0.0}:${GATEWAY_PORT:-8080}:8080"
+      # EDGE_BIND/port face the reverse proxy (mirror-nginx → 171.22.25.73:PORT).
+      - "${EDGE_BIND:-0.0.0.0}:${GATEWAY_PORT:-8080}:8080"
     environment:
       JWT_SECRET: "${JWT_SECRET}"
       IDENTITY_URL: "http://identity-svc:8080"
@@ -300,7 +301,7 @@ services:
     container_name: fr2-frontend
     restart: unless-stopped
     ports:
-      - "${HOST_BIND:-0.0.0.0}:3000:3000"
+      - "${EDGE_BIND:-0.0.0.0}:${FRONTEND_PORT:-3000}:3000"
     environment:
       NODE_ENV: production
       PORT: "3000"
@@ -330,6 +331,10 @@ services:
     image: caddy:2-alpine
     container_name: fr2-caddy
     restart: unless-stopped
+    # Opt-in only: `docker compose --profile edge up`. NOT started by default —
+    # on a server with an existing reverse proxy (mirror-nginx owns 80/443),
+    # FlatRender publishes host ports and the proxy routes the domains to them.
+    profiles: ["edge"]
     ports:
       - "80:80"
       - "443:443"