soroush.asadi
ec51e87d2d
A generic multi-client payment gateway so FlatRender, meezi.ir and bargevasat.ir can all pay through ZarinPal's single verified callback domain (pay.flatrender.ir). New Go service services/payment (clones the notification skeleton + vendored deps): - migration 31_payment_broker.sql — `payment` schema: client_apps, transactions, webhook_deliveries. - ZarinPal v4 client ported from the proven identity PaymentService (request.json -> StartPay -> verify.json; codes 100/101). - client API: POST /v1/pay/request + /v1/pay/inquiry, authed by X-Api-Key + HMAC body signature; GET /callback/zarinpal (the single verified endpoint) verifies, then 302s the user back to the site's return_url (signed) and fires a signed, retried webhook. - per-client ZarinPal merchant override (default = shared merchant); amount stored canonically in Rial, unit to ZarinPal env-configurable. - admin API /v1/admin/* (FlatRender admin JWT): client-app CRUD + key issue/rotate + transactions list. Deploy wiring: payment-svc in docker-compose.v2.yml (host port 1607), pay.flatrender.ir server block in mirror-nginx conf, ENV_FILE + README updates (cert SAN + manual migration note). Admin UI: src/components/admin/PaymentsAdmin.tsx (client apps with one-time key reveal + rotate, transactions table) + /admin/payments page + nav link + fa/en strings; pay-admin proxy route to payment-svc. Docs/SDK: deploy/PAYMENTS.md (integration contract) + deploy/sdk/flatpay.js (zero-dep Node client + webhook verifier) for meezi/any site. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
103 lines
6.2 KiB
Markdown
103 lines
6.2 KiB
Markdown
# Deploying FlatRender (Gitea CI/CD → 171.22.25.73, behind mirror-nginx)
|
||
|
||
Push to **Gitea** triggers `.gitea/workflows/ci-cd.yml`: a frontend `tsc` check, then a
|
||
self-hosted `deploy` job that builds the whole compose stack and brings it up. The
|
||
existing central **mirror-nginx** (owns 80/443, manual TLS certs) reverse-proxies the
|
||
three public domains to FlatRender's host ports — FlatRender does **not** run Caddy here.
|
||
GitHub (`origin`) stays a backup and never deploys.
|
||
|
||
Stack: gateway · identity · content · studio (.NET/Go) · file · render · notification
|
||
(Go) · Next.js frontend · Postgres · MinIO. All package installs route through
|
||
`mirror.soroushasadi.com` (Nexus).
|
||
|
||
```
|
||
mirror-nginx (:443, /etc/ssl/flatrender)
|
||
flatrender.ir → 171.22.25.73:1600 (fr2-frontend)
|
||
api.flatrender.ir → 171.22.25.73:1605 (fr2-gateway)
|
||
pay.flatrender.ir → 171.22.25.73:1607 (fr2-payment, ZarinPal broker)
|
||
storage.flatrender.ir → 171.22.25.73:1610 (fr2-minio)
|
||
```
|
||
|
||
The **payment broker** (`fr2-payment`, `pay.flatrender.ir`) is a standalone generic
|
||
ZarinPal gateway shared by FlatRender + meezi.ir + bargevasat.ir — ZarinPal only
|
||
accepts callbacks on that one verified domain. It does NOT sit behind the API
|
||
gateway (clients authenticate with an API key + HMAC). See
|
||
[`PAYMENTS.md`](./PAYMENTS.md) for the integration contract. The `payment` schema
|
||
is migration `31_payment_broker.sql` — on an existing DB volume it must be applied
|
||
manually (migrations only auto-run on first volume creation):
|
||
`docker exec -i fr2-postgres psql -U postgres -d flatrender < backend/db/migrations/31_payment_broker.sql`.
|
||
|
||
## One-time setup (do these BEFORE the first `git push gitea master`)
|
||
|
||
1. **DNS** — this box sits BEHIND NAT: its interface IP is `171.22.25.73` (private),
|
||
public NAT IPs are `31.171.101.127/.211`, and inbound 443 normally arrives via the
|
||
edge/CDN `185.239.1.100` (same entry your other sites use, e.g. `meezi.ir`). So a new
|
||
domain must enter the SAME way the others do — either:
|
||
- register `flatrender.ir` + `api` + `pay` + `storage` + `www` in that edge/CDN (origin =
|
||
this server) and point DNS there, **or**
|
||
- bypass the CDN and point DNS straight at the server's public IP (like the hokm `api`
|
||
subdomain does — "must bypass").
|
||
Pointing DNS at a random/registrar IP shows that host's default page (e.g. a "not
|
||
licensed" page), NOT FlatRender.
|
||
2. **TLS cert** — ⚠️ mirror-nginx mounts cert dirs INDIVIDUALLY, so a fresh
|
||
`/etc/ssl/flatrender/` on the host is invisible inside the container. **Nest the cert
|
||
under an already-mounted dir** (the conf references this path):
|
||
```bash
|
||
mkdir -p /etc/ssl/soroushasadi/flatrender
|
||
cp <yourcert>/fullchain.pem /etc/ssl/soroushasadi/flatrender/
|
||
cp <yourcert>/privateKey.pem /etc/ssl/soroushasadi/flatrender/
|
||
```
|
||
Cert must cover `flatrender.ir` + `api.` + `pay.` + `storage.` (wildcard `*.flatrender.ir` + apex, or SAN).
|
||
3. **mirror-nginx** — add the server blocks from [`mirror-nginx-flatrender.conf`](./mirror-nginx-flatrender.conf)
|
||
to the proxy's `http{}` (the host file is `/root/mirror-server/nginx/nginx.conf`), then:
|
||
`docker exec mirror-nginx nginx -t && docker exec mirror-nginx nginx -s reload`.
|
||
⚠️ If you edited the conf with `sed -i` (which swaps the file inode), the running
|
||
container keeps the old inode → `docker restart mirror-nginx` instead (~3s blip).
|
||
Verify locally (bypasses DNS): `curl -sk --resolve flatrender.ir:443:127.0.0.1 https://flatrender.ir/ | head -c 60`
|
||
must show `<html lang="fa" dir="rtl">`. (Do this after the first deploy is up, or it 502s.)
|
||
4. **ENV_FILE secret** — at `…/soroushdes/flatrender/settings/secrets`, create `ENV_FILE`
|
||
from [`ENV_FILE.production.example`](./ENV_FILE.production.example) (already filled for
|
||
flatrender.ir; generate each secret with `openssl rand -hex 32`).
|
||
5. **Gitea Actions** enabled for this repo; act_runner has the `self-hosted:host` label
|
||
(the standard box already has this). daemon.json already mirrors Docker Hub via Nexus.
|
||
|
||
## Go live
|
||
|
||
```bash
|
||
git push gitea master # triggers CI + deploy
|
||
```
|
||
|
||
Watch `https://git.soroushasadi.com/soroushdes/flatrender/actions`. First run ~15–25 min
|
||
(cold Nexus cache + all images build). When the deploy is green, add/reload the nginx
|
||
blocks (step 3) and visit `https://flatrender.ir`.
|
||
|
||
## Host ports (must be free on 171.22.25.73)
|
||
|
||
`1600` frontend · `1605` gateway · `1607` payment broker · `1610` MinIO · `1611` MinIO
|
||
console. Postgres (5432) and render (5010) bind to `127.0.0.1` only. Avoid `:3000` (Gitea),
|
||
`:8081-8083` (Nexus), `:1500/1505/1520` (bargevasat), `:3010/3101-3103/5080/5081` (meezi),
|
||
`:3020`, `:2569`. Change them via `FRONTEND_PORT`/`GATEWAY_PORT`/`PAY_PORT`/`MINIO_PORT` in
|
||
the secret if any collide.
|
||
|
||
## First-run notes
|
||
|
||
- **Migrations** auto-run once via `deploy/postgres-initdb/00-init.sh` (mounted as the
|
||
whole `/docker-entrypoint-initdb.d` directory — a single-file bind mount left a stale
|
||
empty dir → "Is a directory") when the Postgres volume is first created. Later schema
|
||
changes are applied manually with `psql` (the volume persists). ⚠️ If a deploy ever
|
||
ran with a wrong/empty secret, the volume bakes the wrong password + may skip init →
|
||
`docker rm -f fr2-postgres && docker volume rm flatrender_pgdata` (only while there's
|
||
no real data) then re-run, so it re-inits with the current password + migrations.
|
||
- **Rendering** — no After Effects node on the server, so `RENDER_DEV_WORKER=false`.
|
||
Disable rendering in **Admin → فارم رندر → موتور رندر** so users see an "unavailable"
|
||
notice instead of jobs that never finish. Point real render nodes at the server later.
|
||
- **MinIO public URLs** — verify an uploaded image + a render download resolve over
|
||
`https://storage.flatrender.ir`. If not, recheck `MINIO_HOST_ENDPOINT` /
|
||
`MINIO_HOST_USE_SSL` / `NEXT_PUBLIC_MINIO_URL` in the secret and redeploy.
|
||
|
||
## Redeploy / rotate secrets
|
||
|
||
Edit `ENV_FILE` in Gitea (or push any commit) → the deploy re-runs. It backs up the DB to
|
||
`/opt/flatrender-backups/` before each deploy and never runs `docker compose down -v`.
|
||
Changing a `NEXT_PUBLIC_*` value only takes effect after the redeploy (baked at build).
|