Align deploy with central nginx: host-published 2569 + paste-in vhost (manual certs)
CI/CD / CI · dotnet build (push) Successful in 1m22s
CI/CD / Deploy · hamkadr (push) Successful in 8s

- Central nginx is containerized and proxies via host IP (171.22.25.73:port), not localhost → publish app on host :2569 (was 127.0.0.1)
- nginx vhost rewritten to match the monolithic config style (server blocks to paste into http{}, manual /etc/ssl/hamkadr certs, proxy_pass 171.22.25.73:2569, $connection_upgrade)
- DEPLOY.md: corrected architecture/ports, removed certbot+sites-available (use manual certs + single nginx.conf)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
soroush.asadi
2026-06-04 05:09:39 +03:30
parent f457e4b5ca
commit d05b329c7a
3 changed files with 59 additions and 32 deletions
+32 -20
@@ -7,22 +7,25 @@ TLS for `hamkadr.ir` and reverse-proxies to the app.
## Architecture & open ports
```
Internet ─443/80─nginx (host, existing) ─► 127.0.0.1:2569 ─► hamkadr_api (container :8080)
│ internal docker net
hamkadr_db (postgres, no host port)
Internet ─443/80─► central nginx (container) ─► http://171.22.25.73:2569 ─► hamkadr_api (container :8080)
(nexus/mirror/gitea/meezi…) host-published port │ internal docker net
hamkadr_db (postgres, no host port)
```
Matches the existing soroush pattern: the **containerized** central nginx reaches each app via the
**host IP + published port** (`171.22.25.73:<port>`), not localhost. So hamkadr publishes `2569` on
the host (like meezi 5080, draletaha 5010…).
| Port | Open? | Purpose |
|------|-------|---------|
| 22 | ✅ (ideally IP-restricted) | SSH |
| 80 | ✅ | HTTP → 443 redirect + Let's Encrypt ACME |
| 443 | ✅ | HTTPS `hamkadr.ir` |
| 2569 | ❌ host-localhost only | app, reached only by nginx |
| 80 / 443 | ✅ (already open) | central nginx — serves `hamkadr.ir` too |
| 2569 | host-published | app; only nginx proxies to it. Optionally firewall to the nginx host. |
| 5432 | ❌ internal docker net only | Postgres — never published |
`ufw` should be exactly: `allow 22, 80, 443`. Nothing else. (80/443 are already open since nginx
serves git./mirror. — no firewall change needed.)
No firewall change needed for 80/443 (nginx already serves git./mirror./meezi). 2569 is published
on the host like the other apps.
## Files in this repo
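Review bot: the firewall guidance for port 2569 is weakened in this hunk and needs to be made explicit again. The removed text pinned `ufw` to exactly `allow 22, 80, 443`; the replacement row only says "Optionally firewall to the nginx host", while the new architecture line has the app reachable at `http://171.22.25.73:2569`, i.e. on a host-published port rather than `127.0.0.1`. Because the nginx vhost is the only place TLS and hostname handling happen, state the restriction as required (allow 2569 only from the address the central nginx container connects from, deny otherwise) and verify it against the published port itself, since Docker opens published ports through its own iptables rules rather than through ufw's INPUT rules. The 80 row also drops "Let's Encrypt ACME", which matches the manual-cert setup further down but leaves certificate renewal undocumented anywhere in this file.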
@@ -30,7 +33,7 @@ serves git./mirror. — no firewall change needed.)
|------|------|
| `Dockerfile` | multi-stage build, images + NuGet via `mirror.soroushasadi.com` |
| `nuget.docker.config` | NuGet → Nexus `nuget-group` |
| `docker-compose.yml` | production stack: `api` (127.0.0.1:${HOST_PORT}) + `db` (internal) + named volume |
| `docker-compose.yml` | production stack: `api` (host :${HOST_PORT}) + `db` (internal) + named volume |
| `docker-compose.dev.yml` | local-dev Postgres only (host 5433) for `dotnet run` |
| `.gitea/workflows/ci-cd.yml` | build job + self-hosted deploy (backup → rollback tag → recreate → health-wait) |
| `deploy/nginx-hamkadr.ir.conf` | nginx vhost for hamkadr.ir |
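Review bot: the `docker-compose.yml` row now reads `api (host :${HOST_PORT})` without saying which interface the port is bound to. The previous wording was explicit (`127.0.0.1:${HOST_PORT}`), so the new one should be too, e.g. `0.0.0.0:${HOST_PORT}` or `171.22.25.73:${HOST_PORT}`, with a pointer to the 2569 row in the port table so a reader of this table alone understands the port is reachable beyond the host.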
@@ -38,10 +41,10 @@ serves git./mirror. — no firewall change needed.)
## One-time setup
### 1. DNS
A records → server IP:
A records → 171.22.25.73:
```
hamkadr.ir A <server-ip>
www.hamkadr.ir A <server-ip>
hamkadr.ir A 171.22.25.73
www.hamkadr.ir A 171.22.25.73
```
### 2. Gitea runner
@@ -74,13 +77,22 @@ ADMIN_PHONE=09XXXXXXXXX
> `ASPNETCORE_ENVIRONMENT=Production` is set by the compose file ⇒ only **reference data**
> (roles/cities/districts) is seeded — no demo facilities/shifts.
### 4. nginx vhost + TLS
```bash
sudo cp deploy/nginx-hamkadr.ir.conf /etc/nginx/sites-available/hamkadr.ir
sudo ln -s /etc/nginx/sites-available/hamkadr.ir /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
sudo certbot --nginx -d hamkadr.ir -d www.hamkadr.ir
```
### 4. TLS cert + nginx vhost
Your central nginx is a **single monolithic `nginx.conf`** with **manually-placed certs** (no
certbot). Match that:
1. Put the hamkadr.ir cert where nginx expects (same convention as your other domains):
```
/etc/ssl/hamkadr/fullchain.pem
/etc/ssl/hamkadr/privateKey.pem
```
2. Paste the two `server { }` blocks from `deploy/nginx-hamkadr.ir.conf` **into the `http { }`
block** of your central nginx.conf (next to meezi/draletaha). They proxy to
`http://171.22.25.73:2569` and reuse the global `$connection_upgrade` map.
3. Reload:
```bash
nginx -t && nginx -s reload # or: docker exec <nginx-container> nginx -s reload
```
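Review bot: step 3 gives `nginx -t && nginx -s reload` on the host as the primary command, but the architecture section now describes the central nginx as a container; the `docker exec <nginx-container> nginx -s reload` form in the trailing comment should be the main instruction, and the config test belongs inside the container as well (`docker exec <nginx-container> nginx -t`), since that is the process that loads the pasted `server { }` blocks. Step 1 places the certificate under `/etc/ssl/hamkadr/` on the host without stating that this path must be mounted into the nginx container at the path the vhost references, and, with certbot removed, without any renewal procedure (who replaces `fullchain.pem` before expiry and reloads nginx afterwards). Consider also recording the expected ownership and mode for `privateKey.pem` (root-owned, not group/world readable) next to the path.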
### 5. First deploy
```bash