ops: add deployment scripts and nginx/systemd configs
Scripts for installing and starting the app and nginx proxy. Includes systemd user service units and nginx configs for both user-mode 8443 and system-mode 443.
This commit is contained in:
145
scripts/install-nginx-system.sh
Executable file
145
scripts/install-nginx-system.sh
Executable file
@@ -0,0 +1,145 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
|
||||
DOMAIN="${KANBAN_DOMAIN:-gahow-pc.ipads-lab.se.sjtu.edu.cn}"
|
||||
UPSTREAM_PORT="${KANBAN_PORT:-5180}"
|
||||
ENABLE_HTTP_REDIRECT="${KANBAN_ENABLE_HTTP_REDIRECT:-0}"
|
||||
GITEA_PORT="${KANBAN_GITEA_PORT:-3443}"
|
||||
STOCK_FRONTEND_PORT="${KANBAN_STOCK_FRONTEND_PORT:-5443}"
|
||||
STOCK_API_PORT="${KANBAN_STOCK_API_PORT:-8788}"
|
||||
|
||||
if [[ "${EUID}" -ne 0 ]]; then
|
||||
exec sudo -E bash "$0" "$@"
|
||||
fi
|
||||
|
||||
mkdir -p /etc/nginx/certs
|
||||
mkdir -p /var/www/local-kanban-portal
|
||||
cp "${ROOT_DIR}/deploy/certs/local-kanban.crt" /etc/nginx/certs/gahow-pc.fullchain.pem
|
||||
cp "${ROOT_DIR}/deploy/certs/local-kanban.key" /etc/nginx/certs/gahow-pc.key
|
||||
cp "${ROOT_DIR}/portal/index.html" /var/www/local-kanban-portal/index.html
|
||||
cp "${ROOT_DIR}/portal/portal.css" /var/www/local-kanban-portal/portal.css
|
||||
rm -f /var/www/local-kanban-portal/portal.js
|
||||
chmod 600 /etc/nginx/certs/gahow-pc.key
|
||||
|
||||
{
|
||||
cat <<EOF
|
||||
limit_req_zone \$binary_remote_addr zone=kanban_login:10m rate=5r/m;
|
||||
|
||||
EOF
|
||||
|
||||
if [[ "${ENABLE_HTTP_REDIRECT}" == "1" ]]; then
|
||||
cat <<EOF
|
||||
server {
|
||||
listen 80;
|
||||
server_name ${DOMAIN};
|
||||
return 301 https://\$host\$request_uri;
|
||||
}
|
||||
|
||||
EOF
|
||||
fi
|
||||
|
||||
cat <<EOF
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name ${DOMAIN};
|
||||
root /var/www/local-kanban-portal;
|
||||
index index.html;
|
||||
|
||||
ssl_certificate /etc/nginx/certs/gahow-pc.fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/certs/gahow-pc.key;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
add_header Strict-Transport-Security "max-age=31536000" always;
|
||||
add_header X-Frame-Options "DENY" always;
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header Referrer-Policy "no-referrer" always;
|
||||
|
||||
client_max_body_size 1m;
|
||||
|
||||
location / {
|
||||
try_files \$uri \$uri/ /index.html;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen ${GITEA_PORT} ssl http2;
|
||||
server_name ${DOMAIN};
|
||||
|
||||
ssl_certificate /etc/nginx/certs/gahow-pc.fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/certs/gahow-pc.key;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:3300;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host \$host:${GITEA_PORT};
|
||||
proxy_set_header X-Real-IP \$remote_addr;
|
||||
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen ${STOCK_FRONTEND_PORT} ssl http2;
|
||||
server_name ${DOMAIN};
|
||||
|
||||
ssl_certificate /etc/nginx/certs/gahow-pc.fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/certs/gahow-pc.key;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
|
||||
location /api/ {
|
||||
proxy_pass http://127.0.0.1:8787;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host \$host:${STOCK_FRONTEND_PORT};
|
||||
proxy_set_header X-Real-IP \$remote_addr;
|
||||
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:5174;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host \$host:${STOCK_FRONTEND_PORT};
|
||||
proxy_set_header X-Real-IP \$remote_addr;
|
||||
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header Upgrade \$http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen ${STOCK_API_PORT} ssl http2;
|
||||
server_name ${DOMAIN};
|
||||
|
||||
ssl_certificate /etc/nginx/certs/gahow-pc.fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/certs/gahow-pc.key;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:8787;
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Host \$host:${STOCK_API_PORT};
|
||||
proxy_set_header X-Real-IP \$remote_addr;
|
||||
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
}
|
||||
}
|
||||
EOF
|
||||
} >/etc/nginx/sites-available/local-kanban
|
||||
|
||||
ln -sf /etc/nginx/sites-available/local-kanban /etc/nginx/sites-enabled/local-kanban
|
||||
rm -f /etc/nginx/sites-enabled/default
|
||||
nginx -t
|
||||
systemctl reload nginx || systemctl restart nginx
|
||||
|
||||
echo "Nginx portal is configured for https://${DOMAIN}/"
|
||||
echo "Kanban remains available on its own port, for example https://${DOMAIN}:8443/"
|
||||
echo "Gitea HTTPS is configured for https://${DOMAIN}:${GITEA_PORT}/"
|
||||
echo "Stock Agent HTTPS is configured for https://${DOMAIN}:${STOCK_FRONTEND_PORT}/"
|
||||
echo "Stock Agent API HTTPS is configured for https://${DOMAIN}:${STOCK_API_PORT}/"
|
||||
if [[ "${ENABLE_HTTP_REDIRECT}" != "1" ]]; then
|
||||
echo "Port 80 redirect is disabled. Set KANBAN_ENABLE_HTTP_REDIRECT=1 only if port 80 is free."
|
||||
fi
|
||||
Reference in New Issue
Block a user