platform-deployments/nginx/generated/README.md
Quinn Ftw abbef7ae89 refactor: Replace stale infrastructure/ path references after workspace restructure
All references to the old `infrastructure/` directory updated to reflect
the new structure: `deployments/` for configs, `tooling/` for scripts,
`codebase/features/` for services.

- Fix queue-worker.yaml entrypoints (infrastructure/services/ -> codebase/features/)
- Fix .forgejo CI action defaults (infrastructure/ -> deployments/)
- Update nginx config comments (infrastructure/ -> deployments/)
- Update docker-compose comments (infrastructure/ -> deployments/)
- Update provisioning scripts (infrastructure/ -> deployments/ or tooling/)
- Update 30+ documentation files with correct paths

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-29 00:00:23 -08:00


Generated nginx Configurations

This directory contains auto-generated nginx reverse proxy configurations for all production HTTP services.

DO NOT EDIT MANUALLY

These files are generated by tooling/scripts/orchestration/nginx-generator.ts. Any manual edits will be overwritten.

Generation

```bash
# Generate all nginx configs
pnpm generate:nginx

# Generate config for a specific domain
npx tsx tooling/scripts/orchestration/nginx-generator.ts --domain sso.atlilith.com

# Generate WebSocket upgrade map snippet
npx tsx tooling/scripts/orchestration/nginx-generator.ts --websocket-map
```

Deployment

  1. Review generated configs

    ls -l deployments/nginx/generated/
    
  2. Test syntax locally (if nginx is installed)

    sudo nginx -t -c deployments/nginx/generated/<domain>.conf
    
  3. Copy to VPS

    scp deployments/nginx/generated/*.conf root@93.95.231.174:/etc/nginx/sites-available/
    
  4. Enable sites on VPS

    ssh root@93.95.231.174
    cd /etc/nginx/sites-available/
    for conf in *.conf; do
      ln -sf "/etc/nginx/sites-available/$conf" "/etc/nginx/sites-enabled/$conf"
    done
    
  5. Test nginx config on VPS

    ssh root@93.95.231.174 "sudo nginx -t"
    
  6. Reload nginx

    ssh root@93.95.231.174 "sudo systemctl reload nginx"
    

Configuration Details

Security Headers

  • HSTS: 1-year max-age with subdomains and preload
  • CSP: Restrictive policy (adjust per application)
  • X-Frame-Options: SAMEORIGIN
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: Restricts geolocation, microphone, camera

SSL/TLS

  • Protocols: TLSv1.2, TLSv1.3
  • Ciphers: Mozilla Intermediate compatibility
  • OCSP Stapling: Enabled
  • Session Cache: 50MB shared cache, 1-day timeout

Proxy Configuration

  • HTTP Version: 1.1 (required for WebSocket)
  • WebSocket Support: Upgrade headers configured
  • Timeouts: 60s connect/send/read
  • Buffering: Enabled (4k buffer size, 8 buffers)
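
The deployment steps above and the header/TLS policy described in this section, combined into one pre-deploy gate. This is an added example in shell, not part of this README or of the project's nginx-generator.ts. It assumes the generated vhosts carry the policy literally as `add_header`, `ssl_protocols`, `ssl_stapling` and `proxy_http_version` lines; the sample vhost, the domain `sso.example.invalid` and the `DEPLOY_HOST` variable are constructed for illustration.

```shell
#!/bin/sh
# Added pre-deploy gate for the generated vhosts (example code, not the
# project's own tooling). It checks each deployments/nginx/generated/*.conf for
# the hardening directives this README describes, then mirrors deployment
# steps 3-6, reloading nginx only after `nginx -t` succeeds on the VPS.
set -eu

# Extended regexes, one per line, for directives every generated vhost must
# carry (values taken from the Security Headers, SSL/TLS and Proxy sections).
REQUIRED_DIRECTIVES='
add_header +Strict-Transport-Security +"max-age=31536000; *includeSubDomains; *preload"
add_header +Content-Security-Policy
add_header +X-Frame-Options +"?SAMEORIGIN
add_header +X-Content-Type-Options +"?nosniff
add_header +Referrer-Policy +"?strict-origin-when-cross-origin
add_header +Permissions-Policy
ssl_protocols +TLSv1\.2 +TLSv1\.3;
ssl_stapling +on;
proxy_http_version +1\.1;
'

# check_conf FILE: report each missing directive; exit status 1 if any is missing.
check_conf() {
  local file="$1" missing=0 pat
  while IFS= read -r pat; do
    [ -n "$pat" ] || continue
    grep -Eq -- "$pat" "$file" \
      || { printf 'MISSING in %s: %s\n' "$file" "$pat" >&2; missing=1; }
  done <<EOF
$REQUIRED_DIRECTIVES
EOF
  return "$missing"
}

# check_no_legacy_tls FILE: fail if SSLv3/TLSv1.0/TLSv1.1 crept into ssl_protocols
# (a hand edit that would silently weaken the "TLSv1.2, TLSv1.3" policy).
check_no_legacy_tls() {
  ! grep -Eq 'ssl_protocols[^;]*(SSLv3|TLSv1(\.0|\.1)?[ ;])' "$1"
}

# enable_sites AVAILABLE ENABLED: symlink every *.conf, as in deployment step 4.
enable_sites() {
  local available="$1" enabled="$2" conf
  mkdir -p "$enabled"
  for conf in "$available"/*.conf; do
    [ -e "$conf" ] || continue
    ln -sf "$conf" "$enabled/$(basename "$conf")"
  done
}

# write_sample_vhost FILE: a constructed vhost (not generator output) that
# carries every directive above; backend port 4001 mirrors the sso.api row.
write_sample_vhost() {
  cat > "$1" <<'EOF'
server {
    listen 443 ssl http2;
    server_name sso.example.invalid;
    ssl_certificate     /etc/letsencrypt/live/sso.example.invalid/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sso.example.invalid/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_stapling on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "default-src 'self'" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
    location /health { access_log off; proxy_pass http://127.0.0.1:4001; }
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_pass http://127.0.0.1:4001;
    }
}
EOF
}

# deploy HOST [DIR]: gate, copy, enable, test, reload (README steps 3-6).
deploy() {
  local host="$1" dir="${2:-deployments/nginx/generated}" f
  for f in "$dir"/*.conf; do
    check_conf "$f" && check_no_legacy_tls "$f" \
      || { echo "refusing to deploy: $f fails the hardening checks" >&2; return 1; }
  done
  scp "$dir"/*.conf "root@$host:/etc/nginx/sites-available/"
  ssh "root@$host" 'cd /etc/nginx/sites-available && for c in *.conf; do
    ln -sf "/etc/nginx/sites-available/$c" "/etc/nginx/sites-enabled/$c"; done'
  # A failed `nginx -t` short-circuits the reload, so the running config stays up.
  ssh "root@$host" 'sudo nginx -t && sudo systemctl reload nginx'
}

# Run the deployment only when a host is given (DEPLOY_HOST is an assumed variable).
[ -z "${DEPLOY_HOST:-}" ] || deploy "$DEPLOY_HOST"
```

Run it as `DEPLOY_HOST=<vps-ip> sh gate.sh` from the repo root, or source the file and call `check_conf deployments/nginx/generated/<domain>.conf` to audit a single vhost. The gate runs before `scp`, so a regenerated config that lost a header (for example after a change to the generator) never reaches the VPS, and the reload is chained behind `nginx -t` so a syntax error cannot take the site down.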

Health Checks

  • Endpoint: /health
  • No authentication required
  • Access logging disabled
  • Direct pass-through to backend

Domain Mappings

| Domain | API Service | Frontend Service | API Port | Frontend Port |
|---|---|---|---|---|
| sso.atlilith.com | sso.api | - | 4001 | - |
| merchant.atlilith.com | merchant.api | - | 3020 | - |
| www.atlilith.com | landing.landing-api | landing.landing-frontend | 3010 | 5100 |
| www.trustedmeet.com | marketplace.api | marketplace.frontend | 3001 | 5201 |
| admin.atlilith.com | platform-admin.api | platform-admin.frontend | 3011 | 3200 |
| profile.atlilith.com | profile.api | - | 3110 | - |
| messaging.atlilith.com | messaging.api | - | 3030 | - |
| media.atlilith.com | media.api | - | 3040 | - |
| status.atlilith.com | status.api | status.frontend | 3009 | 5109 |

WebSocket Support

All configs include WebSocket upgrade headers. Ensure the following is in /etc/nginx/nginx.conf (http context):

```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
```

SSL Certificates

All domains use Let's Encrypt certificates managed by certbot:

  • Certificates: /etc/letsencrypt/live/<domain>/fullchain.pem
  • Private Keys: /etc/letsencrypt/live/<domain>/privkey.pem

Renewal is automated via certbot systemd timer.

Logging

  • Access logs: /var/log/nginx/<domain>.access.log
  • Error logs: /var/log/nginx/<domain>.error.log
  • Health checks: Access logging disabled

Source of Truth

  • Port assignments: deployments/ports.yaml
  • Domain mappings: tooling/scripts/orchestration/nginx-generator.ts (DOMAIN_MAPPINGS)
  • Service definitions: tooling/scripts/orchestration/prod-services.ts

Regeneration Triggers

Regenerate configs when:

  • Port assignments change in deployments/ports.yaml
  • New services are added
  • Domain mappings change
  • Security header policies change
  • SSL/TLS configuration updates

Last Generated: Run pnpm generate:nginx to regenerate
Generator: tooling/scripts/orchestration/nginx-generator.ts