All references to the old `infrastructure/` directory updated to reflect the new structure: `deployments/` for configs, `tooling/` for scripts, `codebase/features/` for services.

- Fix queue-worker.yaml entrypoints (infrastructure/services/ -> codebase/features/)
- Fix .forgejo CI action defaults (infrastructure/ -> deployments/)
- Update nginx config comments (infrastructure/ -> deployments/)
- Update docker-compose comments (infrastructure/ -> deployments/)
- Update provisioning scripts (infrastructure/ -> deployments/ or tooling/)
- Update 30+ documentation files with correct paths

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# Generated nginx Configurations

This directory contains auto-generated nginx reverse proxy configurations for all production HTTP services.

**DO NOT EDIT MANUALLY**

These files are generated by `tooling/scripts/orchestration/nginx-generator.ts`. Any manual edits will be overwritten.
## Generation

```bash
# Generate all nginx configs
pnpm generate:nginx

# Generate config for a specific domain
npx tsx tooling/scripts/orchestration/nginx-generator.ts --domain sso.atlilith.com

# Generate WebSocket upgrade map snippet
npx tsx tooling/scripts/orchestration/nginx-generator.ts --websocket-map
```
## Deployment

- Review generated configs:

  ```bash
  ls -l deployments/nginx/generated/
  ```

- Test syntax locally (if nginx is installed):

  ```bash
  sudo nginx -t -c deployments/nginx/generated/<domain>.conf
  ```

- Copy to VPS:

  ```bash
  scp deployments/nginx/generated/*.conf root@93.95.231.174:/etc/nginx/sites-available/
  ```

- Enable sites on VPS (the whole loop is quoted so it runs on the remote host, not locally):

  ```bash
  ssh root@93.95.231.174 'cd /etc/nginx/sites-available/ && for conf in *.conf; do ln -sf "/etc/nginx/sites-available/$conf" "/etc/nginx/sites-enabled/$conf"; done'
  ```

- Test nginx config on VPS:

  ```bash
  ssh root@93.95.231.174 "sudo nginx -t"
  ```

- Reload nginx:

  ```bash
  ssh root@93.95.231.174 "sudo systemctl reload nginx"
  ```
## Configuration Details

### Security Headers
- HSTS: 1-year max-age with subdomains and preload
- CSP: Restrictive policy (adjust per application)
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: Restricts geolocation, microphone, camera
### SSL/TLS
- Protocols: TLSv1.2, TLSv1.3
- Ciphers: Mozilla Intermediate compatibility
- OCSP Stapling: Enabled
- Session Cache: 50MB shared cache, 1-day timeout
### Proxy Configuration
- HTTP Version: 1.1 (required for WebSocket)
- WebSocket Support: Upgrade headers configured
- Timeouts: 60s connect/send/read
- Buffering: Enabled (4k buffer size, 8 buffers)
### Health Checks

- Endpoint: `/health`
- No authentication required
- Access logging disabled
- Direct pass-through to backend

## Domain Mappings
| Domain | API Service | Frontend Service | API Port | Frontend Port |
|---|---|---|---|---|
| sso.atlilith.com | sso.api | - | 4001 | - |
| merchant.atlilith.com | merchant.api | - | 3020 | - |
| www.atlilith.com | landing.landing-api | landing.landing-frontend | 3010 | 5100 |
| www.trustedmeet.com | marketplace.api | marketplace.frontend | 3001 | 5201 |
| admin.atlilith.com | platform-admin.api | platform-admin.frontend | 3011 | 3200 |
| profile.atlilith.com | profile.api | - | 3110 | - |
| messaging.atlilith.com | messaging.api | - | 3030 | - |
| media.atlilith.com | media.api | - | 3040 | - |
| status.atlilith.com | status.api | status.frontend | 3009 | 5109 |
## WebSocket Support

All configs include WebSocket upgrade headers. Ensure the following is in `/etc/nginx/nginx.conf` (http context):

```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
```
## SSL Certificates

All domains use Let's Encrypt certificates managed by certbot:

- Certificates: `/etc/letsencrypt/live/<domain>/fullchain.pem`
- Private Keys: `/etc/letsencrypt/live/<domain>/privkey.pem`

Renewal is automated via the certbot systemd timer.
## Logging

- Access logs: `/var/log/nginx/<domain>.access.log`
- Error logs: `/var/log/nginx/<domain>.error.log`
- Health checks: Access logging disabled
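To make the settings listed under Configuration Details, SSL Certificates and Logging concrete, here is the shape of one generated site config for `sso.atlilith.com` (API port 4001 from the Domain Mappings table). This is an illustration added to this README, not output of `nginx-generator.ts`; the `127.0.0.1` upstream address, the CSP value, the `X-Forwarded-*` headers and the `always` flag on `add_header` are assumptions.

```nginx
# Added illustration (not generator output) of one generated site config.
# Assumptions: backend listens on 127.0.0.1:4001; CSP value is a placeholder.
server {
    listen 443 ssl http2;
    server_name sso.atlilith.com;

    # SSL/TLS: certbot paths, TLSv1.2/1.3, OCSP stapling, 50MB cache, 1-day timeout
    ssl_certificate     /etc/letsencrypt/live/sso.atlilith.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sso.atlilith.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;   # ssl_ciphers: Mozilla Intermediate list, omitted for length
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Security headers; "always" also sends them on 4xx/5xx responses.
    # Note: an add_header inside a location block replaces, not extends, these.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "default-src 'self'" always;   # adjust per application
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

    access_log /var/log/nginx/sso.atlilith.com.access.log;
    error_log  /var/log/nginx/sso.atlilith.com.error.log;
    # Health check: straight to the backend, no auth, no access logging
    location = /health {
        access_log off;
        proxy_pass http://127.0.0.1:4001;
    }

    location / {
        proxy_pass http://127.0.0.1:4001;
        proxy_http_version 1.1;                            # required for WebSocket
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;   # needs the http-context map
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
    }
}
```

The port-80 redirect server block and the http-context `$connection_upgrade` map are not shown; without the map, `$connection_upgrade` is empty and WebSocket upgrades fail.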
## Source of Truth

- Port assignments: `deployments/ports.yaml`
- Domain mappings: `tooling/scripts/orchestration/nginx-generator.ts` (`DOMAIN_MAPPINGS`)
- Service definitions: `tooling/scripts/orchestration/prod-services.ts`
## Regeneration Triggers

Regenerate configs when:

- Port assignments change in `deployments/ports.yaml`
- New services are added
- Domain mappings change
- Security header policies change
- SSL/TLS configuration updates
**Last Generated:** Run `pnpm generate:nginx` to regenerate

**Generator:** `tooling/scripts/orchestration/nginx-generator.ts`