feat: production infra — nginx configs, deploy script, security hardening
Some checks failed
CI / Lint → Typecheck → Test → Build (22) (push) Failing after 58s
Deploy / Build Web Image (push) Failing after 14s
Deploy / Rollback Production (push) Has been skipped
CI / E2E Tests (push) Has been skipped
Deploy / Build API Image (push) Failing after 3m8s
Deploy / Build AI Services Image (push) Failing after 10s
E2E Tests / Playwright E2E (push) Failing after 1m21s
Deploy / Deploy to Staging (push) Has been skipped
Deploy / Smoke Test Staging (push) Has been skipped
Deploy / Deploy to Production (push) Has been skipped
Deploy / Smoke Test Production (push) Has been skipped
Deploy / Rollback Staging (push) Has been skipped
- Add Nginx reverse-proxy configs for api.goodgo.vn and platform.goodgo.vn with SSL, gzip, rate limiting, security headers, and WebSocket support
- Add Cloudflare DNS setup script for A/AAAA/CNAME records
- Add server-setup.sh for Ubuntu provisioning (Docker, fail2ban, UFW, swap, unattended-upgrades)
- Add deploy-production.sh for manual production deployments
- Add env.production.example with all required environment variables
- Bind container ports to 127.0.0.1 in docker-compose.prod.yml (security: prevent direct access bypassing Nginx)
- Fix deploy workflow: add -T flag to exec, sync Nginx configs, copy pgbouncer and backup configs to server

Co-Authored-By: Claude Opus 4 (1M context) <noreply@anthropic.com>
81
infra/env.production.example
Normal file
@@ -0,0 +1,81 @@
# ==============================================================================
# GoodGo Platform — Production Environment Variables
# Copy to ~/goodgo/.env on the production server and fill in real values.
#
# WARNING: Never commit real secrets to version control!
# ==============================================================================

# ── Docker Registry ──────────────────────────────────────────────────────────
REGISTRY_URL=ghcr.io/velikho
IMAGE_TAG=latest

# ── PostgreSQL ───────────────────────────────────────────────────────────────
DB_NAME=goodgo_prod
DB_USER=goodgo
DB_PASSWORD=CHANGE_ME_strong_password_here

# ── PgBouncer ────────────────────────────────────────────────────────────────
PGBOUNCER_POOL_SIZE=20
PGBOUNCER_MAX_CLIENT_CONN=200
PGBOUNCER_ADMIN_PASSWORD=CHANGE_ME_pgbouncer_admin
PGBOUNCER_STATS_PASSWORD=CHANGE_ME_pgbouncer_stats

# ── Redis ────────────────────────────────────────────────────────────────────
REDIS_PASSWORD=CHANGE_ME_redis_password

# ── Authentication (JWT) ─────────────────────────────────────────────────────
# Generate with: openssl rand -base64 64
JWT_SECRET=CHANGE_ME_jwt_secret_64_chars
JWT_REFRESH_SECRET=CHANGE_ME_jwt_refresh_secret_64_chars

# ── Typesense (Full-text Search) ─────────────────────────────────────────────
# Generate with: openssl rand -hex 32
TYPESENSE_API_KEY=CHANGE_ME_typesense_api_key

# ── MinIO (Object Storage) ───────────────────────────────────────────────────
MINIO_ACCESS_KEY=CHANGE_ME_minio_access_key
MINIO_SECRET_KEY=CHANGE_ME_minio_secret_key_min_32_chars
MINIO_BUCKET=goodgo-uploads

# ── AI Services ──────────────────────────────────────────────────────────────
AI_API_KEY=CHANGE_ME_ai_api_key
AI_RATE_LIMIT=60/minute

# ── Application URLs ─────────────────────────────────────────────────────────
NEXT_PUBLIC_API_URL=https://api.goodgo.vn
API_PORT=3001
WEB_PORT=3000

# ── VNPay Payment Gateway ───────────────────────────────────────────────────
VNPAY_TMN_CODE=CHANGE_ME_vnpay_merchant_code
VNPAY_HASH_SECRET=CHANGE_ME_vnpay_hash_secret
VNPAY_URL=https://pay.vnpay.vn/vpcpay.html
VNPAY_RETURN_URL=https://platform.goodgo.vn/payment/return

# ── MoMo Payment Gateway (optional) ─────────────────────────────────────────
# MOMO_PARTNER_CODE=
# MOMO_ACCESS_KEY=
# MOMO_SECRET_KEY=

# ── ZaloPay Payment Gateway (optional) ──────────────────────────────────────
# ZALOPAY_APP_ID=
# ZALOPAY_KEY1=
# ZALOPAY_KEY2=

# ── Mapbox (Frontend Maps) ──────────────────────────────────────────────────
# MAPBOX_TOKEN=

# ── Monitoring ───────────────────────────────────────────────────────────────
GRAFANA_PORT=3002
GRAFANA_ROOT_URL=https://grafana.goodgo.vn
GRAFANA_ADMIN_USER=admin
GRAFANA_ADMIN_PASSWORD=CHANGE_ME_grafana_admin_password

# ── Notifications ────────────────────────────────────────────────────────────
SLACK_WEBHOOK_URL=

# ── Database Backups ─────────────────────────────────────────────────────────
BACKUP_RETENTION_DAYS=7

# ── Prisma (auto-migrate on deploy) ─────────────────────────────────────────
RUN_MIGRATIONS=false
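Review bot: nothing in this template stops a `CHANGE_ME_*` placeholder from reaching production; since deploy-production.sh (added in this same commit) consumes this file, it should refuse to start when any value still begins with `CHANGE_ME_` or when a required secret such as `DB_PASSWORD`, `JWT_SECRET` or `VNPAY_HASH_SECRET` is empty, and a default of `GRAFANA_ADMIN_USER=admin` deserves the same treatment. Two smaller points in the same hunk: the JWT comment says `openssl rand -base64 64`, which produces 88 characters, while the placeholders read `..._64_chars`, so align the comment and placeholder to keep operators from truncating the key; and the header tells the operator to copy the file to `~/goodgo/.env` without restricting its permissions, so add `chmod 600` to that instruction, given that the file holds database, payment-gateway and object-storage credentials.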