added deployment files

deploy/README.md

@@ -0,0 +1,3 @@
+# Deployment files
+
+Copy these to the node you want to deploy to.

deploy/dev-node/nginx/docker-compose.yaml

@@ -0,0 +1,19 @@
+version: "3"
+
+services:
+  webserver:
+    image: nginx:latest
+    network_mode: host
+    ports:
+      - 80:80
+      - 443:443
+    restart: always
+    volumes:
+      - ./nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./certbot/www:/var/www/certbot/:ro
+      - ./certbot/conf/:/etc/nginx/ssl/:ro
+  certbot:
+    image: certbot/certbot:latest
+    volumes:
+      - ./certbot/www/:/var/www/certbot/:rw
+      - ./certbot/conf/:/etc/letsencrypt/:rw

deploy/dev-node/nginx/get_cert.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker compose run --rm  certbot certonly -m admin@open-assistant.io --agree-tos --webroot --webroot-path /var/www/certbot/ -d $1

deploy/dev-node/nginx/nginx.conf

@@ -0,0 +1,81 @@
+events {}
+http {
+	server {
+		listen 80;
+		listen [::]:80;
+
+		server_name *.open-assistant.io;
+		server_tokens off;
+
+		location /.well-known/acme-challenge/ {
+			root /var/www/certbot;
+		}
+
+		location / {
+			return 301 https://$host$request_uri;
+		}
+	}
+
+	server {
+		listen 443 ssl http2;
+
+		server_name web.dev.open-assistant.io;
+
+		ssl_certificate /etc/nginx/ssl/live/web.dev.open-assistant.io/fullchain.pem;
+		ssl_certificate_key /etc/nginx/ssl/live/web.dev.open-assistant.io/privkey.pem;
+
+		location / {
+		    proxy_set_header Host $host;
+		    proxy_set_header X-Real-IP $remote_addr;
+		    proxy_pass http://127.0.0.1:3000;
+		}
+	}
+
+	server {
+		listen 443 ssl http2;
+
+		server_name backend.dev.open-assistant.io;
+
+		ssl_certificate /etc/nginx/ssl/live/backend.dev.open-assistant.io/fullchain.pem;
+		ssl_certificate_key /etc/nginx/ssl/live/backend.dev.open-assistant.io/privkey.pem;
+
+		location / {
+		    proxy_set_header Host $host;
+		    proxy_set_header X-Real-IP $remote_addr;
+		    proxy_pass http://127.0.0.1:8080;
+		}
+	}
+
+
+	server {
+		listen 443 ssl http2;
+
+		server_name web.staging.open-assistant.io;
+
+		ssl_certificate /etc/nginx/ssl/live/web.staging.open-assistant.io/fullchain.pem;
+		ssl_certificate_key /etc/nginx/ssl/live/web.staging.open-assistant.io/privkey.pem;
+
+		location / {
+		    proxy_set_header Host $host;
+		    proxy_set_header X-Real-IP $remote_addr;
+		    proxy_pass http://127.0.0.1:3100;
+		}
+	}
+
+	server {
+		listen 443 ssl http2;
+
+		server_name backend.staging.open-assistant.io;
+
+		ssl_certificate /etc/nginx/ssl/live/backend.staging.open-assistant.io/fullchain.pem;
+		ssl_certificate_key /etc/nginx/ssl/live/backend.staging.open-assistant.io/privkey.pem;
+
+		location / {
+		    proxy_set_header Host $host;
+		    proxy_set_header X-Real-IP $remote_addr;
+		    proxy_pass http://127.0.0.1:8180;
+		}
+	}
+
+
+}

deploy/dev-node/nginx/renew_certs.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker compose run --rm certbot renew

deploy/prod-node/nginx/docker-compose.yaml

@@ -0,0 +1,19 @@
+version: "3"
+
+services:
+  webserver:
+    image: nginx:latest
+    network_mode: host
+    ports:
+      - 80:80
+      - 443:443
+    restart: always
+    volumes:
+      - ./nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./certbot/www:/var/www/certbot/:ro
+      - ./certbot/conf/:/etc/nginx/ssl/:ro
+  certbot:
+    image: certbot/certbot:latest
+    volumes:
+      - ./certbot/www/:/var/www/certbot/:rw
+      - ./certbot/conf/:/etc/letsencrypt/:rw

deploy/prod-node/nginx/get_cert.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker compose run --rm  certbot certonly -m admin@open-assistant.io --agree-tos --webroot --webroot-path /var/www/certbot/ -d $1

deploy/prod-node/nginx/nginx.conf

@@ -0,0 +1,62 @@
+events {}
+http {
+	server {
+		listen 80;
+		listen [::]:80;
+
+		server_name *.open-assistant.io open-assistant.io;
+		server_tokens off;
+
+		location /.well-known/acme-challenge/ {
+			root /var/www/certbot;
+		}
+
+		location / {
+			return 301 https://$host$request_uri;
+		}
+	}
+
+	server {
+		listen 443 ssl http2;
+
+		server_name open-assistant.io;
+
+		ssl_certificate /etc/nginx/ssl/live/open-assistant.io/fullchain.pem;
+		ssl_certificate_key /etc/nginx/ssl/live/open-assistant.io/privkey.pem;
+
+		location / {
+			return 301 https://web.prod.open-assistant.io$request_uri;
+		}
+	}
+
+	server {
+		listen 443 ssl http2;
+
+		server_name web.prod.open-assistant.io;
+
+		ssl_certificate /etc/nginx/ssl/live/web.prod.open-assistant.io/fullchain.pem;
+		ssl_certificate_key /etc/nginx/ssl/live/web.prod.open-assistant.io/privkey.pem;
+
+		location / {
+		    proxy_set_header Host $host;
+		    proxy_set_header X-Real-IP $remote_addr;
+		    proxy_pass http://127.0.0.1:3000;
+		}
+	}
+
+	server {
+		listen 443 ssl http2;
+
+		server_name backend.prod.open-assistant.io;
+
+		ssl_certificate /etc/nginx/ssl/live/backend.prod.open-assistant.io/fullchain.pem;
+		ssl_certificate_key /etc/nginx/ssl/live/backend.prod.open-assistant.io/privkey.pem;
+
+		location / {
+		    proxy_set_header Host $host;
+		    proxy_set_header X-Real-IP $remote_addr;
+		    proxy_pass http://127.0.0.1:8080;
+		}
+	}
+
+}

deploy/prod-node/nginx/renew_certs.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker compose run --rm certbot renew