From 989abd3f4da22e4cb21dc3fea67ac68ab555730c Mon Sep 17 00:00:00 2001
From: Nicolas Cantu
Date: Thu, 11 Sep 2025 17:03:36 +0200
Subject: [PATCH] =?UTF-8?q?feat(proxy,registry):=20nginx=20TLS=20*.local?= =?UTF-8?q?=20mapp=C3=A9=20services=20+=20compose=20registry=20push=20(USE?= =?UTF-8?q?R/TOKEN/BRANCH=20via=20CI=20gitea)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 docker-compose.registry.yml | 31 ++++++++++++
 docker-compose.yml | 12 +++++
 modules/nginx-proxy/certs/local.crt | 19 ++++++++
 modules/nginx-proxy/certs/local.key | 28 +++++++++++
 modules/nginx-proxy/conf/nginx.conf | 76 +++++++++++++++++++++++++++++
 5 files changed, 166 insertions(+)
 create mode 100644 docker-compose.registry.yml
 create mode 100644 modules/nginx-proxy/certs/local.crt
 create mode 100644 modules/nginx-proxy/certs/local.key
 create mode 100644 modules/nginx-proxy/conf/nginx.conf
diff --git a/docker-compose.registry.yml b/docker-compose.registry.yml
new file mode 100644
index 00000000..9da8ff1d
--- /dev/null
+++ b/docker-compose.registry.yml
@@ -0,0 +1,31 @@
+version: "3.8"
+
+services:
+ push-4nk-ia-front:
+ image: docker:24.0-cli
+ container_name: push-4nk-ia-front
+ environment:
+ - REGISTRY=git.4nkweb.com
+ - NAMESPACE=4nk
+ - IMAGE_NAME=4nk-ia-front
+ - USER=${USER}
+ - TOKEN=${TOKEN}
+ - BRANCH=${BRANCH}
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ entrypoint: ["/bin/sh","-lc"]
+ command: >-
+ set -e;
+ if [ -z "${USER}" ] || [ -z "${TOKEN}" ] || [ -z "${BRANCH}" ]; then
+ echo "USER, TOKEN ou BRANCH manquant(s). Les fournir via secrets CI." >&2; exit 2; fi;
+ echo "Connexion au registry ${REGISTRY}...";
+ echo "$TOKEN" | docker login "$REGISTRY" -u "$USER" --password-stdin;
+ SRC_IMAGE="$REGISTRY/$NAMESPACE/$IMAGE_NAME:dev";
+ DST_IMAGE="$REGISTRY/$NAMESPACE/$IMAGE_NAME:${BRANCH}";
+ echo "Pull $SRC_IMAGE";
+ docker pull "$SRC_IMAGE";
+ echo "Tag $DST_IMAGE";
+ docker tag "$SRC_IMAGE" "$DST_IMAGE";
+ echo "Push $DST_IMAGE";
+ docker push "$DST_IMAGE";
+ echo "OK: $DST_IMAGE poussé.";
diff --git a/docker-compose.yml b/docker-compose.yml
index 824673d4..c60f45cf 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -450,6 +450,18 @@ services:
 ipv4_address: 172.20.0.60
 restart: unless-stopped
+ 4nk-ia-front.local:
+ <<: *x-4nk-extra-hosts
+ image: git.4nkweb.com/4nk/4nk-ia-front:dev
+ container_name: 4nk-ia-front.local
+ hostname: 4nk-ia-front.local
+ volumes:
+ - ./projects/4NK_IA_front/logs:/logs
+ networks:
+ 4nk_projects_net:
+ ipv4_address: 172.21.0.10
+ restart: unless-stopped
+
 volumes:
 grafana_central_data:
 loki_data:
diff --git a/modules/nginx-proxy/certs/local.crt b/modules/nginx-proxy/certs/local.crt
new file mode 100644
index 00000000..0f807ac2
--- /dev/null
+++ b/modules/nginx-proxy/certs/local.crt
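Review bot: Every `$VAR` / `${VAR}` inside the `command: >-` block is interpolated by Compose when the file is loaded, not by the container's shell, so `$REGISTRY`, `$NAMESPACE`, `$IMAGE_NAME`, `$SRC_IMAGE` and `$DST_IMAGE` (which only exist inside the container) are replaced with empty strings unless they also happen to be set in the host environment or `.env`, and `${TOKEN}` is expanded into the container's argv where `docker inspect` and `ps` can read it in addition to the `environment:` entry. Escape each reference as `$$VAR` — for example `if [ -z "$$USER" ] || [ -z "$$TOKEN" ] || [ -z "$$BRANCH" ]; then` and `echo "$$TOKEN" | docker login "$$REGISTRY" -u "$$USER" --password-stdin;` — so the shell reads them at run time, or move the script into a mounted file. The `:ro` on the `/var/run/docker.sock` bind only makes the socket node read-only; the daemon API behind it still accepts any request, so this job holds full control of the host Docker daemon for a pull/tag/push it does not need — a registry-to-registry copy tool that needs no socket would shrink that exposure. `USER` is also the conventional login-shell variable under `sh -l`; a name like `REGISTRY_USER` avoids the collision.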
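Review bot: The new service is attached only to `4nk_projects_net` at 172.21.0.10, while the proxy's resolver in modules/nginx-proxy/conf/nginx.conf is 172.20.0.1 on what its comment calls 4nk_network; unless the nginx-proxy container is also a member of `4nk_projects_net` (its definition is outside this hunk), `4nk-ia-front.local` may resolve but the `proxy_pass` connection to 172.21.0.10 will fail. The `:dev` tag is mutable and is the same image that docker-compose.registry.yml re-tags per branch, so a restart can silently pick up a different build; pinning by digest or by the branch tag would make the deployed version explicit. The enclosing `services:` mapping starts well before this hunk.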
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDIDCCAgigAwIBAgIUaYEl/pQF0ZyLDAi5FR7xZYyeeKswDQYJKoZIhvcNAQEL
+BQAwEjEQMA4GA1UEAwwHKi5sb2NhbDAeFw0yNTA5MTExNDI0MjRaFw0zNTA5MDkx
+NDI0MjRaMBIxEDAOBgNVBAMMByoubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQD3Njaaod0J1g8ag24ZDwW2Y1xOmJpZqQp2b2CQodAsoAQFrvfz
+ltOwOAiZPV2aBDL7u2aKbNfZW7AUTBNDanevadLzeXK1H9xXuDzr0ROQh0LK3V+V
+znfQh8Y12HdOWtyZMf3suEBoy98OoT8jqUocDajDOfVMx1kYb3Rl8EUmcS9IqOOr
+h68rrcmSH4Wq1cTXMv71qqTD7K0vixdgrOgN2YLF5l+upb465TpUFp3pp63s/Itf
+/AOpd5PDu2tw2aZvrEH4MckQ310S3rRQCobe61m5iwIRk1KWdgb2bGyV6yZX6KmF
+htFN1OZaN0Iz/kzMkqSRhyfViiCcyStLWw2NAgMBAAGjbjBsMB0GA1UdDgQWBBR8
+4QPda5kFELdFLjDjbieUMk9nsTAfBgNVHSMEGDAWgBR84QPda5kFELdFLjDjbieU
+Mk9nsTAPBgNVHRMBAf8EBTADAQH/MBkGA1UdEQQSMBCCByoubG9jYWyCBWxvY2Fs
+MA0GCSqGSIb3DQEBCwUAA4IBAQC+OzNNEUQLR/01AwfQpduYSD+YVRxrYvDdKujR
+zc+yTyglkM3RQdmLVsMPaVmZatUc0DG1Ggx+D9oTLVrqQcdy1mKBJ2jKn+cnlJ9R
+32CKtnb6vBPTwm03dP08H6cH8f17RKI4rTnl7C/bygMNeuvmlXltr7FZIdI9fJ1n
+kMGpY7FXQQw66qYy6OFc+YPkA3soOAfyUuNIzjaxB/E87Sk4quxE6zFNfCBK8QTS
+/Cwdx7anxQpmnpu9a1f7ql1t6ylFPCn39HT/kemSXeq2nU43X/CGEAhVKK4aEX9Y
+E3plaTx7fKjFEli0V7T+bhj8c6nJb3IprvW2uQ+fhzqRmRiI
+-----END CERTIFICATE-----
diff --git a/modules/nginx-proxy/certs/local.key b/modules/nginx-proxy/certs/local.key
new file mode 100644
index 00000000..03b202e8
--- /dev/null
+++ b/modules/nginx-proxy/certs/local.key
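Review bot: Decoding the certificate, it is self-signed for `CN=*.local` (SAN `*.local`, `local`) with a critical basicConstraints `CA:TRUE` and a validity of about ten years (2025-09-11 to 2035-09-09); any workstation that imports it to silence browser warnings therefore trusts it as a root CA for every name, and with the matching key committed in modules/nginx-proxy/certs/local.key that trust is usable by anyone with repository access. For a development wildcard, issue a leaf certificate with `CA:FALSE` from a local CA whose key stays off the repository, with a validity measured in months, and describe in the module's README how it is regenerated. If a certificate must stay checked in, the README should at least state that it is a development-only self-signed certificate that must never be imported into a system trust store.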
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQD3Njaaod0J1g8a
+g24ZDwW2Y1xOmJpZqQp2b2CQodAsoAQFrvfzltOwOAiZPV2aBDL7u2aKbNfZW7AU
+TBNDanevadLzeXK1H9xXuDzr0ROQh0LK3V+VznfQh8Y12HdOWtyZMf3suEBoy98O
+oT8jqUocDajDOfVMx1kYb3Rl8EUmcS9IqOOrh68rrcmSH4Wq1cTXMv71qqTD7K0v
+ixdgrOgN2YLF5l+upb465TpUFp3pp63s/Itf/AOpd5PDu2tw2aZvrEH4MckQ310S
+3rRQCobe61m5iwIRk1KWdgb2bGyV6yZX6KmFhtFN1OZaN0Iz/kzMkqSRhyfViiCc
+yStLWw2NAgMBAAECggEAXOU3YaYffJm+tTTcQ3hcqivuPO6lWbnm35h8zfywUISU
+3lngfN2ZkKeNu5/Os5iOXAAQyUWbWudUZFwuBPBWJ0l55tolW6CsWR43blnzoyTg
+2YCUcaPTbD4JIqTEOGJ2cO7TP4gBVCAAIuw+4LS1z5Lmbu4xmndyqHcBY2kFYyr6
+CS4oHCip1J5AcIXbDx0eEJxyFFQvh/nAy1nUvoAuqt3X0Bpoj90uBXyG1KRz2Db7
+KANWPMeWRVPU6ceXorUPb24fUDah2g3YddXG3bqVVS0yq9G5eMZv5sl8Chs2P5Kp
+3wARRjvt1WANXWPwk8W+cbBrWsZxCgCxgpgup48S9QKBgQD+Chl+TexZzReHR5yD
+jif3/FKX2hp38RmNbpO2EhxCbkmGgmZwTkWyNCwCCr4mhAKMIMbL69zT8HKxWdSx
+C0lJ9oPYCW3VqqPOIfIsN6mW2Hi4s2aMA8nNUUWWjhyi/msSDxOZRJZUj3s3+evs
+B/Q9jkQvFkmNT0ZYSpHlUwgR5wKBgQD5Hp/ZLzySaBOqLpZjmPih9Q53diSuTZvN
+wZVicmh32moGniSGKjWC7cetGCyAHzsBMDdN9XBJ1gqGxkmiFFmmfdxtpo/Jmps1
+a//ZS+RfXpphpRmgXfnUd9nUNwv0roQWTf0njmwdjXFNMBQjlQQZ1NwsvrJPr4FA
+9rC3dLmeawKBgF4skkzPSEn2DL3anzvprAlzYY7njJ5gI4/ZqSp6xj0eM2WI277Q
+VWf9jT7oipsunt8hm3CnLELpRStX2NAVFgM0PqYMwMnPq0/UJ7manOTNtNsLrn1D
+PkE92qU4Y4dM95ZHPoW39l68nfofTQU/4ZwcLEykX3niJHrAkhtIT5qLAoGAGeXK
+Hkzf0iSJrs5rCe2UI1oTZ+3bQFeHE+vE+NgF7jfBf/CewWfP6k2HzYHO1n7opmX5
+ydvzEWnz7DDe5L+S1lENQkTne8Db08DndxKBqjxudiowsNA0MZdICNy0HHqr9pmi
+8KLIsIXMuoZ+AXjzVTAgt3IXnVsUZ8l9c4Tp6wMCgYBGIx0MLhJ69X1Te9SQb/pT
+rxEEmn17z7YY0xUablgwahA+HbCeJjAckk7zmjEG9c8hixYecXZTD9A7ul9gCrAU
+zlZF2QDv28tLRr8nHNYFFzbNTI/gy0cFDJKGouE6DPGjU8bWM23fXtJJTVeqIMW5
+8oCPL7ZL6V5uxZEWFfQUtg==
+-----END PRIVATE KEY-----
diff --git a/modules/nginx-proxy/conf/nginx.conf b/modules/nginx-proxy/conf/nginx.conf
new file mode 100644
index 00000000..fcd1aa84
--- /dev/null
+++ b/modules/nginx-proxy/conf/nginx.conf
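Review bot: This is the unencrypted private key for modules/nginx-proxy/certs/local.crt committed in clear; once it is in git history it has to be treated as disclosed to everyone who can read the repository, and because the matching certificate is a self-signed `CA:TRUE` root, any client that trusts local.crt will also accept certificates issued with this key for any name. Remove the pair from the repository and its history, add `modules/nginx-proxy/certs/*.key` to `.gitignore`, generate the key at deploy time or deliver it through a Compose `secrets:` entry mounted into the proxy, and regenerate the pair since this one is already public. The same remediation covers the certificate hunk in modules/nginx-proxy/certs/local.crt.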
@@ -0,0 +1,76 @@
+worker_processes auto;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+ error_log /var/log/nginx/error.log warn;
+
+ sendfile on;
+ keepalive_timeout 65;
+
+ # DNS interne (dnsmasq sur la passerelle Docker de 4nk_network)
+ resolver 172.20.0.1 valid=10s ipv6=off;
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ # Mapping hôte -> port applicatif
+ map $host $upstream_port {
+ default 80;
+ ihm-client.local 80;
+ coffre-front.local 3000;
+ coffre-back-mini.local 8080;
+ blindbit-oracle.local 8000;
+ sdk-storage.local 8080;
+ sdk-relay1.local 8090;
+ sdk-relay2.local 8090;
+ sdk-relay3.local 8090;
+ sdk-signer.local 9090;
+ grafana-central.local 3000;
+ loki.local 3100;
+ prometheus.local 9091;
+ 4nk-ia-front.local 3000;
+ }
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ server {
+ listen 443 ssl;
+ server_name *.local;
+
+ ssl_certificate /etc/nginx/certs/local.crt;
+ ssl_certificate_key /etc/nginx/certs/local.key;
+
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-XSS-Protection "1; mode=block";
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_read_timeout 300s;
+ proxy_send_timeout 300s;
+ proxy_pass http://$host:$upstream_port$request_uri;
+ }
+ }
+}
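Review bot: `proxy_pass http://$host:$upstream_port$request_uri;` combined with `default 80;` in the `$host` map makes this server an open forward proxy: `server_name *.local` is the only server block and therefore also the default one, so any Host header a client sends reaches it and nginx connects to port 80 on whatever that name resolves to through the internal 172.20.0.1 resolver, not just the listed services. Restrict forwarding to the mapped names by changing the map default to `default "";` and adding, before `location /`, `if ($upstream_port = "") { return 421; }` (or `return 444;`), so unknown hosts are refused instead of relayed; a `# Only hosts listed in this map are proxied; anything else is refused` comment above the map would document the intent. Two smaller points: `ssl_prefer_server_ciphers on` without an `ssl_ciphers` list leaves the cipher order to the build defaults, and `X-XSS-Protection` is obsolete in current browsers while no `Strict-Transport-Security` header is set for this TLS-only listener.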