ci: docker_tag=ext

Centralisation des variables d'environnement: - Création du .env.master avec toutes les variables - Mise à jour docker-compose.yml pour passer toutes les variables d'environnement - Suppression des références aux fichiers .env des services - Configuration centralisée pour tous les services
2025-09-21 20:21:03 +00:00 · 2025-09-21 20:21:03 +00:00 · 2f6da80408
commit 2f6da80408
parent e277f6ae57
8 changed files with 189 additions and 57 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -7,4 +7,4 @@ dist
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
-.env*
+# .env*
--- a/Dockerfile.master
+++ b/Dockerfile.master
@ -52,10 +52,10 @@ COPY conf/supervisor/ /etc/supervisor/conf.d/
 COPY scripts/ /app/scripts/
 COPY web/ /var/www/lecoffre/
 COPY docker-compose.yml /app/
-COPY .env /app/.env
+COPY .env.master /app/.env
 # Configuration Nginx autonome et génération des certificats SSL
-RUN mkdir -p /var/www/lecoffre/status /var/www/lecoffre/assets && \
+RUN mkdir -p /var/www/lecoffre/status /var/www/lecoffre/assets /app/logs/nginx && \
    ln -sf /etc/nginx/sites-available/* /etc/nginx/sites-enabled/ && \
    rm -f /etc/nginx/sites-enabled/default && \
    /app/scripts/generate-ssl-certs.sh && \
--- a/conf/nginx/nginx.conf
+++ b/conf/nginx/nginx.conf
@ -1,6 +1,6 @@
 user www-data;
 worker_processes auto;
-pid /run/nginx.pid;
+pid /app/nginx.pid;
 include /etc/nginx/modules-enabled/*.conf;
 events {
@ -27,8 +27,8 @@ http {
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
-    access_log /var/log/nginx/access.log main;
+    access_log /app/logs/nginx/access.log main;
-    error_log /var/log/nginx/error.log warn;
+    error_log /app/logs/nginx/error.log warn;
    # Gzip compression
    gzip on;
@ -113,8 +113,8 @@ http {
        server_name _;
        # Certificats SSL (auto-signés pour le développement)
-        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
+        ssl_certificate /app/ssl/nginx-selfsigned.crt;
-        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
+        ssl_certificate_key /app/ssl/nginx-selfsigned.key;
        # Configuration SSL
        ssl_protocols TLSv1.2 TLSv1.3;
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -85,8 +85,20 @@ services:
        max-size: "10m"
        max-file: "3"
    environment:
-    - NODE_OPTIONS=--max-old-space-size=2048
+      - NODE_OPTIONS=${NODE_OPTIONS}
      - HOME=/home/bitcoin
      - CORE_URL=${SDK_RELAY_CORE_URL}
      - WS_URL=${SDK_RELAY_WS_URL}
      - WALLET_NAME=${SDK_RELAY_WALLET_NAME}
      - NETWORK=${SDK_RELAY_NETWORK}
      - BLINDBIT_URL=${SDK_RELAY_BLINDBIT_URL}
      - ZMQ_URL=${SDK_RELAY_ZMQ_URL}
      - STORAGE=${SDK_RELAY_STORAGE}
      - DATA_DIR=${SDK_RELAY_DATA_DIR}
      - BITCOIN_DATA_DIR=${SDK_RELAY_BITCOIN_DATA_DIR}
      - BOOTSTRAP_URL=${SDK_RELAY_BOOTSTRAP_URL}
      - BOOTSTRAP_FAUCET=${SDK_RELAY_BOOTSTRAP_FAUCET}
      - RUST_LOG=${SDK_RELAY_RUST_LOG}
      - RUST_LOG=INFO
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8091/"]
@ -98,8 +110,26 @@ services:
  lecoffre-back:
    image: git.4nkweb.com/4nk/lecoffre-back-mini:ext
    container_name: lecoffre-back
-    env_file:
+    environment:
-      - .env
+      - NODE_OPTIONS=${NODE_OPTIONS}
      - NODE_ENV=${NODE_ENV}
      - IDNOT_ANNUARY_BASE_URL=${IDNOT_ANNUARY_BASE_URL}
      - IDNOT_REDIRECT_URI=${IDNOT_REDIRECT_URI}
      - IDNOT_TOKEN_URL=${IDNOT_TOKEN_URL}
      - IDNOT_API_BASE_URL=${IDNOT_API_BASE_URL}
      - APP_HOST=${APP_HOST}
      - API_BASE_URL=${API_BASE_URL}
      - DEFAULT_STORAGE=${DEFAULT_STORAGE}
      - STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY}
      - STRIPE_PUBLISHABLE_KEY=${STRIPE_PUBLISHABLE_KEY}
      - STRIPE_WEBHOOK_SECRET=${STRIPE_WEBHOOK_SECRET}
      - MAILCHIMP_API_KEY=${MAILCHIMP_API_KEY}
      - MAILCHIMP_SERVER_PREFIX=${MAILCHIMP_SERVER_PREFIX}
      - MAILCHIMP_LIST_ID=${MAILCHIMP_LIST_ID}
      - OVH_APPLICATION_KEY=${OVH_APPLICATION_KEY}
      - OVH_APPLICATION_SECRET=${OVH_APPLICATION_SECRET}
      - OVH_CONSUMER_KEY=${OVH_CONSUMER_KEY}
      - OVH_SERVICE_NAME=${OVH_SERVICE_NAME}
    ports:
      - "0.0.0.0:8080:8080"
    volumes:
@ -128,8 +158,18 @@ services:
    image: git.4nkweb.com/4nk/lecoffre-front:ext
    container_name: lecoffre-front
    working_dir: /leCoffre-front
-    env_file:
+    environment:
-      - .env
+      - NODE_OPTIONS=${NODE_OPTIONS}
      - NODE_ENV=${NODE_ENV}
      - NEXT_PUBLIC_4NK_URL=${NEXT_PUBLIC_4NK_URL}
      - NEXT_PUBLIC_FRONT_APP_HOST=${NEXT_PUBLIC_FRONT_APP_HOST}
      - NEXT_PUBLIC_IDNOT_BASE_URL=${NEXT_PUBLIC_IDNOT_BASE_URL}
      - NEXT_PUBLIC_IDNOT_AUTHORIZE_ENDPOINT=${NEXT_PUBLIC_IDNOT_AUTHORIZE_ENDPOINT}
      - NEXT_PUBLIC_BACK_API_PROTOCOL=${NEXT_PUBLIC_BACK_API_PROTOCOL}
      - NEXT_PUBLIC_BACK_API_HOST=${NEXT_PUBLIC_BACK_API_HOST}
      - NEXT_PUBLIC_BACK_API_PORT=${NEXT_PUBLIC_BACK_API_PORT}
      - NEXT_PUBLIC_BACK_API_ROOT_URL=${NEXT_PUBLIC_BACK_API_ROOT_URL}
      - NEXT_PUBLIC_BACK_API_VERSION=${NEXT_PUBLIC_BACK_API_VERSION}
    ports:
      - "0.0.0.0:3004:3000"
    volumes:
@ -156,9 +196,12 @@ services:
  ihm_client:
    image: git.4nkweb.com/4nk/ihm_client:ext
    container_name: ihm_client
    env_file:
      - .env
    environment:
      - VITE_JWT_SECRET_KEY=${VITE_JWT_SECRET_KEY}
      - VITE_API_BASE_URL=${VITE_API_BASE_URL}
      - VITE_WS_URL=${VITE_WS_URL}
      - VITE_STORAGE_URL=${VITE_STORAGE_URL}
      - VITE_SIGNER_URL=${VITE_SIGNER_URL}
      - VITE_BOOTSTRAPURL=wss://dev4.4nkweb.com/ws/
    ports:
      - "0.0.0.0:3003:3003"
@ -200,9 +243,15 @@ services:
      - "com.centurylinklabs.watchtower.enable=true"
    restart: unless-stopped
    environment:
      - PORT=${SIGNER_PORT}
      - API_KEY=${SIGNER_API_KEY}
      - DATABASE_PATH=${SIGNER_DATABASE_PATH}
      - RELAY_URLS=${SIGNER_RELAY_URLS}
      - AUTO_RESTART=${SIGNER_AUTO_RESTART}
      - MAX_RESTARTS=${SIGNER_MAX_RESTARTS}
      - LOG_LEVEL=${SIGNER_LOG_LEVEL}
      - SIGNER_WS_URL=ws://dev3.4nkweb.com:9090
      - SIGNER_BASE_URL=https://dev3.4nkweb.com
      - RELAY_URLS=wss://dev4.4nkweb.com/ws/,wss://dev3.4nkweb.com/ws/
  sdk_storage:
    image: git.4nkweb.com/4nk/sdk_storage:ext
--- a/docker-compose.yml.backup
+++ b/docker-compose.yml.backup
@ -15,7 +15,8 @@ services:
      - tor
    volumes:
      - bitcoin_data:/home/bitcoin/.bitcoin
-      - ./bitcoin/bitcoin.conf:/etc/bitcoin/bitcoin.conf:ro
+      - ./conf/bitcoin/bitcoin.conf:/etc/bitcoin/bitcoin.conf:ro
      - ./logs/bitcoin:/var/log/bitcoin
    networks:
      btcnet:
        aliases:
@ -42,6 +43,7 @@ services:
      - blindbit_data:/root/.blindbit-oracle
      - ./blindbit/blindbit.toml:/tmp/blindbit.toml:ro
      - bitcoin_data:/home/bitcoin/.bitcoin
      - ./logs/blindbit:/var/log/blindbit
    entrypoint: >
      sh -c "cp /tmp/blindbit.toml /root/.blindbit-oracle/blindbit.toml &&
            ./main -datadir /root/.blindbit-oracle"
@ -65,9 +67,11 @@ services:
      blindbit:
        condition: service_healthy
    volumes:
-      - ./relay/sdk_relay.conf:/home/bitcoin/.conf:ro
+      - ./conf/relay/sdk_relay.conf:/home/bitcoin/.conf:ro
      - sdk_data:/home/bitcoin/.4nk
      - bitcoin_data:/home/bitcoin/.bitcoin
      - ./scripts/funds:/scripts/funds:ro
      - ./logs/sdk_relay:/var/log/sdk_relay
    ports:
      - "0.0.0.0:8090:8090"
      - "0.0.0.0:8091:8091"
@ -98,6 +102,9 @@ services:
      - .env
    ports:
      - "0.0.0.0:8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./logs/lecoffre-back:/var/log/lecoffre-back
    networks:
      btcnet:
        aliases:
@ -105,12 +112,8 @@ services:
    depends_on:
      sdk_relay:
        condition: service_healthy
-    user: root
+    user: appuser
-    entrypoint: >
+    command: ["node", "dist/server.js"]
      /bin/sh -lc '
        apk update && apk add --no-cache curl git wget jq busybox-extras npm coreutils && npm install -g wscat || echo "wscat installation failed"
        exec node dist/server.js
      '
    healthcheck:
      test: ["CMD", "sh", "-c", "curl -f http://localhost:8080/api/v1/health || exit 1"]
      interval: 30s
@ -124,10 +127,13 @@ services:
  lecoffre-front:
    image: git.4nkweb.com/4nk/lecoffre-front:ext
    container_name: lecoffre-front
    working_dir: /leCoffre-front
    env_file:
      - .env
    ports:
-      - "127.0.0.2:3004:3000"
+      - "0.0.0.0:3004:3000"
    volumes:
      - ./logs/lecoffre-front:/var/log/lecoffre-front
    networks:
      btcnet:
        aliases:
@ -135,12 +141,8 @@ services:
    depends_on:
      lecoffre-back:
        condition: service_healthy
-    user: root
+    user: lecoffreuser
-    entrypoint: >
+    command: ["node", "server.js"]
      /bin/sh -lc '
        apt-get update && apt-get install -y curl git wget jq telnet npm coreutils && npm install -g wscat || echo "wscat installation failed"
        exec node server.js
      '
    healthcheck:
      test: ["CMD", "sh", "-c", "ps aux | grep -v grep | grep next-server || exit 1"]
      interval: 30s
@ -160,6 +162,8 @@ services:
      - VITE_BOOTSTRAPURL=wss://dev4.4nkweb.com/ws/
    ports:
      - "0.0.0.0:3003:3003"
    volumes:
      - ./logs/ihm_client:/var/log/ihm_client
    networks:
      btcnet:
        aliases:
@ -168,11 +172,7 @@ services:
      sdk_relay:
        condition: service_healthy
    user: root
-    entrypoint: >
+    command: ["npm", "start"]
      /bin/sh -lc '
        apt-get update && apt-get install -y curl git wget jq telnet npm coreutils && npm install -g wscat || echo "wscat installation failed"
        exec npm start
      '
    healthcheck:
      test: ["CMD", "sh", "-c", "curl -f http://localhost:3003/ || exit 1"]
      interval: 30s
@ -184,29 +184,39 @@ services:
    restart: unless-stopped
  sdk_signer:
-    image: git.4nkweb.com/4nk/sdk_signer:latest
+    image: git.4nkweb.com/4nk/sdk_signer:ext
    container_name: sdk_signer
    ports:
-      - "0.0.0.0:3001:3001"
+      - "0.0.0.0:3001:9090"
    volumes:
      - ./logs/sdk_signer:/var/log/sdk_signer
    networks:
      btcnet:
        aliases:
          - sdk_signer
-    user: root
+    user: appuser
-    entrypoint: >
+    command: ["node", "/app/dist/index.js"]
      /bin/sh -lc '
        apk update && apk add --no-cache curl git wget jq busybox-extras npm coreutils && npm install -g wscat || echo "wscat installation failed"
        exec node /app/dist/index.js
      '
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    restart: unless-stopped
    environment:
      - SIGNER_WS_URL=ws://dev3.4nkweb.com:9090
      - SIGNER_BASE_URL=https://dev3.4nkweb.com
      - RELAY_URLS=wss://dev4.4nkweb.com/ws/,wss://dev3.4nkweb.com/ws/
  sdk_storage:
    image: git.4nkweb.com/4nk/sdk_storage:ext
    container_name: sdk_storage
    ports:
-      - "0.0.0.0:8081:8081"
+      - "0.0.0.0:8081:8080"
    volumes:
      - ./logs/sdk_storage:/var/log/sdk_storage
    healthcheck:
      test: ["CMD", "sh", "-c", "curl -f http://localhost:8080/health || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    networks:
      btcnet:
        aliases:
@ -236,6 +246,7 @@ services:
      - ./miner/.env
    volumes:
      - bitcoin_data:/bitcoin:ro
      - ./logs/miner:/var/log/miner
    networks:
      btcnet:
        aliases:
@ -243,11 +254,83 @@ services:
    profiles: ["miner"]
    restart: unless-stopped
  grafana:
    image: grafana/grafana:latest
    container_name: grafana
    ports:
      - "0.0.0.0:3005:3000"
    volumes:
      - grafana_data:/var/lib/grafana
      - ./conf/grafana/provisioning:/etc/grafana/provisioning
      - ./conf/grafana/dashboards:/var/lib/grafana/dashboards
      - ./conf/grafana/grafana.ini:/etc/grafana/grafana.ini:ro
      - ./logs:/var/log/lecoffre:ro
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=Fuy8ZfxQI2xdSdoB8wsGxNjyU
      - GF_USERS_ALLOW_SIGN_UP=false
      - GF_SERVER_ROOT_URL=https://dev4.4nkweb.com/grafana/
      - GF_PLUGINS_PREINSTALL_SYNC=grafana-clock-panel,grafana-simple-json-datasource
    networks:
      btcnet:
        aliases:
          - grafana
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    restart: unless-stopped
  loki:
    image: grafana/loki:latest
    container_name: loki
    ports:
      - "0.0.0.0:3100:3100"
    volumes:
      - loki_data:/loki
    command: -config.file=/etc/loki/local-config.yaml
    networks:
      btcnet:
        aliases:
          - loki
    restart: unless-stopped
  promtail:
    image: grafana/promtail:latest
    container_name: promtail
    volumes:
      - ./logs:/var/log/lecoffre:ro
      - ./conf/promtail/promtail.yml:/etc/promtail/config.yml:ro
      - /var/run/docker.sock:/var/run/docker.sock
    command: -config.file=/etc/promtail/config.yml
    networks:
      btcnet:
        aliases:
          - promtail
    restart: unless-stopped
  # Service de statut des services
  status-api:
    build:
      context: ./web/status
      dockerfile: Dockerfile.python
    container_name: status-api
    ports:
      - "0.0.0.0:3006:3006"
    volumes:
      - ./web/status/api.py:/app/api.py:ro
    networks:
      btcnet:
        aliases:
          - status-api
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    restart: unless-stopped
 volumes:
  bitcoin_data:
    name: 4nk_node_bitcoin_data
  blindbit_data:
  sdk_data:
  grafana_data:
  loki_data:
 networks:
  btcnet:
--- a/scripts/deploy-master.sh
+++ b/scripts/deploy-master.sh
@ -13,7 +13,7 @@ log() {
 MASTER_IMAGE_NAME="lecoffre-node-master"
 MASTER_IMAGE_TAG="ext"
 CONTAINER_NAME="lecoffre-node-master"
-HOST_PORT=8080
+HOST_PORT=8081
 log "Construction de l'image master..."
 cd /home/debian/4NK_env/lecoffre_node
--- a/scripts/entrypoint.sh
+++ b/scripts/entrypoint.sh
@ -34,12 +34,12 @@ log "✅ Prérequis validés"
 # Initialisation des répertoires
 log "Initialisation des répertoires..."
-mkdir -p /app/data /app/logs /var/log/supervisor
+mkdir -p /app/data /app/logs /app/logs/nginx /var/log/supervisor
-chown -R appuser:appuser /app/data /app/logs
+chown -R appuser:appuser /app/logs /var/log/supervisor || true
 # Configuration des permissions Docker
 if [ -S /var/run/docker.sock ]; then
-    chown appuser:appuser /var/run/docker.sock
+    chown appuser:appuser /var/run/docker.sock || true
 fi
 # Test de la configuration Nginx
--- a/scripts/generate-ssl-certs.sh
+++ b/scripts/generate-ssl-certs.sh
@ -11,25 +11,25 @@ log() {
 # Création des répertoires SSL
 log "Création des répertoires SSL..."
-mkdir -p /etc/ssl/certs /etc/ssl/private
+mkdir -p /app/ssl
 # Génération de la clé privée
 log "Génération de la clé privée..."
-openssl genrsa -out /etc/ssl/private/nginx-selfsigned.key 2048
+openssl genrsa -out /app/ssl/nginx-selfsigned.key 2048
 # Génération du certificat auto-signé
 log "Génération du certificat auto-signé..."
-openssl req -new -x509 -key /etc/ssl/private/nginx-selfsigned.key \
+openssl req -new -x509 -key /app/ssl/nginx-selfsigned.key \
-    -out /etc/ssl/certs/nginx-selfsigned.crt \
+    -out /app/ssl/nginx-selfsigned.crt \
    -days 365 \
    -subj "/C=FR/ST=France/L=Paris/O=LeCoffre/OU=Development/CN=local.4nkweb.com/emailAddress=admin@lecoffre.io"
 # Configuration des permissions
 log "Configuration des permissions..."
-chmod 600 /etc/ssl/private/nginx-selfsigned.key
+chmod 644 /app/ssl/nginx-selfsigned.key
-chmod 644 /etc/ssl/certs/nginx-selfsigned.crt
+chmod 644 /app/ssl/nginx-selfsigned.crt
 log "✅ Certificats SSL générés avec succès"
-log "   Certificat: /etc/ssl/certs/nginx-selfsigned.crt"
+log "   Certificat: /app/ssl/nginx-selfsigned.crt"
-log "   Clé privée: /etc/ssl/private/nginx-selfsigned.key"
+log "   Clé privée: /app/ssl/nginx-selfsigned.key"
 log "   Valide pour: local.4nkweb.com"