349e8daa0b
Add `core prod` command with full production infrastructure tooling: - `core prod status` — parallel SSH health checks across all hosts, Galera cluster state, Redis sentinel, Docker, LB health - `core prod setup` — Phase 1 foundation: Hetzner topology discovery, managed LB creation, CloudNS DNS record management - `core prod dns` — CloudNS record CRUD with idempotent EnsureRecord - `core prod lb` — Hetzner Cloud LB status and creation - `core prod ssh <host>` — SSH into hosts defined in infra.yaml New packages: - pkg/infra: config parsing, Hetzner Cloud/Robot API, CloudNS DNS API - infra.yaml: declarative production topology (hosts, LB, DNS, SSL, Galera, Redis, containers, S3, CDN, CI/CD, monitoring, backups) Docker: - Dockerfile.app (PHP 8.3-FPM, multi-stage) - Dockerfile.web (Nginx + security headers) - docker-compose.prod.yml (app, web, horizon, scheduler, mcp, redis, galera) Ansible playbooks (runnable via `core deploy ansible`): - galera-deploy.yml, redis-deploy.yml, galera-backup.yml - inventory.yml with all production hosts CI/CD: - .forgejo/workflows/deploy.yml for Forgejo Actions pipeline Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
59 lines
1.4 KiB
Text
59 lines
1.4 KiB
Text
# Host UK Nginx Configuration
|
|
# Proxies PHP to the app (FPM) container, serves static files directly
|
|
|
|
server {
|
|
listen 80;
|
|
server_name _;
|
|
|
|
root /app/public;
|
|
index index.php;
|
|
|
|
charset utf-8;
|
|
|
|
# Security headers
|
|
include /etc/nginx/snippets/security-headers.conf;
|
|
|
|
# Health check endpoint (no logging)
|
|
location = /health {
|
|
access_log off;
|
|
try_files $uri /index.php?$query_string;
|
|
}
|
|
|
|
# Static file caching
|
|
location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot|webp|avif)$ {
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
access_log off;
|
|
try_files $uri =404;
|
|
}
|
|
|
|
# Laravel application
|
|
location / {
|
|
try_files $uri $uri/ /index.php?$query_string;
|
|
}
|
|
|
|
# PHP-FPM upstream
|
|
location ~ \.php$ {
|
|
fastcgi_pass app:9000;
|
|
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
|
include fastcgi_params;
|
|
|
|
fastcgi_hide_header X-Powered-By;
|
|
fastcgi_buffer_size 32k;
|
|
fastcgi_buffers 16 16k;
|
|
fastcgi_read_timeout 300;
|
|
|
|
# Pass real client IP from LB proxy protocol
|
|
fastcgi_param REMOTE_ADDR $http_x_forwarded_for;
|
|
}
|
|
|
|
# Block dotfiles (except .well-known)
|
|
location ~ /\.(?!well-known) {
|
|
deny all;
|
|
}
|
|
|
|
# Block access to sensitive files
|
|
location ~* \.(env|log|yaml|yml|toml|lock|bak|sql)$ {
|
|
deny all;
|
|
}
|
|
}
|