From b65daf378450c3b1d272942dd1fecce8dd7d301e Mon Sep 17 00:00:00 2001
From: finn
Date: Mon, 5 Aug 2024 09:55:47 +0000
Subject: [PATCH] prod cleanup for live c10

---
 .gitignore | 1 +
 README.md | 8 ++++++-
 compose.yaml | 24 ++++++++-----------
 compose.yaml.local | 16 +++++-------
 compose.yaml.prod | 16 +++++-------
 proxy/conf | 60 ++++++++++++++++++++++++++++++++++++++--------
 6 files changed, 80 insertions(+), 45 deletions(-)

diff --git a/.gitignore b/.gitignore
index 850c508..ecffb5f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,5 @@ gitea/ pmb-pf/ venv zapp.db +db/bu
diff --git a/README.md b/README.md
index 5a0baa3..8f913a2 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,12 @@ Find in proxy/conf.\ Find in gitea conf.\ Rebuild images. +### MariaDB backup: +``` +mariadb-dump -uroot -pxxxx gitea > /bu/19840101.sql +mariadb -uroot -pxxxx gitea < /bu/19840101.sql +``` + ### Todo: - gitea subdomain will require wildcard cert -- therefore "*.oily.dad" AND "oily.dad" DONE -- move more stuff from backend config into root .env \ No newline at end of file +- move more stuff from backend config into root .env
diff --git a/compose.yaml b/compose.yaml
index 88cff10..8ddc36f 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -3,23 +3,19 @@ services: image: mariadb:lts restart: always healthcheck: - #test: ['CMD-SHELL', 'mysqladmin ping -h 127.0.0.1 --password="${DOTENV_MYSQL_ROOT_PASSWORD}" --silent'] test: ['CMD', 'healthcheck.sh', '--connect', '--innodb_initialized'] interval: 10s retries: 5 timeout: 5s - start_period: 10s + start_period: 5s volumes: - db-data:/var/lib/mysql - ./db/init:/docker-entrypoint-initdb.d/ + - ./db/bu:/bu networks: - backnet environment: - #- MYSQL_DATABASE=gitea - #- MYSQL_USER=gitea - #- MYSQL_PASSWORD=gitea - #- MYSQL_ROOT_PASSWORD=rootpass - - MYSQL_ROOT_PASSWORD=${DOTENV_MYSQL_ROOT_PASSWORD} + - MARIADB_ROOT_PASSWORD=${DOTENV_MYSQL_ROOT_PASSWORD} expose: - 3306 - 33060 
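Review bot: The new `- MARIADB_ROOT_PASSWORD=${DOTENV_MYSQL_ROOT_PASSWORD}` line in the db service interpolates to an empty string when the .env entry is missing, so a misconfigured host is only caught when the MariaDB entrypoint fails on first initialization rather than at compose time; the `:?` form fails fast with a clear message: `- MARIADB_ROOT_PASSWORD=${DOTENV_MYSQL_ROOT_PASSWORD:?DOTENV_MYSQL_ROOT_PASSWORD must be set in .env}`. The added `./db/bu:/bu` bind mount is the target of the README's `mariadb-dump`, and a full dump of the gitea database presumably carries whatever Gitea keeps there (user credential hashes, tokens), so the host directory should be created with a restrictive mode before first use — the patch git-ignores it, which helps, but file permissions are outside this diff. The README's `-uroot -pxxxx` form also puts the root password on the command line, visible in the container's process list and shell history; a `--defaults-extra-file` with a `[client]` section avoids that. The same points apply to the identical db hunks in compose.yaml.local and compose.yaml.prod.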
@@ -29,11 +25,11 @@ services: context: backend target: builder # Next two are only debug, used without restart - stdin_open: true - tty: true - #restart: always + #stdin_open: true + #tty: true + restart: always # Comment following line to use flask (1worker, dev), uncomment to use uwsgi (wsgi) - #command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"] + command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"] environment: - MYSQL_USER=flasku #- MYSQL_PASSWORD=flaskp
@@ -96,9 +92,9 @@ services: proxy: build: proxy restart: always - #volumes: - # - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt - # - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt + volumes: + - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt + - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt ports: - 80:80 - 443:443
diff --git a/compose.yaml.local b/compose.yaml.local
index 88cff10..2548389 100644
--- a/compose.yaml.local
+++ b/compose.yaml.local
@@ -3,23 +3,19 @@ services: image: mariadb:lts restart: always healthcheck: - #test: ['CMD-SHELL', 'mysqladmin ping -h 127.0.0.1 --password="${DOTENV_MYSQL_ROOT_PASSWORD}" --silent'] test: ['CMD', 'healthcheck.sh', '--connect', '--innodb_initialized'] interval: 10s retries: 5 timeout: 5s - start_period: 10s + start_period: 5s volumes: - db-data:/var/lib/mysql - ./db/init:/docker-entrypoint-initdb.d/ + - ./db/bu:/bu networks: - backnet environment: - #- MYSQL_DATABASE=gitea - #- MYSQL_USER=gitea - #- MYSQL_PASSWORD=gitea - #- MYSQL_ROOT_PASSWORD=rootpass - - MYSQL_ROOT_PASSWORD=${DOTENV_MYSQL_ROOT_PASSWORD} + - MARIADB_ROOT_PASSWORD=${DOTENV_MYSQL_ROOT_PASSWORD} expose: - 3306 - 33060 
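Review bot: The newly enabled `command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"]` makes uwsgi the container's PID 1 without `--die-on-term`, and uwsgi by default treats SIGTERM as a reload rather than a shutdown, so `docker compose stop`/`down` will sit through the stop grace period and then SIGKILL the workers mid-request — which, with `restart: always` now on, becomes the routine lifecycle. Append `"--die-on-term"` to the argument list unless the image's uwsgi ini already sets it (the backend Dockerfile is outside this diff). The corresponding hunk in compose.yaml.local keeps uwsgi commented out while also switching to `restart: always`, so there the flask dev server now auto-restarts; fine for local use, but worth a comment if intentional.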
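Review bot: The two letsencrypt bind mounts enabled in the proxy service are read-write and hand the whole `/etc/letsencrypt` tree — which typically holds every issued private key plus the ACME account key — to the nginx container, although proxy/conf only reads `live/oily.dad/fullchain.pem` and `privkey.pem`; mount it read-only, `- /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt:ro`, and drop the `/var/lib/letsencrypt` mount unless certbot itself runs inside this container (the proxy Dockerfile is not in the diff). The absolute `/home/finn/d/cert` host path also pins the file to one machine; a `${CERT_DIR}` variable from the root .env, which the README's todo already plans to grow, keeps it portable. Note too that nginx loads certificate files at startup, so a certbot renewal on the host only takes effect after a `nginx -s reload` in the container — nothing in this patch arranges that. The same hunk appears in compose.yaml.prod.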
@@ -29,9 +25,9 @@ services: context: backend target: builder # Next two are only debug, used without restart - stdin_open: true - tty: true - #restart: always + #stdin_open: true + #tty: true + restart: always # Comment following line to use flask (1worker, dev), uncomment to use uwsgi (wsgi) #command: ["uwsgi", "--http", "0.0.0.0:8000", "--master", "-p", "4", "-w", "microblog:app"] environment:
diff --git a/compose.yaml.prod b/compose.yaml.prod
index 98403d8..8ddc36f 100644
--- a/compose.yaml.prod
+++ b/compose.yaml.prod
@@ -3,23 +3,19 @@ services: image: mariadb:lts restart: always healthcheck: - #test: ['CMD-SHELL', 'mysqladmin ping -h 127.0.0.1 --password="${DOTENV_MYSQL_ROOT_PASSWORD}" --silent'] test: ['CMD', 'healthcheck.sh', '--connect', '--innodb_initialized'] interval: 10s retries: 5 timeout: 5s - start_period: 10s + start_period: 5s volumes: - db-data:/var/lib/mysql - ./db/init:/docker-entrypoint-initdb.d/ + - ./db/bu:/bu networks: - backnet environment: - #- MYSQL_DATABASE=gitea - #- MYSQL_USER=gitea - #- MYSQL_PASSWORD=gitea - #- MYSQL_ROOT_PASSWORD=rootpass - - MYSQL_ROOT_PASSWORD=${DOTENV_MYSQL_ROOT_PASSWORD} + - MARIADB_ROOT_PASSWORD=${DOTENV_MYSQL_ROOT_PASSWORD} expose: - 3306 - 33060
@@ -96,9 +92,9 @@ services: proxy: build: proxy restart: always - #volumes: - # - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt - # - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt + volumes: + - /home/finn/d/cert/var/lib/letsencrypt:/var/lib/letsencrypt + - /home/finn/d/cert/etc/letsencrypt:/etc/letsencrypt ports: - 80:80 - 443:443
diff --git a/proxy/conf b/proxy/conf
index fe29397..80f6015 100755
--- a/proxy/conf
+++ b/proxy/conf 
@@ -1,12 +1,52 @@ +#server { +# listen 80; +# server_name localhost; +# location / { +# proxy_pass http://backend:8000; +# } + + +# always redirect to https server { - listen 80; - server_name localhost; - location / { - proxy_pass http://backend:8000; - } - location /gutty { - proxy_pass http://gitea:3000; - } - - + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; } + +server { + listen 443 ssl http2; + # use the certificates + ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem; + server_name oily.dad www.oily.dad; + root /var/www/html; + index index.php index.html index.htm; + + + location / { + proxy_pass http://backend:8000/; + } +} + +server { + listen 443 ssl http2; + # use the certificates + ssl_certificate /etc/letsencrypt/live/oily.dad/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/oily.dad/privkey.pem; + server_name gut.oily.dad; + root /var/www/html; + index index.php index.html index.htm; + + location / { + client_max_body_size 512M; + #proxy_pass http://localhost:3000; + proxy_set_header Connection $http_connection; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://gitea:3000/; + } +} +
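Review bot: The `oily.dad` server's `location /` proxies to `http://backend:8000/` with none of the `proxy_set_header` lines that the `gut.oily.dad` block below it sets, so the flask app behind uwsgi sees `Host: backend:8000`, the proxy's address as the client, and no `X-Forwarded-Proto` — any absolute URL or redirect it builds will point at `http://backend:8000`, and its access logs lose the real client IP. The header set from the gitea block (minus the websocket `Connection`/`Upgrade` pair, which the flask app presumably does not need) should be copied into this location, as below. Both 443 blocks also carry `root /var/www/html;` and `index index.php index.html index.htm;`, which nothing can reach because every request is proxied — copy-paste leftovers worth deleting, like the `#proxy_pass http://localhost:3000;` line. Neither block sets `ssl_protocols` or a `Strict-Transport-Security` header; nginx's default protocol list depends on the version built into the proxy image (older releases still enable TLSv1/TLSv1.1), so `ssl_protocols TLSv1.2 TLSv1.3;` is worth pinning explicitly.

```nginx
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://backend:8000/;
    }
```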