Some checks failed
CI / Frontend Lint (pull_request) Failing after 7s
CI / Frontend Type Check (pull_request) Failing after 6s
CI / Frontend Build (pull_request) Failing after 8s
CI / Frontend E2E Tests (pull_request) Failing after 8s
CI / Orchestrator Build (pull_request) Failing after 7s
CI / Orchestrator Unit Tests (pull_request) Failing after 6s
CI / Orchestrator E2E (Testcontainers) (pull_request) Has been skipped
CI / Contracts Compile (pull_request) Failing after 6s
CI / Contracts Test (pull_request) Failing after 7s
Code Quality / SonarQube Analysis (pull_request) Failing after 19s
Code Quality / Code Quality Checks (pull_request) Failing after 6s
Security Scan / Dependency Vulnerability Scan (pull_request) Failing after 4s
Security Scan / OWASP ZAP Scan (pull_request) Failing after 5s
Closes the gap between Gitea main (b48eb2a, Vite portal + Node orchestrator, 29 PRs merged, 167 tests) and what's actually serving curucombo.xn--vov0g.com (Next.js 'ISO-20022 Combo Flow' app from an unpushed local b118b2b checkout). After this PR is merged and the runbook in scripts/deployment/README.md is followed on CT 8604, the Phoenix deployment will serve d-bis/CurrenciCombo main.

Artifacts (all under scripts/deployment/):
- systemd/currencicombo-orchestrator.service - Node orchestrator, EnvironmentFile=/etc/currencicombo/orchestrator.env, full systemd hardening (ProtectSystem=strict, PrivateTmp, no caps).
- systemd/currencicombo-webapp.service - nginx serving Vite SPA on :3000 via RuntimeDirectory=/run/currencicombo-webapp.
- webapp-nginx.conf - self-contained nginx config; intentionally 421s on /api/* and /events/* so an NPMplus misconfig fails loudly instead of silently returning index.html.
- .env.prod.example - template for /etc/currencicombo/orchestrator.env. Documents every EXT-* blocker env var 1:1 with the Proxmox repo's check-external-dependencies.sh.
- install.sh - idempotent host setup: user, dirs, nginx, fresh Postgres role/DB (--force-recreate-db to wipe), Redis autodetect, env file with auto-generated EVENT_SIGNING_SECRET + 3 API keys, systemd units enabled but not started. --dry-run supported.
- deploy-currencicombo-8604.sh - build-and-swap deploy driver (the script deploy-targets.json / phoenix-deploy-api calls): git fetch/reset, orchestrator tsc build, portal vite build with VITE_ORCHESTRATOR_URL baked in, migrations, timestamped backup, systemctl stop, rsync, systemctl start, smoke /ready + portal /, grep EXT-* from journalctl. --ref, --dry-run, --skip-migrate, --skip-build, --rollback.
- README.md - architecture diagram, first-time setup (8 steps), NPMplus ingress rule table, subsequent-deploy one-liner, rollback, troubleshooting table, cutover-from-pre-existing-Next.js sequence, explicit list of Proxmox-side follow-ups.
Target-agnostic: no IP / hostname / VLAN hardcoded. The only places that embed the public hostname are README.md (for documentation) and the default VITE_ORCHESTRATOR_URL in deploy-currencicombo-8604.sh (which is overridable via env).

Single-origin NPMplus routing (confirmed with user):
curucombo.曼李.com/api/* -> 10.160.0.14:8080 (orchestrator)
curucombo.曼李.com/events/* -> 10.160.0.14:8080 (SSE)
curucombo.曼李.com/* -> 10.160.0.14:3000 (Vite SPA)

Verified on this box (headless):
- shellcheck --severity=warning: clean on both scripts.
- bash -n: clean on both scripts.
- systemd-analyze verify: both unit files parse cleanly (only complaint is /usr/sbin/nginx not being executable, expected -- nginx is installed at deploy time).
- install.sh --dry-run: fails fast with the expected FATAL on hosts without psql (build box). On CT 8604 with Postgres+Redis already installed, it walks through every step.
- deploy-currencicombo-8604.sh --help: prints the usage.

No runtime code changes. Non-UI. Complements PR #30 (docker-compose sandbox), which remains the local-dev path.

Proxmox-side follow-up (separate commit on /home/intlc/projects/proxmox after this PR merges and cutover runs cleanly):
- Update phoenix-deploy-api/deploy-targets.json to point at scripts/deployment/deploy-currencicombo-8604.sh.
- Retire the inaccurate "Next.js webapp with ignoreBuildErrors" language in EXTERNAL_DEPENDENCY_BLOCKERS.md.

Co-Authored-By: Nakamoto, S <defi@defi-oracle.io>
81 lines
3.4 KiB
Plaintext
# CurrenciCombo orchestrator production env (Phoenix CT 8604 / any systemd host)
#
# Installed by scripts/deployment/install.sh to:
# /etc/currencicombo/orchestrator.env
#
# Loaded by the currencicombo-orchestrator.service systemd unit via
# EnvironmentFile=. Values that are committed here are safe defaults;
# secrets are left blank and must be set before first boot.
#
# The portal is a statically built SPA (nginx), so it takes NO runtime env.
# Any VITE_* vars needed at build time are baked into dist/ by
# scripts/deployment/deploy-currencicombo-8604.sh before the rsync.

############################################################
# Server
############################################################
NODE_ENV=production
PORT=8080
# Bind to loopback only when behind NPMplus on the same host; bind
# 0.0.0.0 if NPMplus is on a different host (the CT 8604 case, so 0.0.0.0).
HOST=0.0.0.0

############################################################
# Postgres (local to the CT per install.sh)
############################################################
DATABASE_URL=postgresql://currencicombo@127.0.0.1:5432/currencicombo

############################################################
# Redis (local to the CT per install.sh)
############################################################
REDIS_URL=redis://127.0.0.1:6379

############################################################
# Event bus signing (REQUIRED). install.sh generates this on first run
# via `openssl rand -hex 32` unless the file already exists.
############################################################
EVENT_SIGNING_SECRET=

############################################################
# API keys per role (REQUIRED). install.sh generates three random
# initiator/settler/auditor keys on first run unless set.
# Format: key1:role1,key2:role2,...
############################################################
ORCHESTRATOR_API_KEYS=

############################################################
# Chain 138 — resolves EXT-CHAIN138-CI-RPC (already resolved).
############################################################
CHAIN_138_RPC_URL=https://rpc.public-0138.defi-oracle.io
CHAIN_138_CHAIN_ID=138

# Leave empty to run mock notary. Populate after running
# `contracts/scripts/deploy-notary-registry.ts` once.
NOTARY_REGISTRY_ADDRESS=
# Leave empty to run mock notary. Otherwise 0x-prefixed 32-byte hex.
ORCHESTRATOR_PRIVATE_KEY=

############################################################
# External dependency blockers (leave blank → mock fallback + EXT-* log)
# These are the exact IDs that the Proxmox
# scripts/verify/check-external-dependencies.sh gate knows about.
############################################################

# EXT-DBIS-CORE — set when dbis_core is deployed and reachable.
DBIS_CORE_URL=

# EXT-FIN-GATEWAY — set when a real Alliance Access / FIN gateway is
# provisioned. Leave blank to use PR R's in-process sandbox.
FIN_SANDBOX_URL=

# EXT-CC-* — the following four blockers are upstream-scaffold repos
# (cc-payment-adapters, cc-audit-ledger, cc-shared-events,
# cc-shared-schemas). They cannot be resolved from this repo; no
# env var flips them. The orchestrator logs EXT-CC-* as active on boot.

# Identity + controls matrix (not blocker IDs per se — they ship
# today via the cc-identity-core and cc-compliance-controls adapters
# merged in PR V/W). Blank keeps the embedded v0 matrix + mock identity.
CC_IDENTITY_URL=
CC_CONTROLS_MATRIX_URL=