ded7d24924
Some checks failed
CI / Frontend Lint (pull_request) Failing after 7s
CI / Frontend Type Check (pull_request) Failing after 7s
CI / Frontend Build (pull_request) Failing after 6s
CI / Frontend E2E Tests (pull_request) Failing after 7s
CI / Orchestrator Build (pull_request) Failing after 7s
CI / Orchestrator Unit Tests (pull_request) Failing after 6s
CI / Orchestrator E2E (Testcontainers) (pull_request) Has been skipped
CI / Contracts Compile (pull_request) Failing after 5s
CI / Contracts Test (pull_request) Failing after 6s
Code Quality / SonarQube Analysis (pull_request) Failing after 20s
Code Quality / Code Quality Checks (pull_request) Failing after 7s
Security Scan / Dependency Vulnerability Scan (pull_request) Failing after 4s
Security Scan / OWASP ZAP Scan (pull_request) Failing after 4s
- deploy-currencicombo-8604.sh: on readiness timeout, print loud failure summary (journalctl tails + exact --rollback command with specific backup path) instead of silently exiting. Deliberately does NOT auto-rollback; first cutovers often fail because of env/migration mistakes and auto-restore hides the failure state ops needs. - install.sh: on first run, write the three API keys + EVENT_SIGNING_SECRET to /root/currencicombo-first-keys.txt (0600, root:root) as a handoff copy. Canonical values still live in /etc/currencicombo/orchestrator.env. Log one pointer line (not the secrets themselves) to journald. Handoff file is NOT regenerated if orchestrator.env already exists. - install-prune-cron.sh (new, opt-in): installs /etc/cron.daily/ currencicombo-prune-backups that deletes entries older than 30 days from /var/lib/currencicombo/backups/ WHILE always keeping the newest 5 regardless of age. Enforced via newest-first sort + i<KEEP_MIN skip. - webapp-nginx.conf: drop the misleading /events/* 421 guard-rail. The orchestrator's SSE endpoint is /api/plans/:id/events/stream (under /api/), so one /api/* guard-rail covers both normal REST and SSE. - README.md: corrected NPMplus rule table to TWO rules (/api/* with SSE-friendly proxy_buffering=off + 24h read_timeout + Connection "" + http/1.1, and /); added post-cutover smoke checks section with a concrete SSE streaming test that catches silent proxy_buffering=on misconfig; documented the /root/currencicombo-first-keys.txt handoff and the install-prune-cron.sh workflow; replaced stale 'not auto-pruned' note. Verification: - shellcheck --severity=warning: clean on all 3 scripts. - bash -n: clean on install-prune-cron.sh. - install-prune-cron.sh --dry-run: prints the pruner body with resolved env values as expected. - install.sh --dry-run: walks through user/dirs/nginx-apt steps, then fails fast on missing psql (expected on a build box without Postgres). Co-Authored-By: Nakamoto, S <defi@defi-oracle.io>
81 lines
2.5 KiB
Plaintext
81 lines
2.5 KiB
Plaintext
# Self-contained nginx.conf for the CurrenciCombo Vite SPA.
|
|
# Invoked by the `currencicombo-webapp.service` systemd unit and installed
|
|
# to /etc/currencicombo/webapp-nginx.conf by scripts/deployment/install.sh.
|
|
#
|
|
# Listens on :3000 (NPMplus upstream). NPMplus path-routes /api/* to the
|
|
# orchestrator on :8080 (with SSE-friendly settings — see README.md);
|
|
# everything else lands here.
|
|
# This config does NOT proxy /api itself — that's intentional so a wrong
|
|
# NPMplus rule fails loudly instead of silently bypassing the orchestrator.
|
|
|
|
worker_processes auto;
|
|
error_log /var/log/currencicombo/webapp-nginx.error.log warn;
|
|
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
http {
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
access_log /var/log/currencicombo/webapp-nginx.access.log combined;
|
|
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
keepalive_timeout 65;
|
|
server_tokens off;
|
|
gzip on;
|
|
gzip_types text/plain text/css application/javascript application/json image/svg+xml;
|
|
gzip_min_length 1024;
|
|
|
|
# Uploads/bodies: the portal is a static SPA, so any request with a body
|
|
# is almost certainly mis-routed. Cap tight.
|
|
client_max_body_size 1m;
|
|
|
|
server {
|
|
listen 3000 default_server;
|
|
listen [::]:3000 default_server;
|
|
server_name _;
|
|
|
|
root /opt/currencicombo/webapp/dist;
|
|
index index.html;
|
|
|
|
# Security headers are also set by NPMplus, but apply them here too
|
|
# so they survive a direct-to-CT curl for debugging.
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
|
|
# Immutable asset bundles.
|
|
location /assets/ {
|
|
access_log off;
|
|
expires 1y;
|
|
add_header Cache-Control "public, max-age=31536000, immutable";
|
|
try_files $uri =404;
|
|
}
|
|
|
|
# Deny sourcemaps in prod.
|
|
location ~ \.map$ {
|
|
access_log off;
|
|
deny all;
|
|
return 404;
|
|
}
|
|
|
|
# Guard-rail: if NPMplus fails to path-route /api/*, surface it as a
|
|
# clean 421 rather than serving index.html and confusing the browser
|
|
# with a JSON parse error. The SSE endpoint lives at
|
|
# /api/plans/:id/events/stream, which also sits under /api/, so one
|
|
# rule covers both.
|
|
location /api/ {
|
|
return 421 "NPMplus is misconfigured: /api/* must proxy to orchestrator :8080\n";
|
|
add_header Content-Type text/plain always;
|
|
}
|
|
|
|
# SPA fallback. Must come last.
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
}
|
|
}
|
|
}
|