michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: CI/CD pipeline setup complete - Ansible playbooks updated, secrets configured, workflow ready

Browse Source
This commit is contained in:
Michael Schiemer
2025-10-31 01:39:24 +01:00
parent 55c04e4fd0
commit e26eb2aa12
601 changed files with 44184 additions and 32477 deletions
Download Patch File Download Diff File Expand all files Collapse all files

154
docker/nginx/default.production.conf Normal file
View File

@@ -0,0 +1,154 @@
# Production Nginx Configuration
# Based on default.conf but adapted for single-container deployment
# PHP-FPM runs in same container via Supervisor
upstream php-upstream {
server 127.0.0.1:9000;
}
# HTTP Server - Redirect to HTTPS
server {
listen 80;
listen [::]:80;
server_name _;
# Health check on HTTP
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
# ACME Challenge for Let's Encrypt
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/certbot;
allow all;
}
# Redirect all other traffic to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# HTTPS Server
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name _;
# SSL Configuration
ssl_certificate /var/www/ssl/cert.pem;
ssl_certificate_key /var/www/ssl/key.pem;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
root /var/www/html/public;
index index.php index.html;
# Security headers
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
# Gzip
gzip on;
gzip_vary on;
gzip_types text/css application/javascript application/json image/svg+xml;
gzip_comp_level 5;
# ACME Challenge for Let's Encrypt
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/certbot;
allow all;
}
# Health check endpoint
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
# Static assets with caching
location ~* \.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
try_files $uri =404;
}
location ~* \.(css|js|map)$ {
expires 1w;
add_header Cache-Control "public, max-age=604800";
try_files $uri =404;
}
# Service Worker
location = /sw.js {
alias /var/www/html/public/sw.js;
add_header Cache-Control "no-cache, must-revalidate";
add_header Service-Worker-Allowed "/";
}
location = /js/sw-push.js {
alias /var/www/html/public/js/sw-push.js;
add_header Cache-Control "no-cache, must-revalidate";
add_header Service-Worker-Allowed "/";
add_header Content-Type "application/javascript; charset=utf-8";
}
# Main application
location / {
try_files $uri $uri/ /index.php?$query_string;
autoindex off;
}
# PHP-FPM
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php-upstream;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param APP_ENV production;
fastcgi_param HTTPS on;
fastcgi_read_timeout 60s;
fastcgi_connect_timeout 60s;
fastcgi_send_timeout 60s;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_keep_conn on;
fastcgi_hide_header X-Powered-By;
}
# Deny access to hidden files
location ~ /\.(?!well-known).* {
deny all;
access_log off;
log_not_found off;
}
# Prevent PHP execution in uploads
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Error pages
error_page 404 /errors/404.html;
error_page 403 /errors/403.html;
error_page 500 502 503 504 /errors/50x.html;
location /errors/ {
internal;
}
server_tokens off;
}

114
docker/nginx/default.traefik.conf Normal file
View File

@@ -0,0 +1,114 @@
# Nginx Configuration for Traefik Integration
# Traefik handles SSL termination - this listens on HTTP:80 only
upstream php-upstream {
server 127.0.0.1:9000;
}
server {
listen 80;
listen [::]:80;
server_name _;
root /var/www/html/public;
index index.php index.html;
# Security headers (Traefik may add more)
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
# Gzip
gzip on;
gzip_vary on;
gzip_types text/css application/javascript application/json image/svg+xml;
gzip_comp_level 5;
# Health check endpoint
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
# Static assets with caching
location ~* \.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
try_files $uri =404;
}
location ~* \.(css|js|map)$ {
expires 1w;
add_header Cache-Control "public, max-age=604800";
try_files $uri =404;
}
# Service Worker
location = /sw.js {
alias /var/www/html/public/sw.js;
add_header Cache-Control "no-cache, must-revalidate";
add_header Service-Worker-Allowed "/";
}
location = /js/sw-push.js {
alias /var/www/html/public/js/sw-push.js;
add_header Cache-Control "no-cache, must-revalidate";
add_header Service-Worker-Allowed "/";
add_header Content-Type "application/javascript; charset=utf-8";
}
# Main application
location / {
try_files $uri $uri/ /index.php?$query_string;
autoindex off;
}
# PHP-FPM
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php-upstream;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param APP_ENV production;
# Traefik terminates SSL, but tell app it's HTTPS
fastcgi_param HTTPS $http_x_forwarded_proto;
fastcgi_param HTTP_X_FORWARDED_PROTO $http_x_forwarded_proto;
fastcgi_read_timeout 60s;
fastcgi_connect_timeout 60s;
fastcgi_send_timeout 60s;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_keep_conn on;
fastcgi_hide_header X-Powered-By;
}
# Deny access to hidden files
location ~ /\.(?!well-known).* {
deny all;
access_log off;
log_not_found off;
}
# Prevent PHP execution in uploads
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Error pages
error_page 404 /errors/404.html;
error_page 403 /errors/403.html;
error_page 500 502 503 504 /errors/50x.html;
location /errors/ {
internal;
}
server_tokens off;
}

43
docker/nginx/nginx.production.conf Normal file
View File

@@ -0,0 +1,43 @@
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log warn;
events {
worker_connections 1024;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml text/javascript
application/json application/javascript application/xml+rss
application/rss+xml font/truetype font/opentype
application/vnd.ms-fontobject image/svg+xml;
# Client body size
client_max_body_size 20M;
# Include site configurations (Debian nginx uses sites-enabled)
include /etc/nginx/sites-enabled/*;
}