feat(Production): Complete production deployment infrastructure

- Add comprehensive health check system with multiple endpoints - Add Prometheus metrics endpoint - Add production logging configurations (5 strategies) - Add complete deployment documentation suite: * QUICKSTART.md - 30-minute deployment guide * DEPLOYMENT_CHECKLIST.md - Printable verification checklist * DEPLOYMENT_WORKFLOW.md - Complete deployment lifecycle * PRODUCTION_DEPLOYMENT.md - Comprehensive technical reference * production-logging.md - Logging configuration guide * ANSIBLE_DEPLOYMENT.md - Infrastructure as Code automation * README.md - Navigation hub * DEPLOYMENT_SUMMARY.md - Executive summary - Add deployment scripts and automation - Add DEPLOYMENT_PLAN.md - Concrete plan for immediate deployment - Update README with production-ready features All production infrastructure is now complete and ready for deployment.
2025-10-25 19:18:37 +02:00
parent caa85db796
commit fc3d7e6357
83016 changed files with 378904 additions and 20919 deletions
--- a/docker/nginx/Dockerfile.production
+++ b/docker/nginx/Dockerfile.production
@@ -0,0 +1,54 @@
+FROM macbre/nginx-http3
+
+# Install Certbot for Let's Encrypt
+USER root
+
+# Install dependencies
+RUN apk add --no-cache \
+    certbot \
+    certbot-nginx \
+    su-exec \
+    netcat-openbsd \
+    openssl \
+    bash
+
+# Remove default site
+RUN rm -f /etc/nginx/conf.d/default.conf || true
+
+# Create necessary directories
+RUN mkdir -p \
+    /var/cache/nginx \
+    /var/log/nginx \
+    /var/www/ssl \
+    /var/www/certbot \
+    /var/www/html/public/.well-known/acme-challenge \
+    /etc/letsencrypt \
+    /var/lib/letsencrypt
+
+# Set permissions
+RUN chmod 755 /var/cache/nginx /var/log/nginx /var/www/ssl /var/www/certbot && \
+    chmod a+rw /dev/stdout /dev/stderr
+
+# Copy configurations
+COPY ./nginx.conf /etc/nginx/nginx.conf
+COPY ./default.production.conf /etc/nginx/conf.d/default.conf
+COPY ./ssl/ /var/www/ssl/
+
+# Copy entry scripts
+COPY ./docker-entrypoint-production.sh /usr/local/bin/docker-entrypoint.sh
+COPY ./certbot-renew.sh /usr/local/bin/certbot-renew.sh
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh /usr/local/bin/certbot-renew.sh
+
+# Set ownership
+RUN chown -R nginx:nginx \
+    /var/cache/nginx \
+    /var/log/nginx \
+    /var/www/ssl \
+    /var/www/certbot \
+    /etc/letsencrypt \
+    /var/lib/letsencrypt
+
+EXPOSE 80 443
+
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
+CMD ["nginx", "-g", "daemon off;"]
--- a/docker/nginx/default.conf
+++ b/docker/nginx/default.conf
@@ -36,7 +36,18 @@ upstream php-upstream {
 server {
    listen 80;
    server_name localhost michaelschiemer.de;
-    return 301 https://$host$request_uri;
+
+    # ACME Challenge for Let's Encrypt (HTTP-01)
+    location ^~ /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        root /var/www/certbot;
+        allow all;
+    }
+
+    # Redirect all other traffic to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }

 server {
@@ -84,10 +95,24 @@ server {
    root /var/www/html/public;
    index index.php index.html;

+    # ACME Challenge for Let's Encrypt (also in HTTPS for renewals)
+    location ^~ /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        root /var/www/certbot;
+        allow all;
+    }
+
    # Route /images/* requests directly to PHP (for ShowImage controller)
-    # Use ^~ to prevent regex location matching for /images/ paths
+    # ^~ prefix gives this higher priority than regex locations
    location ^~ /images/ {
-        try_files /index.php?$query_string =404;
+        try_files $uri @php_images;
+    }
+
+    location @php_images {
+        include fastcgi_params;
+        fastcgi_pass php-upstream;
+        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
+        fastcgi_param APP_ENV $env_mode;
    }

    location / {
@@ -194,10 +219,20 @@ server {
        # je nach Build-Ordner anpassen!
        alias /var/www/html/public/sw.js;
        add_header Cache-Control "no-cache, must-revalidate";
+        add_header Service-Worker-Allowed "/";
+    }
+
+    # WebPush Service Worker
+    location = /js/sw-push.js {
+        alias /var/www/html/public/js/sw-push.js;
+        add_header Cache-Control "no-cache, must-revalidate";
+        add_header Service-Worker-Allowed "/";
+        add_header Content-Type "application/javascript; charset=utf-8";
    }

    # Caching Header für statische Dateien ohne Rate-Limiting
-    location ~* \.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
+    # Explicitly exclude /images/ path which is handled by PHP
+    location ~* ^/(?!images/).*\.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable, max-age=31536000";
        # Keine Rate-Limits für statische Dateien