Merge pull request #130 from Pet-projects-CodePET/feature/ssl

Feature/ssl

.github/workflows/deploy.yaml

@@ -26,7 +26,7 @@ jobs:
           tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.PROJECT_NAME }}_backend:latest
 
   build_and_push_to_docker_hub_nginx:
-    name: Push gateway Docker image to DockerHub
+    name: Push nginx Docker image to DockerHub
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repo
@@ -45,11 +45,32 @@ jobs:
           push: true
           tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.PROJECT_NAME }}_nginx:latest
 
+  build_and_push_to_docker_hub_certbot:
+    name: Push certbot Docker image to DockerHub
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Docker
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Push to DockerHub
+        uses: docker/build-push-action@v5
+        with:
+          context: ./infra/certbot/
+          push: true
+          tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.PROJECT_NAME }}_certbot:latest
+
   deploy:
     runs-on: ubuntu-latest
     needs:
       - build_and_push_to_docker_hub_backend
       - build_and_push_to_docker_hub_nginx
+      - build_and_push_to_docker_hub_certbot
     steps:
     - name: Checkout repo
       uses: actions/checkout@v4
@@ -72,9 +93,12 @@ jobs:
             POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}
             PROJECT_NAME=${{ secrets.PROJECT_NAME }}
             SECRET_KEY=${{ secrets.SECRET_KEY }}
+            DJANGO_SETTINGS_MODULE=${{ secrets.DJANGO_SETTINGS_MODULE }}
             DOCKERHUB_USERNAME_FRONT=${{ secrets.DOCKERHUB_USERNAME_FRONT }}
             DOCKERHUB_USERNAME=${{ secrets.DOCKERHUB_USERNAME }}
             ALLOWED_HOSTS=${{ secrets.ALLOWED_HOSTS }}
+            NGINX_NAME=${{ secrets.NGINX_DEV }}
+            DOMAIN_NAME=${{ secrets.DOMAIN_DEV }}
             EMAIL_HOST=${{ secrets.EMAIL_HOST }}
             EMAIL_HOST_USER=${{ secrets.EMAIL_HOST_USER }}
             EMAIL_HOST_PASSWORD=${{ secrets.EMAIL_HOST_PASSWORD }}
@@ -105,4 +129,6 @@ jobs:
           sudo docker compose -f docker-compose-prod.yaml exec backend python manage.py migrate
           sudo docker compose -f docker-compose-prod.yaml exec backend python manage.py collectstatic --no-input
           sudo docker compose -f docker-compose-prod.yaml exec backend cp -r static/. /backend_static/static/
+          sudo docker compose -f docker-compose-prod.yaml run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ -d devcodepet.tw1.ru
+          sudo docker compose -f docker-compose-prod.yaml run --rm certbot renew
           sudo docker system prune -f

.github/workflows/qa_deploy.yaml

@@ -10,11 +10,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Login to Docker
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
@@ -30,11 +30,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Login to Docker
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
@@ -45,14 +45,35 @@ jobs:
           push: true
           tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.PROJECT_NAME }}_nginx:latest
 
+  build_and_push_to_docker_hub_certbot:
+    name: Push certbot Docker image to DockerHub
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Docker
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+      - name: Push to DockerHub
+        uses: docker/build-push-action@v5
+        with:
+          context: ./infra/certbot/
+          push: true
+          tags: ${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.PROJECT_NAME }}_certbot:latest
+
   deploy:
     runs-on: ubuntu-latest
     needs:
       - build_and_push_to_docker_hub_backend
       - build_and_push_to_docker_hub_nginx
+      - build_and_push_to_docker_hub_certbot
     steps:
     - name: Checkout repo
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     - name: Create project directory and .env-file
       uses: appleboy/ssh-action@master
       with:
@@ -72,9 +93,12 @@ jobs:
             POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}
             PROJECT_NAME=${{ secrets.PROJECT_NAME }}
             SECRET_KEY=${{ secrets.SECRET_KEY }}
+            DJANGO_SETTINGS_MODULE=${{ secrets.DJANGO_SETTINGS_MODULE }}
             DOCKERHUB_USERNAME_FRONT=${{ secrets.DOCKERHUB_USERNAME_FRONT }}
             DOCKERHUB_USERNAME=${{ secrets.DOCKERHUB_USERNAME }}
             ALLOWED_HOSTS=${{ secrets.ALLOWED_HOSTS }}
+            NGINX_NAME=${{ secrets.NGINX_QA }}
+            DOMAIN_NAME=${{ secrets.DOMAIN_QA }}
             EMAIL_HOST=${{ secrets.EMAIL_HOST }}
             EMAIL_HOST_USER=${{ secrets.EMAIL_HOST_USER }}
             EMAIL_HOST_PASSWORD=${{ secrets.EMAIL_HOST_PASSWORD }}
@@ -105,4 +129,6 @@ jobs:
           sudo docker compose -f docker-compose-prod.yaml exec backend python manage.py migrate
           sudo docker compose -f docker-compose-prod.yaml exec backend python manage.py collectstatic --no-input
           sudo docker compose -f docker-compose-prod.yaml exec backend cp -r static/. /backend_static/static/
+          sudo docker compose -f docker-compose-prod.yaml run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ -d devcodepet.tw1.ru
+          sudo docker compose -f docker-compose-prod.yaml run --rm certbot renew
           sudo docker system prune -f

README.md

@@ -7,7 +7,7 @@ RESTfull API приложение, разработанное для поиск
 реализовать что-то новое, для менеджеров проектов и для компаний которые хотят
 создать тестовое МВП нового продукта.
 
-![workflow](https://github.com/Pet-projects-CodePET/Backend/actions/workflows/main.yml/badge.svg)
+[![Code cheсks](https://github.com/Pet-projects-CodePET/Backend/actions/workflows/code_check.yml/badge.svg)](https://github.com/Pet-projects-CodePET/Backend/actions/workflows/code_check.yml)
 
 ## Стек технологий:
 

infra/.env.example

@@ -6,7 +6,9 @@ DEBUG=True
 #Хосты через запятую
 ALLOWED_HOSTS=localhost,127.0.0.1,
 # True - sqlite | False - PostgeSQL
-USE_SQLITE=True
+USE_SQLITE=False
+# local - локальные настройки, dev - разработка, prod - продакшн
+DJANGO_SETTINGS_MODULE=config.settings.dev
 
 # Для PostgeSQL
 DB_ENGINE=django.db.backends.postgresql
@@ -20,3 +22,9 @@ POSTGRES_PORT=
 DOCKERHUB_USERNAME_FRONT=
 DOCKERHUB_USERNAME=
 PROJECT_NAME=
+
+# Переменные для работы с nginx. Название файла
+NGINX_NAME=nginx_loc.conf
+
+# Переменные для работы с cerbot. Получение сертификата для доменного имени
+DOMAIN_NAME=

infra/certbot/Dockerfile

@@ -0,0 +1,7 @@
+FROM certbot/certbot
+
+ARG DOMAIN_NAME
+
+COPY fullchain.pem /letsencrypt/live/${DOMAIN_NAME}/fullchain.pem
+
+COPY privkey.pem /letsencrypt/live/${DOMAIN_NAME}/privkey.pem

infra/certbot/fullchain.pem

@@ -0,0 +1,3 @@
+-----BEGIN CERTIFICATE-----
+MIIEJjCCAw6gAwIBAgISA6TLYZ/Hyg4wib0SFHfrvVZBMA0GCSqGSIb3DQEBCwUA
+-----END CERTIFICATE-----

infra/certbot/privkey.pem

@@ -0,0 +1 @@
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgILVj3nRN/yfoyLtn

infra/docker-compose-prod.yaml

@@ -4,6 +4,8 @@ volumes:
   pg_data:
   static_volume:
   media_value:
+  certbot:
+  letsencrypt:
 
 services:
   db:
@@ -50,10 +52,24 @@ services:
     ports:
       - "80:80"
       - "443:443"
+    env_file: .env
     volumes:
       - static_volume:/staticfiles/
-      - media_value:/var/html/media/
-      - /etc/letsencrypt:/etc/letsencrypt
+      - media_value:/mediafiles/
+      - certbot:/certbot/
+      - letsencrypt:/letsencrypt/
+    restart: unless-stopped
+    depends_on:
+      - backend
+      - frontend
+
+  certbot:
+    image: ${DOCKERHUB_USERNAME}/${PROJECT_NAME}_certbot:latest
+    env_file: .env
+    volumes:
+      - certbot:/var/www/certbot/
+      - letsencrypt:/etc/letsencrypt/
+    restart: unless-stopped
     depends_on:
       - backend
       - frontend

infra/nginx/Dockerfile

@@ -1,2 +1,5 @@
 FROM nginx:1.25.4-alpine-slim
-COPY nginx.conf /etc/nginx/templates/default.conf.template
+
+ARG NGINX_NAME
+
+COPY nginx_qa.conf /etc/nginx/templates/default.conf.template

infra/nginx/nginx_dev.conf

@@ -0,0 +1,49 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name 89.23.117.80 devcodepet.tw1.ru;
+    server_tokens off;
+
+    root /staticfiles;
+
+    location /.well-known/acme-challenge/ {
+        root /certbot;
+    }
+
+    location / {
+      return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 default_server ssl http2;
+    listen [::]:443 ssl http2;
+    server_name 89.23.117.80 devcodepet.tw1.ru;
+
+    ssl_certificate /letsencrypt/live/devcodepet.tw1.ru/fullchain.pem;
+    ssl_certificate_key /letsencrypt/live/devcodepet.tw1.ru/privkey.pem;
+
+    root /staticfiles;
+
+    location /api/v1/ {
+      proxy_set_header Host $http_host;
+      proxy_pass http://backend:8000/api/v1/;
+    }
+    location /admin/ {
+      proxy_set_header Host $http_host;
+      proxy_pass http://backend:8000/admin/;
+    }
+
+    location /.well-known/acme-challenge/ {
+        root /certbot;
+    }
+
+    location / {
+    	try_files $uri $uri.html $uri/ =404;
+    }
+
+    error_page 404 /404.html;
+    location = /404.html {
+      internal;
+    }
+}

infra/nginx/nginx.conf → infra/nginx/nginx_loc.conf

@@ -1,22 +1,28 @@
 server {
     listen 80;
     listen [::]:80;
-    server_name 89.23.117.80 devcodepet.tw1.ru 89.23.117.168 testcodepet.tw1.ru localhost;
+    server_name localhost;
+    server_tokens off;
 
     root /staticfiles;
 
     location /api/v1/ {
       proxy_set_header Host $http_host;
       proxy_pass http://backend:8000/api/v1/;
     }
+
     location /admin/ {
       proxy_set_header Host $http_host;
       proxy_pass http://backend:8000/admin/;
     }
+
+    location /.well-known/acme-challenge/ {
+        root /certbot;
+    }
+
     location / {
       try_files $uri $uri.html $uri/ =404;
     }
-
     error_page 404 /404.html;
     location = /404.html {
       internal;

infra/nginx/nginx_qa.conf

@@ -0,0 +1,45 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name 89.23.117.168 testcodepet.tw1.ru;
+    server_tokens off;
+
+    root /staticfiles;
+
+    location /.well-known/acme-challenge/ {
+        root /certbot;
+    }
+
+    location / {
+      return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 default_server ssl http2;
+    listen [::]:443 ssl http2;
+    server_name 89.23.117.168 testcodepet.tw1.ru;
+
+    ssl_certificate /etc/nginx/ssl/live/testcodepet.tw1.ru/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/live/testcodepet.tw1.ru/privkey.pem;
+
+    root /staticfiles;
+
+    location /api/v1/ {
+      proxy_set_header Host $http_host;
+      proxy_pass http://backend:8000/api/v1/;
+    }
+    location /admin/ {
+      proxy_set_header Host $http_host;
+      proxy_pass http://backend:8000/admin/;
+    }
+
+    location / {
+    	try_files $uri $uri.html $uri/ =404;
+    }
+
+    error_page 404 /404.html;
+    location = /404.html {
+      internal;
+    }
+}

pyproject.toml

@@ -19,6 +19,7 @@ pillow = "^10.1.0"
 djoser = "^2.2.2"
 drf-spectacular = "^0.27.1"
 django-filter = "^23.5"
+django-cors-headers = "^4.3.1"
 
 [tool.poetry.group.dev.dependencies]
 pre-commit = "^3.5.0"