feat: add deployment scripts with SSL support for production

Backend deploy script (deploy/docker/deploy.sh): - install: auto-generate .env with secure secrets (JWT, DB passwords, vault keys) - up/down/restart: manage all services (infra + app + gateway) - build/build-no-cache: Docker image management - status/health: health checks for all 9 services + infrastructure - migrate: TypeORM migration commands (run/generate/revert/schema-sync) - infra-*: standalone infrastructure management (PostgreSQL + Redis) - voice-*: voice service with GPU support (docker-compose.voice.yml overlay) - start-svc/stop-svc/rebuild-svc: individual service operations - ssl-init: obtain Let's Encrypt certificates for both domains independently - ssl-up/ssl-down: start/stop with Nginx SSL reverse proxy - ssl-renew/ssl-status: certificate renewal and status checks Web Admin deploy script (it0-web-admin/deploy.sh): - build/start/stop/restart/logs/status/clean commands - auto-generates Dockerfile (Next.js multi-stage standalone build) - auto-generates docker-compose.yml - configurable API domain (default: it0api.szaiai.com) SSL / Nginx configuration: - nginx.conf: reverse proxy for both domains with HTTP->HTTPS redirect - it0api.szaiai.com -> api-gateway:8000 (with WebSocket support) - it0.szaiai.com -> web-admin:3000 (with Next.js HMR support) - nginx-init.conf: HTTP-only config for initial ACME challenge verification - ssl-params.conf: TLS 1.2/1.3, HSTS, security headers (Mozilla Intermediate) - docker-compose.ssl.yml: Nginx + Certbot overlay with auto-renewal (12h cycle) Domain plan: - https://it0api.szaiai.com — API endpoint (backend services) - https://it0.szaiai.com — Web Admin dashboard (frontend) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 17:44:27 -08:00 · 2026-02-09 17:44:27 -08:00 · e761b65b6e
parent 00f8801d51
commit e761b65b6e
6 changed files with 1527 additions and 0 deletions
--- a/deploy/docker/deploy.sh
+++ b/deploy/docker/deploy.sh
--- a/deploy/docker/docker-compose.ssl.yml
+++ b/deploy/docker/docker-compose.ssl.yml
@ -0,0 +1,43 @@
+version: '3.8'
+
+# SSL overlay — adds Nginx reverse proxy + Certbot for Let's Encrypt
+# Usage: docker compose -f docker-compose.yml -f docker-compose.ssl.yml up -d
+
+services:
+  nginx:
+    image: nginx:alpine
+    container_name: it0-nginx
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
+      - ./nginx/ssl-params.conf:/etc/nginx/ssl-params.conf:ro
+      - certbot_webroot:/var/www/certbot:ro
+      - certbot_certs:/etc/letsencrypt:ro
+    depends_on:
+      - api-gateway
+      - web-admin
+    networks:
+      - it0-network
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "nginx", "-t"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  certbot:
+    image: certbot/certbot
+    container_name: it0-certbot
+    volumes:
+      - certbot_webroot:/var/www/certbot
+      - certbot_certs:/etc/letsencrypt
+    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew --webroot -w /var/www/certbot --quiet; sleep 12h & wait $${!}; done'"
+    networks:
+      - it0-network
+    restart: unless-stopped
+
+volumes:
+  certbot_webroot:
+  certbot_certs:
--- a/deploy/docker/nginx/nginx-init.conf
+++ b/deploy/docker/nginx/nginx-init.conf
@ -0,0 +1,32 @@
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # =========================================================================
+    # Initial HTTP-only config for obtaining Let's Encrypt certificates
+    # After certificates are obtained, switch to nginx.conf
+    # =========================================================================
+    server {
+        listen 80;
+        server_name it0api.szaiai.com it0.szaiai.com;
+
+        # Let's Encrypt ACME challenge
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+        }
+
+        # Temporary: serve a simple response before SSL is ready
+        location / {
+            return 200 'IT0 - SSL certificate pending...';
+            add_header Content-Type text/plain;
+        }
+    }
+}
--- a/deploy/docker/nginx/nginx.conf
+++ b/deploy/docker/nginx/nginx.conf
@ -0,0 +1,123 @@
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log /var/log/nginx/access.log main;
+    sendfile on;
+    keepalive_timeout 65;
+    client_max_body_size 50m;
+
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+    # Rate limiting
+    limit_req_zone $binary_remote_addr zone=api:10m rate=30r/s;
+    limit_req_zone $binary_remote_addr zone=web:10m rate=50r/s;
+
+    # Upstream definitions
+    upstream api_gateway {
+        server api-gateway:8000;
+    }
+
+    upstream web_admin {
+        server web-admin:3000;
+    }
+
+    # =========================================================================
+    # HTTP -> HTTPS redirect + ACME challenge
+    # =========================================================================
+    server {
+        listen 80;
+        server_name it0api.szaiai.com it0.szaiai.com;
+
+        # Let's Encrypt ACME challenge
+        location /.well-known/acme-challenge/ {
+            root /var/www/certbot;
+        }
+
+        # Redirect all other HTTP to HTTPS
+        location / {
+            return 301 https://$host$request_uri;
+        }
+    }
+
+    # =========================================================================
+    # it0api.szaiai.com — API Gateway (HTTPS)
+    # =========================================================================
+    server {
+        listen 443 ssl;
+        http2 on;
+        server_name it0api.szaiai.com;
+
+        ssl_certificate /etc/letsencrypt/live/it0api.szaiai.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/it0api.szaiai.com/privkey.pem;
+        include /etc/nginx/ssl-params.conf;
+
+        # API proxy
+        location / {
+            limit_req zone=api burst=60 nodelay;
+
+            proxy_pass http://api_gateway;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            # WebSocket support
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_read_timeout 86400;
+        }
+
+        # Health check (no rate limit)
+        location /status {
+            proxy_pass http://api_gateway;
+            proxy_set_header Host $host;
+        }
+    }
+
+    # =========================================================================
+    # it0.szaiai.com — Web Admin (HTTPS)
+    # =========================================================================
+    server {
+        listen 443 ssl;
+        http2 on;
+        server_name it0.szaiai.com;
+
+        ssl_certificate /etc/letsencrypt/live/it0.szaiai.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/it0.szaiai.com/privkey.pem;
+        include /etc/nginx/ssl-params.conf;
+
+        location / {
+            limit_req zone=web burst=100 nodelay;
+
+            proxy_pass http://web_admin;
+            proxy_http_version 1.1;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+
+            # Next.js HMR / WebSocket
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+        }
+    }
+}
--- a/deploy/docker/nginx/ssl-params.conf
+++ b/deploy/docker/nginx/ssl-params.conf
@ -0,0 +1,24 @@
+# SSL Configuration — Mozilla Intermediate compatibility
+# https://ssl-config.mozilla.org/
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ssl_prefer_server_ciphers off;
+
+# OCSP Stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+
+# SSL session
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off;
+
+# Security headers
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+add_header X-Frame-Options DENY always;
+add_header X-Content-Type-Options nosniff always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
--- a/it0-web-admin/deploy.sh
+++ b/it0-web-admin/deploy.sh
@ -0,0 +1,304 @@
+#!/bin/bash
+#
+# IT0 Web Admin - Deployment Script
+# ==================================
+#
+# Usage:
+#   ./deploy.sh build    - Build Docker image
+#   ./deploy.sh start    - Build and start service
+#   ./deploy.sh stop     - Stop service
+#   ./deploy.sh restart  - Restart service
+#   ./deploy.sh logs     - View logs
+#   ./deploy.sh status   - Show service status
+#   ./deploy.sh clean    - Clean containers and images
+#
+
+set -e
+
+# ===========================================================================
+# Configuration
+# ===========================================================================
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+
+PROJECT_NAME="it0-web-admin"
+IMAGE_NAME="it0-web-admin"
+CONTAINER_NAME="it0-web-admin"
+DEFAULT_PORT=3000
+
+# API Configuration
+API_DOMAIN="${API_DOMAIN:-it0api.szaiai.com}"
+API_BASE_URL="${API_BASE_URL:-https://${API_DOMAIN}}"
+WS_URL="${WS_URL:-wss://${API_DOMAIN}}"
+
+# Colors
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+log_info() { echo -e "${BLUE}[INFO]${NC} $1"; }
+log_success() { echo -e "${GREEN}[SUCCESS]${NC} $1"; }
+log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
+log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
+
+# ===========================================================================
+# Docker Check
+# ===========================================================================
+
+check_docker() {
+    if ! command -v docker &> /dev/null; then
+        log_error "Docker is not installed. Please install Docker first."
+        exit 1
+    fi
+
+    if ! docker info &> /dev/null; then
+        log_error "Docker service is not running. Please start Docker."
+        exit 1
+    fi
+
+    if docker compose version &> /dev/null; then
+        COMPOSE_CMD="docker compose"
+    elif command -v docker-compose &> /dev/null; then
+        COMPOSE_CMD="docker-compose"
+    else
+        log_error "Docker Compose is not installed."
+        exit 1
+    fi
+
+    log_success "Docker check passed"
+}
+
+# ===========================================================================
+# Ensure docker-compose.yml exists
+# ===========================================================================
+
+ensure_compose_file() {
+    if [ ! -f "$SCRIPT_DIR/docker-compose.yml" ]; then
+        log_info "Creating docker-compose.yml..."
+        cat > "$SCRIPT_DIR/docker-compose.yml" << EOF
+version: '3.8'
+
+services:
+  web-admin:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    container_name: ${CONTAINER_NAME}
+    ports:
+      - "\${PORT:-${DEFAULT_PORT}}:3000"
+    environment:
+      - NODE_ENV=production
+      - NEXT_PUBLIC_API_BASE_URL=${API_BASE_URL}
+      - NEXT_PUBLIC_WS_URL=${WS_URL}
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3000"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+EOF
+        log_success "docker-compose.yml created"
+    fi
+}
+
+# ===========================================================================
+# Ensure Dockerfile exists
+# ===========================================================================
+
+ensure_dockerfile() {
+    if [ ! -f "$SCRIPT_DIR/Dockerfile" ]; then
+        log_info "Creating Dockerfile..."
+        cat > "$SCRIPT_DIR/Dockerfile" << 'EOF'
+# Stage 1: Dependencies
+FROM node:20-alpine AS deps
+RUN corepack enable && corepack prepare pnpm@latest --activate
+WORKDIR /app
+COPY package.json pnpm-lock.yaml* ./
+RUN pnpm install --frozen-lockfile --prod=false
+
+# Stage 2: Build
+FROM node:20-alpine AS builder
+RUN corepack enable && corepack prepare pnpm@latest --activate
+WORKDIR /app
+COPY --from=deps /app/node_modules ./node_modules
+COPY . .
+RUN pnpm build
+
+# Stage 3: Production
+FROM node:20-alpine AS runner
+WORKDIR /app
+ENV NODE_ENV=production
+
+RUN addgroup --system --gid 1001 nodejs
+RUN adduser --system --uid 1001 nextjs
+
+COPY --from=builder /app/public ./public
+COPY --from=builder /app/.next/standalone ./
+COPY --from=builder /app/.next/static ./.next/static
+
+USER nextjs
+EXPOSE 3000
+ENV PORT=3000
+CMD ["node", "server.js"]
+EOF
+        log_success "Dockerfile created"
+    fi
+}
+
+# ===========================================================================
+# Commands
+# ===========================================================================
+
+build() {
+    log_info "Building Docker image..."
+    ensure_compose_file
+    ensure_dockerfile
+    $COMPOSE_CMD build --no-cache
+    log_success "Image built successfully"
+}
+
+start() {
+    log_info "Starting IT0 Web Admin..."
+    ensure_compose_file
+    ensure_dockerfile
+
+    PORT=${PORT:-$DEFAULT_PORT}
+
+    # Check if port is occupied
+    if command -v lsof &> /dev/null && lsof -Pi :$PORT -sTCP:LISTEN -t >/dev/null 2>&1; then
+        log_warn "Port $PORT is already in use, stopping existing service..."
+        stop
+    fi
+
+    $COMPOSE_CMD up -d --build
+
+    # Wait for service to start
+    log_info "Waiting for service to start..."
+    sleep 5
+
+    if docker ps | grep -q "$CONTAINER_NAME"; then
+        log_success "Service deployed successfully!"
+        log_info "Access URL: http://localhost:$PORT"
+        log_info "API endpoint: $API_BASE_URL"
+    else
+        log_error "Service failed to start. Check logs: ./deploy.sh logs"
+        exit 1
+    fi
+}
+
+stop() {
+    log_info "Stopping service..."
+    $COMPOSE_CMD down
+    log_success "Service stopped"
+}
+
+restart() {
+    log_info "Restarting service..."
+    stop
+    start
+}
+
+logs() {
+    $COMPOSE_CMD logs -f
+}
+
+status() {
+    log_info "Service status:"
+    docker ps -a --filter "name=$CONTAINER_NAME" --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"
+
+    echo ""
+    # Health check
+    PORT=${PORT:-$DEFAULT_PORT}
+    if curl -s -o /dev/null -w "%{http_code}" "http://localhost:$PORT" 2>/dev/null | grep -q "200"; then
+        log_success "Web Admin is running (port $PORT)"
+    else
+        log_warn "Web Admin is not responding (port $PORT)"
+    fi
+}
+
+clean() {
+    log_info "Cleaning containers and images..."
+    $COMPOSE_CMD down --rmi local --volumes --remove-orphans
+    docker image prune -f
+    log_success "Cleanup complete"
+}
+
+# ===========================================================================
+# Help
+# ===========================================================================
+
+show_help() {
+    echo ""
+    echo "IT0 Web Admin Deployment Script"
+    echo ""
+    echo "Usage: $0 <command>"
+    echo ""
+    echo "Commands:"
+    echo "  build    Build Docker image"
+    echo "  start    Build and start service (default)"
+    echo "  stop     Stop service"
+    echo "  restart  Restart service"
+    echo "  logs     View service logs"
+    echo "  status   Show service status"
+    echo "  clean    Clean containers and images"
+    echo "  help     Show this help message"
+    echo ""
+    echo "Environment Variables:"
+    echo "  PORT         Service port (default: 3000)"
+    echo "  API_DOMAIN   API domain (default: it0api.szaiai.com)"
+    echo "  API_BASE_URL API base URL (default: https://it0api.szaiai.com)"
+    echo "  WS_URL       WebSocket URL (default: wss://it0api.szaiai.com)"
+    echo ""
+    echo "Examples:"
+    echo "  $0 start                                  # Start on default port 3000"
+    echo "  PORT=8080 $0 start                        # Start on port 8080"
+    echo "  API_DOMAIN=api.example.com $0 start       # Use custom API domain"
+    echo ""
+}
+
+# ===========================================================================
+# Main
+# ===========================================================================
+
+main() {
+    cd "$SCRIPT_DIR"
+
+    check_docker
+
+    case "${1:-start}" in
+        build)
+            build
+            ;;
+        start)
+            start
+            ;;
+        stop)
+            stop
+            ;;
+        restart)
+            restart
+            ;;
+        logs)
+            logs
+            ;;
+        status)
+            status
+            ;;
+        clean)
+            clean
+            ;;
+        help|--help|-h)
+            show_help
+            ;;
+        *)
+            log_error "Unknown command: $1"
+            show_help
+            exit 1
+            ;;
+    esac
+}
+
+main "$@"