├── .gitmodules ├── web ├── certbot │ └── www │ │ └── index.php └── nginx │ ├── cat_me_to_fastcgi_params │ ├── sites-enabled │ ├── default │ ├── jenkins │ ├── oscript.io │ └── hub.oscript.io │ ├── ssl_conf │ ├── ssl-dhparams.pem │ └── options-ssl-nginx.conf │ ├── Dockerfile │ └── config_template ├── .gitattributes ├── .gitignore ├── bot ├── main.os ├── packagedef ├── Dockerfile ├── model │ └── Модули │ │ └── КаналТелеграм.os └── controllers │ └── home.os ├── jenkins ├── daemon.json └── Dockerfile ├── docker ├── Dockerfile.oscript └── Dockerfile.mono ├── init.sh ├── local_backup.sh ├── LICENSE ├── README.md ├── docker-compose.yml ├── init-letsencrypt.sh └── Vagrantfile /.gitmodules: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /web/certbot/www/index.php: -------------------------------------------------------------------------------- 1 | test 2 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | * text eol=lf 2 | *.dll binary -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | tmp/ 2 | .vagrant/ 3 | .env 4 | logs/**/*.log 5 | web/certbot/conf/ 6 | bot/oscript_modules 7 | -------------------------------------------------------------------------------- /bot/main.os: -------------------------------------------------------------------------------- 1 | #Использовать "model" 2 | 3 | Процедура ПриНачалеРаботыСистемы() 4 | 5 | ИспользоватьМаршруты(); 6 | 7 | КонецПроцедуры -------------------------------------------------------------------------------- /web/nginx/cat_me_to_fastcgi_params: -------------------------------------------------------------------------------- 1 | 2 | #ASP.NET 3 | 
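fastcgi_param PATH_INFO "";
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
--------------------------------------------------------------------------------
/bot/packagedef:
--------------------------------------------------------------------------------
Описание.Имя("oscript-bot")
    .Версия("0.1.0")
    .ЗависитОт("telegrambot")
    .ЗависитОт("json")
    .ИсполняемыйФайл("main")
;
--------------------------------------------------------------------------------
/bot/Dockerfile:
--------------------------------------------------------------------------------
# Stage 0: resolve OneScript package dependencies with opm (pinned engine image).
FROM evilbeaver/onescript:1.0.21

COPY . /app
WORKDIR /app
RUN opm install -l

# Stage 1: web runtime; only the resolved application tree is copied over,
# so the build tooling of stage 0 never ships.
FROM evilbeaver/oscript-web:0.6.0

COPY --from=0 /app .
--------------------------------------------------------------------------------
/jenkins/daemon.json:
--------------------------------------------------------------------------------
{
  "log-driver": "json-file",
  "log-opts": {"max-size": "1g", "max-file": "3"},
  "registry-mirrors": [
    "https://mirror.gcr.io",
    "https://dockerhub.timeweb.cloud"
  ]
}
--------------------------------------------------------------------------------
/docker/Dockerfile.oscript:
--------------------------------------------------------------------------------
FROM evilbeaver/mono-ru:6.8

LABEL MAINTAINER="EvilBeaver "

# Build with --build-arg VERSION=<release> for a reproducible image;
# the default pulls a moving nightly build.
ARG VERSION=night-build

# -f: an HTTP error (e.g. unknown VERSION) must fail the build instead of
# feeding an HTML error page to dpkg. The URL is quoted so the shell cannot
# glob the "?" in the query string.
# NOTE(review): the package is not integrity-checked beyond TLS; verify a
# published checksum or signature here if oscript.io provides one.
RUN curl -fsSL "https://oscript.io/downloads/$VERSION/deb?bitness=x64" -o oscript.deb \
    && dpkg -i oscript.deb \
    && rm -f oscript.deb
--------------------------------------------------------------------------------
/init.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Provisioning for the Vagrant VM (run as root by the shell provisioner):
# installs docker-compose and git. Docker itself is installed by the Vagrantfile.
# Abort on the first failed step so a half-provisioned VM is not reported as OK.
set -e

# install compose
# -f: fail on HTTP errors instead of installing an error page as the binary.
# NOTE(review): 1.11.2 is a 2017 release and is not checksum-verified; the
# Jenkins image installs compose 2.40.0 — align the two and verify the
# published release checksum if this VM is used for more than local testing.
curl -fsSL "https://github.com/docker/compose/releases/download/1.11.2/docker-compose-$(uname -s)-$(uname -m)" -o docker-compose
mv docker-compose /usr/local/bin/
chmod +x /usr/local/bin/docker-compose

# install git (refresh the package index first: a fresh box may have none)
apt-get update
apt-get install -y git
--------------------------------------------------------------------------------
/web/nginx/sites-enabled/default:
--------------------------------------------------------------------------------
# Catch-all for requests whose Host matches no configured site: close the
# connection (444) rather than serve another site's content.
# The self-signed certificate is generated in web/nginx/Dockerfile only so the
# TLS listener can start; clients see it solely for unknown host names.
# NOTE(review): ssl_reject_handshake would avoid presenting any certificate,
# but it requires nginx >= 1.19.4, newer than what ubuntu:16.04 ships.
server
{
    listen 80 default_server;
    listen 443 ssl http2 default_server;
    server_name _;

    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    #ssl_session_tickets off;
    #ssl_reject_handshake on;

    return 444;
}
--------------------------------------------------------------------------------
/local_backup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Archives the hub and site download directories from the os_web_content
# volume into /home/andrei/backup as one dated tarball each.
# The destination path is host-specific; the backups are plain tarballs
# (no encryption), so protect the backup directory accordingly.

#TODO: move this into compose

docker run --rm -v os_web_content:/mnt/src -v /home/andrei/backup:/mnt/dest busybox tar -zcvf /mnt/dest/"hub-$(date '+%Y-%m-%d').tar.gz" /mnt/src/hub.oscript.io/download/
docker run --rm -v os_web_content:/mnt/src -v /home/andrei/backup:/mnt/dest busybox tar -zcvf /mnt/dest/"oscript-$(date '+%Y-%m-%d').tar.gz" /mnt/src/oscript.io/download/versions/
--------------------------------------------------------------------------------
/web/nginx/ssl_conf/ssl-dhparams.pem:
--------------------------------------------------------------------------------
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS-----
--------------------------------------------------------------------------------
/bot/model/Модули/КаналТелеграм.os: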
--------------------------------------------------------------------------------
// Telegram channel adapter for the bot: builds an authenticated bot client and
// posts messages to the fixed public channel "@oscript_library".
#Использовать telegrambot

// Returns a ТелеграмБот authorised with the token read from the TELEGRAM_TOKEN
// environment variable (injected by docker-compose).
// NOTE(review): an empty/unset TELEGRAM_TOKEN is not checked here; the failure
// only surfaces later as a Telegram API error inside СообщениеВЧат.
Функция ПолучитьБот() Экспорт

    Токен = ПолучитьПеременнуюСреды("TELEGRAM_TOKEN");

    Бот = Новый ТелеграмБот;
    Бот.УстановитьТокенАвторизации(Токен);
    Возврат Бот;

КонецФункции

// Posts ТекстСообщения to "@oscript_library" through Бот.
// Raises an exception carrying the API "description" field when the reply is
// not ok, leaving the caller to map the failure to an HTTP status.
Процедура СообщениеВЧат(Знач Бот, Знач ТекстСообщения) Экспорт

    Сообщение = ТелеграмАпи.НовоеСообщение("@oscript_library", ТекстСообщения);
    Результат = Бот.Отправить(Сообщение);

    Если Результат["ok"] <> Истина Тогда
        ВызватьИсключение Результат["description"];
    КонецЕсли;

КонецПроцедуры
--------------------------------------------------------------------------------
/bot/controllers/home.os:
--------------------------------------------------------------------------------

// HTTP entry point: POST / relays the raw request body to the Telegram channel.
// SECURITY NOTE(review): there is no authentication, size limit or rate limit
// on this endpoint — any client that can reach the bot container can post
// arbitrary text to the public channel. docker-compose.yml declares the port
// with the short `ports: - "5000"` form, which publishes it on a random host
// port, so it is likely reachable beyond the compose network unless the host
// firewall blocks it. Keep the port unpublished (or add a shared-secret header
// check) before relying on network position as the only control.
&HttpPost
Функция Index() Экспорт

    Текст = ПрочитатьЗапрос();
    Бот = КаналТелеграм.ПолучитьБот();
    Попытка
        КаналТелеграм.СообщениеВЧат(Бот, Текст);
    Исключение
        // The Telegram API error text is echoed back verbatim with 400.
        // Acceptable only while callers are trusted internal services.
        Ответ = Содержимое(ИнформацияОбОшибке().Описание);
        Ответ.КодСостояния = 400;
        Возврат Ответ;
    КонецПопытки;

    Возврат КодСостояния(200);

КонецФункции

// Reads the entire request body as UTF-8 text. No length cap is applied here;
// whatever the web host allows is forwarded to Telegram.
Функция ПрочитатьЗапрос()
    ЧтениеТекста = Новый ЧтениеТекста;
    ЧтениеТекста.Открыть(ЗапросHttp.ПолучитьТелоКакПоток(), КодировкаТекста.UTF8NoBOM);
    Данные = ЧтениеТекста.Прочитать();
    ЧтениеТекста.Закрыть();

    Возврат Данные;
КонецФункции
--------------------------------------------------------------------------------
/web/nginx/Dockerfile:
--------------------------------------------------------------------------------
# Edge reverse proxy / TLS terminator image.
# NOTE(review): ubuntu:16.04 left standard support in 2021; its nginx and
# OpenSSL packages receive no further fixes and predate TLS 1.3. Moving to a
# supported base (or the official nginx image) is the biggest single
# hardening step available for this stack.
#FROM jwilder/nginx-proxy
FROM ubuntu:16.04

COPY cat_me_to_fastcgi_params /tmp/

RUN apt-get update && apt-get -y install nginx openssl
# Appends the ASP.NET FastCGI params (PATH_INFO, SCRIPT_FILENAME) to the stock file.
RUN cat /tmp/cat_me_to_fastcgi_params >> /etc/nginx/fastcgi_params && rm /tmp/cat_me_to_fastcgi_params

COPY ssl_conf /etc/nginx/ssl_conf
10 | COPY sites-enabled /etc/nginx/sites-enabled 11 | 12 | # Самоподписанный сертификат для default-сервера 13 | RUN mkdir /etc/nginx/ssl && \ 14 | openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt -subj "/C=RU/ST=Serpukhov/L=Serpukhov/O=OneScript./OU=OneScript/CN=oscript.io" 15 | 16 | VOLUME /var/www 17 | 18 | EXPOSE 80 19 | 20 | CMD ["nginx", "-g", "daemon off;"] 21 | -------------------------------------------------------------------------------- /docker/Dockerfile.mono: -------------------------------------------------------------------------------- 1 | FROM ubuntu:18.04 2 | 3 | # MAINTAINER EvilBeaver 4 | 5 | ENV LANG ru_RU.UTF-8 6 | 7 | RUN apt update \ 8 | && apt-get -y install locales tzdata \ 9 | && locale-gen ru_RU && locale-gen ru_RU.UTF-8 \ 10 | && update-locale LANG=ru_RU.UTF-8 \ 11 | && apt install -y gnupg ca-certificates \ 12 | && apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF \ 13 | && sh -c 'echo "deb https://download.mono-project.com/repo/ubuntu stable-bionic main" > /etc/apt/sources.list.d/mono-official-stable.list' \ 14 | && apt-get update \ 15 | && apt-get -y install mono-runtime binutils curl mono-devel ca-certificates-mono mono-vbnc referenceassemblies-pcl mono-fastcgi-server4 \ 16 | && apt-get clean \ 17 | && rm -rf /var/lib/apt/lists/* /tmp/* -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2017 Andrei Ovsiankin 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to 
permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /web/nginx/ssl_conf/options-ssl-nginx.conf: -------------------------------------------------------------------------------- 1 | # This file contains important security parameters. If you modify this file 2 | # manually, Certbot will be unable to automatically provide future security 3 | # updates. Instead, Certbot will print and log an error message with a path to 4 | # the up-to-date file that you will need to refer to when manually updating 5 | # this file. 
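# Installed by init-letsencrypt.sh and included by every TLS server block.
#
# Hardened relative to the old certbot template that was checked in:
#  - TLSv1 / TLSv1.1 removed (deprecated by RFC 8996); only TLSv1.2 is offered.
#    NOTE(review): add "TLSv1.3" once the nginx image is rebuilt on a base
#    newer than ubuntu:16.04 — its nginx/OpenSSL predate TLS 1.3 and reject
#    that value at config load.
#  - 3DES (DES-CBC3-SHA), static-RSA key exchange and CBC/SHA1 suites dropped;
#    only AEAD suites with (EC)DHE remain. OpenSSL ignores cipher names it
#    does not know as long as at least one suite in the list is available.
#  - session tickets off: nginx rotates its ticket key only on restart, which
#    weakens forward secrecy for long-running workers.

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Скрипты поддержки инфраструктуры oscript.io

## Вот ду ви вонт

* Коммит в ветку
* Сборка на этой ветке
* Прогон тестов из этой ветки
* Формирование артефактов
* Взять актуальные пакеты из hub.oscript.io/dev-channel и прогнать их тесты на собранном артефакте
  * под Windows
  * под Linux
* Если ветка была develop - положить артефакты в ночную сборку для скачивания на сайте
* Если ветка была master
  * Взять актуальные пакеты из hub.oscript.io/dev-channel и прогнать их тесты на собранном артефакте
    * под Windows
    * под Linux
  * положить артефакты в стабильную сборку на сайте
  * опубликовать артефакты в релизах github
  * опубликовать пакеты Nuget
  * обновить документацию на сайте (лежит в артефактах)

## Вот ду ви вонт по библиотеке пакетов

* Коммит в репо пакета
* Прогон тестов пакета на develop движке (для коммита в dev)
* Прогон тестов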
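пакета на стабильном движке (для коммита в master или release/\*), если в packagedef не указана нестабильная версия среды.
* Сборка ospx
* Публикация в dev канале хаба, если это ветка dev
* Публикация в основном канале хаба, если это ветка master.

Этот документ можно обсуждать и предлагать к нему правки.
--------------------------------------------------------------------------------
/web/nginx/config_template:
--------------------------------------------------------------------------------
# Template for a new reverse-proxied site. Replace [$Sitename] with the host
# name and point $target_url at the upstream container.
server {
    listen 80;
    listen [::]:80;
    server_name [$Sitename];

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 302 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name [$Sitename];
    root /var/www/[$Sitename];

    # client_max_body_size 50M;  -- only needed when uploads larger than 1 MB pass through nginx

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # "always": send HSTS on error responses from the backend too.
    add_header Strict-Transport-Security "max-age=31536000" always;

    proxy_redirect off;

    # Required: proxy_pass with a variable resolves the upstream name at
    # request time and needs a resolver (127.0.0.11 is Docker's embedded DNS).
    # Without it nginx fails with "no resolver defined" on the first request.
    resolver 127.0.0.11 valid=30s;

    location / {
        # Upstream to forward to, e.g. http://site:5000
        # (was `set target_url="..."`: nginx variables need the $ sigil and the
        # old form does not pass `nginx -t`).
        set $target_url http://site:5000;
        proxy_pass $target_url;

        # All proxy_set_header directives live in the location: a location that
        # sets any header inherits none from the server level. nginx is the
        # edge, so X-Forwarded-For carries $remote_addr rather than a
        # client-supplied chain.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
    }

    include /etc/nginx/ssl_conf/options-ssl-nginx.conf;
    ssl_dhparam /etc/nginx/ssl_conf/ssl-dhparams.pem;
    ssl_certificate /etc/letsencrypt/live/[$Sitename]/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/[$Sitename]/privkey.pem;
}
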
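--------------------------------------------------------------------------------
/web/nginx/sites-enabled/jenkins:
--------------------------------------------------------------------------------
# build.oscript.io — TLS terminator in front of the Jenkins container.
# Port 80 serves only the ACME challenge and redirects everything else.
server {
    listen 80;
    listen [::]:80;
    server_name build.oscript.io;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name build.oscript.io;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;

    # "always": send HSTS on error responses from the backend too.
    add_header Strict-Transport-Security "max-age=31536000" always;

    proxy_redirect off;

    # Docker's embedded DNS; with a variable in proxy_pass nginx resolves the
    # upstream per request instead of refusing to start while jenkins is down.
    resolver 127.0.0.11 valid=30s;

    location / {
        set $target_url http://jenkins:8080;
        proxy_pass $target_url;

        # Fix: the X-Forwarded-* headers used to be set at server level, but a
        # location that defines any proxy_set_header inherits none of them —
        # so Jenkins never received X-Forwarded-Proto/Host and could not build
        # correct https:// URLs behind the proxy. All headers now live here.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-NginX-Proxy true;
    }

    include /etc/nginx/ssl_conf/options-ssl-nginx.conf;
    ssl_dhparam /etc/nginx/ssl_conf/ssl-dhparams.pem;
    ssl_certificate /etc/letsencrypt/live/build.oscript.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/build.oscript.io/privkey.pem;
}

--------------------------------------------------------------------------------
/web/nginx/sites-enabled/oscript.io:
--------------------------------------------------------------------------------
# oscript.io — main site, proxied to the "site" container.
server {
    listen 80;
    listen [::]:80;
    server_name oscript.io www.oscript.io;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name oscript.io www.oscript.io;
    root /var/www/oscript.io;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Strict-Transport-Security "max-age=31536000" always;

    client_max_body_size 50M;

    proxy_redirect off;

    resolver 127.0.0.11 valid=30s;

    location / {
        # All proxy_set_header directives live here (server-level ones are not
        # inherited once a location sets its own). nginx is the edge, so
        # X-Forwarded-For carries $remote_addr, not a client-supplied chain.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        set $target_url http://site:3030;
        proxy_pass $target_url;
    }

    include /etc/nginx/ssl_conf/options-ssl-nginx.conf;
    ssl_dhparam /etc/nginx/ssl_conf/ssl-dhparams.pem;
    ssl_certificate /etc/letsencrypt/live/oscript.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/oscript.io/privkey.pem;
}

--------------------------------------------------------------------------------
/jenkins/Dockerfile:
--------------------------------------------------------------------------------
# Jenkins controller that also executes builds itself (needs mono, docker, oscript).
# NOTE(review): "latest" is a moving target — pin a release tag (ideally with an
# @sha256 digest) so rebuilds are reproducible and upgrades are deliberate.
FROM jenkins/jenkins:latest

# For self-updating the instance:
# add a volume for /usr/share/jenkins and
#chown jenkins:jenkins /usr/share/jenkins
#chown jenkins:jenkins /usr/share/jenkins/jenkins.war

# The agent needs mono.
USER root
# Refresh the package index first; the base image may ship without apt lists.
RUN apt-get update && apt-get -y install dirmngr ca-certificates gnupg
# The keyserver is contacted over plaintext hkp, but the full 40-hex fingerprint
# is pinned, which limits substitution; the repository itself is fetched over https.
RUN gpg --homedir /tmp --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/mono-official-archive-keyring.gpg \
    --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF \
    && chmod +r /usr/share/keyrings/mono-official-archive-keyring.gpg \
    && echo "deb [signed-by=/usr/share/keyrings/mono-official-archive-keyring.gpg] https://download.mono-project.com/repo/debian stable-buster main" \
    | tee /etc/apt/sources.list.d/mono-official-stable.list && apt-get update

RUN apt-get -y install mono-complete

# The agent needs the docker CLI (the daemon is the host's, via the mounted socket).
# NOTE(review): piping an unpinned installer into sh is a supply-chain risk;
# prefer installing docker-ce-cli from a pinned apt repository.
RUN curl -fsSL https://get.docker.com/ | sh \
    && usermod -a -G docker jenkins

#locales
RUN apt-get -y install locales \
    && sed -i -e 's/# ru_RU.UTF-8 UTF-8/ru_RU.UTF-8 UTF-8/' /etc/locale.gen \
    && locale-gen
ENV LANG=ru_RU.UTF-8
RUN locale -a

# Extra packages go in a separate layer so the long mono install stays cached
# and is not repeated on every build.
# NOTE(review): neither download is integrity-checked; compose publishes
# checksums with every release — verify them here. Also confirm the compose URL
# still resolves (v2 release tags carry a "v" prefix and assets are lower-case,
# e.g. docker-compose-linux-x86_64). With -f a 404 now fails the build instead
# of leaving an HTML page installed as the binary.
RUN apt-get -y install rsync sudo wget \
    && wget https://oscript.io/downloads/1_9_3/x64/onescript-engine_1.9.3_all.deb \
    && dpkg -i onescript-engine_1.9.3_all.deb \
    && rm onescript-engine_1.9.3_all.deb \
    && curl -fsSL "https://github.com/docker/compose/releases/download/2.40.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose \
    && chmod +x /usr/local/bin/docker-compose

# SECURITY NOTE(review): passwordless rsync as root is full root (rsync can
# write any path and `-e` runs arbitrary commands), so this is no narrower than
# `ALL`. Scope it to a wrapper script with fixed arguments if the deploy job
# allows. (Membership in the docker group plus the mounted host socket already
# makes this user host-root-equivalent; see docker-compose.yml.)
RUN mkdir -p /etc/sudoers.d && \
    echo 'jenkins ALL=(root) NOPASSWD: /usr/bin/rsync, /bin/mkdir' >> /etc/sudoers.d/10-jenkins

# Only consulted if dockerd runs inside this container; with the host socket
# mounted, the host's own daemon.json governs logging and registry mirrors.
COPY daemon.json /etc/docker/daemon.json

USER jenkins
--------------------------------------------------------------------------------
/web/nginx/sites-enabled/hub.oscript.io:
--------------------------------------------------------------------------------
# hub.oscript.io — package hub, proxied to the opm_hub container.
server {
    listen 80;
    listen [::]:80;
    server_name hub.oscript.io;

    client_max_body_size 50M;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # Temporary workaround: package push is accepted over plain HTTP.
    # SECURITY NOTE(review): whatever the push API uses to authenticate (the hub
    # is started with OSHUB_DEFAULT_USER/OSHUB_DEFAULT_PASSWORD in
    # docker-compose.yml) and the package payload itself cross the network in
    # cleartext here and can be swapped in transit. This is the one path that
    # bypasses the 301 below; retire it as soon as the pushing client can
    # speak HTTPS.
    location /push {

        root /var/www/hub.oscript.io;

        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_pass http://opm_hub:5000;

    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name hub.oscript.io;
    root /var/www/hub.oscript.io;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Strict-Transport-Security "max-age=31536000" always;

    client_max_body_size 50M;

    proxy_redirect off;

    resolver 127.0.0.11 valid=30s;

    location / {
        gzip off;
        # All proxy_set_header directives live here (server-level ones are not
        # inherited once a location sets its own).
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        set $target_url http://opm_hub:5000;
        proxy_pass $target_url;
    }

    include /etc/nginx/ssl_conf/options-ssl-nginx.conf;
    ssl_dhparam /etc/nginx/ssl_conf/ssl-dhparams.pem;
    ssl_certificate /etc/letsencrypt/live/hub.oscript.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hub.oscript.io/privkey.pem;
}

--------------------------------------------------------------------------------
/docker-compose.yml:
--------------------------------------------------------------------------------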
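version: '3'
services:
  # Public entry point: the only service that needs published host ports.
  # The loop reloads nginx every 6h so certificates renewed by the certbot
  # service are picked up without a restart.
  nginx:
    build: web/nginx
    image: nginx-simple
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - web_content:/var/www/
      - ./web/certbot/conf:/etc/letsencrypt/
      - ./web/certbot/www:/var/www/certbot
      - ./logs/nginx:/var/log/nginx
    depends_on:
      - opm_hub
      - site
      - certbot

  # Internal services are reached by nginx over the compose network by name.
  # They were declared with `ports: - "<port>"`, which in the short syntax
  # PUBLISHES the container port on a random host port (all interfaces),
  # bypassing TLS and the reverse proxy. `expose` keeps each port reachable
  # only from other containers.
  site:
    image: oscript/backend
    expose:
      - "3030"
    volumes:
      - web_content:/var/www/

  opm_hub:
    image: evilbeaver/os-hub:11
    expose:
      - "5000"
    # Bare names are read from the shell environment / .env (git-ignored).
    # Anyone with docker socket access can read them via `docker inspect`.
    environment:
      - OSHUB_BINARY_ROOT=/var/www/hub.oscript.io
      - GITHUB_AUTH_TOKEN
      - GITHUB_SUPER_TOKEN
      - OSWEB_Database__DBType
      - OSWEB_Database__ConnectionString
      - OSHUB_DEFAULT_USER
      - OSHUB_DEFAULT_PASSWORD
      - OSHUB_TG_NOTIFICATION
      - TELEGRAM_TOKEN
      - TELEGRAM_GROUP_ID
    volumes:
      - web_content:/var/www/
    restart: always
    depends_on:
      - opm_hub_db

  jenkins:
    build: jenkins
    image: osjenkins
    # Web UI only through nginx (build.oscript.io). 50000 is the inbound agent
    # port; keep it published only if agents connect from outside this host.
    expose:
      - "8080"
    ports:
      - "50000:50000"
    volumes:
      # SECURITY: the docker socket makes the jenkins user (docker group, see
      # jenkins/Dockerfile) root-equivalent on the host. Every job that can run
      # on this controller inherits that power.
      - /var/run/docker.sock:/var/run/docker.sock
      - jenkins_home:/var/jenkins_home
      - web_content:/var/www
    depends_on:
      - tg_bot

  opm_hub_db:
    image: postgres:12
    # Was "5432:5432" — password-only Postgres published on every host
    # interface. Bound to loopback so only local admin tooling on the host can
    # reach it; opm_hub connects over the compose network and needs no
    # published port at all.
    ports:
      - "127.0.0.1:5432:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER
      - POSTGRES_PASSWORD

  certbot:
    image: certbot/certbot
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    volumes:
      - ./web/certbot/conf:/etc/letsencrypt
      - ./web/certbot/www:/var/www/certbot
      - ./logs/certbot:/var/log/letsencrypt

  # Telegram relay; its POST endpoint is unauthenticated
  # (bot/controllers/home.os), so it must stay unpublished.
  tg_bot:
    image: evilbeaver/os-tg-bot:latest
    expose:
      - "5000"
    environment:
      - TELEGRAM_TOKEN

volumes:
  web_content:
  jenkins_home:
  postgres_data:
--------------------------------------------------------------------------------
/init-letsencrypt.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# One-shot bootstrap of Let's Encrypt certificates for the nginx service:
# create throw-away self-signed certs so nginx can start, then replace them
# with real ones via the webroot challenge.
#
# Exit on the first failing command — a silently failed step would leave nginx
# serving the dummy certificates.
set -e

if ! [ -x "$(command -v docker-compose)" ]; then
  echo 'Error: docker-compose is not installed.' >&2
  exit 1
fi

domains=(api.oscript.io hub.oscript.io oscript.io build.oscript.io)
rsa_key_size=4096
data_path="./web/certbot"
ssl_conf_path="./web/nginx/ssl_conf"
email="ovsiankin.aa@gmail.com" # Adding a valid address is strongly recommended
staging=0 # Set to 1 if you're testing your setup to avoid hitting request limits

if [ -d "$data_path" ]; then
  # ${domains[*]}: a bare "$domains" would print only the first entry.
  read -p "Existing data found for ${domains[*]}. Continue and replace existing certificate? (y/N) " decision
  if [ "$decision" != "Y" ] && [ "$decision" != "y" ]; then
    exit
  fi
fi


if [ ! -e "$ssl_conf_path/options-ssl-nginx.conf" ] || [ ! -e "$ssl_conf_path/ssl-dhparams.pem" ]; then
  echo "### Downloading recommended TLS parameters ..."
  mkdir -p "$ssl_conf_path"
  # -f: fail on HTTP errors instead of saving an error page as the config.
  # NOTE(review): these come from certbot's unpinned master branch, where the
  # file layout has moved before; both files are also committed under
  # web/nginx/ssl_conf, so this branch normally does not run.
  curl -fsS https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/tls_configs/options-ssl-nginx.conf > "$ssl_conf_path/options-ssl-nginx.conf"
  # Fix: was "/$ssl_conf_path/..." — the stray leading slash wrote the file to
  # /./web/nginx/ssl_conf/ (i.e. /web/...), outside the repository.
  curl -fsS https://raw.githubusercontent.com/certbot/certbot/master/certbot/ssl-dhparams.pem > "$ssl_conf_path/ssl-dhparams.pem"
  echo
fi

# Short-lived throw-away certificates so the nginx config loads before the
# real ones exist (key size is irrelevant: they live one day and are deleted).
for domain in "${domains[@]}"; do
  echo "### Creating dummy certificate for $domain..."
  path="/etc/letsencrypt/live/$domain"
  mkdir -p "$data_path/conf/live/$domain"
  docker-compose run --rm --entrypoint "\
    openssl req -x509 -nodes -newkey rsa:1024 -days 1\
      -keyout '$path/privkey.pem' \
      -out '$path/fullchain.pem' \
      -subj '/CN=localhost'" certbot
done

echo "### Starting nginx ..."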
43 | docker-compose up --force-recreate -d nginx 44 | echo 45 | 46 | for domain in "${domains[@]}"; do 47 | echo "### Deleting dummy certificate for $domain ..." 48 | docker-compose run --rm --entrypoint "\ 49 | rm -Rf /etc/letsencrypt/live/$domain && \ 50 | rm -Rf /etc/letsencrypt/archive/$domain && \ 51 | rm -Rf /etc/letsencrypt/renewal/$domain.conf" certbot 52 | done 53 | 54 | 55 | for domain in "${domains[@]}"; do 56 | echo "### Requesting Let's Encrypt certificate for $domain ..." 57 | 58 | # Select appropriate email arg 59 | case "$email" in 60 | "") email_arg="--register-unsafely-without-email" ;; 61 | *) email_arg="--email $email" ;; 62 | esac 63 | 64 | # Enable staging mode if needed 65 | if [ $staging != "0" ]; then staging_arg="--staging"; fi 66 | 67 | docker-compose run --rm --entrypoint "\ 68 | certbot certonly --webroot -w /var/www/certbot \ 69 | $staging_arg \ 70 | $email_arg \ 71 | -d $domain \ 72 | --rsa-key-size $rsa_key_size \ 73 | --agree-tos \ 74 | --force-renewal" certbot 75 | done 76 | 77 | echo "### Reloading nginx ..." 78 | docker-compose exec nginx nginx -s reload 79 | -------------------------------------------------------------------------------- /Vagrantfile: -------------------------------------------------------------------------------- 1 | # -*- mode: ruby -*- 2 | # vi: set ft=ruby : 3 | 4 | # All Vagrant configuration is done below. The "2" in Vagrant.configure 5 | # configures the configuration version (we support older styles for 6 | # backwards compatibility). Please don't change it unless you know what 7 | # you're doing. 8 | Vagrant.configure(2) do |config| 9 | # The most common configuration options are documented and commented below. 10 | # For a complete reference, please see the online documentation at 11 | # https://docs.vagrantup.com. 12 | 13 | # Every Vagrant development environment requires a box. You can search for 14 | # boxes at https://atlas.hashicorp.com/search. 
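config.vm.box = "phusion/ubuntu-14.04-amd64"
  # NOTE(review): this box is Ubuntu 14.04 (long end-of-life). Everything it
  # hosts runs in containers, so any current box with a Docker-capable kernel
  # is a drop-in replacement.
  #
  # `config.vm.box_download_insecure = true` used to be set here. It disables
  # TLS certificate verification for the box download, which lets anyone on
  # the network path hand out a trojaned base image. Removed; if a TLS-
  # intercepting proxy ever requires it, set it for that one download only,
  # never in committed configuration.

  # Disable automatic box update checking. If you disable this, then
  # boxes will only be checked for updates when the user runs
  # `vagrant box outdated`. This is not recommended.
  # config.vm.box_check_update = false

  # Create a forwarded port mapping which allows access to a specific port
  # within the machine from a port on the host machine. In the example below,
  # accessing "localhost:8080" will access port 80 on the guest machine.
  # config.vm.network "forwarded_port", guest: 80, host: 8080

  # Host-only network; the VM is not reachable from outside the host.
  config.vm.network "private_network", ip: "192.168.33.10"

  # Create a public network, which generally matched to bridged network.
  # Bridged networks make the machine appear as another physical device on
  # your network.
  # config.vm.network "public_network"

  # Share an additional folder to the guest VM. The first argument is
  # the path on the host to the actual folder. The second argument is
  # the path on the guest to mount the folder. And the optional third
  # argument is a set of non-required options.
  # config.vm.synced_folder "../data", "/vagrant_data"

  # Provider-specific configuration so you can fine-tune various
  # backing providers for Vagrant. These expose provider-specific options.
  config.vm.provider "virtualbox" do |vb|
  #   # Display the VirtualBox GUI when booting the machine
  #   vb.gui = true
  #
  #   # Customize the amount of memory on the VM:
    vb.memory = "2048"
  end
  #
  # View the documentation for the provider you are using for more
  # information on available options.

  # Define a Vagrant Push strategy for pushing to Atlas. Other push strategies
  # such as FTP and Heroku are also available. See the documentation at
  # https://docs.vagrantup.com/v2/push/atlas.html for more information.
  # config.push.define "atlas" do |push|
  #   push.app = "YOUR_ATLAS_USERNAME/YOUR_APPLICATION_NAME"
  # end

  # Enable provisioning with a shell script. Additional provisioners such as
  # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
  # documentation for more information about their specific syntax and use.
  # config.vm.provision "shell", inline: <<-SHELL
  #   sudo apt-get update
  #   sudo apt-get install -y apache2
  # SHELL

  # Install Docker from the upstream convenience script.
  # NOTE(review): piping an unpinned remote script into sh is a supply-chain
  # risk; acceptable for a throw-away local VM, not for anything shared.
  pkg_cmd = "curl -sSL https://get.docker.com/ | sh; "
  # Add vagrant user to the docker group (docker group == root on the VM)
  pkg_cmd << "usermod -a -G docker vagrant; "

  config.vm.provision :shell, :inline => pkg_cmd

  # init.sh installs docker-compose (1.11.2, see init.sh) and git.
  config.vm.provision :shell, path: "init.sh"

end
--------------------------------------------------------------------------------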