yurilima/Phx-Yuri
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update SSL certificate, NGINX configuration, and pgAdmin setup

Browse Source 
- Updated the SSL certificate for yuri.phx-erp.de with a new signed certificate.
- Added a new NGINX configuration file for pgAdmin reverse proxy under the subpath /pgadmin4.
- Enhanced the main NGINX configuration with improved logging, security headers, and real IP handling.
- Implemented health check endpoints for both system and worker services with IP whitelisting.
- Created a new entrypoint script for pgAdmin to manage .pgpass and servers.json configuration.
- Removed the redis.conf file and commented out Redis session caching in the configuration.
This commit is contained in:
Yuri Matos de Lima
2025-05-27 08:50:14 +00:00
parent 709362b1c0
commit 05f2f8aaa5
10 changed files with 696 additions and 228 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
.env
View File

@@ -1,50 +1,40 @@
# ===== Enviroment Stage ======
ENV_MODE=production
NODE_ENV=production
# ====== Database Configuration ======
POSTGRES_PASSWORD=6MaBQd9ICYeZnCb
PGADMIN_DEFAULT_PASSWORD=bET23d76xKArCqf
DB_NAME="phoenix"
DB_HOST="phoenixDB"
DB_PORT=5432
DB_USERNAME="postgres"
PGADMIN_DEFAULT_EMAIL="info@phx-erp.de"
MAIL_SERVER="mail.phx-erp.de"
MAIL_PORT=465
MAIL_USERNAME="internal@phx-erp.de "
MAIL_PASSWORD="8Kb2p4!o1"
SECURITY_EMAIL_SENDER="'No Reply PHX <no-reply@phx-erp.de>'"
# ====== Phoenix Super Admin Configuration ======
SUPER_ADMIN_USER_PASSWORD=zrRzSW5pC4cWwroX976oXcGQU
# ====== Redis Configuration ======
REDIS_PASSWORD=sBCuVsJkKTSErgF
# ====== Worker Configuration ======
RUN_JOB_QUEUE=1
# ====== Email Configuration ======
SMTP_FROM="Yuri Lima <yuri.lima@phx-erp.de>"
SMTP_TYPE='smtp'
SMTP_NAME='mail.phx-erp.de'
SMTP_HOST='mail.phx-erp.de'
SMTP_PORT=465
SMTP_SECURE='true'
SMTP_USER='yuri.lima@phx-erp.de'
SMTP_PASS='0rB0@et68'
SMTP_LOGGING='true'
SMTP_DEBUG='true'
SMTP_TLS_REJECT_UNAUTHORIZED='false' # If true will reject self-signed certificates. It will show: Hostname/IP does not match certificate's altnames: Host: mail.phx-erp.de. is not in the cert's altnames: DNS:*.netcup.net, DNS:netcup.net trace
SMTP_SECURE_CONNECTION='true' # Not in use
# ===== Metris Configuration ======
# Loki API URL -> The IP 5.75.153.161 is the Grafana Server where it has a firewall rule to allow the connection. Please, if you change here, need to be change in NGINX too.
LOKI_URL=http://grafana.phx-erp.de:3100/loki/api/v1/push
LOKI_RETRIES=5
LOKI_BATCH_SIZE=500
# ===== HTTPS-PORTAL Configuration ======
HTTPS_PORTAL_DOMAINS='yuri.phx-erp.de -> phoenix-app'
# ====== PHX-SYSTEM Configuration ======
PHOENIX_SYSTEM_REPLICAS=1
# ======= GraphQl =============
GRAPHQL_DEBUG='true'
GRAPHQL_TRACING='true'
# ======= Integrations =============
# Bill Bee
BILL_BEE_ACTIVE='true'
BILL_BEE_API_KEY='200EEBAD-06E8-4184-B430-3428D6447B92'
BILL_BEE_API_USERNAME="yuri.lima"
BILL_BEE_API_SECRET='YTB6tgm.dzb0ntf@zqr'
BILL_BEE_API_URL='https://api.billbee.io/api/v1'
# Channel Pilot Pro
CHANNEL_PILOT_PRO_ACTIVE='true'
CHANNEL_PILOT_PRO_URL='https://capi.channelpilot.com'
CHANNEL_PILOT_PRO_API_MERCHANT_ID=''
CHANNEL_PILOT_PRO_API_TOKEN=''
CHANNEL_PILOT_PRO_ACCESS_TOKEN=''
CHANNEL_PILOT_PRO_EXPIRED_AT=''
# Shopify
SHOPIFY_ACTIVE='true'
SHOPIFY_HOST_NAME='https://phxerpdev.myshopify.com/admin/api/2024-10/graphql.json'
SHOPIFY_API_KEY='159142eaee1b747e5cb084cc77564b3e'
SHOPIFY_API_SECRET='1be9e99cad669092247f8735da3e0570'
SHOPIFY_TOKEN='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'
SHOPIFY_HOST_SCHEME='https'
SHOPIFY_IS_EMBEDDED_APP='true'

1
.gitignore vendored
View File

@@ -7,3 +7,4 @@ e2e
https_portal/log
https_portal/data
assets
pgadmin/data

0
custom_pg_hba.conf
View File

353
docker-compose.yaml
View File

@@ -1,165 +1,287 @@
---
services:
postgres:
restart: always
image: "postgres:15.6-alpine"
container_name: phoenixDB
image: "postgres:15.1-alpine"
container_name: phoenixDB # Hostname
# logging:
# driver: loki
# options:
# loki-url: "${LOKI_URL}"
# loki-retries: "${LOKI_RETRIES}"
# loki-batch-size: "${LOKI_BATCH_SIZE}"
# loki-external-labels: "service=phx-postgres,env=prod"
networks:
- backend
ports:
- "5432:5432"
environment:
- PGUSER=postgres
- DEBUG=false
- POSTGRES_DB=phoenix
- "POSTGRES_PASSWORD=${POSTGRES_PASSWORD}"
DEBUG: true
POSTGRES_DB: ${DB_NAME}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
volumes:
- "./database:/var/lib/postgresql/data"
- "./database/pg_hba.conf:/etc/postgresql/pg_hba.conf" # Correct location
command: ["postgres", "-c", "hba_file=/etc/postgresql/pg_hba.conf"] # ✅ Tell PostgreSQL where to find it
healthcheck:
test:
- CMD-SHELL
- pg_isready -U postgres
interval: 5s
timeout: 2s
retries: 5
test: [ "CMD-SHELL", "pg_isready -U postgres" ]
interval: 5s # Time between each health check
timeout: 2s # Number of failures before marking as unhealthy
retries: 5 # Grace period before health checks start
pgadmin:
image: dpage/pgadmin4
container_name: pgadmin_container
container_name: pgAdmin4_Ui
user: "5050:5050"
# logging:
# driver: loki
# options:
# loki-url: "${LOKI_URL}"
# loki-retries: "${LOKI_RETRIES}"
# loki-batch-size: "${LOKI_BATCH_SIZE}"
# loki-external-labels: "service=phx-pgadmin,env=prod"
networks:
- backend
- frontend
environment:
PGADMIN_DEFAULT_EMAIL: "pgadmin4@pgadmin.org"
PGADMIN_DEFAULT_PASSWORD: ${PGADMIN_DEFAULT_PASSWORD}
PGADMIN_CONFIG_SERVER_MODE: 'False'
ports:
- "${PGADMIN_PORT:-5050}:80"
PGADMIN_DEFAULT_EMAIL: ${PGADMIN_DEFAULT_EMAIL}
PGADMIN_DEFAULT_PASSWORD: ${SUPER_ADMIN_USER_PASSWORD}
PGADMIN_CONFIG_SERVER_MODE: 'True'
PGADMIN_CONFIG_WSGI_SCRIPT_NAME: "'/pgadmin4'"
PGADMIN_CONFIG_PROXY_X_PROTO_COUNT: 1
PGADMIN_SERVER_JSON_FILE: '/var/lib/pgadmin/servers.json'
PGADMIN_REPLACE_SERVERS_ON_STARTUP: 'True'
PGADMIN_CONFIG_DATA_DIR: "'/var/lib/pgadmin'"
PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED: 'False'
# pgpass dynamic vars
PGPASSFILE: /var/lib/pgadmin/pgpass
PGPASS_HOST: ${DB_HOST}
PGPASS_PORT: ${DB_PORT}
PGPASS_DB: ${DB_NAME}
PGPASS_USER: ${DB_USERNAME}
PGPASS_PASSWORD: ${POSTGRES_PASSWORD}
# Other config
ALLOW_SAVE_PASSWORD: 'False'
MFA_ENABLED: 'True'
MFA_FORCE_REGISTRATION: 'False'
MFA_SUPPORTED_METHODS: 'email'
MFA_EMAIL_SUBJECT: 'Your MFA code by PHX-ERP'
MAX_LOGIN_ATTEMPTS: 5
ENHANCED_COOKIE_PROTECTION: 'True'
SHOW_GRAVATAR_IMAGE: 'True'
SECURITY_EMAIL_SENDER: ${SECURITY_EMAIL_SENDER}
MAIL_SERVER: ${MAIL_SERVER}
MAIL_PORT: ${MAIL_PORT}
MAIL_USE_SSL: 'False'
MAIL_USE_TLS: 'False'
MAIL_USERNAME: ${MAIL_USERNAME}
MAIL_PASSWORD: ${MAIL_PASSWORD}
MAIL_DEBUG: 'False'
volumes:
- "pgadmin:/var/lib/pgadmin"
- ./pgadmin/data:/var/lib/pgadmin
- ./pgadmin/pgadmin-entrypoint.sh:/docker-entrypoint.sh:ro
entrypoint: ["/bin/sh", "/docker-entrypoint.sh"]
depends_on:
postgres:
condition: service_healthy
healthcheck:
test: ["CMD", "wget", "-O", "-", "http://localhost:80/misc/ping"]
interval: 15s
timeout: 10s
retries: 5
start_period: 60s
phoenix-app:
restart: always
image: "yurimatoslima/phoenix-frontend:alpha"
container_name: phoenixApp
ports:
- "3000:3000" # Restrict to only allow access from Grafana Server IP
# logging:
# driver: loki
# options:
# loki-url: "${LOKI_URL}"
# loki-retries: "${LOKI_RETRIES}"
# loki-batch-size: "${LOKI_BATCH_SIZE}"
# loki-external-labels: "service=phx-app,env=prod,project=phoenix"
volumes:
- "./app_custom:/usr/share/nginx/html/assets/custom"
- ./app_custom:/usr/share/nginx/html/assets/custom
- ./nginx/nginx.conf:/etc/nginx/nginx.conf
- ./nginx/includes:/etc/nginx/includes:ro
networks:
- backend # primary network [external]
- frontend # internal network
- backend
- frontend
depends_on:
- phoenix-system
pgadmin:
condition: service_healthy
healthcheck:
test: ["CMD", "wget", "--spider", "-q", "http://phoenixApp/login"] # localhost checks that the NGINX server inside the container is serving something at the root
interval: 10s # check every 10 seconds
timeout: 5s # allow 5 seconds per check
retries: 5 # mark as unhealthy after 5 failures
start_period: 15s # wait 15 seconds after container start before checking
phoenix-system:
restart: always
image: "yurimatoslima/phoenix-backend:alpha"
# logging:
# driver: loki
# options:
# loki-url: "${LOKI_URL}"
# loki-retries: "${LOKI_RETRIES}"
# loki-batch-size: "${LOKI_BATCH_SIZE}"
# loki-external-labels: "service=phoenix-system,env=prod"
environment:
- "DB_HOST=phoenixDB"
- "DB_NAME=${DB_NAME}"
- "DB_PASSWORD=${POSTGRES_PASSWORD}"
- "DB_USERNAME=postgres"
- "SUPER_ADMIN_USER_PASSWORD=${SUPER_ADMIN_USER_PASSWORD}"
- "REDIS_PASSWORD=${REDIS_PASSWORD}"
- RUN_JOB_QUEUE=${RUN_JOB_QUEUE}
- SMTP_FROM=${SMTP_FROM}
- SMTP_TYPE=${SMTP_TYPE}
- SMTP_NAME=${SMTP_NAME}
- SMTP_HOST=${SMTP_HOST}
- SMTP_PORT=${SMTP_PORT}
- SMTP_SECURE=${SMTP_SECURE}
- SMTP_USER=${SMTP_USER}
- SMTP_PASS=${SMTP_PASS}
- SMTP_LOGGING=${SMTP_LOGGING}
- SMTP_DEBUG=${SMTP_DEBUG}
- SMTP_TLS_REJECT_UNAUTHORIZED=${SMTP_TLS_REJECT_UNAUTHORIZED}
- SMTP_SECURE_CONNECTION=${SMTP_SECURE_CONNECTION}
- ENV_MODE=${ENV_MODE}
- NODE_ENV=${NODE_ENV}
- SMTP_TLS_CIPHERS={SMTP_TLS_CIPHERS}
- BILL_BEE_ACTIVE=${BILL_BEE_ACTIVE}
- BILL_BEE_API_KEY=${BILL_BEE_API_KEY}
- BILL_BEE_API_USERNAME=${BILL_BEE_API_USERNAME}
- BILL_BEE_API_SECRET=${BILL_BEE_API_SECRET}
- BILL_BEE_API_URL=${BILL_BEE_API_URL}
- CHANNEL_PILOT_PRO_ACTIVE=${CHANNEL_PILOT_PRO_ACTIVE}
- CHANNEL_PILOT_PRO_URL=${CHANNEL_PILOT_PRO_URL}
- CHANNEL_PILOT_PRO_API_MERCHANT_ID=${CHANNEL_PILOT_PRO_API_MERCHANT_ID}
- CHANNEL_PILOT_PRO_API_TOKEN=${CHANNEL_PILOT_PRO_API_TOKEN}
- CHANNEL_PILOT_PRO_ACCESS_TOKEN=${CHANNEL_PILOT_PRO_ACCESS_TOKEN}
- CHANNEL_PILOT_PRO_EXPIRED_AT=${CHANNEL_PILOT_PRO_EXPIRED_AT}
- SHOPIFY_ACTIVE=${SHOPIFY_ACTIVE}
- SHOPIFY_HOST_NAME=${SHOPIFY_HOST_NAME}
- SHOPIFY_API_KEY=${SHOPIFY_API_KEY}
- SHOPIFY_API_SECRET=${SHOPIFY_API_SECRET}
- SHOPIFY_HOST_SCHEME=${SHOPIFY_HOST_SCHEME}
- SHOPIFY_IS_EMBEDDED_APP=${SHOPIFY_IS_EMBEDDED_APP}
command: ["npm", "run", "start:server"]
deploy:
replicas: 1 #change here if u want to have more replicas. Cant find a way to set via variable right now
replicas: ${PHOENIX_SYSTEM_REPLICAS} #change here if u want to have more replicas. Cant find a way to set via variable right now
networks:
- backend
backend:
aliases:
- phoenix-system
depends_on:
postgres:
condition: service_healthy
phoenix-redis:
condition: service_healthy
healthcheck:
test: ["CMD-SHELL", "curl -s http://phoenix-system:3000/health | grep -q '\"admin-api\":{\"status\":\"up\"}' && curl -s http://phoenix-system:3000/health | grep -q '\"database\":{\"status\":\"up\"}'"] # Checks both admin-api and database status
interval: 10s # Time between each health check
timeout: 6s # Max time to wait for each check
retries: 10 # Number of failures before marking as unhealthy
start_period: 40s # Grace period before health checks start
volumes:
- "./logs:/usr/src/app/packages/dev-server/logs"
- "./assets:/usr/src/app/packages/dev-server/assets"
- "./server_custom:/usr/src/app/packages/dev-server/custom"
# - "./logs:/usr/src/app/packages/dev-server/logs"
phoenix-worker:
restart: always
image: "yurimatoslima/phoenix-backend:alpha"
container_name: "phoenix-worker"
ports:
- "3001:3001" # Restrict to only allow access from Grafana Server IP
# logging:
# driver: loki
# options:
# loki-url: "${LOKI_URL}"
# loki-retries: "${LOKI_RETRIES}"
# loki-batch-size: "${LOKI_BATCH_SIZE}"
# loki-external-labels: "service=phx-worker,env=prod"
networks:
- backend
environment:
- DB_HOST=phoenixDB
- "DB_NAME=${DB_NAME}"
- "DB_PASSWORD=${POSTGRES_PASSWORD}"
- DB_USERNAME=postgres
- "SUPER_ADMIN_USER_PASSWORD=${SUPER_ADMIN_USER_PASSWORD}"
- REDIS_PASSWORD=${REDIS_PASSWORD}
# command: ["npm", "run", "start:worker"]
entrypoint: ./entrypoint-phoenix-worker.sh
- NODE_ENV=${NODE_ENV}
depends_on:
phoenix-system:
condition: service_healthy
postgres:
condition: service_healthy
healthcheck:
test: [ "CMD-SHELL", "curl -s http://phoenix-worker:3001/health | grep -q '\"status\":\"ok\"'" ] # Check if worker responds with status ok
interval: 10s # Time between each health check
timeout: 6s # Max time to wait for each check
retries: 20 # Grace period before health checks start
start_period: 30s # Grace period before health checks start
volumes:
- "./assets:/usr/src/app/packages/dev-server/assets"
- "./server_custom:/usr/src/app/packages/dev-server/custom"
- "./logs:/usr/src/app/packages/dev-server/logs"
# - "./logs:/usr/src/app/packages/dev-server/logs"
phoenix-redis:
image: 'bitnami/redis:latest'
container_name: redis
command: /opt/bitnami/scripts/redis/run.sh --maxmemory 100mb --dir /bitnami/redis/data
user: 1001:1001 # Non-root user in Bitnami images The /bitnami/redis/data directory inside the container is already owned by 1001, avoiding permission issues.
command: /opt/bitnami/scripts/redis/run.sh --maxmemory 100mb
user: root
# logging:
# driver: loki
# options:
# loki-url: "${LOKI_URL}"
# loki-retries: "${LOKI_RETRIES}"
# loki-batch-size: "${LOKI_BATCH_SIZE}"
# loki-external-labels: "service=phx-redis,env=prod"
networks:
- backend
restart: always
environment:
ALLOW_EMPTY_PASSWORD: "no"
REDIS_DISABLE_COMMANDS: FLUSHDB,FLUSHALL,CONFIG
REDIS_PASSWORD: ${REDIS_PASSWORD}
healthcheck:
test: [ "CMD", "redis-cli", "--raw", "incr", "ping" ]
interval: 5s
retries: 10 # Increase retries if Redis takes a while to start
timeout: 5s # Increase timeout if needed
volumes:
- "./redis/data:/bitnami/redis/data"
- /opt/phx/redis/tmp:/opt/bitnami/redis/tmp # ✅ Fix permission issue
- /opt/phx/redis/logs:/opt/bitnami/redis/logs # ✅ Fix logs permission issue
- ./redis.conf:/opt/bitnami/redis/etc/redis.conf # ✅ Use a writable redis.conf
depends_on:
postgres:
condition: service_healthy
node_exporter:
volumes:
- "./redis/data:/bitnami/redis/data"
phoenix-health-exporter:
image: phxerp/phoenix-health-exporter:alpha
container_name: health_exporter
restart: unless-stopped
# logging:
# driver: loki
# options:
# loki-url: "${LOKI_URL}"
# loki-retries: "${LOKI_RETRIES}"
# loki-batch-size: "${LOKI_BATCH_SIZE}"
# loki-external-labels: "service=phx-health-exporter,env=prod"
ports:
- "9800:9800"
environment:
DB_HOST: ${DB_HOST}
DB_NAME: ${DB_NAME}
DB_PASSWORD: ${POSTGRES_PASSWORD}
DB_USERNAME: ${DB_USERNAME}
networks:
- frontend
- backend
volumes:
- /etc/hostname:/etc/host_hostname:ro # This ensures the container always uses the real machine hostname, even if restarted or recreated.
security_opt:
- no-new-privileges:true
deploy:
resources:
limits:
cpus: '0.25'
memory: 128M
depends_on:
phoenix-system:
condition: service_healthy
phoenix-worker:
condition: service_healthy
postgres:
condition: service_healthy
healthcheck:
test: ["CMD-SHELL", "curl -sf http://localhost:9800/healthz || exit 1"]
interval: 1m
timeout: 5s
retries: 3
start_period: 15s
node-exporter:
image: quay.io/prometheus/node-exporter:latest
container_name: node_exporter
# logging:
# driver: loki
# options:
# loki-url: "${LOKI_URL}"
# loki-retries: "${LOKI_RETRIES}"
# loki-batch-size: "${LOKI_BATCH_SIZE}"
# loki-external-labels: "service=phx-node-exporter,env=prod"
networks:
- metrics
- frontend
restart: unless-stopped
ports:
- "9100:9100"
- "9100:9100" # Restrict to only allow access from Grafana Server IP
command:
- "--path.procfs=/host/proc"
- "--path.sysfs=/host/sys"
@@ -169,13 +291,66 @@ services:
- "/proc:/host/proc:ro"
- "/sys:/host/sys:ro"
- "/:/host:ro,rslave"
security_opt:
- no-new-privileges:true
deploy:
resources:
limits:
cpus: '0.25'
memory: 128M
healthcheck:
test: ["CMD", "wget", "-qO-", "http://localhost:9100/metrics"]
interval: 15s
timeout: 5s
retries: 3
start_period: 20s
# nginx-exporter:
# image: nginx/nginx-prometheus-exporter:1.4.2
# container_name: nginx_exporter
# restart: unless-stopped
# # logging:
# # driver: loki
# # options:
# # loki-url: "${LOKI_URL}"
# # loki-retries: "${LOKI_RETRIES}"
# # loki-batch-size: "${LOKI_BATCH_SIZE}"
# # loki-external-labels: "service=phx-nginx-exporter,env=prod"
# ports:
# - "9113:9113" # Restrict to only allow access from Grafana Server IP
# command:
# - '--nginx.scrape-uri=http://phoenixApp/stub_status'
# security_opt:
# - no-new-privileges:true
# deploy:
# resources:
# limits:
# cpus: '0.25'
# memory: 128M
# depends_on:
# phoenix-app:
# condition: service_healthy
# networks:
# - frontend
# - metrics
# healthcheck:
# test: ["CMD", "wget", "-qO-", "http://localhost:9113/metrics"] # Not working as expected
# interval: 15s
# timeout: 5s
# retries: 3
# start_period: 10s
https_portal:
container_name: https_portal
image: "steveltn/https-portal:1.21"
restart: unless-stopped
# logging:
# driver: loki
# options:
# loki-url: "${LOKI_URL}"
# loki-retries: "${LOKI_RETRIES}"
# loki-batch-size: "${LOKI_BATCH_SIZE}"
# loki-external-labels: "service=phx-https-portal,env=prod"
networks:
- frontend # [ PgAdmin, Phoenix-App ]
- external # [ Outside of the World]
ports:
- "80:80"
- "443:443"
@@ -186,18 +361,18 @@ services:
DEBUG: "true"
RENEW_MARGIN_DAYS: 30
CLIENT_MAX_BODY_SIZE: 0
SERVER_NAMES_HASH_BUCKET_SIZE: 128 # Increase hash bucket size for server names - good for bigger domains names, if not set correctly, it will throw an error, break the container.
# FORCE_RENEW: 'true'
DOMAINS: 'yuri.phx-erp.de -> phoenix-app'
DOMAINS: "${HTTPS_PORTAL_DOMAINS}"
volumes:
- ./https_portal/data:/var/lib/https-portal # ssl_certs, vhost.d, htdocs
- ./https_portal/log:/var/log/nginx # nginx logs
- ./https_portal/config/custom_nginx.conf:/opt/custom_nginx.conf:ro # ✅ Mount file in a safe path
# - ./https_portal/config/custom_nginx.conf:/opt/custom_nginx.conf:ro # ✅ Mount file in a safe path
depends_on:
- phoenix-app
- phoenix-system
- pgadmin
- phoenix-redis
- postgres
pgadmin:
condition: service_healthy
postgres:
condition: service_healthy
fail2ban:
image: crazymax/fail2ban:latest
container_name: fail2ban
@@ -210,6 +385,7 @@ services:
- ./fail2ban/jail.d:/etc/fail2ban/jail.d
- /var/log:/var/log:ro
restart: always
networks:
backend:
driver: bridge
@@ -224,17 +400,10 @@ networks:
ipam:
config:
- subnet: 172.20.0.0/16
external:
driver: bridge
external: false
metrics:
driver: bridge
external: false
ipam:
config:
- subnet: 172.22.0.0/16
volumes:
pgadmin: null

36
https_portal/data/yuri.phx-erp.de/production/signed.crt
View File

@@ -1,31 +1,31 @@
-----BEGIN CERTIFICATE-----
MIIE7TCCA9WgAwIBAgISBN9fSOkvS54NMLTgeStNS2oTMA0GCSqGSIb3DQEBCwUA
MIIE+zCCA+OgAwIBAgISBeKK1knRhuU1oi3S5b7is2lPMA0GCSqGSIb3DQEBCwUA
MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
EwNSMTEwHhcNMjUwMTA4MDMyMzU2WhcNMjUwNDA4MDMyMzU1WjAaMRgwFgYDVQQD
EwNSMTEwHhcNMjUwNTA4MTUxNTE3WhcNMjUwODA2MTUxNTE2WjAaMRgwFgYDVQQD
Ew95dXJpLnBoeC1lcnAuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCkoSgHOsFmtqy02FZoJflGQlqx2Lc9WP12L5i5D/hutP8gpMoEfq6WyHD7Gn25
LR2BTn8ceqMMoArfJs6SsEXT7xdbmWSS9r4pWtbpZLWO/jwtYBbg/lwCTJUbiIvD
wwRLtjP+xVlwfuslkgcEdPCD9CaigGkhcLQKgzL2hhwYwBMaA94MVX0rhd8w66zA
cwMcwo8VWDb0PwD2TAJqBXupmjMQ8XIob57rC0drO9175Wp2UX13W3m/NaOylKyU
Ct7uoClu/LtBXdXG0TmKTSlYdlEkwyWJYBNEnog0QWbsxl4PCaRaMianjgln5BGt
rmBUApxH0qm+Ct1Svw5HdB9tAgMBAAGjggISMIICDjAOBgNVHQ8BAf8EBAMCBaAw
rmBUApxH0qm+Ct1Svw5HdB9tAgMBAAGjggIgMIICHDAOBgNVHQ8BAf8EBAMCBaAw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD
VR0OBBYEFEKJ54GyFoST7ssNgV+4Qn/QEubyMB8GA1UdIwQYMBaAFMXPRqTq9MPA
emyVxC2wXpIvJuO5MFcGCCsGAQUFBwEBBEswSTAiBggrBgEFBQcwAYYWaHR0cDov
L3IxMS5vLmxlbmNyLm9yZzAjBggrBgEFBQcwAoYXaHR0cDovL3IxMS5pLmxlbmNy
Lm9yZy8wGgYDVR0RBBMwEYIPeXVyaS5waHgtZXJwLmRlMBMGA1UdIAQMMAowCAYG
Z4EMAQIBMIIBAwYKKwYBBAHWeQIEAgSB9ASB8QDvAHUAouMK5EXvva2bfjjtR2d3
U9eCW4SU1yteGyzEuVCkR+cAAAGURCZHUAAABAMARjBEAiAxBCBQSJT8mWTph0yI
HQsoR6RFyMExrihZhIKpkMoRwwIgftlv5sQPZnto1KMuwrKwQXUdMej2Pb2/QgUM
eIyplEQAdgDM+w9qhXEJZf6Vm1PO6bJ8IumFXA2XjbapflTA/kwNsAAAAZREJkdh
AAAEAwBHMEUCIG02M+HEsqp2J7GT9Lkce/1FJKyFOo3lupETe/wvtfzQAiEA7PnP
MRZ481CHAg6HMYBv/lcSCBBOsjt6NASP8ZIgNvQwDQYJKoZIhvcNAQELBQADggEB
AFAeYvfig+Eb9IZlLxAXVKpnnIc11D3Tyvfe/c3YNbv2krXWd7n64TMEdE8IqzLl
Ew/2R7v7Zm8dsgnmWET2TGDT0O6ZAzeYTictTqaYkg0WMGGq1gfovjUt6E3aGhYm
TaacT0ypXm6zE0JpotXkJESNbfYx+zO0VNTCxYtfcTxeGFvqG41ZljvB5tWx2ODU
dlYh9omk1OnIgxY6LCdNdhIpNIfcswx0FN6dLc4hNIlZeUwAznao0/DB7M9kKKbL
JEISF1PD7+qgBCOLnKxylYx+aV3Bmg9jaUzySB2j95MLJirPYqqDa4ObU1UKa9v0
RWOYa6/PjG44rdUjvU6GsLY=
emyVxC2wXpIvJuO5MDMGCCsGAQUFBwEBBCcwJTAjBggrBgEFBQcwAoYXaHR0cDov
L3IxMS5pLmxlbmNyLm9yZy8wGgYDVR0RBBMwEYIPeXVyaS5waHgtZXJwLmRlMBMG
A1UdIAQMMAowCAYGZ4EMAQIBMC4GA1UdHwQnMCUwI6AhoB+GHWh0dHA6Ly9yMTEu
Yy5sZW5jci5vcmcvODAuY3JsMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYAzPsP
aoVxCWX+lZtTzumyfCLphVwNl422qX5UwP5MDbAAAAGWsKyn1QAABAMARzBFAiBz
v6PsRPAwXWcYu6BOQl5QmzzI6BP9Jl/t+teqR7rVgAIhAPrl3JjVjIPBuWh/LvfR
SSH1bJSLVuZpP/czfG1yZI+XAHcArxgaKNaMo+CpikycZ6sJ+Lu8IrquvLE4o6Gd
0/m2Aw0AAAGWsKyqywAABAMASDBGAiEArUQdsL6CsB9cBR2ZaXd5yOC3VypYyOmp
ZQPD/iPIOP8CIQDt0R00Uq3MTybefEXwTo34ixkQyN9vw/xh2OkbYYBP8DANBgkq
hkiG9w0BAQsFAAOCAQEAGxx7PNuGrMyX530iBmPfUtmRXBLmsVUmj1jalbUzx//i
oFxJ7DWAau8MZHPF+tSvrbReKjCFgpkOfSdaSMubWHlAPaSMP6NGZUwmLt7jApke
qzYKgYWhovh/J8uYgQ7KEDPJeXYeDIHbmnyyHtgxI0eXKlpN3hgQiIxC2Q9JZc7+
enktsKskPWpwHNxVPHYKF9VGbFMdOxBjr6wSRecmzD3lGXv0O0r9e84ULSfmK8KQ
a+TCZnwVM1tTNMm5TMKRa79nQE0+3R2wsXrqj2PfFtjS2haJgBbSQfSSqWlcft9C
WPuFNj8uG3ZVjqw7uOXjE6hy1AqdJbDt2gBSEB3gIA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----

15
nginx/includes/pgadmin.conf Normal file
View File

@@ -0,0 +1,15 @@
# pgAdmin reverse proxy (under subpath)
location /pgadmin4 {
proxy_pass http://pgAdmin4_Ui/;
proxy_set_header X-Script-Name /pgadmin4;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# Include headers for proxying
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# End of headers
proxy_redirect off;
}

370
nginx/nginx.conf
View File

@@ -1,126 +1,392 @@
worker_processes 1;
# Main process configuration
worker_processes 1;
events {
worker_connections 1024;
worker_connections 1024;
}
http {
geo $frontend_whitelist {
default 1;
127.0.0.1 1;
172.20.0.0/16 1; # Frontend Docker subnet
5.75.153.161 1; # Grafana or monitoring
167.235.254.4 1; # Ansible server IP
}
geo $backend_whitelist {
default 1;
127.0.0.1 1;
172.19.0.0/16 1; # Backend Docker subnet
5.75.153.161 1; # Grafana or monitoring
167.235.254.4 1; # Ansible server IP
}
# These settings ensure that $remote_addr reflects the real client IP forwarded by https-portal, which is needed for your allow rules to work correctly
# Recommended for resolving client IP behind proxy
# Docker networks where both frontend and backend containers communicate through NGINX.
# To avoid potential misclassification of real client IPs from backend routes.
# The set_real_ip_from directive doesnt allow access — it just instructs NGINX to trust the X-Forwarded-For header from those IPs.
set_real_ip_from 172.20.0.0/16; # Replace with your Docker network subnet (matches your `frontend` network)
set_real_ip_from 172.19.0.0/16; # Replace with your Docker network subnet (matches your `backend` network)
real_ip_header X-Forwarded-For;
real_ip_recursive on;
resolver 127.0.0.11 valid=10s;
resolver_timeout 5s;
upstream phoenix_system_cluster {
zone phoenix_system_cluster 64k;
least_conn;
server phoenix-system:3000 resolve fail_timeout=1s max_fails=0;
# ADD_SYSTEM_SERVERS_HERE
}
upstream phoenix_worker_cluster {
zone phoenix_worker_cluster 64k;
least_conn;
server phoenix-worker:3001 resolve fail_timeout=1s max_fails=0;
# ADD_WORKER_SERVERS_HERE
}
server_tokens off; # Disable NGINX version tokens to avoid leaking NGINX version.
# File handling & upload limits
sendfile on;
client_max_body_size 64m;
#client_body_temp_path /data/temp;
# Prevent warning when setting many proxy headers, like we do
proxy_headers_hash_max_size 1024;
proxy_headers_hash_bucket_size 128;
# Gzip compression (for better bandwidth efficiency)
gzip on;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# Trust the protocol from upstream proxy/load balancer
map $http_x_forwarded_proto $forwarded_proto {
default $scheme;
https https;
http http;
}
# File types and default mime type
include /etc/nginx/mime.types;
default_type application/octet-stream;
# 🧩 Logs
map $request_uri $loggable {
default 1;
~^/stub_status 0;
~^/health/system 0;
~^/health/worker 0;
}
log_format main_with_realip '$remote_addr - $realip_remote_addr [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
log_format json_compatible escape=json '{'
'"time":"$time_iso8601",'
'"remote_addr":"$remote_addr",'
'"proxy_addr":"$proxy_protocol_addr",'
'"x_forwarded_for":"$http_x_forwarded_for",'
'"request_method":"$request_method",'
'"request_uri":"$request_uri",'
'"status":$status,'
'"body_bytes_sent":$body_bytes_sent,'
'"request_time":$request_time,'
'"upstream_response_time":"$upstream_response_time",'
'"http_referer":"$http_referer",'
'"http_user_agent":"$http_user_agent",'
'"host":"$host",'
'"realip":"$realip_remote_addr"'
'}';
access_log /var/log/nginx/access_json.log json_compatible if=$loggable; # JSON format for Loki
access_log /var/log/nginx/access.log main_with_realip if=$loggable;
# End of logs
##################################################################
# 🧩 HTTP Server Block
##################################################################
server {
listen 80;
server_name localhost;
server_name _;
root /usr/share/nginx/html;
index index.html index.htm;
include /etc/nginx/mime.types;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
gzip on;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
sendfile on;
client_max_body_size 64m;
root /usr/share/nginx/html;
index index.html index.htm;
# Frontend SPA fallback
location / {
try_files $uri $uri/ /index.html;
}
# https://serverfault.com/questions/379675/nginx-reverse-proxy-url-rewrite
# Backend API routes
location /backend-api/ {
#rewrite ^/backend-api(.*) /$1 break;
proxy_pass http://phoenix-system:3000/;
proxy_pass http://phoenix_system_cluster/;
# Include headers for proxying
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# End of headers
}
location /admin-api {
proxy_pass http://phoenix-system:3000/admin-api;
proxy_pass http://phoenix_system_cluster/admin-api;
# Include headers for proxying
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# End of headers
}
location /remote-assets {
proxy_pass http://phoenix-system:3000/remote-assets;
proxy_pass http://phoenix_system_cluster/remote-assets;
# Include headers for proxying
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# End of headers
}
location /sti {
proxy_pass http://phoenix-system:3000/sti;
proxy_pass http://phoenix_system_cluster/sti;
# Include headers for proxying
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# End of headers
}
# WebSocket support
location /ws {
proxy_pass http://phoenix-system:3000/graphql;
proxy_pass http://phoenix_system_cluster/graphql;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Include headers for proxying
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# End of headers
}
# Reverse proxy for pgAdmin (subpath support)
include /etc/nginx/includes/*.conf;
# Health check endpoints -> used by the health check exporter
location /health/system {
proxy_pass http://phoenix_system_cluster/health;
# Secure the health check endpoint
if ($backend_whitelist = 0) {
return 403;
}
# End of security
# Include headers for proxying
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# End of headers
}
# location /health/system/metrics {
# proxy_pass http://phoenix_system_cluster/health/metrics;
# # Secure the health check endpoint
# # if ($backend_whitelist = 0) {
# # return 403;
# # }
# # End of security
# # Include headers for proxying
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $forwarded_proto;
# # End of headers
# }
location /health/worker {
proxy_pass http://phoenix_worker_cluster/health;
# Secure the health check endpoint
if ($backend_whitelist = 0) {
return 403;
}
# End of security
# Include headers for proxying
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# End of headers
}
# location /health/worker/metrics {
# proxy_pass http://phoenix_worker_cluster/health/metrics;
# # Secure the health check endpoint
# # if ($backend_whitelist = 0) {
# # return 403;
# # }
# # End of security
# # Include headers for proxying
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $forwarded_proto;
# # End of headers
# }
location /stub_status {
stub_status;
# Secure the stub status endpoint
if ($frontend_whitelist = 0) {
return 403;
}
# End of security
}
}
server { # This new server will watch for traffic on 443
listen 443 ssl http2;
server_name localhost;
##################################################################
# 🔐 HTTPS Server Block
##################################################################
server {
listen 443 ssl;
http2 on;
server_name _;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
ssl_certificate /etc/nginx/external-certificate/certificate.crt;
ssl_certificate_key /etc/nginx/external-certificate/certificate.key;
root /usr/share/nginx/html;
index index.html index.htm;
include /etc/nginx/mime.types;
gzip on;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
sendfile on;
client_max_body_size 64m;
root /usr/share/nginx/html;
index index.html index.htm;
location / {
try_files $uri $uri/ /index.html;
}
# https://serverfault.com/questions/379675/nginx-reverse-proxy-url-rewrite
# Secure API routes
location /backend-api/ {
#rewrite ^/backend-api(.*) /$1 break;
proxy_pass http://phoenix-system:3000/;
proxy_pass http://phoenix_system_cluster/;
# Include headers for proxying
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# End of headers
}
location /admin-api {
proxy_pass http://phoenix-system:3000/admin-api;
proxy_pass http://phoenix_system_cluster/admin-api;
# Include headers for proxying
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# End of headers
}
location /remote-assets {
proxy_pass http://phoenix-system:3000/remote-assets;
proxy_pass http://phoenix_system_cluster/remote-assets;
# Include headers for proxying
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# End of headers
}
location /sti {
proxy_pass http://phoenix-system:3000/sti;
proxy_pass http://phoenix_system_cluster/sti;
# Include headers for proxying
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# End of headers
}
location /ws {
proxy_pass http://phoenix-system:3000/graphql;
proxy_pass http://phoenix_system_cluster/graphql;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Include headers for proxying
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# End of headers
}
# Reverse proxy for pgAdmin (subpath support)
include /etc/nginx/includes/*.conf;
location /health/system {
proxy_pass http://phoenix_system_cluster/health;
# Secure the health check endpoint
if ($backend_whitelist = 0) {
return 403;
}
# End of security
# Include headers for proxying
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# End of headers
}
location /health/worker {
proxy_pass http://phoenix_worker_cluster/health;
# Secure the health check endpoint
if ($backend_whitelist = 0) {
return 403;
}
# End of security
# Include headers for proxying
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $forwarded_proto;
# End of headers
}
location /stub_status {
stub_status;
# Secure the stub status endpoint
if ($frontend_whitelist = 0) {
return 403;
}
# End of security
}
}
}

49
pgadmin/pgadmin-entrypoint.sh Normal file
View File

@@ -0,0 +1,49 @@
#!/bin/sh
set -e
echo "🔧 Entrypoint: Ensuring .pgpass directory and file"
PGADMIN_HOME="/var/lib/pgadmin"
PGPASS_PATH="${PGADMIN_HOME}/pgpass"
SERVERS_JSON_PATH="/var/lib/pgadmin/servers.json"
# Ensure parent directory exists
mkdir -p "$PGADMIN_HOME"
# Create or overwrite .pgpass file
echo "${PGPASS_HOST}:${PGPASS_PORT}:${PGPASS_DB}:${PGPASS_USER}:${PGPASS_PASSWORD}" > "$PGPASS_PATH"
chmod 600 "$PGPASS_PATH"
chown 5050:5050 "$PGPASS_PATH"
export PGPASSFILE="$PGPASS_PATH"
echo "✅ .pgpass ready at $PGPASS_PATH"
echo "🛠️ Generating servers.json for pgAdmin..."
# Try to ensure /pgadmin4 is owned by 5050 if possible
if [ -d /pgadmin4 ]; then
echo "🔧 Attempting to chown /pgadmin4 to 5050:5050"
chown 5050:5050 /pgadmin4 2>/dev/null || echo "⚠️ Could not chown /pgadmin4 (likely read-only or permission issue)"
fi
cat <<EOF > "$SERVERS_JSON_PATH"
{
"Servers": {
"1": {
"Name": "Phoenix DB",
"Group": "PHX GROUP",
"Host": "${PGPASS_HOST}",
"Port": ${PGPASS_PORT},
"MaintenanceDB": "${PGPASS_DB}",
"Username": "${PGPASS_USER}",
"SSLMode": "prefer",
"PassFile": "$PGPASSFILE"
}
}
}
EOF
chmod 600 "$SERVERS_JSON_PATH"
chown 5050:5050 "$SERVERS_JSON_PATH"
echo "✅ servers.json created at $SERVERS_JSON_PATH"
exec /entrypoint.sh "$@"

4
redis.conf
View File

@@ -1,4 +0,0 @@
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG ""

48
server_custom/config.ts
View File

@@ -1,8 +1,7 @@
/* tslint:disable:no-console */
import path from 'path';
import { ConnectionOptions } from 'typeorm';
// import { DataSourceOptions } from 'typeorm';
import { WinstonLogger, RedisSessionCachePlugin, LogLevel, TypeOrmLogger, SystemConfig, DefaultJobQueuePlugin } from '@phoenix/core';
import { DataSourceOptions } from 'typeorm';
import { WinstonLogger, LogLevel, TypeOrmLogger, SystemConfig, DefaultJobQueuePlugin } from '@phoenix/core';
import { AssetServerPlugin } from '@phoenix/asset-server-plugin';
import { ADMIN_API_PATH, API_PORT, SHOP_API_PATH, SUPER_ADMIN_USER_IDENTIFIER } from '@phoenix/common';
import { EmailPlugin, FileBasedTemplateLoader, defaultEmailHandlers } from '@phoenix/email-plugin';
@@ -10,6 +9,8 @@ import { BillBeePlugin } from "@phoenix/bill-bee-plugin";
import { ChannelPilotProPlugin } from "@phoenix/channel-pilot-pro-plugin";
import { ShopifyPlugin } from '@phoenix/shopify-plugin';
// RedisSessionCachePlugin
/**
* Config settings used during development
*/
@@ -72,15 +73,15 @@ export const customConfig: SystemConfig = {
defaultTakeNumber: 100,
},
plugins: [
RedisSessionCachePlugin.init({
namespace: 'phx-session',
redisOptions: {
host: process.env.REDIS_HOST || 'redis',
port: process.env.REDIS_PORT ? parseInt(process.env.REDIS_PORT) : 6379,
db: process.env.REDIS_DB ? parseInt(process.env.REDIS_DB) : 0,
password: process.env.REDIS_PASSWORD || 'admin'
}
}),
// RedisSessionCachePlugin.init({
// namespace: 'phx-session',
// redisOptions: {
// host: process.env.REDIS_HOST || 'redis',
// port: process.env.REDIS_PORT ? parseInt(process.env.REDIS_PORT) : 6379,
// db: process.env.REDIS_DB ? parseInt(process.env.REDIS_DB) : 0,
// password: process.env.REDIS_PASSWORD || 'admin'
// }
// }),
AssetServerPlugin.init({
route: 'remote-assets',
assetUploadDir: path.join(__dirname, 'assets'),
@@ -104,28 +105,9 @@ export const customConfig: SystemConfig = {
}),
BillBeePlugin.init({
active: process.env.BILL_BEE_ACTIVE === 'true',
apiUrl: process.env.BILL_BEE_API_URL,
apiKey: process.env.BILL_BEE_API_KEY,
username: process.env.BILL_BEE_API_USERNAME,
password: process.env.BILL_BEE_API_SECRET,
header: {
'X-Billbee-Api-Key': process.env.BILL_BEE_API_KEY,
'Authorization': `Basic ${Buffer.from(`${process.env.BILL_BEE_API_USERNAME}:${process.env.BILL_BEE_API_SECRET}`).toString('base64')}`,
}
}),
ChannelPilotProPlugin.init({
active: process.env.CHANNEL_PILOT_PRO_ACTIVE === 'true',
connectionInfo: {
url: process.env.CHANNEL_PILOT_PRO_URL,
apiMerchantId: process.env.CHANNEL_PILOT_PRO_API_MERCHANT_ID,
apiToken: process.env.CHANNEL_PILOT_PRO_API_TOKEN,
access_token: process.env.CHANNEL_PILOT_PRO_ACCESS_TOKEN,
expiredAt: process.env.CHANNEL_PILOT_PRO_EXPIRED_AT,
tokenType: 'Bearer'
},
header: {
'Authorization': `Bearer ${process.env.CHANNEL_PILOT_PRO_ACCESS_TOKEN}`,
}
active: process.env.CHANNEL_PILOT_PRO_ACTIVE === 'true'
}),
ShopifyPlugin.init({
active: process.env.SHOPIFY_ACTIVE === 'true'
@@ -151,7 +133,7 @@ export const customConfig: SystemConfig = {
// ApolloEngineApiKey: "service:Logic-Bits-2900:5w1aCP5YUtF-1ErRG0KNQw"
};
function getDbConfig(): ConnectionOptions {
function getDbConfig(): DataSourceOptions {
const dbType = process.env.DB || 'postgres';
const dbHost = process.env.DB_HOST || 'localhost';
const dbPort = +process.env.DB_PORT || 5432;