[+] update gateway

1. add systemd units deployment recipie; 2. add certbot periodic task; 3. update nginx_config.py to user ssl_preread_server_name instead of protocol, since it seems to be broken;
2025-03-15 12:04:03 +03:00 · 2025-03-15 12:04:03 +03:00 · 7442368b03
commit 7442368b03
parent 4cf720ee17
8 changed files with 141 additions and 13 deletions
--- a/14
+++ b/14
@ -13,7 +13,7 @@ python_tests:
 #	rm -fr \
 #		deps/com.github.aiortc.aiortc/src/online_fxreader/vpn/dist;

-PYTHON_PROJECTS := \
+PYTHON_PROJECTS ?= \
 	deps/com.github.aiortc.aiortc/ \
 	deps/com.github.aiortc.aiortc/src/online_fxreader/vpn/ \
 	python
@ -95,3 +95,15 @@ dotfiles_deploy:
 		dotfiles \
 	| xz --compress -9 --stdout > \
 	releases/tar/dotfiles-$(DOTFILES_VERSION).tar.xz
+
+systemd:
+	/usr/bin/env python3 d1/systemd.py
+	for d in tmp/d1; do \
+		(\
+			cd $$d; \
+			for i in *.service *.timer; do \
+				sudo ln -s -f $$PWD/$$i /etc/systemd/system/$$i; \
+			done; \
+		); \
+	done
+	sudo systemctl daemon-reload
--- a/d1/certbot.py
+++ b/d1/certbot.py
@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+
+import subprocess
+import time
+import logging
+
+logger = logging.getLogger(__name__)
+
+
+logging.basicConfig(level=logging.INFO)
+
+while True:
+    subprocess.check_call([
+        'docker', 'compose', 'exec', 'ssl-app', 'certbot', 'renew',
+    ])
+    subprocess.check_call([
+        'docker', 'compose', 'exec', 'ssl-app', 'nginx', '-s', 'reload',
+    ])
+    break
--- a/d1/fxreader.online-certbot.service
+++ b/d1/fxreader.online-certbot.service
@ -0,0 +1,11 @@
+[Unit]
+Description=fxreader.online-certbot
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/python3 d1/certbot.py
+WorkingDirectory={{PROJECT_ROOT}}
+#Restart=always
+
+#[Install]
+#WantedBy=multi-user.target
--- a/d1/fxreader.online-certbot.timer
+++ b/d1/fxreader.online-certbot.timer
@ -0,0 +1,9 @@
+[Unit]
+Description=fxreader.online-certbot-timer
+
+[Timer]
+OnUnitActiveSec=1d
+OnBootSec=1m
+
+[Install]
+WantedBy=timers.target
--- a/d1/nginx_config.py
+++ b/d1/nginx_config.py
@ -214,6 +214,23 @@ def ssl(input_json, output_conf):
    servers = []

    if 'stream_server' in ssl_nginx:
+        upstream_servers = []
+        server_names = []
+
+        for k, v in ssl_nginx['stream_server'].items():
+            upstream_servers.append(
+                'upstream %s { server %s; }' % (
+                    v['upstream_name'],
+                    v['url'],
+                )
+            )
+            server_names.append(
+                '"%s" %s;' % (
+                    v['server_name'], v['upstream_name'],
+                )
+            )
+            
+
        ssl_port = 444
        stream_server = r'''
 stream {
@ -221,26 +238,41 @@ stream {
        server 127.0.0.1:444;
    }

-    upstream ssh {
-        server {ssh};
-    }
+{upstream_servers}

-    map $ssl_preread_protocol $upstream {
-        default ssh;
-        "TLSv1.2" web;
-        "TLSv1.3" web;
+    #upstream ssh {
+    #    server {ssh};
+    #}
+
+    #map $ssl_preread_protocol $upstream {
+    #    default ssh;
+    #    "TLSv1.2" web;
+    #    "TLSv1.3" web;
+    #}
+
+    map $ssl_preread_server_name $upstream {
+        default web;
+{server_names}
    }

    # SSH and SSL on the same port
    server {
        listen 443;

-        proxy_pass $upstream;
        ssl_preread on;
+        proxy_pass $upstream;
    }
 }
        '''.replace(
-            '{ssh}', str(ssl_nginx['stream_server'])[:256]
+            '{upstream_servers}', ''.join([
+                '    ' + o + '\n'
+                for o in upstream_servers
+            ]),
+        ).replace(
+            '{server_names}', ''.join([
+                '        ' + o + '\n'
+                for o in server_names
+            ]),
        )
    else:
        stream_server = ''
--- a/d1/systemd.py
+++ b/d1/systemd.py
@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+
+import os
+import pathlib
+import io
+import glob
+import subprocess
+import logging
+
+logger = logging.getLogger(__name__)
+
+logging.basicConfig(level=logging.INFO)
+
+cache_path = pathlib.Path.cwd() / 'tmp'
+
+project_root = pathlib.Path.cwd()
+
+logger.info(dict(project_root=project_root, cache_path=cache_path,))
+
+for service in [
+    pathlib.Path(o) for o in sum([
+        glob.glob('d1/*.service'),
+        glob.glob('d1/*.timer')
+    ], [])
+]:
+    os.makedirs(str((cache_path / service).parent), exist_ok=True)
+
+    with io.open(str(service), 'r') as f:
+        with io.open(
+            str(cache_path / service), 'w'
+        ) as f2:
+            f2.write(
+                f.read().replace(
+                    '{{PROJECT_ROOT}}',
+                    str(project_root),
+                )
+            )
+    logger.info(dict(
+        service=str(service),
+        msg='updated',
+    ))
--- a/deps/com.github.aiortc.aiortc
+++ b/deps/com.github.aiortc.aiortc
@ -1 +1 @@
-Subproject commit d3cdc32f8c474d90e48ecc4729c0088999cb82ad
+Subproject commit adef10a8c41f5c550622879370a40f8a9e545574
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -32,16 +32,20 @@ services:
    build:
      context: .
      dockerfile: ./docker/dynu/Dockerfile
+    profiles:
+      - broken
    volumes:
      - ./d1/dynu_update.py:/app/d1/dynu_update.py:ro
      - ./tmp/cache/dynu.auth.json:/app/tmp/cache/dynu.auth.json:ro
    restart: always
-    links:
-      - ngrok
+    # links:
+    #  - ngrok
  ngrok:
    image: wernight/ngrok
    links:
      - app
+    profiles:
+      - broken
    command: ['ngrok', 'http', 'app:80']
    volumes:
      - ./tmp/cache/ngrok.yml:/home/ngrok/.ngrok2/ngrok.yml:ro