From 93bb9325962ede8dfe0eb7b5ba86210bf6ad1476 Mon Sep 17 00:00:00 2001
From: TronoSfera <119615520+TronoSfera@users.noreply.github.com>
Date: Sat, 28 Feb 2026 15:29:01 +0300
Subject: [PATCH] add cert

---
 Makefile | 89 +++++++++++++++++++++++---
 README.md | 18 ++++--
 celerybeat-schedule | Bin 16384 -> 16384 bytes
 context/13_production_deploy_ruakb.md | 31 ++++++---
 4 files changed, 115 insertions(+), 23 deletions(-)

diff --git a/Makefile b/Makefile
index e497774..cf0ae9f 100644
--- a/Makefile
+++ b/Makefile
@@ -1,11 +1,84 @@
-run:
- docker compose up --build
+.PHONY: \
+ help \
+ local-up local-down local-logs local-migrate local-test local-seed \
+ prod-up prod-down prod-logs prod-ps prod-migrate \
+ prod-cert-init prod-cert-renew \
+ run migrate test seed-quotes
-migrate:
- docker compose exec backend alembic upgrade head
+DOMAIN ?= ruakb.ru
+WWW_DOMAIN ?= www.ruakb.ru
+LETSENCRYPT_EMAIL ?= admin@ruakb.ru
-test:
- docker compose exec backend python -m unittest discover -s tests -p "test_*.py" -v
+LOCAL_COMPOSE = docker compose -f docker-compose.yml
+PROD_COMPOSE = docker compose -f docker-compose.yml -f docker-compose.prod.nginx.yml
+CERT_COMPOSE = docker compose -f docker-compose.yml -f docker-compose.prod.nginx.yml -f docker-compose.prod.cert.yml
-seed-quotes:
- docker compose exec backend python -m app.scripts.upsert_quotes
+help:
+ @echo "Targets:"
+ @echo " local-up - Start local stack"
+ @echo " local-down - Stop local stack"
+ @echo " local-logs - Tail local logs"
+ @echo " local-migrate - Apply migrations (local)"
+ @echo " local-test - Run backend tests (local)"
+ @echo " local-seed - Seed quotes (local)"
+ @echo " prod-up - Start production stack (nginx 80/443 + TLS certs already issued)"
+ @echo " prod-down - Stop production stack"
+ @echo " prod-logs - Tail production logs"
+ @echo " prod-ps - Show production services"
+ @echo " prod-migrate - Apply migrations (prod)"
+ @echo " prod-cert-init - Initial Let's Encrypt issue (nginx only 80 during bootstrap)"
+ @echo " prod-cert-renew - Renew existing certificates"
+
+local-up:
+ $(LOCAL_COMPOSE) up -d --build
+
+local-down:
+ $(LOCAL_COMPOSE) down
+
+local-logs:
+ $(LOCAL_COMPOSE) logs -f --tail=200
+
+local-migrate:
+ $(LOCAL_COMPOSE) exec -T backend alembic upgrade head
+
+local-test:
+ $(LOCAL_COMPOSE) exec -T backend python -m unittest discover -s tests -p "test_*.py" -v
+
+local-seed:
+ $(LOCAL_COMPOSE) exec -T backend python -m app.scripts.upsert_quotes
+
+prod-up:
+ $(PROD_COMPOSE) up -d --build
+ $(PROD_COMPOSE) exec -T backend alembic upgrade head
+
+prod-down:
+ $(PROD_COMPOSE) down
+
+prod-logs:
+ $(PROD_COMPOSE) logs -f --tail=200
+
+prod-ps:
+ $(PROD_COMPOSE) ps
+
+prod-migrate:
+ $(PROD_COMPOSE) exec -T backend alembic upgrade head
+
+# Initial certificate bootstrap:
+# 1) Start stack with edge nginx on port 80 only.
+# 2) Obtain cert via certbot webroot challenge.
+# 3) Restart stack in regular prod mode (80/443).
+prod-cert-init:
+ $(CERT_COMPOSE) up -d --build db redis minio backend chat-service worker beat frontend edge
+ $(CERT_COMPOSE) run --rm certbot certonly --webroot -w /var/www/certbot --email "$(LETSENCRYPT_EMAIL)" --agree-tos --no-eff-email -d "$(DOMAIN)" -d "$(WWW_DOMAIN)"
+ $(PROD_COMPOSE) up -d --build edge
+ $(PROD_COMPOSE) exec -T backend alembic upgrade head
+
+prod-cert-renew:
+ $(PROD_COMPOSE) run --rm certbot renew --webroot -w /var/www/certbot
+ $(PROD_COMPOSE) exec -T edge nginx -s reload
+
+# Backward-compatible aliases
+run: local-up
+migrate: local-migrate
+test: local-test
+seed-quotes: local-seed
diff --git a/README.md b/README.md
index a3fb341..f79de93 100644
--- a/README.md
+++ b/README.md
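Review bot: `prod-cert-renew` runs the `certbot` service through `PROD_COMPOSE`, while the only other certbot invocation, in `prod-cert-init`, goes through `CERT_COMPOSE`, which additionally layers `docker-compose.prod.cert.yml`; if the service is declared only in that bootstrap override, `make prod-cert-renew` fails with a no-such-service error, so confirm which compose file defines it. Nothing in this hunk or the accompanying docs schedules the renew target, and Let's Encrypt certificates expire after 90 days, so a comment above `prod-cert-renew:` such as `# Run periodically (cron/systemd timer): Let's Encrypt certificates expire after 90 days.` would make the operational requirement explicit. The `# Backward-compatible aliases` comment overstates slightly: the old `run` attached to the stack (`docker compose up --build`), whereas `local-up` now detaches with `-d`. The three `*_COMPOSE` variables are recursively expanded (`=`) although they are plain constants; `:=` is the conventional choice and avoids re-expansion on every reference.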
@@ -12,23 +12,27 @@ API (backend): http://localhost:8002
 Swagger: http://localhost:8002/docs
 Chat service health (via nginx): http://localhost:8081/chat-health
-## Production (ruakb.ru, 80/443, TLS)
-Production is configured with a dedicated edge proxy (Caddy) in `docker-compose.prod.yml`.
+## Production (ruakb.ru, 80/443, TLS via Nginx + Certbot)
+Production stack uses dedicated edge nginx (`docker-compose.prod.nginx.yml`).
 Prerequisites:
 - DNS `A` record: `ruakb.ru -> 45.150.36.116`
 - Optional DNS `A` record: `www.ruakb.ru -> 45.150.36.116`
 - Open server ports: `80/tcp`, `443/tcp`
-Start/update production:
+Initial certificate issue (bootstrap with nginx on port 80 only):
 ```bash
-docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d --build
-docker compose -f docker-compose.yml -f docker-compose.prod.yml exec -T backend alembic upgrade head
+make prod-cert-init LETSENCRYPT_EMAIL=you@example.com DOMAIN=ruakb.ru WWW_DOMAIN=www.ruakb.ru
 ```
-Or use helper script:
+Regular production start/update:
 ```bash
-./scripts/ops/deploy_prod.sh
+make prod-up
+```
+
+Certificate renew:
+```bash
+make prod-cert-renew
 ```
 Checks:
diff --git a/celerybeat-schedule b/celerybeat-schedule
index a6c5d52270fe2987be18f381857e5378e9b37c5f..d84640c95aca8ae37082efc9fac2be38f28151a2 100644
GIT binary patch
delta 82
zcmZo@U~Fh$+%VggpI5<>ed>WJ8Decyf~I(TPF`m%H+he_-6U%^0U3~7Pa;&#mwmE~
TT^CsWEJkGY3Y)LmX)^)dfDE@N7d!VcsGKkJ
VWEs0IuzJTPWc3Q0ui9xd0swC=8)yIk

diff --git a/context/13_production_deploy_ruakb.md b/context/13_production_deploy_ruakb.md
index c4de110..a041048 100644
--- a/context/13_production_deploy_ruakb.md
+++ b/context/13_production_deploy_ruakb.md
@@ -4,11 +4,15 @@
 Развернуть платформу на сервере `45.150.36.116` c HTTPS на `80/443` для домена `ruakb.ru`.
 ## Что добавлено
-- `docker-compose.prod.yml` — production override:
- - добавлен edge proxy (`caddy`) на `80/443`
+- `docker-compose.prod.nginx.yml` — production override:
+ - edge nginx на `80/443`
+ - certbot volume для сертификатов
 - отключены внешние порты у внутренних сервисов
-- `deploy/caddy/Caddyfile` — TLS (Let's Encrypt) + reverse proxy
-- `scripts/ops/deploy_prod.sh` — запуск стека и миграций
+- `docker-compose.prod.cert.yml` — bootstrap override для первичного выпуска сертификата
+ - edge nginx только на `80`
+- `deploy/nginx/edge-http-only.conf` — nginx конфиг только под `80` + ACME challenge
+- `deploy/nginx/edge-https.conf` — nginx конфиг для `80/443` + TLS + reverse proxy
+- `Makefile` — цели локального и production запуска
 ## Предусловия
 1. DNS:
@@ -17,10 +21,16 @@
 2. Открыты порты сервера:
 - `80/tcp`, `443/tcp`
-## Запуск
+## Первичный выпуск сертификата (nginx только 80)
 ```bash
 cd /opt/law
-./scripts/ops/deploy_prod.sh
+make prod-cert-init LETSENCRYPT_EMAIL=you@example.com DOMAIN=ruakb.ru WWW_DOMAIN=www.ruakb.ru
+```
+
+## Запуск production
+```bash
+cd /opt/law
+make prod-up
 ```
 ## Проверка
@@ -34,11 +44,16 @@ curl -fsS https://ruakb.ru/chat-health
 ## Обновление
 ```bash
 git pull
-./scripts/ops/deploy_prod.sh
+make prod-up
+```
+
+## Обновление сертификата
+```bash
+make prod-cert-renew
 ```
 ## Откат
 ```bash
-docker compose -f docker-compose.yml -f docker-compose.prod.yml down
+make prod-down
 # и вернуть предыдущий git tag/commit
 ```