add cert

Makefile

@@ -1,11 +1,84 @@
-run:
+.PHONY: \
-	docker compose up --build
+	help \
+	local-up local-down local-logs local-migrate local-test local-seed \
+	prod-up prod-down prod-logs prod-ps prod-migrate \
+	prod-cert-init prod-cert-renew \
+	run migrate test seed-quotes
 
-migrate:
+DOMAIN ?= ruakb.ru
-	docker compose exec backend alembic upgrade head
+WWW_DOMAIN ?= www.ruakb.ru
+LETSENCRYPT_EMAIL ?= admin@ruakb.ru
 
-test:
+LOCAL_COMPOSE = docker compose -f docker-compose.yml
-	docker compose exec backend python -m unittest discover -s tests -p "test_*.py" -v
+PROD_COMPOSE = docker compose -f docker-compose.yml -f docker-compose.prod.nginx.yml
+CERT_COMPOSE = docker compose -f docker-compose.yml -f docker-compose.prod.nginx.yml -f docker-compose.prod.cert.yml
 
-seed-quotes:
+help:
-	docker compose exec backend python -m app.scripts.upsert_quotes
+	@echo "Targets:"
+	@echo "  local-up          - Start local stack"
+	@echo "  local-down        - Stop local stack"
+	@echo "  local-logs        - Tail local logs"
+	@echo "  local-migrate     - Apply migrations (local)"
+	@echo "  local-test        - Run backend tests (local)"
+	@echo "  local-seed        - Seed quotes (local)"
+	@echo "  prod-up           - Start production stack (nginx 80/443 + TLS certs already issued)"
+	@echo "  prod-down         - Stop production stack"
+	@echo "  prod-logs         - Tail production logs"
+	@echo "  prod-ps           - Show production services"
+	@echo "  prod-migrate      - Apply migrations (prod)"
+	@echo "  prod-cert-init    - Initial Let's Encrypt issue (nginx only 80 during bootstrap)"
+	@echo "  prod-cert-renew   - Renew existing certificates"
+
+local-up:
+	$(LOCAL_COMPOSE) up -d --build
+
+local-down:
+	$(LOCAL_COMPOSE) down
+
+local-logs:
+	$(LOCAL_COMPOSE) logs -f --tail=200
+
+local-migrate:
+	$(LOCAL_COMPOSE) exec -T backend alembic upgrade head
+
+local-test:
+	$(LOCAL_COMPOSE) exec -T backend python -m unittest discover -s tests -p "test_*.py" -v
+
+local-seed:
+	$(LOCAL_COMPOSE) exec -T backend python -m app.scripts.upsert_quotes
+
+prod-up:
+	$(PROD_COMPOSE) up -d --build
+	$(PROD_COMPOSE) exec -T backend alembic upgrade head
+
+prod-down:
+	$(PROD_COMPOSE) down
+
+prod-logs:
+	$(PROD_COMPOSE) logs -f --tail=200
+
+prod-ps:
+	$(PROD_COMPOSE) ps
+
+prod-migrate:
+	$(PROD_COMPOSE) exec -T backend alembic upgrade head
+
+# Initial certificate bootstrap:
+# 1) Start stack with edge nginx on port 80 only.
+# 2) Obtain cert via certbot webroot challenge.
+# 3) Restart stack in regular prod mode (80/443).
+prod-cert-init:
+	$(CERT_COMPOSE) up -d --build db redis minio backend chat-service worker beat frontend edge
+	$(CERT_COMPOSE) run --rm certbot certonly --webroot -w /var/www/certbot --email "$(LETSENCRYPT_EMAIL)" --agree-tos --no-eff-email -d "$(DOMAIN)" -d "$(WWW_DOMAIN)"
+	$(PROD_COMPOSE) up -d --build edge
+	$(PROD_COMPOSE) exec -T backend alembic upgrade head
+
+prod-cert-renew:
+	$(PROD_COMPOSE) run --rm certbot renew --webroot -w /var/www/certbot
+	$(PROD_COMPOSE) exec -T edge nginx -s reload
+
+# Backward-compatible aliases
+run: local-up
+migrate: local-migrate
+test: local-test
+seed-quotes: local-seed

README.md

@@ -12,23 +12,27 @@ API (backend): http://localhost:8002
 Swagger: http://localhost:8002/docs
 Chat service health (via nginx): http://localhost:8081/chat-health
 
-## Production (ruakb.ru, 80/443, TLS)
+## Production (ruakb.ru, 80/443, TLS via Nginx + Certbot)
-Production is configured with a dedicated edge proxy (Caddy) in `docker-compose.prod.yml`.
+Production stack uses dedicated edge nginx (`docker-compose.prod.nginx.yml`).
 
 Prerequisites:
 - DNS `A` record: `ruakb.ru -> 45.150.36.116`
 - Optional DNS `A` record: `www.ruakb.ru -> 45.150.36.116`
 - Open server ports: `80/tcp`, `443/tcp`
 
-Start/update production:
+Initial certificate issue (bootstrap with nginx on port 80 only):
 ```bash
-docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d --build
+make prod-cert-init LETSENCRYPT_EMAIL=you@example.com DOMAIN=ruakb.ru WWW_DOMAIN=www.ruakb.ru
-docker compose -f docker-compose.yml -f docker-compose.prod.yml exec -T backend alembic upgrade head
 ```
 
-Or use helper script:
+Regular production start/update:
 ```bash
-./scripts/ops/deploy_prod.sh
+make prod-up
+```
+
+Certificate renew:
+```bash
+make prod-cert-renew
 ```
 
 Checks:

context/13_production_deploy_ruakb.md

@@ -4,11 +4,15 @@
 Развернуть платформу на сервере `45.150.36.116` c HTTPS на `80/443` для домена `ruakb.ru`.
 
 ## Что добавлено
-- `docker-compose.prod.yml` — production override:
+- `docker-compose.prod.nginx.yml` — production override:
-  - добавлен edge proxy (`caddy`) на `80/443`
+  - edge nginx на `80/443`
+  - certbot volume для сертификатов
   - отключены внешние порты у внутренних сервисов
-- `deploy/caddy/Caddyfile` — TLS (Let's Encrypt) + reverse proxy
+- `docker-compose.prod.cert.yml` — bootstrap override для первичного выпуска сертификата
-- `scripts/ops/deploy_prod.sh` — запуск стека и миграций
+  - edge nginx только на `80`
+- `deploy/nginx/edge-http-only.conf` — nginx конфиг только под `80` + ACME challenge
+- `deploy/nginx/edge-https.conf` — nginx конфиг для `80/443` + TLS + reverse proxy
+- `Makefile` — цели локального и production запуска
 
 ## Предусловия
 1. DNS:
@@ -17,10 +21,16 @@
 2. Открыты порты сервера:
    - `80/tcp`, `443/tcp`
 
-## Запуск
+## Первичный выпуск сертификата (nginx только 80)
 ```bash
 cd /opt/law
-./scripts/ops/deploy_prod.sh
+make prod-cert-init LETSENCRYPT_EMAIL=you@example.com DOMAIN=ruakb.ru WWW_DOMAIN=www.ruakb.ru
+```
+
+## Запуск production
+```bash
+cd /opt/law
+make prod-up
 ```
 
 ## Проверка
@@ -34,11 +44,16 @@ curl -fsS https://ruakb.ru/chat-health
 ## Обновление
 ```bash
 git pull
-./scripts/ops/deploy_prod.sh
+make prod-up
+```
+
+## Обновление сертификата
+```bash
+make prod-cert-renew
 ```
 
 ## Откат
 ```bash
-docker compose -f docker-compose.yml -f docker-compose.prod.yml down
+make prod-down
 # и вернуть предыдущий git tag/commit
 ```