tronosfera/Law
1
0
Fork 0
mirror of https://github.com/TronoSfera/Law.git synced 2026-05-18 10:03:45 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions
Law/Makefile
TronoSfera 85ac21a1cb add security test
2026-03-02 16:22:07 +03:00

148 lines
6.1 KiB
Makefile
Raw Blame History

.PHONY: \
help \
local-up local-down local-logs local-migrate local-test local-seed \
prod-up prod-down prod-logs prod-ps prod-migrate \
prod-secrets-generate prod-secrets-apply \
prod-minio-tls-init incident-checklist rotate-encryption-kid reencrypt-active-kid \
security-smoke prod-security-audit \
prod-cert-init prod-cert-renew \
check-prod-files check-cert-files \
run migrate test seed-quotes
DOMAIN ?= ruakb.ru
WWW_DOMAIN ?= www.ruakb.ru
SECOND_DOMAIN ?= ruakb.online
SECOND_WWW_DOMAIN ?= www.ruakb.online
LETSENCRYPT_EMAIL ?= admin@ruakb.ru
AUTO_CERT_INIT ?= 0
CONFIRM_TOKEN ?= ROTATE-PROD-SECRETS
CERTBOT_DOMAINS = -d "$(DOMAIN)" -d "$(WWW_DOMAIN)" $(if $(strip $(SECOND_DOMAIN)),-d "$(SECOND_DOMAIN)") $(if $(strip $(SECOND_WWW_DOMAIN)),-d "$(SECOND_WWW_DOMAIN)")
LOCAL_COMPOSE = docker compose -f docker-compose.yml -f docker-compose.local.yml
PROD_COMPOSE = docker compose -f docker-compose.yml -f docker-compose.prod.nginx.yml
CERT_COMPOSE = docker compose -f docker-compose.yml -f docker-compose.prod.nginx.yml -f docker-compose.prod.cert.yml
help:
@echo "Targets:"
@echo " local-up - Start local stack"
@echo " local-down - Stop local stack"
@echo " local-logs - Tail local logs"
@echo " local-migrate - Apply migrations (local)"
@echo " local-test - Run backend tests (local)"
@echo " local-seed - Seed quotes (local)"
@echo " prod-up - Start production stack (nginx 80/443 + TLS certs already issued)"
@echo " prod-down - Stop production stack"
@echo " prod-logs - Tail production logs"
@echo " prod-ps - Show production services"
@echo " prod-migrate - Apply migrations (prod)"
@echo " prod-secrets-generate - Generate rotated internal secrets into .env.prod"
@echo " prod-secrets-apply - Generate + apply rotated internal secrets to running prod stack"
@echo " prod-minio-tls-init - Generate internal CA and MinIO TLS certs (deploy/tls/minio)"
@echo " incident-checklist - Create PDn incident checklist markdown report"
@echo " security-smoke - Run security smoke checks and create report"
@echo " prod-security-audit - Full production security audit/repair workflow"
@echo " rotate-encryption-kid - Add new KID key pair to .env and switch active KID"
@echo " reencrypt-active-kid - Re-encrypt historical encrypted fields using active KID"
@echo " prod-cert-init - Initial Let's Encrypt issue (nginx only 80 during bootstrap)"
@echo " prod-cert-renew - Renew existing certificates"
@echo ""
@echo "Domains:"
@echo " DOMAIN=$(DOMAIN)"
@echo " WWW_DOMAIN=$(WWW_DOMAIN)"
@echo " SECOND_DOMAIN=$(SECOND_DOMAIN)"
@echo " SECOND_WWW_DOMAIN=$(SECOND_WWW_DOMAIN)"
@echo " AUTO_CERT_INIT=$(AUTO_CERT_INIT)"
local-up:
$(LOCAL_COMPOSE) up -d --build
local-down:
$(LOCAL_COMPOSE) down
local-logs:
$(LOCAL_COMPOSE) logs -f --tail=200
local-migrate:
$(LOCAL_COMPOSE) exec -T backend alembic upgrade head
local-test:
$(LOCAL_COMPOSE) exec -T backend python -m unittest discover -s tests -p "test_*.py" -v
local-seed:
$(LOCAL_COMPOSE) exec -T backend python -m app.scripts.upsert_quotes
check-prod-files:
@test -f docker-compose.prod.nginx.yml || (echo "[ERROR] Missing docker-compose.prod.nginx.yml. Run: git pull"; exit 1)
@test -f frontend/nginx.prod.conf || (echo "[ERROR] Missing frontend/nginx.prod.conf. Run: git pull"; exit 1)
@test -f scripts/ops/minio_tls_bootstrap.sh || (echo "[ERROR] Missing scripts/ops/minio_tls_bootstrap.sh. Run: git pull"; exit 1)
check-cert-files: check-prod-files
@test -f docker-compose.prod.cert.yml || (echo "[ERROR] Missing docker-compose.prod.cert.yml. Run: git pull"; exit 1)
@test -f deploy/nginx/edge-http-only.conf || (echo "[ERROR] Missing deploy/nginx/edge-http-only.conf. Run: git pull"; exit 1)
@test -f deploy/nginx/edge-https.conf || (echo "[ERROR] Missing deploy/nginx/edge-https.conf. Run: git pull"; exit 1)
prod-up: check-prod-files
$(PROD_COMPOSE) up -d --build --force-recreate --remove-orphans
$(PROD_COMPOSE) exec -T backend alembic upgrade head
prod-down: check-prod-files
$(PROD_COMPOSE) down
prod-logs: check-prod-files
$(PROD_COMPOSE) logs -f --tail=200
prod-ps: check-prod-files
$(PROD_COMPOSE) ps
prod-migrate: check-prod-files
$(PROD_COMPOSE) exec -T backend alembic upgrade head
prod-secrets-generate:
./scripts/ops/rotate_prod_secrets.sh --env-in .env.production --env-out .env.prod
prod-secrets-apply: check-prod-files
./scripts/ops/rotate_prod_secrets.sh --env-in .env.production --env-out .env.prod --apply-running --compose-override docker-compose.prod.nginx.yml --non-interactive --require-confirmation-token "$(CONFIRM_TOKEN)"
prod-minio-tls-init:
./scripts/ops/minio_tls_bootstrap.sh
incident-checklist:
./scripts/ops/incident_checklist.sh
security-smoke:
./scripts/ops/security_smoke.sh
prod-security-audit: check-cert-files
DOMAIN="$(DOMAIN)" \
WWW_DOMAIN="$(WWW_DOMAIN)" \
SECOND_DOMAIN="$(SECOND_DOMAIN)" \
SECOND_WWW_DOMAIN="$(SECOND_WWW_DOMAIN)" \
LETSENCRYPT_EMAIL="$(LETSENCRYPT_EMAIL)" \
AUTO_CERT_INIT="$(AUTO_CERT_INIT)" \
./scripts/ops/prod_security_audit.sh
rotate-encryption-kid:
./scripts/ops/rotate_encryption_kid.sh --env-file .env
reencrypt-active-kid:
docker compose exec -T backend python -m app.scripts.reencrypt_with_active_kid --apply
# Initial certificate bootstrap:
# 1) Start stack with edge nginx on port 80 only.
# 2) Obtain cert via certbot webroot challenge.
# 3) Restart stack in regular prod mode (80/443).
prod-cert-init: check-cert-files
$(CERT_COMPOSE) up -d --build db redis minio backend chat-service worker beat frontend edge
$(CERT_COMPOSE) run --rm certbot certonly --webroot -w /var/www/certbot --email "$(LETSENCRYPT_EMAIL)" --agree-tos --no-eff-email --non-interactive --expand $(CERTBOT_DOMAINS)
$(PROD_COMPOSE) up -d --build edge
$(PROD_COMPOSE) exec -T backend alembic upgrade head
prod-cert-renew: check-prod-files
$(PROD_COMPOSE) run --rm certbot renew --webroot -w /var/www/certbot
$(PROD_COMPOSE) exec -T edge nginx -s reload
# Backward-compatible aliases
run: local-up
migrate: local-migrate
test: local-test
seed-quotes: local-seed
Reference in a new issue View git blame Copy permalink