Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
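# nginx vhost for buildmymcpserver.com — install on the host nginx:
#   scp this to /etc/nginx/sites-available/buildmymcpserver
#   ln -s /etc/nginx/sites-available/buildmymcpserver /etc/nginx/sites-enabled/
#   nginx -t && systemctl reload nginx
#
# TLS is terminated by Cloudflare (proxied DNS records). The origin serves
# plain HTTP on :80 — same pattern as the other Cloudflare-fronted apps here.
# Set the Cloudflare SSL/TLS mode to "Full" for this zone.
#
# NOTE(review): "Full" makes the Cloudflare edge connect to the origin over
# HTTPS (:443), which this vhost does not serve; the mode that matches an
# HTTP-only origin is "Flexible". Confirm against the zone settings the other
# apps on this box use before deploying — a mismatch surfaces as Cloudflare 52x
# errors at the edge, not as anything in the nginx logs.
#
# Consequences of the edge terminating TLS, handled below:
#   * $remote_addr is the Cloudflare edge address, not the visitor. The visitor
#     address arrives in CF-Connecting-IP; real_ip restores it so X-Real-IP,
#     X-Forwarded-For and the access log carry the real client.
#   * $scheme is always "http" on this hop. The apps must see the visitor-facing
#     scheme (https) or they build http:// URLs and non-Secure cookies, so the
#     edge's X-Forwarded-Proto is forwarded instead of $scheme.
#   * :80 is reachable by anyone who learns the host IP, not only via Cloudflare.
#     Restrict it (host firewall, or nginx allow/deny) to Cloudflare's published
#     ranges so WAF, rate limiting and TLS at the edge cannot be bypassed.
#
# map / real_ip directives are http-level; on Debian-style layouts
# sites-enabled/* is included from inside the http {} block, so they are valid
# in this file.

# Trust CF-Connecting-IP only when the peer is a Cloudflare edge. The include
# below is a placeholder path: generate the file from Cloudflare's published IP
# list (https://www.cloudflare.com/ips/), one `set_real_ip_from <cidr>;` per
# range, refresh it when the list changes, then uncomment. Without any
# set_real_ip_from entry real_ip_header is inert, so the vhost still loads.
# include /etc/nginx/cloudflare-real-ip.conf;   # PLACEHOLDER — see above
real_ip_header CF-Connecting-IP;

# Send "Connection: upgrade" only for WebSocket handshakes. A fixed
# 'upgrade' value (the previous form) goes out on every plain request too.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Visitor-facing scheme: Cloudflare sets X-Forwarded-Proto on the edge->origin
# hop. Fall back to $scheme for direct (non-proxied) requests.
map $http_x_forwarded_proto $forwarded_proto {
    default $http_x_forwarded_proto;
    ''      $scheme;
}

# --- Web app: buildmymcpserver.com ---
server {
    listen 80;
    listen [::]:80;
    server_name buildmymcpserver.com www.buildmymcpserver.com;

    client_max_body_size 12M;

    # Next-style web app; supports HMR/WebSocket upgrade via the map above.
    location / {
        proxy_pass http://127.0.0.1:4001;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $forwarded_proto;
        proxy_cache_bypass $http_upgrade;
        proxy_read_timeout 120s;
    }
}

# --- Control plane API: api.buildmymcpserver.com ---
server {
    listen 80;
    listen [::]:80;
    server_name api.buildmymcpserver.com;

    client_max_body_size 12M;

    # Build-log WebSocket stream (/v1/builds/:id/stream) — needs the upgrade
    # headers and a long read timeout; buffering off so frames are not held.
    location /v1/builds/ {
        proxy_pass http://127.0.0.1:4000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $forwarded_proto;
        proxy_buffering off;
        proxy_cache off;
        proxy_read_timeout 600s;
    }

    # Everything else on the API: ordinary request/response.
    location / {
        proxy_pass http://127.0.0.1:4000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $forwarded_proto;
        proxy_cache_bypass $http_upgrade;
        proxy_read_timeout 120s;
    }
}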