deploy: target jwilder-proxy production stack
Some checks failed
CI / ruff (push) Has been cancelled
CI / mypy --strict (push) Has been cancelled
CI / pytest (push) Has been cancelled
CI / bandit (push) Has been cancelled
CI / pip-audit (push) Has been cancelled

Production deployment now matches the host setup that already runs
neuronetz.ai / neuro-landing: the gateway sits behind the jwilder
nginx-proxy + acme-companion already on the host, instead of bundling
its own Caddy sidecar.

- docker-compose.yml: drop the Caddy service entirely. The gateway joins
  an external `proxy` Docker network (the same one neuronetz-web /
  neuronetz-www use) and advertises itself with VIRTUAL_HOST /
  VIRTUAL_PORT / LETSENCRYPT_HOST / LETSENCRYPT_EMAIL. nginx-proxy
  routes TLS-terminated traffic to it on the shared network;
  acme-companion handles Let's Encrypt issuance + renewal for
  api.neuronetz.ai automatically. NO host ports are published in this
  compose file anywhere — gateway, postgres, redis, ollama all stay
  unreachable from the host. Pinned container_names
  (neuronetz-gateway / -postgres / -redis / -ollama) for stable
  identification by nginx-proxy and ops scripts.
- .env.example: add GATEWAY_VIRTUAL_HOST + LETSENCRYPT_EMAIL; flip the
  default GATEWAY_TRUSTED_PROXIES to `127.0.0.1,nginx-proxy`.
- docs/DEPLOYMENT.md: the canonical path is now jwilder-proxy.
  Reorganized prerequisites + steps around it; documented adding HSTS
  and the other security headers via the nginx-proxy custom-config
  mechanism (/etc/nginx/vhost.d/<host>). The Caddy sidecar lives on as
  a documented alternative for hosts without jwilder-proxy
  (ops/caddy/Caddyfile.example is kept).

The Ollama-never-exposed non-negotiable is unchanged.
Stephan Berbig
2026-05-26 20:55:20 +02:00
parent b47a09db91
commit b2ec32c852
3 changed files with 119 additions and 68 deletions


@@ -9,7 +9,14 @@ GATEWAY_BIND_PORT=8080
GATEWAY_LOG_LEVEL=INFO
GATEWAY_LOG_FORMAT=json # json|console
GATEWAY_REQUEST_ID_HEADER=X-Request-ID
GATEWAY_TRUSTED_PROXIES=127.0.0.1,caddy # for X-Forwarded-For
GATEWAY_TRUSTED_PROXIES=127.0.0.1,nginx-proxy # for X-Forwarded-For
# ──────────── Public hostname (jwilder-proxy / acme-companion) ───────
# These are consumed by docker-compose.yml's gateway service so that the
# host's nginx-proxy stack routes TLS-terminated traffic for your domain.
# Mirrors the pattern used by neuro-landing.
GATEWAY_VIRTUAL_HOST=api.neuronetz.ai
LETSENCRYPT_EMAIL=admin@neuronetz.ai
# ──────────────────────────── Upstream ───────────────────────────
OLLAMA_BASE_URL=http://ollama:11434
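Review bot: the new default `GATEWAY_TRUSTED_PROXIES=127.0.0.1,nginx-proxy` only yields correct client addresses if the gateway resolves `nginx-proxy` to the proxy container's address on the shared `proxy` network at the time it matches the peer (or re-resolves when that address changes); if the entry is compared literally against the socket peer IP, the proxy's `X-Forwarded-For` is never trusted and every request is attributed to the proxy, and if the name is resolved once at startup, a restart of nginx-proxy that changes its IP silently breaks the trust. The inline comment `# for X-Forwarded-For` should say how the entry is matched (hostname re-resolved per request, or address only), and if the gateway accepts a CIDR, the proxy network's subnet is the more robust form than a container name. Minor: `GATEWAY_VIRTUAL_HOST=api.neuronetz.ai` and `LETSENCRYPT_EMAIL=admin@neuronetz.ai` are live-looking values in an example file; placeholders such as `api.example.com` / `ops@example.com` avoid a copied-but-unedited `.env` advertising the real hostname to nginx-proxy and acme-companion on another host.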