OPC # 0001: Extract gateway into standalone repo

2026-04-25 17:27:47 -04:00
commit 6accc7ca25
10 changed files with 224 additions and 0 deletions
@@ -0,0 +1,19 @@
+# Auto-generated by ControlPlane.Worker — do not edit manually.
+# Tenant: fdev-app-clarity-01000000
+server {
+    listen 443 ssl;
+    server_name fdev-app-clarity-01000000.clarity.test;
+
+    ssl_certificate     /etc/nginx/certs/clarity.test.crt;
+    ssl_certificate_key /etc/nginx/certs/clarity.test.key;
+
+    location / {
+        # Docker DNS resolves the container name on the managed network
+        set $upstream http://fdev-app-clarity-01000000:8080;
+        proxy_pass $upstream;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
@@ -0,0 +1,19 @@
+# Auto-generated by ControlPlane.Worker — do not edit manually.
+# Tenant: fdev-app-clarity-02000000
+server {
+    listen 443 ssl;
+    server_name fdev-app-clarity-02000000.clarity.test;
+
+    ssl_certificate     /etc/nginx/certs/clarity.test.crt;
+    ssl_certificate_key /etc/nginx/certs/clarity.test.key;
+
+    location / {
+        # Docker DNS resolves the container name on the managed network
+        set $upstream http://fdev-app-clarity-02000000:8080;
+        proxy_pass $upstream;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
@@ -0,0 +1,19 @@
+# Auto-generated by ControlPlane.Worker — do not edit manually.
+# Tenant: fdev-app-clarity-03000000
+server {
+    listen 443 ssl;
+    server_name fdev-app-clarity-03000000.clarity.test;
+
+    ssl_certificate     /etc/nginx/certs/clarity.test.crt;
+    ssl_certificate_key /etc/nginx/certs/clarity.test.key;
+
+    location / {
+        # Docker DNS resolves the container name on the managed network
+        set $upstream http://fdev-app-clarity-03000000:8080;
+        proxy_pass $upstream;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
@@ -0,0 +1,19 @@
+# Auto-generated by ControlPlane.Worker — do not edit manually.
+# Tenant: fdev-app-clarity-04000000
+server {
+    listen 443 ssl;
+    server_name fdev-app-clarity-04000000.clarity.test;
+
+    ssl_certificate     /etc/nginx/certs/clarity.test.crt;
+    ssl_certificate_key /etc/nginx/certs/clarity.test.key;
+
+    location / {
+        # Docker DNS resolves the container name on the managed network
+        set $upstream http://fdev-app-clarity-04000000:8080;
+        proxy_pass $upstream;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
@@ -0,0 +1,21 @@
+server {
+    listen 443 ssl;
+    server_name opc.clarity.test;
+
+    ssl_certificate     /etc/nginx/certs/clarity.test.crt;
+    ssl_certificate_key /etc/nginx/certs/clarity.test.key;
+
+    # Git over HTTP needs larger body and longer timeouts
+    client_max_body_size 100m;
+    proxy_read_timeout   300s;
+    proxy_send_timeout   300s;
+
+    location / {
+        set $upstream http://host.docker.internal:3000;
+        proxy_pass $upstream;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
@@ -0,0 +1,16 @@
+server {
+    listen 443 ssl;
+    server_name keycloak.clarity.test;
+
+    ssl_certificate     /etc/nginx/certs/clarity.test.crt;
+    ssl_certificate_key /etc/nginx/certs/clarity.test.key;
+
+    location / {
+        set $upstream http://keycloak:8080;
+        proxy_pass $upstream;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
@@ -0,0 +1,27 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    # Use Docker's embedded DNS resolver so container names resolve dynamically.
+    # This is critical — without it nginx resolves upstream names at startup only
+    # and won't pick up newly provisioned tenant containers.
+    resolver 127.0.0.11 valid=5s ipv6=off;
+
+    # Shared log format
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent"';
+
+    access_log /var/log/nginx/access.log main;
+    error_log  /var/log/nginx/error.log warn;
+
+    # Redirect all HTTP → HTTPS
+    server {
+        listen 80 default_server;
+        return 301 https://$host$request_uri;
+    }
+
+    # Pick up per-tenant server blocks dropped by the provisioning worker
+    include /etc/nginx/conf.d/*.conf;
+}