diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index 08f9ea8..961be1a 100755
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -19,6 +19,8 @@ INSTALL_DIR="/opt/"
 SERVICE_USER=""
 SERVICE_NAME=""
 HEALTH_URL="http://localhost:3000/api/health"
+NGINX_CONF_SRC="${INSTALL_DIR}/config/nginx/.conf" # set to "" to skip
+NGINX_DOMAIN=""
 # -----------------------------------------
 SOURCE_DIR="${1:-.}"
@@ -42,10 +44,26 @@ rsync -a --delete \
 "${SOURCE_DIR}/" "${INSTALL_DIR}/"
 chown -R "${SERVICE_USER}:${SERVICE_USER}" "${INSTALL_DIR}"
-echo "[2/3] Installing dependencies..."
+echo "[2/4] Installing dependencies..."
 sudo -u "${SERVICE_USER}" HOME="${INSTALL_DIR}" bash -c "cd ${INSTALL_DIR} && npm ci --omit=dev"
-echo "[3/3] Restarting service..."
+echo "[3/4] Updating nginx config..."
+if [[ -n "${NGINX_CONF_SRC:-}" && -f "${NGINX_CONF_SRC}" ]]; then
+ WEBUZO_DIR="/var/webuzo-data/nginx/custom/domains"
+ NGINX_BIN="/usr/local/apps/nginx/sbin/nginx"
+ if [[ -d "${WEBUZO_DIR}" ]]; then
+ cat "${NGINX_CONF_SRC}" > "${WEBUZO_DIR}/${NGINX_DOMAIN}.conf"
+ else
+ cp "${NGINX_CONF_SRC}" "/etc/nginx/conf.d/${SERVICE_NAME}.conf"
+ NGINX_BIN="nginx"
+ fi
+ "${NGINX_BIN}" -t && "${NGINX_BIN}" -s reload
+ echo "nginx reloaded"
+else
+ echo "nginx: no config source set — skipping"
+fi
+
+echo "[4/4] Restarting service..."
 systemctl daemon-reload
 systemctl restart "${SERVICE_NAME}"
 sleep 2
@@ -53,7 +71,7 @@ sleep 2
 if systemctl is-active --quiet "${SERVICE_NAME}"; then
 echo "Service running"
 else
- echo "Error: service failed to start"; exit 1
+ echo "Error: service failed to start — check: journalctl -u ${SERVICE_NAME} -n 50"; exit 1
 fi
 curl -sf "${HEALTH_URL}" || { echo "FAIL: health check"; exit 1; }
diff --git a/scripts/setup-project.sh b/scripts/setup-project.sh
index 4b25798..2af26e8 100755
--- a/scripts/setup-project.sh
+++ b/scripts/setup-project.sh
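Review bot: `NGINX_CONF_SRC` defaults to `${INSTALL_DIR}/config/nginx/.conf`, a path whose basename is just `.conf`, and `INSTALL_DIR` is `/opt/` with a trailing slash; both read like template placeholders that were lost rather than real paths, and the `# set to "" to skip` comment does not say which file the app is expected to ship at that location. `NGINX_DOMAIN=""` is introduced with no comment at all, although the next hunk uses it to name the Webuzo vhost file; I would document that, e.g. `NGINX_DOMAIN="" # required on Webuzo hosts (those with /var/webuzo-data/nginx/custom/domains): the vhost whose .conf gets written`.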
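Review bot: The Webuzo branch writes `${WEBUZO_DIR}/${NGINX_DOMAIN}.conf` while `NGINX_DOMAIN` is declared `""` in the first hunk and never validated, so a Webuzo host with no domain configured gets a hidden `.conf` that applies to no vhost and the step still reports success. On the `-t && -s reload` line the new config is already in nginx's include path before it is tested, and a failing `-t` neither stops the script (`set -e`, if it is on — the script header is outside the hunk — does not fire on a non-final command of an `&&` list) nor the unconditional `echo "nginx reloaded"` after it, so a broken config stays on disk and the service restart proceeds anyway. The `else` message `no config source set — skipping` is also printed when the source is set but the file is missing, which hides a packaging error as a normal skip. The rewrite below separates unset from missing, requires `NGINX_DOMAIN` on Webuzo hosts, and keeps a copy of the live file so a rejected config is rolled back rather than left behind.
```shell
echo "[3/4] Updating nginx config..."
if [[ -z "${NGINX_CONF_SRC:-}" ]]; then
  echo "nginx: no config source set — skipping"
elif [[ ! -f "${NGINX_CONF_SRC}" ]]; then
  echo "Error: nginx config source not found: ${NGINX_CONF_SRC}" >&2; exit 1
else
  WEBUZO_DIR="/var/webuzo-data/nginx/custom/domains"
  NGINX_BIN="/usr/local/apps/nginx/sbin/nginx"
  if [[ -d "${WEBUZO_DIR}" ]]; then
    # A Webuzo vhost file is keyed by domain; an empty name would silently
    # produce a hidden ".conf" that applies to nothing.
    : "${NGINX_DOMAIN:?NGINX_DOMAIN must be set on Webuzo hosts}"
    NGINX_DEST="${WEBUZO_DIR}/${NGINX_DOMAIN}.conf"
  else
    NGINX_DEST="/etc/nginx/conf.d/${SERVICE_NAME}.conf"
    NGINX_BIN="nginx"
  fi
  # Keep the previous live file so a rejected config can be rolled back
  # instead of being left in nginx's include path.
  NGINX_BAK=""
  if [[ -f "${NGINX_DEST}" ]]; then
    NGINX_BAK=$(mktemp) || exit 1
    cp -- "${NGINX_DEST}" "${NGINX_BAK}"
  fi
  cp -- "${NGINX_CONF_SRC}" "${NGINX_DEST}"
  if "${NGINX_BIN}" -t; then
    "${NGINX_BIN}" -s reload || { echo "Error: nginx reload failed" >&2; exit 1; }
    echo "nginx reloaded"
  else
    echo "Error: nginx config test failed; restoring previous ${NGINX_DEST}" >&2
    if [[ -n "${NGINX_BAK}" ]]; then cp -- "${NGINX_BAK}" "${NGINX_DEST}"; else rm -f -- "${NGINX_DEST}"; fi
    exit 1
  fi
  if [[ -n "${NGINX_BAK}" ]]; then rm -f -- "${NGINX_BAK}"; fi
fi
# … unchanged: "[4/4] Restarting service..." and the systemctl calls …
```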
@@ -198,16 +198,21 @@ else
 fi
 cat > "${NGINX_CONF}" << 'NGINX'
+# Security headers — at server block level so they are inherited by all
+# location blocks (including Webuzo's own regex location).
+# Do NOT move into location blocks: on Webuzo the regex location
+# location ~ (\.php|shtml|/)$ takes priority and blocks inheritance.
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "DENY" always;
+add_header Referrer-Policy "no-referrer" always;
+add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+
 # Static files
 location / {
 root __INSTALL_DIR__/public;
 index index.html;
 try_files $uri $uri/ /index.html;
-
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Frame-Options "DENY" always;
- add_header Referrer-Policy "no-referrer" always;
 }
 # API proxy
@@ -243,8 +248,12 @@ NGINX
 sed -i "s|__INSTALL_DIR__|${INSTALL_DIR}|g" "${NGINX_CONF}"
 sed -i "s|__PORT__|${PORT}|g" "${NGINX_CONF}"
-if nginx -t 2>/dev/null; then
- systemctl reload nginx
+NGINX_BIN="/usr/local/apps/nginx/sbin/nginx"
+if [[ ! -x "${NGINX_BIN}" ]]; then
+ NGINX_BIN="nginx"
+fi
+if "${NGINX_BIN}" -t 2>/dev/null; then
+ "${NGINX_BIN}" -s reload
 echo " ${NGINX_CONF} — nginx reloaded"
 else
 echo " Warning: nginx config test failed. Check ${NGINX_CONF} manually."
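Review bot: The rationale in the new comment is not quite how nginx resolves `add_header`: server-level headers are inherited only into locations that declare no `add_header` of their own, and a location that declares even one replaces the whole inherited set — the Webuzo regex location does not "take priority" over the server-level headers, it simply drops them if it sets its own. The same rule applies to the `# API proxy` location that begins right after this hunk (its body is outside the hunk): any `add_header` there, for CORS or caching say, would silently strip all five security headers from API responses. I would reword the comment to state the rule and its consequence: `# nginx add_header is not merged: a location that sets ANY add_header of its own drops every server-level header. Do not add add_header inside a location block (Webuzo's regex location included) without repeating this full set there.`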
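Review bot: `"${NGINX_BIN}" -t 2>/dev/null` throws away the one line that tells the operator what is wrong, and the `else` branch then leaves the rejected `${NGINX_CONF}` in place and continues, so the next nginx restart on that host fails with no record of why; capture the output instead, `if nginx_out=$("${NGINX_BIN}" -t 2>&1); then` and in the warning branch `printf '%s\n' "${nginx_out}" >&2`. The reload line `"${NGINX_BIN}" -s reload` is also unchecked, so a failed reload still prints "nginx reloaded". Separately, this script picks the Webuzo binary by `-x` on `/usr/local/apps/nginx/sbin/nginx` while `deploy.sh` in this same commit picks it by `-d` on `/var/webuzo-data/nginx/custom/domains`; on a host where only one of those exists the two scripts would test and reload different nginx instances, so one shared detection rule would be safer.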