config: make domain configurable via DOMAIN env var

Replace hardcoded evosync.ru with a DOMAIN variable read from .env. nginx.conf is now generated from nginx.conf.template via envsubst; init-letsencrypt.sh reads DOMAIN from .env and fails loudly if unset. README documents the new variable and first-deploy TLS workflow. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-12 14:01:38 +03:00
parent 796cf49ff9
commit 4f4081c54c
6 changed files with 110 additions and 16 deletions
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -1,3 +1,5 @@
+# Generated from nginx.conf.template — do not edit directly.
+# Regenerate: DOMAIN=yourdomain.com envsubst '${DOMAIN}' < nginx/nginx.conf.template > nginx/nginx.conf
 upstream web {
    server 127.0.0.1:8080;
 }
--- a/nginx/nginx.conf.template
+++ b/nginx/nginx.conf.template
@@ -0,0 +1,36 @@
+upstream web {
+    server 127.0.0.1:8080;
+}
+
+server {
+    listen 80;
+    server_name ${DOMAIN} www.${DOMAIN};
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name ${DOMAIN} www.${DOMAIN};
+
+    ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    location / {
+        proxy_pass http://web;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}