bunker-admin
99a6abab06
- New video card block for GrapesJS landing pages, email templates, MkDocs export, and documentation editor Insert dropdown - Shared HTML generators in admin/src/utils/videoCardHtml.ts - MkDocs video-player.js hydrates .video-card-block elements: thumbnail fix via MEDIA_API_URL, click-to-play inline, Gallery link - Media API CORS: auto-add MkDocs + docs subdomain origins - env_config_hook.py: smart Docker hostname detection, ADMIN_PORT resolution, pass env vars to MkDocs container - Gallery URL uses /gallery?expanded=ID format - VideoPickerModal: fix double /api prefix and Docker hostname thumbs - Seed: default-video-card PageBlock - Remove V1 legacy code (influence/, map/) Bunker Admin
402 lines
13 KiB
Plaintext
402 lines
13 KiB
Plaintext
# Gitea — allows iframe embedding from admin (app.${DOMAIN})
|
|
server {
|
|
listen 80;
|
|
server_name git.${DOMAIN};
|
|
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
|
|
|
|
# Increase max body size for large git pushes (2GB)
|
|
client_max_body_size 2048M;
|
|
|
|
location / {
|
|
set $upstream_gitea http://gitea-changemaker:3000;
|
|
proxy_pass $upstream_gitea;
|
|
proxy_hide_header X-Frame-Options;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
}
|
|
|
|
# n8n — allows iframe embedding from admin (app.${DOMAIN})
|
|
server {
|
|
listen 80;
|
|
server_name n8n.${DOMAIN};
|
|
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
|
|
|
|
location / {
|
|
set $upstream_n8n http://n8n-changemaker:5678;
|
|
proxy_pass $upstream_n8n;
|
|
proxy_hide_header X-Frame-Options;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
}
|
|
|
|
# Grafana
|
|
server {
|
|
listen 80;
|
|
server_name grafana.${DOMAIN};
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
|
|
location / {
|
|
set $upstream_grafana http://grafana-changemaker:3000;
|
|
proxy_pass $upstream_grafana;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
}
|
|
|
|
# NocoDB (data browser) — allows iframe embedding from admin
|
|
server {
|
|
listen 80;
|
|
server_name db.${DOMAIN};
|
|
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
|
|
|
|
location / {
|
|
set $upstream_nocodb http://changemaker-v2-nocodb:8080;
|
|
proxy_pass $upstream_nocodb;
|
|
proxy_hide_header X-Frame-Options;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
}
|
|
|
|
# Listmonk
|
|
server {
|
|
listen 80;
|
|
server_name listmonk.${DOMAIN};
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
|
|
location / {
|
|
set $upstream_listmonk http://listmonk-app:9000;
|
|
proxy_pass $upstream_listmonk;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
}
|
|
|
|
# MkDocs — allows iframe embedding from admin
|
|
server {
|
|
listen 80;
|
|
server_name docs.${DOMAIN};
|
|
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
|
|
|
|
location / {
|
|
set $upstream_mkdocs http://mkdocs-changemaker:8000;
|
|
proxy_pass $upstream_mkdocs;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
}
|
|
|
|
# Code Server — allows iframe embedding from admin (app.${DOMAIN})
|
|
server {
|
|
listen 80;
|
|
server_name code.${DOMAIN};
|
|
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
|
|
|
|
location / {
|
|
set $upstream_code http://code-server-changemaker:8080;
|
|
proxy_pass $upstream_code;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
}
|
|
|
|
# MailHog (email testing) — allows iframe embedding from admin (app.${DOMAIN})
|
|
server {
|
|
listen 80;
|
|
server_name mail.${DOMAIN};
|
|
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
|
|
|
|
location / {
|
|
set $upstream_mailhog http://mailhog-changemaker:8025;
|
|
proxy_pass $upstream_mailhog;
|
|
proxy_hide_header X-Frame-Options;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
# WebSocket support for MailHog live updates
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
}
|
|
|
|
# Mini QR — allows iframe embedding from admin (app.${DOMAIN})
|
|
server {
|
|
listen 80;
|
|
server_name qr.${DOMAIN};
|
|
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
|
|
|
|
location / {
|
|
set $upstream_miniqr http://mini-qr:8080;
|
|
proxy_pass $upstream_miniqr;
|
|
proxy_hide_header X-Frame-Options;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
}
|
|
|
|
# Excalidraw — allows iframe embedding from admin (app.${DOMAIN})
|
|
server {
|
|
listen 80;
|
|
server_name draw.${DOMAIN};
|
|
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
|
|
|
|
location / {
|
|
set $upstream_excalidraw http://excalidraw-changemaker:80;
|
|
proxy_pass $upstream_excalidraw;
|
|
proxy_hide_header X-Frame-Options;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# WebSocket support for collaboration
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_http_version 1.1;
|
|
}
|
|
}
|
|
|
|
# --- Embed proxy ports (for iframe embedding without DNS/subdomain) ---
|
|
# These listen on dedicated ports so the admin GUI can iframe services via
|
|
# localhost:PORT, bypassing X-Frame-Options without needing *.localhost DNS.
|
|
|
|
server {
|
|
listen 8881;
|
|
location / {
|
|
set $upstream_nocodb http://changemaker-v2-nocodb:8080;
|
|
proxy_pass $upstream_nocodb;
|
|
proxy_hide_header X-Frame-Options;
|
|
proxy_hide_header Content-Security-Policy;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 8882;
|
|
location / {
|
|
set $upstream_n8n http://n8n-changemaker:5678;
|
|
proxy_pass $upstream_n8n;
|
|
proxy_hide_header X-Frame-Options;
|
|
proxy_hide_header Content-Security-Policy;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 8883;
|
|
# Increase max body size for large git pushes (2GB)
|
|
client_max_body_size 2048M;
|
|
location / {
|
|
set $upstream_gitea http://gitea-changemaker:3000;
|
|
proxy_pass $upstream_gitea;
|
|
proxy_hide_header X-Frame-Options;
|
|
proxy_hide_header Content-Security-Policy;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 8884;
|
|
location / {
|
|
set $upstream_mailhog http://mailhog-changemaker:8025;
|
|
proxy_pass $upstream_mailhog;
|
|
proxy_hide_header X-Frame-Options;
|
|
proxy_hide_header Content-Security-Policy;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 8885;
|
|
location / {
|
|
set $upstream_miniqr http://mini-qr:8080;
|
|
proxy_pass $upstream_miniqr;
|
|
proxy_hide_header X-Frame-Options;
|
|
proxy_hide_header Content-Security-Policy;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
}
|
|
|
|
# Excalidraw embed proxy (port 8886)
|
|
server {
|
|
listen 8886;
|
|
location / {
|
|
set $upstream_excalidraw http://excalidraw-changemaker:80;
|
|
proxy_pass $upstream_excalidraw;
|
|
proxy_hide_header X-Frame-Options;
|
|
proxy_hide_header Content-Security-Policy;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# WebSocket support for collaboration
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_http_version 1.1;
|
|
}
|
|
}
|
|
|
|
# Admin GUI — app subdomain
|
|
server {
|
|
listen 80;
|
|
server_name app.${DOMAIN};
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
|
|
location / {
|
|
set $upstream_admin http://changemaker-v2-admin:3000;
|
|
proxy_pass $upstream_admin;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
# WebSocket support for Vite HMR
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
|
|
# Media API routes rewrite (matches Vite dev proxy behavior)
|
|
# Rewrites /media/* to /api/* on media-api (port 4100)
|
|
location /media/ {
|
|
rewrite ^/media/(.*) /api/$1 break;
|
|
proxy_pass http://changemaker-media-api:4100;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# Large file upload support
|
|
client_max_body_size 10G;
|
|
proxy_read_timeout 3600s;
|
|
proxy_connect_timeout 75s;
|
|
proxy_request_buffering off;
|
|
|
|
# WebSocket support
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
|
|
# Media API endpoints (must come BEFORE /api/ for longest prefix match)
|
|
location /api/media/ {
|
|
set $upstream_media http://changemaker-media-api:4100;
|
|
proxy_pass $upstream_media;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# Large upload support
|
|
client_max_body_size 10G;
|
|
proxy_read_timeout 3600s;
|
|
proxy_connect_timeout 75s;
|
|
proxy_request_buffering off;
|
|
|
|
# WebSocket support
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
|
|
# API (Express)
|
|
location /api/ {
|
|
set $upstream_api http://changemaker-v2-api:4000;
|
|
proxy_pass $upstream_api;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
}
|
|
|
|
# Root domain — routes to MkDocs static site only
|
|
server {
|
|
listen 80;
|
|
server_name ${DOMAIN};
|
|
|
|
location / {
|
|
set $upstream_site http://mkdocs-site-server-changemaker:80;
|
|
proxy_pass $upstream_site;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
}
|
|
|
|
# Homepage dashboard — allows iframe embedding from admin
|
|
server {
|
|
listen 80;
|
|
server_name home.${DOMAIN};
|
|
add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
|
|
|
|
location / {
|
|
set $upstream_homepage http://homepage-changemaker:3000;
|
|
proxy_pass $upstream_homepage;
|
|
proxy_hide_header X-Frame-Options;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
}
|
|
|
|
# Homepage embed proxy (port 8887)
|
|
server {
|
|
listen 8887;
|
|
location / {
|
|
set $upstream_homepage http://homepage-changemaker:3000;
|
|
proxy_pass $upstream_homepage;
|
|
proxy_hide_header X-Frame-Options;
|
|
proxy_hide_header Content-Security-Policy;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
}
|