feat: Ipad app production readiness, Colony orchestration, Social posting (#44)

#38 Ipad app production readiness, Colony orchestration, Social posting Co-authored-by: Sayan Datta <sayan@Sayans-MacBook-Air.local> Reviewed-on: #44
2026-05-03 18:30:38 +05:30
parent 59d398abc3
commit eeb684b46c
86 changed files with 20349 additions and 1655 deletions
--- a/infrastructure/desineuron_ingress/api.desineuron.in.nginx.conf
+++ b/infrastructure/desineuron_ingress/api.desineuron.in.nginx.conf
@@ -1,21 +1,95 @@
+# Project Velocity production API ingress.
+#
+# Install into /etc/nginx/sites-available/api.desineuron.in.conf and symlink to
+# sites-enabled when Nginx is the public TLS terminator. Do not enable this
+# 80/443 vhost at the same time as the Caddy public terminator for this domain.
+
+map $http_upgrade $velocity_connection_upgrade {
+    default upgrade;
+    ""      close;
+}
+
+upstream velocity_fastapi_backend {
+    server 127.0.0.1:8001 max_fails=3 fail_timeout=10s;
+    server 127.0.0.1:8000 backup max_fails=3 fail_timeout=10s;
+    keepalive 64;
+}
+
 server {
-    listen 443 ssl http2;
+    listen 80;
+    listen [::]:80;
    server_name api.desineuron.in;

-    ssl_certificate     /etc/letsencrypt/live/desineuron-infra/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/desineuron-infra/privkey.pem;
-
-    access_log /var/log/nginx/api.desineuron.in.access.log;
-    error_log  /var/log/nginx/api.desineuron.in.error.log;
+    location ^~ /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+        default_type "text/plain";
+    }

    location / {
-        proxy_pass http://127.0.0.1:8001;
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name api.desineuron.in;
+
+    ssl_certificate     /etc/letsencrypt/live/api.desineuron.in/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/api.desineuron.in/privkey.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache   shared:VelocityAPI:20m;
+    ssl_session_timeout 1d;
+    ssl_session_tickets off;
+
+    client_max_body_size 250m;
+    proxy_read_timeout  3600s;
+    proxy_send_timeout  3600s;
+    proxy_connect_timeout 30s;
+
+    access_log /var/log/nginx/api.desineuron.in.access.log;
+    error_log  /var/log/nginx/api.desineuron.in.error.log warn;
+
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    location = /health {
+        proxy_pass http://velocity_fastapi_backend/health;
        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-Host $host;
+    }
+
+    location ~ ^/(api/sentinel/ws|api/oracle/ws|ws|api/.*/ws) {
+        proxy_pass http://velocity_fastapi_backend;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $velocity_connection_upgrade;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_buffering off;
+    }
+
+    location / {
+        proxy_pass http://velocity_fastapi_backend;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $velocity_connection_upgrade;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Request-ID $request_id;
+        proxy_redirect off;
    }
 }