feat: production deployment - full update with providers, admin, glossaries, pricing, tests
Major changes across backend, frontend, infrastructure: - Provider system with model selection (Google, DeepL, OpenAI, Ollama, Google Cloud) - Admin panel: user management, pricing, settings - Glossary system with CSV import/export - Subscription and tier quota management - Security hardening (rate limiting, API key auth, path traversal fixes) - Docker compose for dev, prod, and IONOS deployment - Alembic migrations for new tables - Frontend: dashboard, pricing page, landing page, i18n (en/fr) - Test suite and verification scripts Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -188,6 +188,18 @@ kubectl get hpa -n translate-api
|
||||
|
||||
## 🔒 SSL/TLS Configuration
|
||||
|
||||
### Reverse proxy (Nginx – Story 6.5)
|
||||
|
||||
En production, le reverse proxy Nginx fournit :
|
||||
|
||||
- **HTTP → HTTPS** : redirection 301 (sauf `/health` et `/.well-known/acme-challenge/` pour Let's Encrypt).
|
||||
- **TLS 1.2+** : `ssl_protocols TLSv1.2 TLSv1.3` (SSLv3 et TLS 1.0/1.1 désactivés).
|
||||
- **HSTS** : en-tête `Strict-Transport-Security` avec `max-age=31536000; includeSubDomains`.
|
||||
- **Routage** : `/api/` et `/api/*` → backend (FastAPI, port 8000) ; `/*` → frontend (Next.js, port 3000). Les en-têtes `X-Forwarded-For` et `X-Forwarded-Proto` sont transmis. Une route alternative `location /translate` est configurée pour compatibilité (proxy vers `backend/translate`) ; l’API versionnée reste `POST /api/v1/translate`.
|
||||
- **Health check** : `GET https://domain/health` est proxyfié vers le backend (pour orchestrateurs et monitoring). Le healthcheck Docker du conteneur nginx ne fait que `nginx -t` (syntaxe) ; pour vérifier la disponibilité via le proxy, exécuter depuis l’hôte : `curl -f https://your-domain/health`.
|
||||
|
||||
Configuration : `docker/nginx/nginx.conf` et `docker/nginx/conf.d/default.conf`. Certificats dans `docker/nginx/ssl/` (voir options ci-dessous).
|
||||
|
||||
### Option 1: Let's Encrypt (Recommended)
|
||||
|
||||
```bash
|
||||
@@ -217,13 +229,25 @@ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
|
||||
|
||||
## ⚙️ Environment Configuration
|
||||
|
||||
### Required Variables
|
||||
### Configuration procedure (Story 6.6 – NFR10)
|
||||
|
||||
1. Copy the example file: `cp .env.example .env` (or `.env.production` for production).
|
||||
2. Fill all **required** variables (see `.env.example` comments: "Required" vs "Optional").
|
||||
3. In production, the app **fails at startup** with a clear message if any required variable is missing (e.g. `JWT_SECRET_KEY`, `ADMIN_USERNAME`, `ADMIN_PASSWORD` or `ADMIN_PASSWORD_HASH`, `ADMIN_TOKEN_SECRET`, `DATABASE_URL`, `REDIS_URL` when rate limiting is enabled). No secrets in code; see `.env.example` for the full list.
|
||||
|
||||
### Required Variables (production)
|
||||
|
||||
When `ENV=production`, the app fails at startup if any of these are missing. See `.env.example` for the full list and Optional vs Required.
|
||||
|
||||
| Variable | Description | Default |
|
||||
|----------|-------------|---------|
|
||||
| `DOMAIN` | Your domain name | - |
|
||||
| `JWT_SECRET_KEY` | JWT signing key | - |
|
||||
| `ADMIN_USERNAME` | Admin login | admin |
|
||||
| `ADMIN_PASSWORD` | Admin password | changeme123 |
|
||||
| `ADMIN_PASSWORD` or `ADMIN_PASSWORD_HASH` | Admin auth | - |
|
||||
| `ADMIN_TOKEN_SECRET` | Admin session tokens | - |
|
||||
| `DATABASE_URL` | PostgreSQL connection string (or use `POSTGRES_*`) | - |
|
||||
| `REDIS_URL` | Redis URL (when `RATE_LIMIT_ENABLED=true`) | - |
|
||||
| `DOMAIN` | Your domain (for proxy/SSL) | - |
|
||||
| `TRANSLATION_SERVICE` | Default provider | ollama |
|
||||
|
||||
### Translation Providers
|
||||
|
||||
Reference in New Issue
Block a user