vietreport-admin/solution-erp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[CLAUDE] VPS setup scripts + SSL + runner + FE prod config + master runbook
Some checks failed
Deploy SOLUTION_ERP / build-backend (push) Failing after 9s
Details
Deploy SOLUTION_ERP / build-fe-admin (push) Has been cancelled
Details
Deploy SOLUTION_ERP / build-fe-user (push) Has been cancelled
Details
Deploy SOLUTION_ERP / deploy-iis (push) Has been cancelled
Details

Browse Source 
Scripts moi (PowerShell admin trên VPS Windows Server):
- setup-sql-db.ps1: tao DB SolutionErp + grant db_owner cho vrapp (user shared voi VIETREPORT). Idempotent.
- setup-iis-sites.ps1: app pool SolutionErp-Api (NoManagedCode + AlwaysRunning + no idle) + 3 site (SolutionErp-Api/Admin/User) voi host header, C:\inetpub\solution-erp\{api,fe-admin,fe-user,logs,uploads}. Placeholder index.html + SPA web.config voi URL rewrite fallback + security headers. Firewall rule. ACL grant AppPool identity Modify. Naming prefix SolutionErp-* tranh conflict VIETREPORT.
- setup-ssl.ps1: download win-acme v2.2.9 → issue cert Let's Encrypt 3 domain (api/admin/user.huypham.vn) qua HTTP-01 challenge + auto install IIS binding + HTTP→HTTPS redirect + scheduled task 90d renew.
- setup-gitea-runner.ps1: download act_runner.exe → register voi Gitea git.baocaogiaoduc.vn, install Windows service, labels windows-latest,self-hosted,windows,x64 (cho phep share voi VIETREPORT).

FE production config:
- fe-admin/.env.production + fe-user/.env.production: VITE_API_BASE_URL=https://api.huypham.vn
- fe-admin/src/lib/api.ts + fe-user/src/lib/api.ts: BASE_URL = (import.meta.env.VITE_API_BASE_URL ?? '') + '/api'
  - Dev: empty prefix → /api qua Vite proxy :5443
  - Prod: https://api.huypham.vn/api (cross-origin CORS da config AllowedOrigins)

Docs:
- docs/guides/vps-setup.md MOI (master runbook): prereq, 4 script chay theo thu tu, set 5 Gitea secrets, first deploy, appsettings.Production.json pattern (file hoac user-secrets), smoke test 3 curl, post go-live checklist (doi admin password, rotate secrets chat-exposed, backup schedule, disable Swagger prod, monitor logs), table co-existence VIETREPORT
- CLAUDE.md root: add vps-setup.md reference

Gitea repo da setup (extern):
- https://git.baocaogiaoduc.vn/vietreport-admin/solution-erp (private)
- Secrets set via API: IIS_HOST=103.124.94.38, IIS_USER=Administrator, DB_CONNECTION (voi vrapp password), JWT_SECRET placeholder
- CON THIEU: IIS_PASSWORD (Windows admin — user cung cap), JWT_SECRET real value (64-char tu vps-jwt-key.txt — user update qua Gitea UI)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
pqhuy1987
2026-04-21 13:34:26 +07:00
parent fba0754110
commit b1a4571c86
10 changed files with 612 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

113
scripts/setup-ssl.ps1 Normal file
View File

@ -0,0 +1,113 @@
# Cài HTTPS cert Let's Encrypt cho 3 domain SOLUTION_ERP qua win-acme (WACS).
# Chạy trên VPS Windows Server với admin privilege.
# Idempotent: chạy lại sẽ bỏ qua cert còn valid.
#
# Usage:
# .\setup-ssl.ps1
#
# Prereq:
# - IIS sites đã tạo (chạy setup-iis-sites.ps1 trước)
# - Port 80 từ Internet → VPS mở (Let's Encrypt HTTP-01 challenge)
# - 3 domain api/admin/user.huypham.vn đã trỏ DNS về VPS IP
#
# Output:
# - 3 cert trong Windows Cert Store (LocalMachine\My)
# - HTTPS binding port 443 cho 3 site
# - Scheduled task auto-renew (90 day cycle Let's Encrypt, win-acme tự renew khi còn 30 ngày)
$ErrorActionPreference = 'Stop'
$WacsDir = "C:\Program Files\win-acme"
$WacsExe = Join-Path $WacsDir "wacs.exe"
# ===================== 1. Download + install win-acme =====================
if (-not (Test-Path $WacsExe)) {
Write-Host "==> Download win-acme (WACS)..." -ForegroundColor Cyan
$url = "https://github.com/win-acme/win-acme/releases/download/v2.2.9.1701/win-acme.v2.2.9.1701.x64.trimmed.zip"
$zip = "$env:TEMP\wacs.zip"
Invoke-WebRequest -Uri $url -OutFile $zip -UseBasicParsing
if (-not (Test-Path $WacsDir)) { New-Item -ItemType Directory -Force -Path $WacsDir | Out-Null }
Expand-Archive -Path $zip -DestinationPath $WacsDir -Force
Remove-Item $zip
Write-Host " Installed to $WacsDir"
} else {
Write-Host "==> win-acme đã cài tại $WacsDir"
}
# ===================== 2. Check IIS sites exist =====================
Import-Module WebAdministration
$domains = @(
@{ Site = "SolutionErp-Api"; Host = "api.huypham.vn" },
@{ Site = "SolutionErp-Admin"; Host = "admin.huypham.vn" },
@{ Site = "SolutionErp-User"; Host = "user.huypham.vn" }
)
foreach ($d in $domains) {
if (-not (Test-Path "IIS:\Sites\$($d.Site)")) {
Write-Error "Site '$($d.Site)' chưa tồn tại. Chạy setup-iis-sites.ps1 trước."
exit 1
}
}
Write-Host " 3 IIS site đã ready"
# ===================== 3. Run win-acme cho từng domain =====================
foreach ($d in $domains) {
Write-Host "`n==> Issue cert cho $($d.Host)" -ForegroundColor Cyan
# win-acme CLI non-interactive:
# --target iis → lấy hostname từ IIS binding
# --host → domain cụ thể
# --installation iis → auto bind HTTPS 443 + http→https redirect
# --accepttos → auto chấp nhận Let's Encrypt terms
# --emailaddress → email contact nhận alert expiry (đổi cho phù hợp)
$args = @(
"--target", "manual",
"--host", $d.Host,
"--siteid", (Get-Website $d.Site).Id,
"--store", "certificatestore",
"--installation", "iis",
"--accepttos",
"--emailaddress", "admin@huypham.vn"
)
& $WacsExe @args
if ($LASTEXITCODE -ne 0) {
Write-Warning "Issue cert cho $($d.Host) FAIL exit $LASTEXITCODE — kiểm tra:"
Write-Warning " 1. Port 80 Internet → VPS mở (Let's Encrypt reach qua HTTP-01)?"
Write-Warning " 2. DNS $($d.Host)$((Resolve-DnsName $d.Host -Type A -ErrorAction SilentlyContinue).IPAddress)?"
Write-Warning " 3. IIS site $($d.Site) binding port 80 có host header $($d.Host)?"
} else {
Write-Host " ✅ Cert installed"
}
}
# ===================== 4. HTTP → HTTPS redirect rule =====================
Write-Host "`n==> Setup HTTP → HTTPS redirect (URL Rewrite)" -ForegroundColor Cyan
$redirectConfig = @'
<rewrite>
<rules>
<rule name="Redirect HTTP to HTTPS" stopProcessing="true">
<match url="(.*)" />
<conditions>
<add input="{HTTPS}" pattern="^OFF$" />
</conditions>
<action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
</rule>
</rules>
</rewrite>
'@
# win-acme --installation iis đã tự add redirect rule khi binding xong — skip manual.
Write-Host " (win-acme tự setup redirect)"
# ===================== 5. Verify scheduled task =====================
Write-Host "`n==> Verify scheduled task auto-renew"
$task = Get-ScheduledTask -TaskName "win-acme renew (acme-v02.api.letsencrypt.org)" -ErrorAction SilentlyContinue
if ($task) {
Write-Host " ✅ Task '$($task.TaskName)' exists — auto renew 9h daily"
} else {
Write-Warning " Task chưa tạo — chạy tay: $WacsExe --renew --baseuri https://acme-v02.api.letsencrypt.org/"
}
Write-Host "`n✅ SSL setup DONE" -ForegroundColor Green
Write-Host " Test: openssl s_client -connect api.huypham.vn:443 < /dev/null | openssl x509 -noout -subject -dates"
Write-Host " hoặc browser: https://api.huypham.vn/health/live"