chore: initial commit

Author: evedes

.claude/settings.local.json

@@ -0,0 +1,8 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(ls:*)"
+    ],
+    "deny": []
+  }
+}

.github/workflows/deploy.yaml

@@ -0,0 +1,59 @@
+name: Deploy to Batman Server
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code (for access to docker-compose-reverseproxy.yaml and nginx.conf)
+        uses: actions/checkout@v4
+
+      - name: Connect to Tailscale
+        uses: tailscale/github-action@v2
+        with:
+          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
+          tags: tag:batman-ci
+
+      - name: Copy nginx.conf to Batman Server
+        uses: appleboy/scp-action@v0.1.7
+        with:
+          source: "docker-compose-reverseproxy.yaml,nginx.conf"
+          target: /home/${{ secrets.BATMAN_SERVER_USER}}/
+          host: ${{ secrets.BATMAN_SERVER_IP }}
+          username: ${{ secrets.BATMAN_SERVER_USER }}
+          key: ${{ secrets.BATMAN_SERVER_SSH_KEY }}
+
+      - name: Deploy to Batman Server
+        uses: appleboy/ssh-action@v0.1.0
+        with:
+          host: ${{ secrets.BATMAN_SERVER_IP }}
+          username: ${{ secrets.BATMAN_SERVER_USER }}
+          key: ${{ secrets.BATMAN_SERVER_SSH_KEY }}
+          port: 22
+          script: |
+            echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+            docker compose -f docker-compose-reverseproxy.yaml up -d
+
+      - name: List and remove non-latest images in Batman Server
+        uses: appleboy/ssh-action@v0.1.0
+        with:
+          host: ${{ secrets.BATMAN_SERVER_IP }}
+          username: ${{ secrets.BATMAN_SERVER_USER }}
+          key: ${{ secrets.BATMAN_SERVER_SSH_KEY }}
+          port: 22
+          script: |
+            images=$(docker images --format '{{.Repository}}:{{.Tag}} {{.ID}}' | grep -v ':latest')
+            echo "Images to be removed:"
+            echo "$images"
+
+            while IFS= read -r image; do
+             repo_tag=$(echo $image | awk '{print $1}')
+             image_id=$(echo $image | awk '{print $2}')
+             echo "Removing image $repo_tag with ID $image_id"
+             docker rmi "$image_id" || true
+            done <<< "$images"

CLAUDE.md

@@ -0,0 +1,51 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Project Overview
+
+This is a Docker-based Nginx reverse proxy for the Batman server that handles SSL termination and routing for multiple domains including eduardovedes.com.
+
+## Architecture
+
+- **nginx.conf**: Main Nginx configuration file that defines server blocks for each domain
+- **docker-compose-reverseproxy.yaml**: Docker Compose configuration for the Nginx reverse proxy container
+- **SSL certificates**: Mounted from ./ssl/{domain}/ directories containing fullchain.pem and privkey.pem files
+- **External network**: Uses 'batmanvps' external Docker network to communicate with backend services
+
+## Common Commands
+
+```bash
+# Start the reverse proxy
+docker-compose -f docker-compose-reverseproxy.yaml up -d
+
+# Stop the reverse proxy
+docker-compose -f docker-compose-reverseproxy.yaml down
+
+# View logs
+docker-compose -f docker-compose-reverseproxy.yaml logs -f
+
+# Restart Nginx (reload configuration)
+docker-compose -f docker-compose-reverseproxy.yaml restart nginx
+
+# Test Nginx configuration syntax
+docker exec nginx-reverseproxy nginx -t
+```
+
+## Domain Configuration Pattern
+
+Each domain follows this pattern in nginx.conf:
+
+- HTTP (port 80): Redirects to HTTPS
+- HTTPS (port 443): SSL termination with proxy_pass to backend services
+- Backend services are accessed via Docker network names (e.g., `frontend-{domain}:3000`)
+- API endpoints for some domains are routed to separate backend services on port 3001
+
+## SSL Configuration
+
+SSL certificates are expected in ./ssl/{domain}/ directories with:
+
+- fullchain.pem (certificate chain)
+- privkey.pem (private key)
+
+All domains use TLSv1.2 and TLSv1.3 with HSTS headers for security.

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Eduardo Vedes
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,3 @@
+# batman-reverse-proxy
+
+A Docker-based Nginx reverse proxy for the Batman dedicated server that handles SSL termination and routing for eduardovedes.com and its subdomains.

docker-compose-reverseproxy.yaml

@@ -0,0 +1,16 @@
+services:
+  nginx:
+    image: nginx:latest
+    container_name: nginx-reverseproxy
+    restart: unless-stopped
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx.conf:/etc/nginx/conf.d/default.conf
+      - ./ssl/eduardovedes:/etc/nginx/ssl/eduardovedes
+    networks:
+      - batmanvps
+networks:
+  batmanvps:
+    external: true

nginx.conf

@@ -0,0 +1,44 @@
+# Global SSL session cache
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+
+# Enable gzip compression
+gzip on;
+gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+server {
+  listen 80;
+  server_name eduardovedes.com www.eduardovedes.com
+
+  access_log /var/log/nginx/http_redirect.access.log;
+  error_log /var/log/nginx/http_redirect.error.log;
+
+  location / {
+    return 301 https://$host$request_uri;
+  }
+}
+
+server {
+  listen 443 ssl;
+  server_name eduardovedes.com www.eduardovedes.com;
+  client_max_body_size 500M;
+
+  access_log /var/log/nginx/eduardovedes.access.log;
+  error_log /var/log/nginx/eduardovedes.error.log;
+
+  ssl_certificate /etc/nginx/ssl/eduardovedes/fullchain.pem;
+  ssl_certificate_key /etc/nginx/ssl/eduardovedes/privkey.pem;
+
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_prefer_server_ciphers on;
+  ssl_ciphers HIGH:!aNULL:!MD5;
+  add_header Strict-Transport-Security "max-age=31536000" always;
+
+  location / {
+    proxy_pass http://frontend-eduardovedes:3000;
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+  }
+}