Merge branch 'codex/hosting-drone-setup'

trying to merge this file
Prepare hosting deployment and Drone image builds
2026-03-18 19:14:09 +07:00 · 2026-03-18 19:12:13 +07:00 · 2026-03-18 15:26:18 +06:00 · 2026-01-22 10:37:05 +07:00 · 2026-01-22 10:32:21 +07:00
13 changed files with 201 additions and 149 deletions
--- a/.drone.yml
+++ b/.drone.yml
@@ -8,27 +8,21 @@ trigger:
    - pull_request
 steps:
-  - name: python-lint
+  - name: backend-sanity
    image: python:3.11-slim
    commands:
      - cd backend
-      - pip install flake8
+      - pip install --no-cache-dir -r requirements.txt
-      - flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
+      - python -m py_compile main.py auth.py daemons.py oidc_config.py
-  - name: frontend-lint
+  - name: frontend-build-check
    image: node:20-alpine
    commands:
      - cd frontend
      - npm ci --silent
      - npm run build
      - npm run lint || echo "ESLint warnings found"
  - name: python-security
    image: python:3.11-slim
    commands:
      - cd backend
      - pip install safety
      - safety check --file=requirements.txt --exit-zero || echo "Security warnings found"
  - name: frontend-security
    image: node:20-alpine
    commands:
@@ -39,7 +33,7 @@ steps:
 ---
 kind: pipeline
 type: docker
-name: build-backend
+name: build-images
 trigger:
  branch:
@@ -61,8 +55,9 @@ steps:
      repo: registry.nevetime.ru/mc-panel-backend
      tags:
        - latest
-        - ${DRONE_COMMIT_SHA:0:8}
+        - "${DRONE_BUILD_NUMBER}"
-        - ${DRONE_BRANCH}
+        - "${DRONE_COMMIT_SHA:0:8}"
        - "${DRONE_BRANCH}"
      auto_tag: true
      dockerfile: backend/Dockerfile
      context: backend
@@ -70,33 +65,7 @@ steps:
        from_secret: docker_username
      password:
        from_secret: docker_password
      build_args:
        - BUILD_DATE=${DRONE_BUILD_CREATED}
        - VCS_REF=${DRONE_COMMIT_SHA}
        - VERSION=${DRONE_TAG:-${DRONE_BRANCH}}
    when:
      event:
        - push
        - tag
 ---
 kind: pipeline
 type: docker
 name: build-frontend
 trigger:
  branch:
    - main
    - master
    - develop
  event:
    - push
    - tag
 depends_on:
  - code-quality
 steps:
  - name: build-frontend-image
    image: plugins/docker
    settings:
@@ -104,12 +73,12 @@ steps:
      repo: registry.nevetime.ru/mc-panel-frontend
      tags:
        - latest
-        - ${DRONE_COMMIT_SHA:0:8}
+        - "${DRONE_BUILD_NUMBER}"
-        - ${DRONE_BRANCH}
+        - "${DRONE_COMMIT_SHA:0:8}"
        - "${DRONE_BRANCH}"
      auto_tag: true
      dockerfile: frontend/Dockerfile
      context: frontend
      target: production
      username:
        from_secret: docker_username
      password:
@@ -148,8 +117,8 @@ steps:
      repo: registry.nevetime.ru/mc-panel
      tags:
        - latest
-        - ${DRONE_COMMIT_SHA:0:8}
+        - "${DRONE_COMMIT_SHA:0:8}"
-        - ${DRONE_BRANCH}
+        - "${DRONE_BRANCH}"
      auto_tag: true
      dockerfile: Dockerfile
      context: .
@@ -165,69 +134,3 @@ steps:
      event:
        - push
        - tag
 ---
 kind: pipeline
 type: docker
 name: deploy-staging
 trigger:
  branch:
    - develop
  event:
    - push
 depends_on:
  - build-backend
  - build-frontend
  - build-monolith
 steps:
  - name: deploy-separate-services
    image: alpine:latest
    environment:
      STAGING_HOST:
        from_secret: staging_host
      STAGING_USER:
        from_secret: staging_user
      STAGING_KEY:
        from_secret: staging_ssh_key
    commands:
      - apk add --no-cache openssh-client
      - echo "Deploying separate services to staging..."
      - echo "$STAGING_KEY" | base64 -d > /tmp/ssh_key
      - chmod 600 /tmp/ssh_key
      - ssh -o StrictHostKeyChecking=no -i /tmp/ssh_key $STAGING_USER@$STAGING_HOST "docker pull registry.nevetime.ru/mc-panel-backend:${DRONE_COMMIT_SHA:0:8} && docker pull registry.nevetime.ru/mc-panel-frontend:${DRONE_COMMIT_SHA:0:8}"
 ---
 kind: pipeline
 type: docker
 name: deploy-production
 trigger:
  ref:
    - refs/tags/v*
  event:
    - tag
 depends_on:
  - build-backend
  - build-frontend
  - build-monolith
 steps:
  - name: deploy-separate-services
    image: alpine:latest
    environment:
      PROD_HOST:
        from_secret: production_host
      PROD_USER:
        from_secret: production_user
      PROD_KEY:
        from_secret: production_ssh_key
    commands:
      - apk add --no-cache openssh-client
      - echo "Deploying separate services to production..."
      - echo "$PROD_KEY" | base64 -d > /tmp/ssh_key
      - chmod 600 /tmp/ssh_key
      - ssh -o StrictHostKeyChecking=no -i /tmp/ssh_key $PROD_USER@$PROD_HOST "docker pull registry.nevetime.ru/mc-panel-backend:${DRONE_TAG} && docker pull registry.nevetime.ru/mc-panel-frontend:${DRONE_TAG}"
--- a/HOSTING_DEPLOY.md
+++ b/HOSTING_DEPLOY.md
@@ -0,0 +1,33 @@
 # Hosting Deployment
 ## 1) Prerequisites
 - Docker Engine + Docker Compose plugin
 - Domain pointing to your host IP
 - (Optional) HTTPS reverse proxy in front of port 80
 ## 2) Prepare environment
 ```bash
 cp backend/.env.example backend/.env
 cp deploy/.env.hosting.example deploy/.env
 ```
 Edit `backend/.env`:
 - `SECRET_KEY`
 - `BASE_URL` and `FRONTEND_URL` (your real domain)
 - `SSO_ENABLED=true` + `ZITADEL_*` only if you use SSO
 ## 3) Pull and run published images
 ```bash
 docker compose --env-file deploy/.env -f deploy/docker-compose.hosting.yml pull
 docker compose --env-file deploy/.env -f deploy/docker-compose.hosting.yml up -d
 ```
 ## 4) Verify
 - Frontend: `http://<your-host>/`
 - Backend health: `docker compose -f deploy/docker-compose.hosting.yml logs backend`
 - Frontend health: `docker compose -f deploy/docker-compose.hosting.yml logs frontend`
 ## Notes
 - Frontend uses same-origin `/api` in production, so no hardcoded API host is required.
 - Backend health endpoint is `/health`.
 - If you need local frontend->local backend development, use `frontend/.env.local`.
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -0,0 +1,14 @@
 # JWT
 SECRET_KEY=change-me-in-production
 ALGORITHM=HS256
 ACCESS_TOKEN_EXPIRE_MINUTES=43200
 # OpenID Connect (SSO)
 SSO_ENABLED=false
 ZITADEL_ISSUER=
 ZITADEL_CLIENT_ID=
 ZITADEL_CLIENT_SECRET=
 # URLs
 BASE_URL=https://panel.example.com
 FRONTEND_URL=https://panel.example.com
--- a/backend/main.py
+++ b/backend/main.py
@@ -172,6 +172,11 @@ def check_server_access(user: dict, server_name: str):
        return False
    return server_name in user.get("servers", [])
 # Healthcheck endpoint for Docker/hosting probes
@app.get("/health")
 async def health():
    return {"status": "ok"}
 # API для аутентификации
 # OpenID Connect endpoints
@@ -1936,4 +1941,4 @@ app.include_router(daemons_router)
 if __name__ == "__main__":
    import uvicorn
-    uvicorn.run(app, host="0.0.0.0", port=8000)
+    uvicorn.run(app, host="0.0.0.0", port=4546)
--- a/backend/oidc_config.py
+++ b/backend/oidc_config.py
@@ -4,28 +4,58 @@
 import os
 from typing import Dict, Any
-# Конфигурация провайдеров OpenID Connect
+
-OIDC_PROVIDERS = {
+def _is_truthy(value: str) -> bool:
    """Безопасный парсинг bool из переменных окружения."""
    return value.strip().lower() in {"1", "true", "yes", "on"}
 def _is_config_value_set(value: str) -> bool:
    """Проверка, что значение реально задано, а не заглушка."""
    normalized = value.strip().lower()
    return normalized not in {"", "none", "null", "undefined"}
 def is_sso_enabled() -> bool:
    """Глобальный флаг включения SSO через env."""
    # По умолчанию SSO включён, чтобы не ломать существующее поведение.
    raw = os.getenv("SSO_ENABLED", "true")
    return _is_truthy(raw)
 def get_oidc_providers() -> Dict[str, Dict[str, Any]]:
    """Собрать конфигурацию OpenID Connect провайдеров из env."""
    issuer = os.getenv("ZITADEL_ISSUER", "")
    return {
        "zitadel": {
            "name": "ZITADEL",
            "client_id": os.getenv("ZITADEL_CLIENT_ID", ""),
            "client_secret": os.getenv("ZITADEL_CLIENT_SECRET", ""),
-        "server_metadata_url": os.getenv("ZITADEL_ISSUER", "") + "/.well-known/openid-configuration",
+            "server_metadata_url": issuer.rstrip("/") + "/.well-known/openid-configuration" if issuer else "",
-        "issuer": os.getenv("ZITADEL_ISSUER", ""),
+            "issuer": issuer,
            "scopes": ["openid", "email", "profile"],
            "icon": "🔐",
            "color": "bg-purple-600 hover:bg-purple-700"
        }
    }
 # Для обратной совместимости с импортами из других модулей
 OIDC_PROVIDERS = get_oidc_providers()
 def get_enabled_providers() -> Dict[str, Dict[str, Any]]:
-    """Получить список включённых провайдеров (с настроенными client_id)"""
+    """Получить список включённых провайдеров (с настроенным client_id)."""
-    enabled = {}
+    if not is_sso_enabled():
-    for provider_id, config in OIDC_PROVIDERS.items():
+        return {}
-        if config.get("client_id") and config.get("issuer"):
+
    enabled: Dict[str, Dict[str, Any]] = {}
    for provider_id, config in get_oidc_providers().items():
        if _is_config_value_set(config.get("client_id", "")) and _is_config_value_set(config.get("issuer", "")):
            enabled[provider_id] = config
    return enabled
 def get_redirect_uri(provider_id: str, base_url: str = "http://localhost:8000") -> str:
-    """Получить redirect URI для провайдера"""
+    """Получить redirect URI для провайдера."""
    return f"{base_url}/api/auth/oidc/{provider_id}/callback"
--- a/deploy/.env.hosting.example
+++ b/deploy/.env.hosting.example
@@ -0,0 +1,9 @@
 # Image tag produced by Drone (latest or build number)
 IMAGE_TAG=latest
 # Optional explicit image names
 # BACKEND_IMAGE=registry.nevetime.ru/mc-panel-backend:latest
 # FRONTEND_IMAGE=registry.nevetime.ru/mc-panel-frontend:latest
 # External port for the frontend container
 FRONTEND_PORT=80
--- a/deploy/docker-compose.hosting.yml
+++ b/deploy/docker-compose.hosting.yml
@@ -0,0 +1,56 @@
 version: '3.8'
 services:
  backend:
    image: ${BACKEND_IMAGE:-registry.nevetime.ru/mc-panel-backend:${IMAGE_TAG:-latest}}
    container_name: mc-panel-backend
    restart: unless-stopped
    env_file:
      - ../backend/.env
    environment:
      PORT: 8000
      WORKERS: 2
      PYTHONPATH: /app
      DEBUG: 'false'
    volumes:
      - mc_servers:/app/servers
      - mc_data:/app/data
      - mc_logs:/app/logs
    networks:
      - mc-panel-network
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s
  frontend:
    image: ${FRONTEND_IMAGE:-registry.nevetime.ru/mc-panel-frontend:${IMAGE_TAG:-latest}}
    container_name: mc-panel-frontend
    restart: unless-stopped
    ports:
      - "${FRONTEND_PORT:-80}:80"
    depends_on:
      backend:
        condition: service_healthy
    networks:
      - mc-panel-network
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
 volumes:
  mc_servers:
    driver: local
  mc_data:
    driver: local
  mc_logs:
    driver: local
 networks:
  mc-panel-network:
    driver: bridge
--- a/frontend/.env
+++ b/frontend/.env
@@ -1 +1 @@
-VITE_API_URL=http://26.62.117.104:8000
+VITE_API_URL=
--- a/frontend/.env.example
+++ b/frontend/.env.example
@@ -1,3 +1,4 @@
-# API URL (необязательно, по умолчанию определяется автоматически)
+# API URL:
-# Раскомментируйте и укажите ваш IP для удаленного доступа
+# - пусто: same-origin (/api), рекомендуется для production с nginx proxy
-# VITE_API_URL=http://26.123.45.67:8000
+# - http://localhost:4546: локальный backend
 VITE_API_URL=
--- a/frontend/.env.local.example
+++ b/frontend/.env.local.example
@@ -1,10 +1,10 @@
 # Создайте файл .env.local и раскомментируйте нужную строку
 # Для локального использования (по умолчанию)
-# VITE_API_URL=http://localhost:8000
+# VITE_API_URL=http://localhost:4546
 # Для Radmin VPN (замените на ваш IP)
-# VITE_API_URL=http://26.62.117.104:8000
+# VITE_API_URL=http://26.62.117.104:4546
 # Для Hamachi (замените на ваш IP)
-# VITE_API_URL=http://25.123.45.67:8000
+# VITE_API_URL=http://25.123.45.67:4546
--- a/frontend/src/components/Auth.jsx
+++ b/frontend/src/components/Auth.jsx
@@ -41,7 +41,7 @@ export default function Auth({ onLogin }) {
    try {
      await onLogin(username, password, isLogin);
    } catch (err) {
-      setError(err.message || 'Ошибка авторизации');
+      setError(err?.response?.data?.detail || err.message || 'Ошибка авторизации');
    } finally {
      setLoading(false);
    }
@@ -182,7 +182,7 @@ export default function Auth({ onLogin }) {
          {isLogin && (
            <div className={`mt-6 text-center text-sm ${currentTheme.textSecondary}`}>
              <p>Учётные данные по умолчанию:</p>
-              <p className={`${currentTheme.text} font-mono mt-1`}>none / none</p>
+              <p className={`${currentTheme.text} font-mono mt-1`}>admin / Admin</p>
            </div>
          )}
        </div>
--- a/frontend/src/components/UserManagement.jsx
+++ b/frontend/src/components/UserManagement.jsx
@@ -2,6 +2,7 @@ import { useState, useEffect } from 'react';
 import { Users, Shield, Ban, Trash2, UserCheck, Server } from 'lucide-react';
 import axios from 'axios';
 import { notify } from './NotificationSystem';
 import { API_URL } from '../config';
 const UserManagement = ({ token, currentUser }) => {
  const [users, setUsers] = useState([]);
@@ -10,8 +11,6 @@ const UserManagement = ({ token, currentUser }) => {
  const [showRoleModal, setShowRoleModal] = useState(false);
  const [showAccessModal, setShowAccessModal] = useState(false);
  const API_URL = import.meta.env.VITE_API_URL || 'http://localhost:8000';
  // Загрузка пользователей
  const loadUsers = async () => {
    try {
--- a/frontend/src/config.js
+++ b/frontend/src/config.js
@@ -1,21 +1,23 @@
 // Автоматически определяем API URL
 const getApiUrl = () => {
-  // Если задана переменная окружения, используем её
+  // Если переменная задана даже пустой строкой, используем её как явный override.
-  if (import.meta.env.VITE_API_URL) {
+  // Пустая строка = same-origin (/api через nginx proxy).
-    return import.meta.env.VITE_API_URL;
+  if (Object.prototype.hasOwnProperty.call(import.meta.env, 'VITE_API_URL')) {
    const value = import.meta.env.VITE_API_URL || '';
    return value.replace(/\/$/, '');
  }
-  // Иначе используем текущий хост с портом 8000
+  // Иначе используем текущий хост с портом 4546
  const protocol = window.location.protocol;
  const hostname = window.location.hostname;
-  // Если localhost, используем localhost:8000
+  // Если localhost, используем localhost:4546
  if (hostname === 'localhost' || hostname === '127.0.0.1') {
-    return `${protocol}//localhost:8000`;
+    return `${protocol}//localhost:4546`;
  }
-  // Для удаленного доступа используем IP:8000
+  // Для удаленного доступа используем IP:4546
-  return `${protocol}//${hostname}:8000`;
+  return `${protocol}//${hostname}:4546`;
 };
 export const API_URL = getApiUrl();
Author	SHA1	Message	Date
administrator	7388962a7d	Merge branch 'codex/hosting-drone-setup' Some checks failed continuous-integration/drone/push Build was killed Details	2026-03-18 19:14:09 +07:00
administrator	7c54c57633	trying to merge this file	2026-03-18 19:12:13 +07:00
arkonsadter	05b8efd0f2	Prepare hosting deployment and Drone image builds Some checks failed continuous-integration/drone/push Build was killed Details continuous-integration/drone/pr Build was killed Details	2026-03-18 15:26:18 +06:00
administrator	fd84094aa4	Another attempt to fix .drone.yml... Some checks failed continuous-integration/drone/push Build is failing Details	2026-01-22 10:37:05 +07:00
administrator	7eb2ea5662	An attempt to fix .drone.yml, deleted python-security stage Some checks failed continuous-integration/drone/push Build encountered an error Details	2026-01-22 10:32:21 +07:00
`@@ -1 +1 @@`
	`VITE_API_URL=http://26.62.117.104:8000`	`VITE_API_URL=`