refactor(infra): switch from Docker nginx to host nginx

- Remove nginx/certbot Docker services (port conflict with host nginx)
- Add infra/nginx/bcsd-api.conf for host nginx sites-enabled
- API containers expose host ports (8001/8002 for blue/green)
- deploy.sh copies conf to /etc/nginx/sites-enabled/ and reloads host nginx
- Health check uses curl on host port instead of docker exec
- init-ssl.sh uses host certbot instead of Docker certbot

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: ImTotem

.env.example

@@ -39,7 +39,12 @@ MONGO_PORT=27017
 MONGO_VOLUME_PATH=/home/ubuntu/bcsd-data/mongo
 
 # === Deployment ===
-# Blue-green 배포 시 graceful shutdown 대기 시간 (초)
+# Blue-green API 호스트 포트 (호스트 nginx에서 프록시)
+API_BLUE_PORT=8001
+API_GREEN_PORT=8002
+# n8n 호스트 포트
+N8N_PORT=5678
+# Graceful shutdown 대기 시간 (초)
 GRACEFUL_TIMEOUT=10
 
 # === Infrastructure ===

infra/docker/docker-compose.yml

@@ -8,25 +8,27 @@ services:
       - ../../.env
     volumes:
       - ../../${GOOGLE_SERVICE_ACCOUNT_FILE}:/app/${GOOGLE_SERVICE_ACCOUNT_FILE}:ro
-    expose:
-      - "8000"
+    ports:
+      - "${API_BLUE_PORT}:8000"
     command: ["uvicorn", "bcsd_api.main:app", "--host", "0.0.0.0", "--port", "8000", "--timeout-graceful-shutdown", "${GRACEFUL_TIMEOUT}"]
     stop_grace_period: ${GRACEFUL_TIMEOUT}s
     networks:
       - bcsd
 
   api-green:
     <<: *api
+    ports:
+      - "${API_GREEN_PORT}:8000"
 
   n8n:
     image: n8nio/n8n:latest
     restart: unless-stopped
-    expose:
-      - "5678"
+    ports:
+      - "${N8N_PORT}:5678"
     environment:
-      N8N_HOST: n8n.bcsdlab.com
+      N8N_HOST: "${N8N_DOMAIN}"
       N8N_PROTOCOL: https
-      WEBHOOK_URL: https://n8n.bcsdlab.com/
+      WEBHOOK_URL: "https://${N8N_DOMAIN}/"
       N8N_BASIC_AUTH_ACTIVE: "true"
       N8N_BASIC_AUTH_USER: "${N8N_AUTH_USER}"
       N8N_BASIC_AUTH_PASSWORD: "${N8N_AUTH_PASSWORD}"
@@ -36,39 +38,8 @@ services:
     networks:
       - bcsd
 
-  nginx:
-    image: nginx:alpine
-    restart: unless-stopped
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
-      - certbot-webroot:/var/www/certbot:ro
-      - certbot-certs:/etc/letsencrypt:ro
-    depends_on:
-      - api-blue
-      - api-green
-      - n8n
-    networks:
-      - bcsd
-
-  certbot:
-    image: certbot/certbot:latest
-    volumes:
-      - certbot-webroot:/var/www/certbot
-      - certbot-certs:/etc/letsencrypt
-      - ../scripts/certbot_slack.py:/usr/local/bin/certbot_slack.py:ro
-    environment:
-      SLACK_BOT_TOKEN: "${SLACK_BOT_TOKEN}"
-      SLACK_CERTBOT_CHANNEL: "${SLACK_CERTBOT_CHANNEL}"
-      SLACK_SERVER_NAME: "${SLACK_SERVER_NAME}"
-    entrypoint: /bin/sh -c "trap exit TERM; while :; do python /usr/local/bin/certbot_slack.py; sleep 12h & wait $${!}; done"
-
 volumes:
   n8n-data:
-  certbot-webroot:
-  certbot-certs:
 
 networks:
   bcsd:

infra/docker/nginx.conf infra/nginx/bcsd-api.confinfra/docker/nginx.conf renamed to infra/nginx/bcsd-api.conf

@@ -4,15 +4,19 @@ map $http_upgrade $connection_upgrade {
 }
 
 upstream api_blue {
-    server api-blue:8000;
+    server 127.0.0.1:8001;
 }
 
 upstream api_green {
-    server api-green:8000;
+    server 127.0.0.1:8002;
+}
+
+upstream n8n {
+    server 127.0.0.1:5678;
 }
 
 upstream frontend {
-    server frontend:8080;
+    server 127.0.0.1:8080;
 }
 
 # --- HTTP: ACME + redirect ---
@@ -148,7 +152,7 @@ server {
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
 
     location / {
-        proxy_pass http://n8n:5678;
+        proxy_pass http://n8n;
         proxy_http_version 1.1;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;

infra/scripts/deploy.sh

@@ -3,7 +3,8 @@ set -euo pipefail
 
 COMPOSE="sudo docker compose --env-file .env -f infra/docker/docker-compose.yml"
 COMPOSE_DB="sudo docker compose --env-file .env -f infra/docker/docker-compose.db.yml"
-NGINX_CONF="infra/docker/nginx.conf"
+NGINX_CONF="infra/nginx/bcsd-api.conf"
+NGINX_DEST="/etc/nginx/sites-enabled/bcsd-api.conf"
 HEALTH_PATH="/openapi.json"
 MAX_RETRIES=10
 
@@ -16,12 +17,11 @@ next_slot() {
 }
 
 health_check() {
-    local container="api-${1}"
+    local port
+    port=$(grep -m1 "^API_$(echo "$1" | tr '[:lower:]' '[:upper:]')_PORT=" .env | cut -d= -f2-)
     local retries=0
     while [ $retries -lt $MAX_RETRIES ]; do
-        if $COMPOSE exec "$container" python -c \
-            "import urllib.request; urllib.request.urlopen('http://localhost:8000${HEALTH_PATH}')" \
-            > /dev/null 2>&1; then
+        if curl -sf "http://localhost:${port}${HEALTH_PATH}" > /dev/null 2>&1; then
             return 0
         fi
         retries=$((retries + 1))
@@ -63,8 +63,8 @@ echo "Current: $CURRENT → Deploying: $NEXT"
 echo "1. Building $NEXT..."
 $COMPOSE build "api-${NEXT}"
 
-echo "2. Starting $NEXT + nginx..."
-$COMPOSE up -d "api-${NEXT}" nginx
+echo "2. Starting $NEXT..."
+$COMPOSE up -d "api-${NEXT}"
 
 echo "3. Health check on api-${NEXT}..."
 if ! health_check "$NEXT"; then
@@ -77,8 +77,9 @@ if ! health_check "$NEXT"; then
 fi
 
 echo "4. Switching nginx → $NEXT"
-sed -i "s/proxy_pass http:\/\/api_${CURRENT}/proxy_pass http:\/\/api_${NEXT}/" "$NGINX_CONF"
-$COMPOSE exec nginx nginx -s reload
+sed -i "s/proxy_pass http:\/\/api_${CURRENT}/proxy_pass http:\/\/api_${NEXT}/g" "$NGINX_CONF"
+sudo cp "$NGINX_CONF" "$NGINX_DEST"
+sudo nginx -t && sudo nginx -s reload
 
 echo "5. Stopping old ($CURRENT)..."
 $COMPOSE stop "api-${CURRENT}"

infra/scripts/init-ssl.sh

@@ -5,27 +5,23 @@ if [ -f .env ]; then
     set -a; source .env; set +a
 fi
 
-COMPOSE="sudo docker compose --env-file .env -f infra/docker/docker-compose.yml"
 DOMAIN="${DOMAIN:?Set DOMAIN in .env}"
 N8N_DOMAIN="${N8N_DOMAIN}"
 FRONTEND_DOMAIN="${FRONTEND_DOMAIN}"
 
 echo "=== Initial SSL Certificate Setup ==="
 
-echo "1. Starting nginx for ACME challenge..."
-$COMPOSE up -d nginx
-
-echo "2. Requesting certificate for $DOMAIN..."
-$COMPOSE run --rm certbot certonly \
+echo "1. Requesting certificate for $DOMAIN..."
+sudo certbot certonly \
     --webroot \
     -w /var/www/certbot \
     -d "$DOMAIN" \
     --register-unsafely-without-email \
     --agree-tos
 
 if [ -n "$N8N_DOMAIN" ]; then
-    echo "3. Requesting certificate for $N8N_DOMAIN..."
-    $COMPOSE run --rm certbot certonly \
+    echo "2. Requesting certificate for $N8N_DOMAIN..."
+    sudo certbot certonly \
         --webroot \
         -w /var/www/certbot \
         -d "$N8N_DOMAIN" \
@@ -34,8 +30,8 @@ if [ -n "$N8N_DOMAIN" ]; then
 fi
 
 if [ -n "$FRONTEND_DOMAIN" ]; then
-    echo "4. Requesting certificate for $FRONTEND_DOMAIN (+ internal.bcsdlab.com)..."
-    $COMPOSE run --rm certbot certonly \
+    echo "3. Requesting certificate for $FRONTEND_DOMAIN (+ internal.bcsdlab.com)..."
+    sudo certbot certonly \
         --webroot \
         -w /var/www/certbot \
         -d "$FRONTEND_DOMAIN" \
@@ -44,8 +40,8 @@ if [ -n "$FRONTEND_DOMAIN" ]; then
         --agree-tos
 fi
 
-echo "5. Reloading nginx with SSL..."
-$COMPOSE exec nginx nginx -s reload
+echo "4. Reloading nginx..."
+sudo nginx -t && sudo nginx -s reload
 
 echo "=== SSL setup complete ==="
-echo "Auto-renewal is handled by the certbot container."
+echo "Auto-renewal: sudo certbot renew (via system cron/timer)"