Merge pull request #1 from chilleco/add-relay

Add Relay

Author: kosyachniy

.env.example

@@ -27,13 +27,16 @@ GRAFANA_PASS=
 
 # Sentry
 SENTRY_PORT=9002
+SENTRY_RELAY_PORT=9003
 SENTRY_SECRET_KEY=
+SENTRY_RELAY_OPEN_REGISTRATION=true
 SENTRY_SINGLE_ORGANIZATION=1
 SENTRY_EVENT_RETENTION_DAYS=30
 SENTRY_DB_NAME=sentry
 SENTRY_DB_USER=sentry
 SENTRY_DB_PASS=
 SENTRY_SERVER_EMAIL=sentry@chill.services
+# Optional: required only for email notifications / password reset emails
 SENTRY_SMTP_HOST=
 SENTRY_SMTP_PORT=587
 SENTRY_SMTP_USER=

.gitignore

@@ -14,3 +14,6 @@ env/
 
 # Data
 /data/
+
+# Relay credentials (generated locally)
+infra/sentry/relay/credentials.json

AGENTS.md

@@ -4,13 +4,14 @@
 This repository manages the infrastructure stack for the `chill` ecosystem.
 
 - `compose.yml`: main Docker Compose definition for MinIO, MongoDB, Prometheus, Loki, Alloy, Grafana, and Sentry.
-- `infra/`: service-level configuration (`nginx/`, `mongo/`, `prometheus/`, `loki/`, `alloy/`, `grafana/`).
+- `infra/`: service-level configuration (`nginx/`, `mongo/`, `prometheus/`, `loki/`, `alloy/`, `grafana/`, `sentry/`).
 - `scripts/`: helper scripts (`scripts/main.py`, `scripts/lib/s3.py`).
 - `.github/workflows/deploy.yml`: deploy pipeline for `main`.
 - `.env.example`: template for local environment variables.
 
 ## Build, Test, and Development Commands
 - `make up`: build and start all services in detached mode (`docker compose -p base up --build -d`).
+- `make sentry-init`: generate Relay credentials file for Sentry (`infra/sentry/relay/credentials.json`) if it does not exist.
 - `make down`: stop running stack containers.
 - `make status`: show container status and exposed ports.
 - `make mongo`: open `mongosh` inside the running MongoDB container.
@@ -22,6 +23,7 @@ This repository manages the infrastructure stack for the `chill` ecosystem.
 - YAML/Compose: 2-space indentation, lowercase service names (`base-mongo`, `base-grafana`).
 - Environment variables: uppercase with clear prefixes (`MONGO_*`, `GRAFANA_*`, `SENTRY_*`, ...) with entity suffix (`USER` for admin/user login, `PASS` for admin/user password/key, `ID` for account/user/application ID, `TOKEN` for account/user/application secret token, `PORT` for container port exporting, ...).
 - Keep config files service-scoped under `infra/<service>/` and avoid cross-service coupling in a single file.
+- Nginx routing: keep Sentry ingest routes (`/api/store/`, `/api/<project>/...`, `/api/0/relays/`) before the catch-all `/` route and proxy them to Relay.
 
 ## Testing Guidelines
 There is no formal automated test suite yet. Validate changes with infrastructure smoke checks:
@@ -43,4 +45,5 @@ There is no formal automated test suite yet. Validate changes with infrastructur
 - Never commit real secrets; copy `.env.example` to `.env` and keep credentials local.
 - Ensure `DATA_PATH` directories exist and are writable before `make up`.
 - Set strong local values for `SENTRY_SECRET_KEY` and `SENTRY_DB_PASS` before enabling Sentry.
+- Keep `infra/sentry/relay/credentials.json` local-only (generated on host and gitignored).
 - Treat `make set` and TLS changes as production-impacting operations; review host/domain variables first.

Makefile

@@ -10,8 +10,8 @@ set:
 	sudo chmod -R a+w ~/data/
 	sudo chmod 0700 ~/.ssh
 	sudo chmod -R 0600 ~/.ssh/*
-	export EXTERNAL_HOST=${EXTERNAL_HOST} DATA_PATH=${DATA_PATH} PROMETHEUS_PORT=${PROMETHEUS_PORT} GRAFANA_PORT=${GRAFANA_PORT} SENTRY_PORT=${SENTRY_PORT}; \
-	envsubst '$${EXTERNAL_HOST} $${DATA_PATH} $${PROMETHEUS_PORT} $${GRAFANA_PORT} $${SENTRY_PORT}' < infra/nginx/prod.conf > /etc/nginx/sites-enabled/base.conf
+	export EXTERNAL_HOST=${EXTERNAL_HOST} DATA_PATH=${DATA_PATH} PROMETHEUS_PORT=${PROMETHEUS_PORT} GRAFANA_PORT=${GRAFANA_PORT} SENTRY_PORT=${SENTRY_PORT} SENTRY_RELAY_PORT=${SENTRY_RELAY_PORT}; \
+	envsubst '$${EXTERNAL_HOST} $${DATA_PATH} $${PROMETHEUS_PORT} $${GRAFANA_PORT} $${SENTRY_PORT} $${SENTRY_RELAY_PORT}' < infra/nginx/prod.conf > /etc/nginx/sites-enabled/base.conf
 	sudo systemctl restart nginx
 	sudo certbot --nginx
 
@@ -21,11 +21,15 @@ certs:
 	sudo systemctl restart nginx
 	sudo certbot --nginx
 
+.PHONY: sentry-init
+sentry-init:
+	./scripts/ensure_sentry_relay_credentials.sh
+
 # ============================================================================
 # Lifecycle
 # ============================================================================
 
-up:
+up: sentry-init
 	docker compose -p base up --build -d
 
 down:

README.md

@@ -11,7 +11,7 @@ A base of file storages and databases to support projects ecosystem
 sudo sysctl -w vm.max_map_count=262144
 ```
 
-4. Run `make run`
+4. Run `make up` (it auto-generates `infra/sentry/relay/credentials.json` on first run)
 
 5. Set up domains `make set`
 
@@ -23,3 +23,5 @@ sudo sysctl -w vm.max_map_count=262144
 
 9. Create Sentry admin user after stack startup:
 `docker exec -it base-sentry-web sentry createuser --superuser --email <email>`
+
+10. SMTP is optional for Sentry startup; leave `SENTRY_SMTP_*` empty if you do not need email notifications.

compose.yml

@@ -1,7 +1,7 @@
-version: "3.11"
 x-sentry-env: &sentry_env
   SENTRY_SECRET_KEY: ${SENTRY_SECRET_KEY:-change-me}
   SENTRY_SINGLE_ORGANIZATION: ${SENTRY_SINGLE_ORGANIZATION:-1}
+  SENTRY_RELAY_OPEN_REGISTRATION: ${SENTRY_RELAY_OPEN_REGISTRATION:-true}
   SENTRY_EVENT_RETENTION_DAYS: ${SENTRY_EVENT_RETENTION_DAYS:-30}
   SENTRY_POSTGRES_HOST: sentry-postgres
   SENTRY_DB_NAME: ${SENTRY_DB_NAME:-sentry}
@@ -238,6 +238,24 @@ services:
       sentry-redis:
         condition: service_healthy
 
+  sentry-relay:
+    image: getsentry/relay:latest
+    container_name: base-sentry-relay
+    restart: unless-stopped
+    volumes:
+      - ./infra/sentry/relay:/work/.relay
+    command: run --config /work/.relay
+    ports:
+      - "${SENTRY_RELAY_PORT:-9003}:3000"
+    healthcheck:
+      test: ["CMD", "/bin/relay", "healthcheck"]
+      interval: 15s
+      timeout: 5s
+      retries: 10
+    depends_on:
+      sentry-web:
+        condition: service_started
+
   sentry-worker:
     image: getsentry/sentry:latest
     container_name: base-sentry-worker

infra/nginx/prod.conf

@@ -91,8 +91,35 @@ server {
 
     root /;
 
+    location /api/store/ {
+        proxy_pass http://0.0.0.0:${SENTRY_RELAY_PORT};
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+    }
+
+    location ~ ^/api/[1-9]\d*/ {
+        proxy_pass http://0.0.0.0:${SENTRY_RELAY_PORT};
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+    }
+
+    location ^~ /api/0/relays/ {
+        proxy_pass http://0.0.0.0:${SENTRY_RELAY_PORT};
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+    }
+
     location / {
-        proxy_pass http://0.0.0.0:${SENTRY_PORT}$request_uri;
+        proxy_pass http://0.0.0.0:${SENTRY_PORT};
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

infra/sentry/relay/config.yml

@@ -0,0 +1,8 @@
+relay:
+  mode: managed
+  upstream: "http://sentry-web:9000/"
+  host: 0.0.0.0
+  port: 3000
+
+logging:
+  level: WARN

scripts/ensure_sentry_relay_credentials.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+# chmod +x /root/base/scripts/ensure_sentry_relay_credentials.sh
+
+set -euo pipefail
+
+project="${1:-base}"
+relay_dir="infra/sentry/relay"
+relay_config="${relay_dir}/config.yml"
+relay_credentials="${relay_dir}/credentials.json"
+
+is_valid_credentials() {
+  local file_path="$1"
+  grep -q '"public_key"' "${file_path}" && grep -q '"secret_key"' "${file_path}"
+}
+
+ensure_relay_permissions() {
+  chmod 755 "${relay_dir}" 2>/dev/null || true
+  [[ -e "${relay_config}" ]] && chmod 644 "${relay_config}" 2>/dev/null || true
+  [[ -e "${relay_credentials}" ]] && chmod 644 "${relay_credentials}" 2>/dev/null || true
+}
+
+write_default_relay_config() {
+  cat > "${relay_config}" <<'YAML'
+relay:
+  mode: managed
+  upstream: "http://sentry-web:9000/"
+  host: 0.0.0.0
+  port: 3000
+
+logging:
+  level: WARN
+YAML
+}
+
+mkdir -p "${relay_dir}"
+ensure_relay_permissions
+
+if [[ ! -s "${relay_config}" ]]; then
+  write_default_relay_config
+fi
+ensure_relay_permissions
+
+if grep -q '^[[:space:]]*processing:' "${relay_config}" && ! grep -q 'kafka_config' "${relay_config}"; then
+  echo "Relay config has 'processing' enabled without 'kafka_config', resetting to default config."
+  write_default_relay_config
+fi
+
+if [[ -e "${relay_credentials}" && ! -s "${relay_credentials}" ]]; then
+  echo "Relay credentials are empty, regenerating: ${relay_credentials}"
+  rm -f "${relay_credentials}"
+fi
+
+if [[ -s "${relay_credentials}" ]]; then
+  if is_valid_credentials "${relay_credentials}"; then
+    ensure_relay_permissions
+    echo "Relay credentials already exist: ${relay_credentials}"
+    exit 0
+  fi
+
+  echo "Relay credentials are invalid, regenerating: ${relay_credentials}"
+  rm -f "${relay_credentials}"
+fi
+
+tmp_credentials="${relay_credentials}.tmp"
+rm -f "${tmp_credentials}"
+
+# Pull first to avoid implicit pull output polluting generated JSON.
+docker compose -p "${project}" pull sentry-relay >/dev/null 2>&1 || true
+docker compose -p "${project}" run --rm --no-deps -T sentry-relay credentials generate --stdout > "${tmp_credentials}"
+
+if ! is_valid_credentials "${tmp_credentials}"; then
+  echo "Failed to generate valid relay credentials."
+  echo "--- ${tmp_credentials} ---"
+  cat "${tmp_credentials}" || true
+  echo "--- end ---"
+  rm -f "${tmp_credentials}"
+  exit 1
+fi
+
+mv "${tmp_credentials}" "${relay_credentials}"
+ensure_relay_permissions
+echo "Relay credentials written to ${relay_credentials}"