husniddin's notes

Menu

Qisqa arxitektura
Deploy
Deploy bosqichlari
Static site va botlar
Loglar va rebuild
Xavfsizlik
Yakun

Ancha avval tinchost.uz qurgandim. Odamlar ishlatishgan. Faqatgina static saytlarni host qilish uchun edi. Experiment qilgandim, bo’sh noutbugimdan unumli foydalanish uchun qurgandim bu tizimni. Hozir tinchost.uz dam olyapti). Lekin o’shanda o’zimga yoqqandi. Odamlar haqiqiy loyihalarini ishga tushirishgani, men qurgan narsadan haqiqiy odamlar foydalanishi albatta yoqimli. Lekin ko’p texnik sabablarga ko’ra tinchost o’chdi. shitob uchun reasearch o’sha paytda nboshlangan. Qanday qilib bitta vps ichida ko’plab loyihalarni ishlatish haqida o’yladim. Eng ko’p muammo cheklovlar edi. Men serverning haqiqiy resurslariga egalikni bera olmasdim. Texnik narxi juda qimmatlashib ketardi. Men barcha uchun alohida container hosil qilib, ularni ishga tushirardim bu juda qimmatga tushdi. Bundan ish chiqmasligini bildim va izladim. Menga kerak narsa oddiy: odamlar shunchaki kirib oddiy loyihalarni tez host qilishi kerak. Quyida qanaqa qilib qurganim haqida aytaman. Eng oxirida(agar erinmasdan oxirigacha o’qisangiz, yoki shunchaki menudan “yakun” bo’limiga o’ting) yana gaplarim bor

Men xohlagan narsa:

GitHub repo beraman → ishlaydi
FastAPI/Django/Golang web app, Telegram bot, static sitelar ishlasin
Bitta VPS ichida ko‘p user’lar app’lari ishlasin, lekin bir‑birini buzmasin
Resurslar nazoratda bo‘lsin (memory/cpu)

Qisqa arxitektura

Shitob uchta asosiy qismdan iborat:

Nix: build reproducible
systemd: runtime (har bir deployment alohida unit)
nginx: routing (*.shitob.live)

backend:

Go + Fiber: API
DB/PostgreSQL: deployments, userlar
Redis: real‑time log stream va boshqa narsalar uchun

Deploy

Deploy paytida platforma aniq pipeline bo‘yicha ishlaydi:

sequenceDiagram
  participant U as User (Dashboard)
  participant API as Shitob API (Go/Fiber)
  participant DB as Postgres
  participant B as Builder (Nix)
  participant SD as systemd
  participant N as nginx

  U->>API: POST /api/deployments (repo_url, app_type, name, env_vars)
  API->>DB: create deployment (status=deploying, tier, limits)
  API->>API: allocate port (8000-9000), generate subdomain
  API->>B: clone repo + detect type + generate flake + nix build
  B-->>API: nix_store_path (build result)
  API->>SD: systemd-run (DynamicUser, MemoryMax, CPUQuota, sandbox)
  API->>N: write subdomain config -> localhost:PORT
  API->>N: reload nginx
  API->>API: health-check / waitForService
  API->>DB: status=running, expires_at (tierga qarab)
  API-->>U: URL: https://subdomain.shitob.live

Oddiy deploy bosqichlari

1) Repo’ni olish (clone)

GitHub App bo‘lsa: installation token bilan clone
Bo‘lmasa OAuth token cookie yoki public repo

2) Build (Nix bilan)

Repo structure tekshiriladi (fastapi/django/golan/static).
Kerakli flake/config generatsiya qilinadi(Base flake bor)
nix build natijasi Nix store path bo‘lib qoladi

3) Ishga tushirish (systemd-run)

Har bur deployment systemd unit:

DynamicUser=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
MemoryMax=...
CPUQuota=...

Web app unit’da IPAddressAllow=localhost kabi cheklovlar bor: tashqaridan trafik nginx orqali kiradi

4) Routing (nginx)

Port ajratiladi (8000–9000)(shu hozir eng katta cheklovlardan biri)
Subdomain generatsiya qilinadi
nginx config: subdomain.shitob.live -> 127.0.0.1:PORT
nginx reload

5) Health‑check

status=running faqat service start bo‘lganda emas, port tekshirilgandan keyin yoziladi(yaxshigina muammo bo’ldi. zombie protses qolibi ketsa crash bo’lmasligi uchun)

Static site va botlar

Static site

Port kerak emas
systemd shart emas
Build natija /var/www/shitob/static/<subdomain>/(tinchost’da shunday edi)
nginx direct serve qiladi

Telegram bot

nginx kerak emas
port kerak emas
systemd kerak (doimiy run, restart)

Loglar va CI/CD

Loglar

systemd journal (journalctl -u <service>)
dashboard WebSocket orqali real‑time log stream(hozir maqolani yozayotgan paytdim bug ko’rib qoldim, iwill fix that future)

CI/CD

GitHub push event keladi (main/master)
running deploymentlar topiladi
RebuildDeployment chaqiriladi

Judayam minimal. Hozircha so’rovlar yukini kamaytirish uchun limit qo’yilgan. Githubdan so’rovlar kelishini cheklash uchun

Xavfsizlik

Men havfsizlik haqida keyinroq o’ylashni boshladim. Men uchun eng muhimi shunchaki loyiha ishlasa edi. Agar buzmoqchi bo’lsangiz yoki muammo ko’rsangiz menga yozing(mehmonov.husniddin1@gmail.com). Rahmat

Hozir bor himoya

API auth: /api/* route’lar user_session JWT cookie bilan.
systemd izolatsiya: DynamicUser, ProtectSystem=strict, PrivateTmp, PrivateDevices.
Resource limit: MemoryMax, CPUQuota tier bo‘yicha.
Web app network lock: IPAddressDeny=any + IPAddressAllow=localhost.
Webhook signature: GitHub/Lemon webhook’lar secret bo‘lsa signature tekshiradi.

Yakun

Shitob’ni qurishda maqsadim “katta platforma” emas, oddiy, tez loyihalarni onlayn qilish mumkin bo’lgan xizmat yaratish. Eng asosiysi yangi narsalarni bilan tajriba qilib ko’rish. Va qilib ko’rdim ham