From 5f99a0460c7f61543e4a72b35ec5637ca848a530 Mon Sep 17 00:00:00 2001
From: Telegram Bot <rick.daye@dr.com>
Date: Wed, 29 Apr 2026 01:28:59 +0300
Subject: [PATCH] infra: deploy script + webhook server + S3 uploader (saguaro
 test)

---
 infra/README.md         |  31 ++++++
 infra/deploy-ptp.sh     |   9 ++
 infra/uploader.py       | 228 ++++++++++++++++++++++++++++++++++++++++
 infra/webhook-server.py |  41 ++++++++
 4 files changed, 309 insertions(+)
 create mode 100644 infra/README.md
 create mode 100644 infra/deploy-ptp.sh
 create mode 100644 infra/uploader.py
 create mode 100644 infra/webhook-server.py

diff --git a/infra/README.md b/infra/README.md
new file mode 100644
index 0000000..fd643ff
--- /dev/null
+++ b/infra/README.md
@@ -0,0 +1,31 @@
+# PTP Infrastructure Scripts
+
+## deploy-ptp.sh
+Deploy script: git pull mirror → hugo build → /var/www/html
+Triggered by Gitea webhook on push to mirror/main.
+Service: ptp-webhook (port 9000)
+
+## webhook-server.py  
+HTTP server на порту 9000.
+Принимает POST /deploy от Gitea (HMAC-SHA256 подпись).
+Secret: ptp-deploy-2026
+
+## uploader.py
+Flask-приложение на порту 9001.
+Drag-and-drop загрузка фото → S3 reg.ru (sleeptrip-dev/images/).
+Защищено Basic Auth через nginx.
+Поддерживает: jpg, png, gif, webp, heic, mp4, mov.
+HEIC автоматически конвертируется в JPG.
+
+## Systemd services
+- ptp-webhook.service → webhook-server.py
+- ptp-uploader.service → uploader.py
+
+## Nginx snippets
+- /etc/nginx/snippets/ptp-webhook.conf
+- /etc/nginx/snippets/ptp-uploader.conf
+
+## Gitea webhook
+Repo: ptpadmin/ptp, hook id: 1
+URL: http://127.0.0.1:9000/deploy
+Branch filter: mirror
diff --git a/infra/deploy-ptp.sh b/infra/deploy-ptp.sh
new file mode 100644
index 0000000..f4562b7
--- /dev/null
+++ b/infra/deploy-ptp.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -e
+LOG=/var/log/ptp-deploy.log
+echo "[2026-04-29 00:05:28] Deploy started" >> $LOG
+cd /var/www/hugo-source
+git checkout mirror >> $LOG 2>&1
+git pull gitea mirror >> $LOG 2>&1
+hugo -d /var/www/html --baseURL 'https://ptp.saguaro-cactus.ru' >> $LOG 2>&1
+echo "[2026-04-29 00:05:28] Deploy done" >> $LOG
diff --git a/infra/uploader.py b/infra/uploader.py
new file mode 100644
index 0000000..d127081
--- /dev/null
+++ b/infra/uploader.py
@@ -0,0 +1,228 @@
+#!/usr/bin/env python3
+import os, tempfile
+from flask import Flask, request, jsonify
+import boto3
+from botocore.client import Config
+from botocore.exceptions import ClientError
+import pillow_heif
+from PIL import Image
+pillow_heif.register_heif_opener()
+
+app = Flask(__name__)
+app.config['MAX_CONTENT_LENGTH'] = 50 * 1024 * 1024  # 50MB
+
+S3_CONFIG = dict(
+    endpoint_url='https://s3.regru.cloud',
+    aws_access_key_id='TXBN3MRO1YCC2Y593URD',
+    aws_secret_access_key='GIMA9lJetvXgMtl8GCO4dNSpJDGHvKgGBVfiA9zV',
+    region_name='ru-1',
+    config=Config(signature_version='s3v4')
+)
+BUCKET = 'sleeptrip-dev'
+PREFIX = 'images/'
+ALLOWED = {'jpg', 'jpeg', 'png', 'gif', 'webp', 'mp4', 'mov', 'heic', 'heif'}
+MIME = {
+    'jpg': 'image/jpeg', 'jpeg': 'image/jpeg', 'png': 'image/png',
+    'gif': 'image/gif', 'webp': 'image/webp',
+    'mp4': 'video/mp4', 'mov': 'video/quicktime',
+    'heic': 'image/jpeg', 'heif': 'image/jpeg'
+}
+
+PAGE = """<!DOCTYPE html>
+<html lang="ru">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Upload to S3</title>
+<style>
+*{box-sizing:border-box;margin:0;padding:0}
+body{background:#0d1117;color:#e6edf3;font-family:-apple-system,BlinkMacSystemFont,monospace;display:flex;align-items:center;justify-content:center;min-height:100vh;padding:24px}
+.card{background:#161b22;border:1px solid #30363d;border-radius:12px;padding:32px;width:100%;max-width:520px}
+h1{font-size:16px;font-weight:600;margin-bottom:4px}
+.sub{font-size:12px;color:#8b949e;margin-bottom:24px}
+.drop{border:2px dashed #30363d;border-radius:8px;padding:48px 24px;text-align:center;cursor:pointer;transition:all .2s}
+.drop.over{border-color:#58a6ff;background:rgba(88,166,255,.05)}
+.drop input{display:none}
+.drop-icon{font-size:36px;margin-bottom:12px}
+.drop-text{font-size:13px;color:#8b949e}
+.drop-text b{color:#58a6ff;cursor:pointer}
+.progress{margin-top:16px;display:none}
+.bar-wrap{background:#21262d;border-radius:4px;height:6px;margin-top:8px}
+.bar{background:#58a6ff;height:6px;border-radius:4px;width:0;transition:width .15s}
+.status{font-size:12px;color:#8b949e;margin-top:6px}
+.result{margin-top:20px;display:none}
+.url-box{background:#0d1117;border:1px solid #3fb950;border-radius:6px;padding:12px 14px;font-size:12px;font-family:monospace;word-break:break-all;color:#3fb950;cursor:pointer}
+.url-box:hover{background:rgba(63,185,80,.05)}
+.copy-hint{font-size:11px;color:#8b949e;margin-top:6px}
+.preview{margin-top:12px;max-width:100%;max-height:200px;border-radius:6px;display:none}
+.err{color:#f85149;font-size:12px;margin-top:12px;display:none;padding:8px 12px;background:rgba(248,81,73,.08);border-radius:6px}
+.hist{margin-top:24px;border-top:1px solid #21262d;padding-top:16px;display:none}
+.hist h2{font-size:11px;text-transform:uppercase;letter-spacing:1px;color:#8b949e;margin-bottom:10px}
+.hi{font-size:11px;font-family:monospace;color:#8b949e;padding:5px 0;border-bottom:1px solid #21262d;cursor:pointer;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}
+.hi:hover{color:#58a6ff}
+</style>
+</head>
+<body>
+<div class="card">
+  <h1>Upload &rarr; S3</h1>
+  <p class="sub">sleeptrip-dev &middot; s3.regru.cloud/images/</p>
+  <div class="drop" id="drop">
+    <input type="file" id="fi" accept="image/*,video/*" multiple>
+    <div class="drop-icon">&#8679;</div>
+    <div class="drop-text">Перетащи или <b id="btn">выбери файл</b></div>
+  </div>
+  <div class="progress" id="prog">
+    <div class="bar-wrap"><div class="bar" id="bar"></div></div>
+    <div class="status" id="stat">Загружаем...</div>
+  </div>
+  <div class="err" id="err"></div>
+  <div class="result" id="res">
+    <div class="url-box" id="url" onclick="copy(this)"></div>
+    <div class="copy-hint" id="hint">Нажми чтобы скопировать</div>
+    <img class="preview" id="prev">
+  </div>
+  <div class="hist" id="hist">
+    <h2>История</h2>
+    <div id="hl"></div>
+  </div>
+</div>
+<script>
+var urls = [];
+var drop = document.getElementById('drop');
+var fi = document.getElementById('fi');
+document.getElementById('btn').onclick = function(){ fi.click(); };
+drop.addEventListener('dragover', function(e){ e.preventDefault(); drop.classList.add('over'); });
+drop.addEventListener('dragleave', function(){ drop.classList.remove('over'); });
+drop.addEventListener('drop', function(e){ e.preventDefault(); drop.classList.remove('over'); for(var i=0;i<e.dataTransfer.files.length;i++) doUpload(e.dataTransfer.files[i]); });
+fi.addEventListener('change', function(){ for(var i=0;i<fi.files.length;i++) doUpload(fi.files[i]); });
+
+function doUpload(file) {
+  var prog = document.getElementById('prog');
+  var res = document.getElementById('res');
+  var err = document.getElementById('err');
+  prog.style.display = 'block';
+  res.style.display = 'none';
+  err.style.display = 'none';
+  document.getElementById('bar').style.width = '0';
+  document.getElementById('stat').textContent = file.name + ' ...';
+  var fd = new FormData();
+  fd.append('file', file);
+  var xhr = new XMLHttpRequest();
+  xhr.upload.onprogress = function(e){ if(e.lengthComputable) document.getElementById('bar').style.width = (e.loaded/e.total*100)+'%'; };
+  xhr.onload = function(){
+    prog.style.display = 'none';
+    if(xhr.status === 200){
+      var r = JSON.parse(xhr.responseText);
+      showRes(r.url, file.type.indexOf('image')===0);
+    } else {
+      var msg = 'Ошибка '+xhr.status;
+      try{ msg = JSON.parse(xhr.responseText).error; }catch(e){}
+      showErr(msg);
+    }
+  };
+  xhr.onerror = function(){ prog.style.display='none'; showErr('Сетевая ошибка'); };
+  xhr.open('POST', '/upload/api');
+  xhr.withCredentials = true;
+  xhr.send(fd);
+}
+
+function showRes(url, isImg) {
+  var el = document.getElementById('url');
+  el.textContent = url;
+  document.getElementById('res').style.display = 'block';
+  document.getElementById('hint').textContent = 'Нажми чтобы скопировать';
+  var p = document.getElementById('prev');
+  if(isImg){ p.src=url; p.style.display='block'; } else { p.style.display='none'; }
+  urls.unshift(url);
+  updateHist();
+}
+
+function showErr(msg){ var e=document.getElementById('err'); e.textContent=msg; e.style.display='block'; }
+
+function copy(el){
+  navigator.clipboard.writeText(el.textContent).then(function(){
+    document.getElementById('hint').textContent='Скопировано!';
+    setTimeout(function(){ document.getElementById('hint').textContent='Нажми чтобы скопировать'; }, 2000);
+  });
+}
+
+function updateHist(){
+  document.getElementById('hist').style.display='block';
+  var html = '';
+  for(var i=0;i<urls.length;i++){
+    html += '<div class="hi" data-url="'+urls[i]+'">'+urls[i]+'</div>';
+  }
+  document.getElementById('hl').innerHTML = html;
+  var items = document.getElementById('hl').querySelectorAll('.hi');
+  for(var j=0;j<items.length;j++){
+    items[j].onclick = (function(u){ return function(){ navigator.clipboard.writeText(u); this.textContent='Скопировано!'; }; })(items[j].getAttribute('data-url'));
+  }
+}
+</script>
+</body>
+</html>"""
+
+
+@app.route('/upload/')
+def index():
+    return PAGE
+
+
+@app.route('/upload/api', methods=['POST'])
+def upload_file():
+    if 'file' not in request.files:
+        return jsonify({'error': 'Нет файла'}), 400
+
+    f = request.files['file']
+    if not f.filename:
+        return jsonify({'error': 'Пустое имя файла'}), 400
+
+    ext = f.filename.rsplit('.', 1)[-1].lower() if '.' in f.filename else ''
+    if ext not in ALLOWED:
+        return jsonify({'error': 'Формат .{} не поддерживается'.format(ext)}), 400
+
+    original_name = os.path.splitext(f.filename)[0]
+
+    # HEIC/HEIF → конвертируем в JPG
+    is_heic = ext in ('heic', 'heif')
+    out_ext = 'jpg' if is_heic else ext
+    s3_key = '{}{}.{}'.format(PREFIX, original_name, out_ext)
+
+    tmp_path = None
+    try:
+        with tempfile.NamedTemporaryFile(delete=False, suffix='.{}'.format(ext)) as tmp:
+            f.save(tmp.name)
+            tmp_path = tmp.name
+
+        if is_heic:
+            img = Image.open(tmp_path)
+            converted = tmp_path.replace('.{}'.format(ext), '.jpg')
+            img.convert('RGB').save(converted, 'JPEG', quality=92)
+            os.unlink(tmp_path)
+            tmp_path = converted
+
+        import urllib3
+        urllib3.disable_warnings()
+
+        s3 = boto3.client('s3', verify=False, **S3_CONFIG)
+        s3.upload_file(
+            tmp_path, BUCKET, s3_key,
+            ExtraArgs={
+                'ContentType': MIME.get(ext, 'application/octet-stream'),
+                'CacheControl': 'max-age=31536000'
+            }
+        )
+
+        url = 'https://s3.regru.cloud/{}/{}'.format(BUCKET, s3_key)
+        # hint: HEIC was converted to JPG
+        return jsonify({'url': url})
+
+    except Exception as e:
+        return jsonify({'error': str(e)}), 500
+    finally:
+        if tmp_path and os.path.exists(tmp_path):
+            os.unlink(tmp_path)
+
+
+if __name__ == '__main__':
+    app.run(host='127.0.0.1', port=9001, debug=False)
diff --git a/infra/webhook-server.py b/infra/webhook-server.py
new file mode 100644
index 0000000..6fc4e42
--- /dev/null
+++ b/infra/webhook-server.py
@@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+import http.server, subprocess, hashlib, hmac, json, os, sys
+
+SECRET = os.environ.get('WEBHOOK_SECRET', 'ptp-deploy-2026')
+PORT = 9000
+
+class Handler(http.server.BaseHTTPRequestHandler):
+    def do_POST(self):
+        if self.path != '/deploy':
+            self.send_response(404); self.end_headers(); return
+        
+        length = int(self.headers.get('Content-Length', 0))
+        body = self.rfile.read(length)
+        
+        # Verify signature (Gitea sends X-Gitea-Signature)
+        sig = self.headers.get('X-Gitea-Signature', '')
+        expected = hmac.new(SECRET.encode(), body, hashlib.sha256).hexdigest()
+        
+        if not hmac.compare_digest(sig, expected):
+            self.send_response(403); self.end_headers()
+            self.wfile.write(b'Bad signature'); return
+        
+        try:
+            data = json.loads(body)
+            ref = data.get('ref', '')
+            if ref not in ('refs/heads/mirror', 'refs/heads/main'):
+                self.send_response(200); self.end_headers()
+                self.wfile.write(b'Skipped (not mirror/main)'); return
+        except: pass
+        
+        subprocess.Popen(['/usr/local/bin/deploy-ptp.sh'])
+        self.send_response(200); self.end_headers()
+        self.wfile.write(b'Deploy triggered')
+
+    def log_message(self, fmt, *args):
+        pass  # silent
+
+if __name__ == '__main__':
+    httpd = http.server.HTTPServer(('127.0.0.1', PORT), Handler)
+    print(f'Webhook server on port {PORT}')
+    httpd.serve_forever()