feat: 서버 nginx 직접 설정 배포로 변경

- Docker nginx 대신 서버 nginx 설정 직접 적용
- sudo NOPASSWD 특정 명령어만 허용하여 보안 유지
- nginx -t 및 systemctl reload 자동화
- README.md 배포 플로우 업데이트

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

.github/workflows/deploy.yml

@@ -26,7 +26,7 @@ jobs:
           ssh -o StrictHostKeyChecking=no -p $PORT $USER@$HOST "rm -rf ~/robeing-nginx/* || true; mkdir -p ~/robeing-nginx"
           tar --exclude='.git' -czf - . | ssh -o StrictHostKeyChecking=no -p $PORT $USER@$HOST "cd ~/robeing-nginx && tar -xzf -"
 
-      - name: Start services via SSH
+      - name: Apply nginx config via SSH
         env:
           HOST: ${{ secrets.NAS_HOST }}
           PORT: ${{ secrets.NAS_PORT }}
@@ -34,6 +34,8 @@ jobs:
         run: |
           ssh -o StrictHostKeyChecking=no -p $PORT $USER@$HOST << 'EOF'
             cd ~/robeing-nginx
+            sudo cp server-nginx-default /etc/nginx/sites-available/default
+            sudo nginx -t
+            sudo systemctl reload nginx
             docker compose down || true
-            docker compose up -d
           EOF

README.md

@@ -17,7 +17,7 @@ nginx-deploy/
 1. **main 브랜치에 push**
 2. **GitHub Actions** 자동 실행
 3. **파일 전송** (Ubuntu 서버 ~/robeing-nginx)
-4. **Docker Compose** 자동 재시작
+4. **nginx 설정 적용** (서버 nginx 자동 reload)
 
 ## 서버 설정
 
@@ -31,8 +31,8 @@ NAS_SSH_KEY_ADMIN: SSH 개인키
 
 ### 서버 요구사항
 - Ubuntu 22.04 LTS  
-- Docker & Docker Compose 설치
-- admin 사용자 sudo 권한 (NOPASSWD)
+- Nginx 설치 및 SSL 설정 완료
+- admin 사용자 특정 명령어 sudo 권한 (NOPASSWD)
 - 포트 80, 443 오픈
 
 ## 프록시 라우팅

server-nginx-default

@@ -0,0 +1,193 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+# Default server configuration
+#
+server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+
+        # SSL configuration
+        #
+        # listen 443 ssl default_server;
+        # listen [::]:443 ssl default_server;
+        #
+        # Note: You should disable gzip for SSL traffic.
+        # See: https://bugs.debian.org/773332
+        #
+        # Read up on ssl_ciphers to ensure a secure configuration.
+        # See: https://bugs.debian.org/765782
+        #
+        # Self signed certs generated by the ssl-cert package
+        # Don't use them in a production server!
+        #
+        # include snippets/snakeoil.conf;
+
+        root /var/www/html;
+
+        # Add index.php to the list if you are using PHP
+        index index.html index.htm index.nginx-debian.html;
+
+        server_name _;
+
+        location / {
+                # First attempt to serve request as file, then
+                # as directory, then fall back to displaying a 404.
+                try_files $uri $uri/ =404;
+        }
+
+        location /.well-known/acme-challenge/ {
+            alias /var/www/html/.well-known/acme-challenge/;
+        }
+
+
+        # pass PHP scripts to FastCGI server
+        #
+        #location ~ \.php$ {
+        #       include snippets/fastcgi-php.conf;
+        #
+        #       # With php-fpm (or other unix sockets):
+        #       fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+        #       # With php-cgi (or other tcp sockets):
+        #       fastcgi_pass 127.0.0.1:9000;
+        #}
+
+        # deny access to .htaccess files, if Apache's document root
+        # concurs with nginx's one
+        #
+        #location ~ /\.ht {
+        #       deny all;
+        #}
+}
+
+
+# Virtual Host configuration for example.com
+#
+# You can move that to a different file under sites-available/ and symlink that
+# to sites-enabled/ to enable it.
+#
+#server {
+#       listen 80;
+#       listen [::]:80;
+#
+#       server_name example.com;
+#
+#       root /var/www/example.com;
+#       index index.html;
+#
+#       location / {
+#               try_files $uri $uri/ =404;
+#       }
+#}
+
+server {
+
+        # SSL configuration
+        #
+        # listen 443 ssl default_server;
+        # listen [::]:443 ssl default_server;
+        #
+        # Note: You should disable gzip for SSL traffic.
+        # See: https://bugs.debian.org/773332
+        #
+        # Read up on ssl_ciphers to ensure a secure configuration.
+        # See: https://bugs.debian.org/765782
+        #
+        # Self signed certs generated by the ssl-cert package
+        # Don't use them in a production server!
+        #
+        # include snippets/snakeoil.conf;
+
+        root /var/www/html;
+
+        # Add index.php to the list if you are using PHP
+        index index.html index.htm index.nginx-debian.html;
+    server_name ro-being.com; # managed by Certbot
+
+        # Main application proxy
+        location / {
+            proxy_pass http://localhost:5173;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        # API endpoints
+        location /api/ {
+            proxy_pass http://localhost:18000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        # RB8001 API endpoints
+        location /rb8001/ {
+            proxy_pass http://localhost:8001;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+        location /.well-known/acme-challenge/ {
+            alias /var/www/html/.well-known/acme-challenge/;
+        }
+
+
+        # pass PHP scripts to FastCGI server
+        #
+        #location ~ \.php$ {
+        #       include snippets/fastcgi-php.conf;
+        #
+        #       # With php-fpm (or other unix sockets):
+        #       fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+        #       # With php-cgi (or other tcp sockets):
+        #       fastcgi_pass 127.0.0.1:9000;
+        #}
+
+        # deny access to .htaccess files, if Apache's document root
+        # concurs with nginx's one
+        #
+        #location ~ /\.ht {
+        #       deny all;
+        #}
+
+
+    listen [::]:443 ssl ipv6only=on; # managed by Certbot
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/ro-being.com/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/ro-being.com/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+    if ($host = ro-being.com) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+        listen 80 ;
+        listen [::]:80 ;
+    server_name ro-being.com;
+    return 404; # managed by Certbot
+
+
+}