98 lines
3.2 KiB
Markdown
98 lines
3.2 KiB
Markdown
|
# disclosure-stack — portable deployment
|
||
|
|
|
||
|
|
Single-folder deployment unit. Edit `.env`, run scripts, app deploys to the VPS.
|
||
|
|
|
||
|
|
When migrating to another VPS: **change ONLY the VPS_* block in `.env`**, run `./scripts/gen-secrets.sh` (regenerates per-VPS secrets), then `./scripts/deploy.sh`. Done.
|
||
|
|
|
||
|
|
## Layout
|
||
|
|
|
||
|
|
```
|
||
|
|
infra/disclosure-stack/
|
||
|
|
├── .env ← active config (gitignored, secrets in here)
|
||
|
|
├── .env.example ← template, safe to commit
|
||
|
|
├── docker-compose.yml ← TODO — supabase + next + meili + imgproxy
|
||
|
|
└── scripts/
|
||
|
|
├── _lib.sh ← shared SSH/rsync helpers
|
||
|
|
├── ssh.sh ← interactive SSH or one-shot remote command
|
||
|
|
├── status.sh ← VPS + stack health report
|
||
|
|
├── gen-secrets.sh ← rotate per-VPS secrets (JWT, Postgres, etc.)
|
||
|
|
├── sync-data.sh ← rsync wiki/processing/raw to VPS
|
||
|
|
├── deploy.sh ← upload + docker compose up
|
||
|
|
└── logs.sh ← tail logs of a service
|
||
|
|
```
|
||
|
|
|
||
|
|
## Pre-reqs on your laptop
|
||
|
|
|
||
|
|
```bash
|
||
|
|
brew install hudochenkov/sshpass/sshpass # for password SSH (testing VPS)
|
||
|
|
```
|
||
|
|
|
||
|
|
For real production, generate an SSH key, copy it to the VPS, and switch `VPS_AUTH=key` in `.env`.
|
||
|
|
|
||
|
|
## Daily ops
|
||
|
|
|
||
|
|
```bash
|
||
|
|
# Open shell on VPS
|
||
|
|
./scripts/ssh.sh
|
||
|
|
|
||
|
|
# One-shot command
|
||
|
|
./scripts/ssh.sh "docker ps"
|
||
|
|
|
||
|
|
# Full health report
|
||
|
|
./scripts/status.sh
|
||
|
|
|
||
|
|
# Tail Postgres logs
|
||
|
|
./scripts/logs.sh postgres
|
||
|
|
|
||
|
|
# Push fresh wiki data (after running the local pipeline)
|
||
|
|
./scripts/sync-data.sh
|
||
|
|
|
||
|
|
# Deploy stack changes
|
||
|
|
./scripts/deploy.sh
|
||
|
|
```
|
||
|
|
|
||
|
|
## Migrating to a different VPS
|
||
|
|
|
||
|
|
1. **Edit `.env`** — change `VPS_HOST`, `VPS_PASSWORD` (or switch to `VPS_AUTH=key`), `VPS_DEPLOY_ROOT` if needed.
|
||
|
|
2. **Rotate secrets**:
|
||
|
|
```bash
|
||
|
|
./scripts/gen-secrets.sh
|
||
|
|
```
|
||
|
|
This regenerates `POSTGRES_PASSWORD`, `JWT_SECRET`, `ANON_KEY`, `SERVICE_ROLE_KEY`, `DASHBOARD_PASSWORD`, etc., and writes them back to `.env`. The old `.env` is backed up.
|
||
|
|
3. **Sync data**:
|
||
|
|
```bash
|
||
|
|
./scripts/sync-data.sh
|
||
|
|
```
|
||
|
|
4. **Deploy**:
|
||
|
|
```bash
|
||
|
|
./scripts/deploy.sh
|
||
|
|
```
|
||
|
|
|
||
|
|
That's it. The new VPS now hosts the full stack with fresh secrets, isolated from the old one.
|
||
|
|
|
||
|
|
## What still needs to be built
|
||
|
|
|
||
|
|
The `docker-compose.yml` itself. Will include:
|
||
|
|
- Supabase Postgres + GoTrue + PostgREST + Storage + Kong + Studio + Realtime
|
||
|
|
- Next.js (built from this repo's `/web` dir)
|
||
|
|
- Meilisearch
|
||
|
|
- Imgproxy
|
||
|
|
- Caddy (TLS + reverse proxy on subdomains from `.env`)
|
||
|
|
- restic-cron for backups (if `BACKUP_ENABLED=true`)
|
||
|
|
|
||
|
|
I'll generate that next.
|
||
|
|
|
||
|
|
## Coexistence with existing VPS projects
|
||
|
|
|
||
|
|
On the testing VPS, 8 other Supabase-based stacks are already running (unimed-*, irmed-*, v2irmed-*, top10-*, cf-*, nirvana-*, plegal-*). This stack:
|
||
|
|
- Uses unique container names (`disclosure-*` prefix)
|
||
|
|
- Uses unique host ports (`PORT_*` block in `.env`, all 18xxx)
|
||
|
|
- Mounts its own data volumes under `/data/disclosure/`
|
||
|
|
- Caddy on this stack only binds to `PORT_KONG_HTTP/HTTPS` and friends — does NOT take 80/443
|
||
|
|
|
||
|
|
When you move to the dedicated 4cpu/16GB VPS, you can:
|
||
|
|
- Keep ports as-is (works)
|
||
|
|
- OR remap PORT_KONG_HTTP=80, PORT_KONG_HTTPS=443 since nothing else uses them
|
||
|
|
|
||
|
|
The stack is **portable in both directions**.
|