disclosure-bureau/infra/coolify/INSTALL.md

# Coolify — VPS install

Coolify is the self-hosted PaaS that runs everything else. One curl command installs it.

## Pre-reqs on the VPS

- Ubuntu 22.04+ or Debian 12+
- root or sudo
- Open ports: **22, 80, 443, 8000** (Coolify dashboard during install; can be locked behind subdomain later)
- A DNS A record like `coolify.disclosure.top` pointing at the VPS IP (any subdomain works)

## Install

SSH into the VPS, then:

```bash
curl -fsSL https://cdn.coollabs.io/coolify/install.sh | sudo bash
```

This sets up:
- Docker + Docker Compose
- The Coolify control plane in `/data/coolify/`
- A built-in Traefik that handles TLS

Boot takes ~5 min. When done you'll see a URL like `http://<your-ip>:8000` — open it, create the admin user.

## Post-install — hardening

1. **Point a subdomain at the panel** in Coolify Settings → "Instance Domain": `coolify.disclosure.top`. Save. It auto-issues TLS via Let's Encrypt.

2. **Disable port 8000 publicly** — once subdomain works, edit firewall:
   ```bash
   ufw allow 22/tcp
   ufw allow 80/tcp
   ufw allow 443/tcp
   ufw deny 8000/tcp
   ufw enable
   ```

3. **Add S3 backup destination** in Coolify Settings → Backups (Backblaze B2 recommended — $0.005/GB/mo).

4. **Optional: Cloudflare proxy** — pointing the wildcard `*.disclosure.top` through Cloudflare as proxy adds DDoS mitigation + edge caching. Set DNS-only (grey cloud) for first TLS issuance, then re-enable proxy (orange) after the cert is issued.

## What's next

Once you can log in to the Coolify dashboard at `https://coolify.disclosure.top`:

→ [`SUPABASE.md`](SUPABASE.md) — create the first Supabase project
baseline: Disclosure Bureau pipeline + Next.js UI + Supabase stack 2026-05-18 01:44:36 +00:00			`# Coolify — VPS install`

			`Coolify is the self-hosted PaaS that runs everything else. One curl command installs it.`

			`## Pre-reqs on the VPS`

			`- Ubuntu 22.04+ or Debian 12+`
			`- root or sudo`
			`- Open ports: 22, 80, 443, 8000 (Coolify dashboard during install; can be locked behind subdomain later)`
			- A DNS A record like `coolify.disclosure.top` pointing at the VPS IP (any subdomain works)

			`## Install`

			`SSH into the VPS, then:`

			```bash
			`curl -fsSL https://cdn.coollabs.io/coolify/install.sh \| sudo bash`
			```

			`This sets up:`
			`- Docker + Docker Compose`
			- The Coolify control plane in `/data/coolify/`
			`- A built-in Traefik that handles TLS`

			Boot takes ~5 min. When done you'll see a URL like `http://<your-ip>:8000` — open it, create the admin user.

			`## Post-install — hardening`

			1. Point a subdomain at the panel in Coolify Settings → "Instance Domain": `coolify.disclosure.top`. Save. It auto-issues TLS via Let's Encrypt.

			`2. Disable port 8000 publicly — once subdomain works, edit firewall:`
			```bash
			`ufw allow 22/tcp`
			`ufw allow 80/tcp`
			`ufw allow 443/tcp`
			`ufw deny 8000/tcp`
			`ufw enable`
			```

			`3. Add S3 backup destination in Coolify Settings → Backups (Backblaze B2 recommended — $0.005/GB/mo).`

			4. Optional: Cloudflare proxy — pointing the wildcard `*.disclosure.top` through Cloudflare as proxy adds DDoS mitigation + edge caching. Set DNS-only (grey cloud) for first TLS issuance, then re-enable proxy (orange) after the cert is issued.

			`## What's next`

			Once you can log in to the Coolify dashboard at `https://coolify.disclosure.top`:

			→ [`SUPABASE.md`](SUPABASE.md) — create the first Supabase project