# disclosure-stack — portable deployment

Single-folder deployment unit. Edit `.env`, run scripts, app deploys to the VPS.

When migrating to another VPS: **change ONLY the VPS_* block in `.env`**, run `./scripts/gen-secrets.sh` (regenerates per-VPS secrets), then `./scripts/deploy.sh`. Done.

## Layout

```
infra/disclosure-stack/
├── .env                 ← active config (gitignored, secrets in here)
├── .env.example         ← template, safe to commit
├── docker-compose.yml   ← TODO — supabase + next + meili + imgproxy
└── scripts/
    ├── _lib.sh          ← shared SSH/rsync helpers
    ├── ssh.sh           ← interactive SSH or one-shot remote command
    ├── status.sh        ← VPS + stack health report
    ├── gen-secrets.sh   ← rotate per-VPS secrets (JWT, Postgres, etc.)
    ├── sync-data.sh     ← rsync wiki/processing/raw to VPS
    ├── deploy.sh        ← upload + docker compose up
    └── logs.sh          ← tail logs of a service
```

## Pre-reqs on your laptop

```bash
brew install hudochenkov/sshpass/sshpass   # for password SSH (testing VPS)
```

For real production, generate an SSH key, copy it to the VPS, and switch `VPS_AUTH=key` in `.env`.

## Daily ops

```bash
# Open shell on VPS
./scripts/ssh.sh

# One-shot command
./scripts/ssh.sh "docker ps"

# Full health report
./scripts/status.sh

# Tail Postgres logs
./scripts/logs.sh postgres

# Push fresh wiki data (after running the local pipeline)
./scripts/sync-data.sh

# Deploy stack changes
./scripts/deploy.sh
```

## Migrating to a different VPS

1. **Edit `.env`** — change `VPS_HOST`, `VPS_PASSWORD` (or switch to `VPS_AUTH=key`), and `VPS_DEPLOY_ROOT` if needed.

2. **Rotate secrets**:

   ```bash
   ./scripts/gen-secrets.sh
   ```

   This regenerates `POSTGRES_PASSWORD`, `JWT_SECRET`, `ANON_KEY`, `SERVICE_ROLE_KEY`, `DASHBOARD_PASSWORD`, etc., and writes them back to `.env`. The old `.env` is backed up.

3. **Sync data**:

   ```bash
   ./scripts/sync-data.sh
   ```

4. **Deploy**:

   ```bash
   ./scripts/deploy.sh
   ```

That's it. The new VPS now hosts the full stack with fresh secrets, isolated from the old one.
## What still needs to be built

The `docker-compose.yml` itself. Will include:

- Supabase Postgres + GoTrue + PostgREST + Storage + Kong + Studio + Realtime
- Next.js (built from this repo's `/web` dir)
- Meilisearch
- Imgproxy
- Caddy (TLS + reverse proxy on subdomains from `.env`)
- restic-cron for backups (if `BACKUP_ENABLED=true`)

I'll generate that next.

## Coexistence with existing VPS projects

On the testing VPS, 8 other Supabase-based stacks are already running (unimed-*, irmed-*, v2irmed-*, top10-*, cf-*, nirvana-*, plegal-*). This stack:

- Uses unique container names (`disclosure-*` prefix)
- Uses unique host ports (`PORT_*` block in `.env`, all 18xxx)
- Mounts its own data volumes under `/data/disclosure/`
- Caddy on this stack only binds to `PORT_KONG_HTTP/HTTPS` and friends — does NOT take 80/443

When you move to the dedicated 4cpu/16GB VPS, you can:

- Keep ports as-is (works)
- OR remap PORT_KONG_HTTP=80, PORT_KONG_HTTPS=443 since nothing else uses them

The stack is **portable in both directions**.
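The coexistence guarantees above rest on the `PORT_*` block staying inside the 18xxx range and never colliding with a port another stack already binds. Nothing on the page checks that before `deploy.sh` runs, so here is an added pre-flight check written for this README (not one of the repo's scripts). It assumes `.env` holds unquoted `PORT_NAME=number` lines and that you feed it a plain list of ports already listening on the VPS, one per line; the suggested way to produce that list over `ssh.sh` (`ss -ltnH`, or `docker ps --format '{{.Ports}}'`) is an assumption about the VPS tooling, and the sample inputs in the usage are constructed.

```shell
#!/usr/bin/env bash
# Hypothetical pre-deploy check (not the repo's own script): confirms the PORT_*
# block in .env can coexist with the stacks already running on the VPS.
set -eu

# Print "KEY VALUE" for every PORT_* entry in FILE.
port_entries() { grep '^PORT_[A-Z_]*=' "$1" | sed 's/=/ /'; }

# Return 1 if any PORT_* value falls outside [LO, HI].
# LO/HI default to the 18xxx block this stack owns on the shared testing VPS;
# pass 1 65535 on the dedicated VPS where remapping to 80/443 is allowed.
check_port_range() {
  local file="$1" lo="${2:-18000}" hi="${3:-18999}" rc=0 key val
  while read -r key val; do
    [ -n "$val" ] || continue
    if [ "$val" -lt "$lo" ] || [ "$val" -gt "$hi" ]; then
      echo "OUT OF RANGE: $key=$val (expected $lo-$hi)" >&2; rc=1
    fi
  done <<EOF
$(port_entries "$file")
EOF
  return $rc
}

# Return 1 if two PORT_* keys map to the same host port (compose would fail late,
# after some containers are already up).
check_no_duplicates() {
  local dups
  dups=$(port_entries "$1" | awk '{print $2}' | sort | uniq -d)
  [ -z "$dups" ] || { echo "DUPLICATE PORTS: $dups" >&2; return 1; }
}

# Return 1 if any PORT_* value is already bound on the host.
# $2 is a file listing bound ports one per line, e.g. collected with
#   ./scripts/ssh.sh "ss -ltnH | awk '{print \$4}' | sed 's/.*://'" > listening.txt
check_not_in_use() {
  local file="$1" listening="$2" rc=0 key val
  while read -r key val; do
    [ -n "$val" ] || continue
    if grep -qx "$val" "$listening"; then
      echo "IN USE: $key=$val is already bound on the VPS" >&2; rc=1
    fi
  done <<EOF
$(port_entries "$file")
EOF
  return $rc
}

# Run all three checks; non-zero exit means deploy.sh should not be run yet.
# Usage: preflight .env listening.txt [LO HI]
preflight() {
  check_port_range "$1" "${3:-18000}" "${4:-18999}" \
    && check_no_duplicates "$1" \
    && check_not_in_use "$1" "$2"
}

if [ $# -ge 2 ]; then preflight "$@"; fi
```

Run it with the default range on the shared testing VPS, where a port outside 18xxx means this stack is about to step on one of the eight neighbours; on the dedicated VPS, pass `1 65535` so the `PORT_KONG_HTTP=80` / `PORT_KONG_HTTPS=443` remap passes the range check while the in-use check still catches anything else that happens to hold those ports.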