discadmin/disclosure-bureau
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
disclosure-bureau/infra/disclosure-stack/README.md

3.2 KiB
Raw Blame History

disclosure-stack — portable deployment

Single-folder deployment unit. Edit .env, run scripts, app deploys to the VPS.

When migrating to another VPS: change ONLY the VPS_ block in .env*, run ./scripts/gen-secrets.sh (regenerates per-VPS secrets), then ./scripts/deploy.sh. Done.

Layout

infra/disclosure-stack/
├── .env                    ← active config (gitignored, secrets in here)
├── .env.example            ← template, safe to commit
├── docker-compose.yml      ← TODO — supabase + next + meili + imgproxy
└── scripts/
    ├── _lib.sh             ← shared SSH/rsync helpers
    ├── ssh.sh              ← interactive SSH or one-shot remote command
    ├── status.sh           ← VPS + stack health report
    ├── gen-secrets.sh      ← rotate per-VPS secrets (JWT, Postgres, etc.)
    ├── sync-data.sh        ← rsync wiki/processing/raw to VPS
    ├── deploy.sh           ← upload + docker compose up
    └── logs.sh             ← tail logs of a service

Pre-reqs on your laptop

brew install hudochenkov/sshpass/sshpass  # for password SSH (testing VPS)

For real production, generate an SSH key, copy it to the VPS, and switch VPS_AUTH=key in .env.

Daily ops

# Open shell on VPS
./scripts/ssh.sh

# One-shot command
./scripts/ssh.sh "docker ps"

# Full health report
./scripts/status.sh

# Tail Postgres logs
./scripts/logs.sh postgres

# Push fresh wiki data (after running the local pipeline)
./scripts/sync-data.sh

# Deploy stack changes
./scripts/deploy.sh

Migrating to a different VPS

  1. Edit .env — change VPS_HOST, VPS_PASSWORD (or switch to VPS_AUTH=key), VPS_DEPLOY_ROOT if needed.
  2. Rotate secrets: 
    ./scripts/gen-secrets.sh
    This regenerates POSTGRES_PASSWORD, JWT_SECRET, ANON_KEY, SERVICE_ROLE_KEY, DASHBOARD_PASSWORD, etc., and writes them back to .env. The old .env is backed up.
  3. Sync data: 
    ./scripts/sync-data.sh
  4. Deploy: 
    ./scripts/deploy.sh

That's it. The new VPS now hosts the full stack with fresh secrets, isolated from the old one.

What still needs to be built

The docker-compose.yml itself. Will include:

  • Supabase Postgres + GoTrue + PostgREST + Storage + Kong + Studio + Realtime
  • Next.js (built from this repo's /web dir)
  • Meilisearch
  • Imgproxy
  • Caddy (TLS + reverse proxy on subdomains from .env)
  • restic-cron for backups (if BACKUP_ENABLED=true)

I'll generate that next.

Coexistence with existing VPS projects

On the testing VPS, 8 other Supabase-based stacks are already running (unimed-, irmed-, v2irmed-, top10-, cf-, nirvana-, plegal-*). This stack:

  • Uses unique container names (disclosure-* prefix)
  • Uses unique host ports (PORT_* block in .env, all 18xxx)
  • Mounts its own data volumes under /data/disclosure/
  • Caddy on this stack only binds to PORT_KONG_HTTP/HTTPS and friends — does NOT take 80/443

When you move to the dedicated 4cpu/16GB VPS, you can:

  • Keep ports as-is (works)
  • OR remap PORT_KONG_HTTP=80, PORT_KONG_HTTPS=443 since nothing else uses them

The stack is portable in both directions.