Add Sigvild Gallery wedding photo application with automated deployment and improve Caddy plugin management
This commit is contained in:
262
docs/sigvild-gallery-deployment.md
Normal file
262
docs/sigvild-gallery-deployment.md
Normal file
@@ -0,0 +1,262 @@
|
||||
# Sigvild Gallery Deployment Guide
|
||||
|
||||
## Quick Start
|
||||
|
||||
Deploy the complete Sigvild Wedding Gallery with PocketBase API and SvelteKit frontend.
|
||||
|
||||
## Prerequisites Setup
|
||||
|
||||
### 1. Vault Password Configuration
|
||||
|
||||
Create encrypted passwords for the gallery authentication:
|
||||
|
||||
```bash
|
||||
# Create vault passwords (run from rick-infra directory)
|
||||
ansible-vault encrypt_string 'your-host-password-here' --name 'vault_sigvild_host_password'
|
||||
ansible-vault encrypt_string 'your-guest-password-here' --name 'vault_sigvild_guest_password'
|
||||
```
|
||||
|
||||
Add the encrypted strings to `host_vars/arch-vps/main.yml`:
|
||||
|
||||
```yaml
|
||||
# Add to host_vars/arch-vps/main.yml
|
||||
vault_sigvild_host_password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
66386439653765386...
|
||||
|
||||
vault_sigvild_guest_password: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
33663065383834313...
|
||||
```
|
||||
|
||||
### 2. DNS Configuration
|
||||
|
||||
Ensure these domains point to your server:
|
||||
- `sigvild.no` → Frontend static site
|
||||
- `api.sigvild.no` → API backend proxy
|
||||
|
||||
### 3. Project Structure
|
||||
|
||||
Ensure the sigvild-gallery project is adjacent to rick-infra:
|
||||
|
||||
```
|
||||
~/
|
||||
├── rick-infra/ # This repository
|
||||
└── sigvild-gallery/ # Sigvild gallery project
|
||||
├── build_tmp/ # Production builds
|
||||
├── sigvild-kit/ # Frontend source
|
||||
└── main.go # Backend source
|
||||
```
|
||||
|
||||
## Deployment Commands
|
||||
|
||||
### Full Infrastructure + Gallery
|
||||
|
||||
Deploy everything including Sigvild Gallery:
|
||||
|
||||
```bash
|
||||
ansible-playbook site.yml
|
||||
```
|
||||
|
||||
### Gallery Only
|
||||
|
||||
Deploy just the Sigvild Gallery service:
|
||||
|
||||
```bash
|
||||
ansible-playbook playbooks/deploy-sigvild.yml
|
||||
```
|
||||
|
||||
### Selective Updates
|
||||
|
||||
Update specific components:
|
||||
|
||||
```bash
|
||||
# Frontend only (quick static file updates)
|
||||
ansible-playbook site.yml --tags="frontend"
|
||||
|
||||
# Backend only (API service updates)
|
||||
ansible-playbook site.yml --tags="backend"
|
||||
|
||||
# Caddy configuration only
|
||||
ansible-playbook site.yml --tags="caddy"
|
||||
|
||||
# Just build process (development)
|
||||
ansible-playbook site.yml --tags="build"
|
||||
```
|
||||
|
||||
## Architecture Overview
|
||||
|
||||
```
|
||||
Internet
|
||||
↓
|
||||
Caddy (Auto HTTPS)
|
||||
├── sigvild.no → /var/www/sigvild-gallery/ (Static Files)
|
||||
└── api.sigvild.no → localhost:8090 (PocketBase API)
|
||||
↓
|
||||
Go Binary (sigvild-gallery-server)
|
||||
↓
|
||||
SQLite Database + File Storage
|
||||
```
|
||||
|
||||
## Service Management
|
||||
|
||||
### Status Checks
|
||||
|
||||
```bash
|
||||
# Gallery API service
|
||||
systemctl status sigvild-gallery
|
||||
|
||||
# Caddy web server
|
||||
systemctl status caddy
|
||||
|
||||
# View gallery logs
|
||||
journalctl -u sigvild-gallery -f
|
||||
|
||||
# View Caddy logs
|
||||
journalctl -u caddy -f
|
||||
```
|
||||
|
||||
### Manual Operations
|
||||
|
||||
```bash
|
||||
# Restart gallery service
|
||||
systemctl restart sigvild-gallery
|
||||
|
||||
# Reload Caddy configuration
|
||||
systemctl reload caddy
|
||||
|
||||
# Check API health
|
||||
curl https://api.sigvild.no/api/health
|
||||
```
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### Build Issues
|
||||
|
||||
**Problem**: Go build fails
|
||||
```bash
|
||||
# Ensure Go is installed locally
|
||||
go version
|
||||
|
||||
# Check if you're in the right directory
|
||||
ls sigvild-gallery/main.go
|
||||
```
|
||||
|
||||
**Problem**: Frontend build fails
|
||||
```bash
|
||||
# Check Node.js and npm
|
||||
node --version && npm --version
|
||||
|
||||
# Ensure dependencies are installed
|
||||
cd sigvild-gallery/sigvild-kit
|
||||
npm install
|
||||
```
|
||||
|
||||
### Service Issues
|
||||
|
||||
**Problem**: Service won't start
|
||||
```bash
|
||||
# Check service status
|
||||
systemctl status sigvild-gallery
|
||||
|
||||
# Check service logs
|
||||
journalctl -u sigvild-gallery --no-pager
|
||||
|
||||
# Verify binary permissions
|
||||
ls -la /opt/sigvild-gallery/sigvild-gallery-server
|
||||
```
|
||||
|
||||
**Problem**: Database permissions
|
||||
```bash
|
||||
# Check data directory ownership
|
||||
ls -la /opt/sigvild-gallery/data/
|
||||
|
||||
# Fix ownership if needed
|
||||
sudo chown -R sigvild:sigvild /opt/sigvild-gallery/
|
||||
```
|
||||
|
||||
### Network Issues
|
||||
|
||||
**Problem**: Domain not resolving
|
||||
```bash
|
||||
# Test DNS resolution
|
||||
dig sigvild.no
|
||||
dig api.sigvild.no
|
||||
|
||||
# Test local connectivity
|
||||
curl -H "Host: sigvild.no" http://localhost
|
||||
curl -H "Host: api.sigvild.no" http://localhost
|
||||
```
|
||||
|
||||
**Problem**: HTTPS certificate issues
|
||||
```bash
|
||||
# Check Caddy logs for ACME errors
|
||||
journalctl -u caddy | grep -i "acme\|certificate"
|
||||
|
||||
# Verify DNS challenge credentials
|
||||
# (Check Cloudflare API token in vault)
|
||||
```
|
||||
|
||||
## Security Features
|
||||
|
||||
### Environment Protection
|
||||
- **No .env files**: Secrets stored in systemd environment variables only
|
||||
- **Vault encryption**: All passwords encrypted with ansible-vault
|
||||
- **Memory isolation**: Secrets only exist in process memory
|
||||
|
||||
### SystemD Sandboxing
|
||||
- **Read-only filesystem**: Application cannot modify system files
|
||||
- **Isolated temporary**: Private /tmp directory
|
||||
- **Limited capabilities**: No privilege escalation possible
|
||||
- **Data directory only**: Write access restricted to /opt/sigvild-gallery/data/
|
||||
|
||||
### Web Security
|
||||
- **Automatic HTTPS**: Let's Encrypt certificates via DNS challenge
|
||||
- **Security headers**: XSS protection, frame options, content type sniffing prevention
|
||||
- **CORS restrictions**: API access limited to frontend domain
|
||||
- **Rate limiting**: API endpoint protection
|
||||
|
||||
## File Locations
|
||||
|
||||
### Application Files
|
||||
- **Binary**: `/opt/sigvild-gallery/sigvild-gallery-server`
|
||||
- **Database**: `/opt/sigvild-gallery/data/data.db`
|
||||
- **File uploads**: `/opt/sigvild-gallery/data/storage/`
|
||||
- **Frontend**: `/var/www/sigvild-gallery/`
|
||||
|
||||
### Configuration Files
|
||||
- **Service**: `/etc/systemd/system/sigvild-gallery.service`
|
||||
- **Caddy frontend**: `/etc/caddy/sites-enabled/sigvild-frontend.caddy`
|
||||
- **Caddy API**: `/etc/caddy/sites-enabled/sigvild-api.caddy`
|
||||
|
||||
### Log Files
|
||||
- **Service logs**: `journalctl -u sigvild-gallery`
|
||||
- **Caddy logs**: `journalctl -u caddy`
|
||||
- **Access logs**: `/var/log/caddy/sigvild-*.log`
|
||||
|
||||
## Next Steps After Deployment
|
||||
|
||||
1. **Verify services**: Check that both domains are accessible
|
||||
2. **Test authentication**: Login with host/guest credentials
|
||||
3. **Upload test photo**: Verify file upload functionality
|
||||
4. **Monitor logs**: Watch for any errors in service logs
|
||||
5. **Backup setup**: Configure regular database backups
|
||||
|
||||
## Development Workflow
|
||||
|
||||
For ongoing development:
|
||||
|
||||
```bash
|
||||
# 1. Make changes to sigvild-gallery project
|
||||
cd ../sigvild-gallery
|
||||
|
||||
# 2. Test locally
|
||||
go run . serve &
|
||||
cd sigvild-kit && npm run dev
|
||||
|
||||
# 3. Deploy updates
|
||||
cd ../rick-infra
|
||||
ansible-playbook site.yml --tags="sigvild"
|
||||
```
|
||||
|
||||
The deployment system builds locally and transfers assets, so you don't need build tools on the server.
|
||||
Reference in New Issue
Block a user