# Sigvild Gallery Ansible Role

Deploys the Sigvild Wedding Gallery application: a PocketBase API backend and a SvelteKit frontend.

## Architecture

- **Backend**: PocketBase-based Go application serving the API on localhost:8090
- **Frontend**: SvelteKit static site served by Caddy
- **Database**: SQLite via PocketBase (file-based storage)
- **Authentication**: Shared password system (host/guest users)
- **Domains**:
  - `sigvild.no` → Frontend static files
  - `api.sigvild.no` → Backend API proxy

## Prerequisites

- Caddy role deployed and configured
- Local sigvild-gallery project with built assets in `build_tmp/`
- Vault-encrypted passwords configured in inventory

## Variables

### Required Variables

```yaml
# Domains
sigvild_gallery_frontend_domain: "sigvild.no"
sigvild_gallery_api_domain: "api.sigvild.no"

# Vault-encrypted passwords
vault_sigvild_host_password: "your-encrypted-host-password"
vault_sigvild_guest_password: "your-encrypted-guest-password"
```

### Optional Variables

```yaml
# Service configuration
sigvild_gallery_user: "sigvild"
sigvild_gallery_port: 8090
sigvild_gallery_host: "127.0.0.1"

# Paths
sigvild_gallery_home: "/opt/sigvild-gallery"
sigvild_gallery_web_root: "/var/www/sigvild-gallery"
sigvild_gallery_local_project_path: "{{ ansible_env.PWD }}/sigvild-gallery"
```

## Usage

### Full Deployment

```bash
# Deploy complete infrastructure including Sigvild Gallery
ansible-playbook site.yml

# Deploy just Sigvild Gallery
ansible-playbook playbooks/deploy-sigvild.yml
```

### Selective Updates

```bash
# Update just the frontend
ansible-playbook site.yml --tags="frontend"

# Update just the backend API
ansible-playbook site.yml --tags="backend"

# Update Caddy configuration
ansible-playbook site.yml --tags="caddy"
```

## Security Features

### Environment Variables

- **No .env files**: Secrets are passed to the service through systemd `Environment=` directives, not read from a file in the application directory
- **Vault encrypted**: Passwords are stored in Ansible Vault and only decrypted on the controller at deploy time
- **Process environment**: The running service reads the values from its environment. The rendered unit file still contains them, so it must not be world-readable; be aware that `systemctl show -p Environment sigvild-gallery` also reveals them to any user who can query systemd
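As an added example (not the role's own task or unit file), this Ansible task renders a unit that combines the `Environment=` secrets described above with the sandboxing directives listed under SystemD Sandboxing. Assumptions: the Go binary accepts PocketBase's `serve --http` and `--dir` flags, it reads the passwords from `SIGVILD_HOST_PASSWORD` and `SIGVILD_GUEST_PASSWORD`, and a handler named `Restart sigvild-gallery` exists that runs `daemon_reload` and restarts the service.

```yaml
# Added example, not the role's own task. The secrets are rendered straight
# into the unit, so no .env file lands in the application directory.
# Assumed: the binary takes PocketBase's `serve --http`/`--dir` flags and reads
# SIGVILD_HOST_PASSWORD / SIGVILD_GUEST_PASSWORD (names chosen for this example).
- name: Render sigvild-gallery systemd unit
  ansible.builtin.copy:
    dest: /etc/systemd/system/sigvild-gallery.service
    owner: root
    group: root
    mode: "0600"          # the unit carries secrets: root-only on disk
    content: |
      [Unit]
      Description=Sigvild Gallery API (PocketBase)
      After=network-online.target
      Wants=network-online.target

      [Service]
      User={{ sigvild_gallery_user }}
      Group={{ sigvild_gallery_user }}
      WorkingDirectory={{ sigvild_gallery_home }}
      ExecStart={{ sigvild_gallery_home }}/sigvild-gallery-server serve \
        --http={{ sigvild_gallery_host }}:{{ sigvild_gallery_port }} \
        --dir={{ sigvild_gallery_home }}/data
      Restart=on-failure

      # Vault values are decrypted at render time. systemd expands % specifiers
      # in Environment= values, so a literal % in a password must become %%.
      Environment="SIGVILD_HOST_PASSWORD={{ vault_sigvild_host_password | replace('%', '%%') }}"
      Environment="SIGVILD_GUEST_PASSWORD={{ vault_sigvild_guest_password | replace('%', '%%') }}"

      # Sandboxing (the directives listed under "SystemD Sandboxing")
      NoNewPrivileges=yes
      PrivateTmp=yes
      ProtectSystem=strict
      ProtectHome=yes
      ReadWritePaths={{ sigvild_gallery_home }}/data

      [Install]
      WantedBy=multi-user.target
  no_log: true            # keep the rendered secrets out of the Ansible output
  notify: Restart sigvild-gallery
```

`no_log` matters here: without it, a changed `copy` task prints a diff of the unit, passwords included, in verbose runs. With `ProtectSystem=strict` the binary's own directory is read-only for the service, which is why only `data/` appears in `ReadWritePaths`.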
### SystemD Sandboxing

- `NoNewPrivileges=yes`: The service and its children cannot gain privileges through setuid/setgid binaries or file capabilities
- `PrivateTmp=yes`: Private `/tmp` and `/var/tmp` for the service
- `ProtectSystem=strict`: The whole filesystem is mounted read-only for the service, except the paths listed in `ReadWritePaths`
- `ProtectHome=yes`: `/home`, `/root` and `/run/user` are inaccessible to the service
- `ReadWritePaths`: Only the data directory is writable

### Caddy Security

- **Security headers**: XSS protection, frame options, content-type sniffing prevention
- **CORS configuration**: Restricted to the frontend domain
- **Rate limiting**: API endpoint protection (stock Caddy has no rate-limiting directive; this needs a Caddy build that includes a rate-limiting module)
- **HTTPS only**: Automatic TLS with Let's Encrypt

## Directory Structure

```
/opt/sigvild-gallery/                  # Application home
├── sigvild-gallery-server             # Go binary
└── data/                              # PocketBase data directory
    ├── data.db                        # SQLite database
    └── storage/                       # File uploads

/var/www/sigvild-gallery/              # Frontend web root
├── index.html                         # SvelteKit build
├── _app/                              # Application assets
└── assets/                            # Static assets

/etc/systemd/system/
└── sigvild-gallery.service            # SystemD service

/etc/caddy/sites-enabled/
├── sigvild-frontend.caddy             # Frontend configuration
└── sigvild-api.caddy                  # API proxy configuration
```

## Build Process

The role builds locally and then transfers the artifacts:

1. **Backend**: `GOOS=linux GOARCH=amd64 go build -o sigvild-gallery-server .`
2. **Frontend**: `npm run build` in the `sigvild-kit/` directory
3. **Transfer**: Copy the binary and sync the frontend build to the server
4. **Deploy**: Update the systemd service and Caddy configuration
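The Caddy configuration deployed in step 4, written out as an added example that is not the role's own templates: two site blocks matching the files under Caddy Security and Directory Structure, with the security headers, the CORS restriction to the frontend origin and the rate limit. Assumptions: the main Caddyfile has `import /etc/caddy/sites-enabled/*.caddy`, a handler named `Reload caddy` exists, and Caddy was built with the `rate_limit` module from `github.com/mholt/caddy-ratelimit` (stock Caddy has no rate limiting, so that block must be dropped when running the stock binary).

```yaml
# Added example, not the role's own templates. Assumed: the main Caddyfile
# imports /etc/caddy/sites-enabled/*.caddy, the "Reload caddy" handler exists,
# and Caddy includes the rate_limit module (github.com/mholt/caddy-ratelimit).
- name: Render Caddy site block for the frontend
  ansible.builtin.copy:
    dest: /etc/caddy/sites-enabled/sigvild-frontend.caddy
    owner: root
    group: caddy
    mode: "0640"
    content: |
      {{ sigvild_gallery_frontend_domain }} {
          # Named host: automatic TLS via Let's Encrypt, HTTP redirected to HTTPS
          root * {{ sigvild_gallery_web_root }}
          encode gzip
          header {
              X-Content-Type-Options "nosniff"
              X-Frame-Options "DENY"
              Referrer-Policy "strict-origin-when-cross-origin"
              Strict-Transport-Security "max-age=31536000; includeSubDomains"
              -Server
          }
          file_server
      }
  notify: Reload caddy

- name: Render Caddy site block for the API proxy
  ansible.builtin.copy:
    dest: /etc/caddy/sites-enabled/sigvild-api.caddy
    owner: root
    group: caddy
    mode: "0640"
    content: |
      {{ sigvild_gallery_api_domain }} {
          # CORS preflight is answered here and never forwarded to the backend
          @preflight method OPTIONS
          handle @preflight {
              header Access-Control-Allow-Origin  "https://{{ sigvild_gallery_frontend_domain }}"
              header Access-Control-Allow-Methods "GET, POST, PATCH, DELETE, OPTIONS"
              header Access-Control-Allow-Headers "Authorization, Content-Type"
              header Access-Control-Max-Age       "600"
              respond 204
          }

          # Per-client rate limit. If Caddy reports the directive is not ordered,
          # add `order rate_limit before basic_auth` to the global options block.
          rate_limit {
              zone api_per_client {
                  key    {remote_host}
                  events 60
                  window 1m
              }
          }

          handle {
              reverse_proxy {{ sigvild_gallery_host }}:{{ sigvild_gallery_port }} {
                  # Applied to the upstream response, so a permissive CORS header
                  # from the backend cannot pass through unchanged
                  header_down Access-Control-Allow-Origin "https://{{ sigvild_gallery_frontend_domain }}"
                  header_down Vary "Origin"
                  header_down X-Content-Type-Options "nosniff"
                  header_down X-Frame-Options "DENY"
                  header_down Referrer-Policy "strict-origin-when-cross-origin"
                  header_down Strict-Transport-Security "max-age=31536000; includeSubDomains"
                  header_down -Server
              }
          }
      }
  notify: Reload caddy
```

PocketBase's `serve` command defaults to `--origins=*`, which is why the example overwrites `Access-Control-Allow-Origin` on the way out rather than trusting the upstream value; the cleaner fix is to also start the backend with `--origins=https://sigvild.no` so the policy holds even when someone reaches port 8090 without going through Caddy.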
## Service Management

```bash
# Check service status
systemctl status sigvild-gallery

# View logs
journalctl -u sigvild-gallery -f

# Restart service
systemctl restart sigvild-gallery

# Reload Caddy configuration
systemctl reload caddy
```

## Troubleshooting

### Build Failures

- Ensure the Go toolchain is available locally
- Verify the `sigvild-kit/` directory exists and contains a `package.json`
- Check that Node.js and npm are installed for frontend builds

### Service Startup Issues

- Check the systemd logs: `journalctl -u sigvild-gallery`
- Verify binary permissions and ownership
- Ensure the data directory is writable by the service user; with `ProtectSystem=strict` it must also be listed in `ReadWritePaths`

### Domain Resolution

- Verify DNS records point to the server IP
- Check the Caddy logs: `journalctl -u caddy`
- Test the backend directly, bypassing Caddy: `curl http://127.0.0.1:8090/api/health` (PocketBase's built-in health route). The backend does not route on the `Host` header, so sending one to port 8090 says nothing about the proxy
- Test the proxy path without depending on DNS: `curl --resolve api.sigvild.no:443:127.0.0.1 https://api.sigvild.no/api/health`

## Dependencies

- **caddy**: Required for web server and reverse proxy
- **systemd**: Service management
- **Local build tools**: Go compiler, Node.js/npm

## Files Created

- `/etc/systemd/system/sigvild-gallery.service`
- `/etc/caddy/sites-enabled/sigvild-frontend.caddy`
- `/etc/caddy/sites-enabled/sigvild-api.caddy`
- `/opt/sigvild-gallery/` (application directory)
- `/var/www/sigvild-gallery/` (frontend files)

## Tags

- `sigvild`: Complete Sigvild Gallery deployment
- `backend`: API service deployment
- `frontend`: Static site deployment
- `build`: Local build processes
- `service`: SystemD service management
- `caddy`: Caddy configuration
- `verify`: Post-deployment verification
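As an added example, not the role's own `verify` tasks: a set of checks run on the target host that fails the play when the deployment does not match the security properties this README claims (backend bound to loopback only, hardening headers and restricted CORS on the proxied API, sandboxing directives active in the unit). Assumptions: `/api/health` is reachable (PocketBase's built-in health route), `ss` is installed, and the play runs with the role's variables in scope.

```yaml
# Added example, not the role's own verify tasks. Assumed: PocketBase's
# /api/health route is present and the `ss` utility is installed on the host.
- name: Backend answers on loopback without going through Caddy
  ansible.builtin.uri:
    url: "http://{{ sigvild_gallery_host }}:{{ sigvild_gallery_port }}/api/health"
    status_code: 200

- name: List TCP listeners on the backend port
  ansible.builtin.shell: "ss -Hltn 'sport = :{{ sigvild_gallery_port }}'"
  register: listeners
  changed_when: false

- name: Fail if the API is bound to anything but the configured loopback address
  ansible.builtin.assert:
    that:
      - listeners.stdout_lines | length > 0
      - "listeners.stdout_lines | reject('search', sigvild_gallery_host ~ ':' ~ sigvild_gallery_port) | list | length == 0"
    fail_msg: "sigvild-gallery listens on a non-loopback address: {{ listeners.stdout }}"

- name: Request the API through Caddy from a foreign origin
  ansible.builtin.uri:
    url: "https://{{ sigvild_gallery_api_domain }}/api/health"
    headers:
      Origin: "https://evil.example"   # constructed origin that must not be allowed
  register: api_via_caddy

# The uri module exposes response headers as lowercase keys with '-' -> '_'
- name: Check hardening headers and CORS restriction on the proxied response
  ansible.builtin.assert:
    that:
      - api_via_caddy.status == 200
      - api_via_caddy.x_content_type_options | default('') == 'nosniff'
      - api_via_caddy.x_frame_options | default('') != ''
      - api_via_caddy.access_control_allow_origin | default('') != '*'
      - api_via_caddy.access_control_allow_origin | default('') != 'https://evil.example'
    fail_msg: "Caddy security headers missing or CORS not restricted to the frontend origin"

- name: Read the effective sandboxing properties from systemd
  ansible.builtin.command: >
    systemctl show sigvild-gallery
    -p NoNewPrivileges -p PrivateTmp -p ProtectSystem -p ProtectHome
  register: unit_props
  changed_when: false

- name: Check that the sandboxing directives are active
  ansible.builtin.assert:
    that:
      - "'NoNewPrivileges=yes' in unit_props.stdout"
      - "'PrivateTmp=yes' in unit_props.stdout"
      - "'ProtectSystem=strict' in unit_props.stdout"
      - "'ProtectHome=yes' in unit_props.stdout"
    fail_msg: "sigvild-gallery unit is missing a sandboxing directive: {{ unit_props.stdout }}"
```

Querying `systemctl show` rather than grepping the unit file checks what systemd actually loaded, so a unit edited on disk but never reloaded with `daemon-reload` is caught. The CORS check deliberately asserts on the `*` case: that is the value PocketBase sends by default, and it is what a proxy that merely forwards upstream headers would leak.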