# Sigvild Gallery Deployment Guide

## Quick Start

Deploy the complete Sigvild Wedding Gallery with PocketBase API and SvelteKit frontend.

## Prerequisites Setup

### 1. Vault Password Configuration

Create encrypted passwords for the gallery authentication:

```bash
# Create vault passwords (run from rick-infra directory)
ansible-vault encrypt_string 'your-host-password-here' --name 'vault_sigvild_host_password'
ansible-vault encrypt_string 'your-guest-password-here' --name 'vault_sigvild_guest_password'
```

Add the encrypted strings to `host_vars/arch-vps/main.yml`:

```yaml
# Add to host_vars/arch-vps/main.yml
vault_sigvild_host_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  66386439653765386...

vault_sigvild_guest_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  33663065383834313...
```
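
A check worth running before `host_vars/arch-vps/main.yml` is committed: the script below is an added example, not part of rick-infra, and fails if any top-level `vault_*` key in a host_vars file carries a plaintext value instead of an `!vault` block. The file path is whatever you pass in; hooking it into a pre-commit step is left to you.

```sh
#!/bin/sh
# Added example, not part of rick-infra: refuse to commit host_vars files that
# carry a vault_* variable as plaintext instead of an ansible-vault block.

# check_vault_vars FILE
# Returns 0 when every top-level vault_* key uses '!vault', 1 when at least one
# does not, 2 when the file is unreadable.
check_vault_vars() {
    file="$1"
    [ -r "$file" ] || { echo "check_vault_vars: cannot read $file" >&2; return 2; }

    # Top-level keys named vault_* whose value does not start with '!vault'.
    # grep -n prefixes each hit with its line number for the report.
    leaks=$(grep -nE '^vault_[A-Za-z0-9_]+:' "$file" \
        | grep -vE '^[0-9]+:vault_[A-Za-z0-9_]+:[[:space:]]*!vault([[:space:]]|$)' || true)

    if [ -n "$leaks" ]; then
        echo "plaintext vault_* variables in $file:" >&2
        echo "$leaks" >&2
        return 1
    fi
    return 0
}

# main FILE... : check every host_vars file given; non-zero if any one leaks.
main() {
    status=0
    for f in "$@"; do
        check_vault_vars "$f" || status=1
    done
    return $status
}

# Usage: ./check_vault_vars.sh host_vars/arch-vps/main.yml
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The check is deliberately narrow: it only looks at keys following the `vault_` naming convention used above, so keep that prefix for every secret you add.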

### 2. DNS Configuration

Ensure these domains point to your server:

- `sigvild.no` → Frontend static site
- `api.sigvild.no` → API backend proxy

### 3. Project Structure

Ensure the sigvild-gallery project is adjacent to rick-infra:

```
~/
├── rick-infra/          # This repository
└── sigvild-gallery/     # Sigvild gallery project
    ├── build_tmp/       # Production builds
    ├── sigvild-kit/     # Frontend source
    └── main.go          # Backend source
```

## Deployment Commands

### Full Infrastructure + Gallery

Deploy everything including Sigvild Gallery:

```bash
ansible-playbook site.yml
```

### Gallery Only

Deploy just the Sigvild Gallery service:

```bash
ansible-playbook playbooks/deploy-sigvild.yml
```

### Selective Updates

Update specific components:

```bash
# Frontend only (quick static file updates)
ansible-playbook site.yml --tags="frontend"

# Backend only (API service updates)
ansible-playbook site.yml --tags="backend"

# Caddy configuration only
ansible-playbook site.yml --tags="caddy"

# Just build process (development)
ansible-playbook site.yml --tags="build"
```

## Architecture Overview

```
Internet
    ↓
Caddy (Auto HTTPS)
├── sigvild.no     → /var/www/sigvild-gallery/ (Static Files)
└── api.sigvild.no → localhost:8090 (PocketBase API)
                          ↓
                  Go Binary (sigvild-gallery-server)
                          ↓
                  SQLite Database + File Storage
```

## Service Management

### Status Checks

```bash
# Gallery API service
systemctl status sigvild-gallery

# Caddy web server
systemctl status caddy

# View gallery logs
journalctl -u sigvild-gallery -f

# View Caddy logs
journalctl -u caddy -f
```

### Manual Operations

```bash
# Restart gallery service
systemctl restart sigvild-gallery

# Reload Caddy configuration
systemctl reload caddy

# Check API health
curl https://api.sigvild.no/api/health
```

## Troubleshooting

### Build Issues

**Problem**: Go build fails

```bash
# Ensure Go is installed locally
go version

# Check if you're in the right directory
ls sigvild-gallery/main.go
```

**Problem**: Frontend build fails

```bash
# Check Node.js and npm
node --version && npm --version

# Ensure dependencies are installed
cd sigvild-gallery/sigvild-kit
npm install
```

### Service Issues

**Problem**: Service won't start

```bash
# Check service status
systemctl status sigvild-gallery

# Check service logs
journalctl -u sigvild-gallery --no-pager

# Verify binary permissions
ls -la /opt/sigvild-gallery/sigvild-gallery-server
```

**Problem**: Database permissions

```bash
# Check data directory ownership
ls -la /opt/sigvild-gallery/data/

# Fix ownership if needed
sudo chown -R sigvild:sigvild /opt/sigvild-gallery/
```

### Network Issues

**Problem**: Domain not resolving

```bash
# Test DNS resolution
dig sigvild.no
dig api.sigvild.no

# Test local connectivity
curl -H "Host: sigvild.no" http://localhost
curl -H "Host: api.sigvild.no" http://localhost
```

**Problem**: HTTPS certificate issues

```bash
# Check Caddy logs for ACME errors
journalctl -u caddy | grep -i "acme\|certificate"

# Verify DNS challenge credentials
# (Check Cloudflare API token in vault)
```

## Security Features

### Environment Protection

- **No .env files**: Secrets stored in systemd environment variables only
- **Vault encryption**: All passwords encrypted with ansible-vault
- **Memory isolation**: Secrets only exist in process memory

### SystemD Sandboxing

- **Read-only filesystem**: Application cannot modify system files
- **Isolated temporary**: Private /tmp directory
- **Limited capabilities**: No privilege escalation possible
- **Data directory only**: Write access restricted to /opt/sigvild-gallery/data/
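
The bullets under Environment Protection and SystemD Sandboxing map onto a handful of `[Service]` directives. The unit below is an added illustration of that mapping, not rick-infra's own `sigvild-gallery.service` (this page does not show it); the `sigvild` user and group, the `serve --http`/`--dir` arguments and the `SIGVILD_*` variable names are assumptions.

```ini
# Added example, not rick-infra's sigvild-gallery.service: a hardened unit
# showing the sandboxing properties listed above. User/group, the serve
# arguments and the SIGVILD_* variable names are assumptions.
[Unit]
Description=Sigvild Gallery (PocketBase API)
After=network-online.target
Wants=network-online.target

[Service]
User=sigvild
Group=sigvild
WorkingDirectory=/opt/sigvild-gallery
ExecStart=/opt/sigvild-gallery/sigvild-gallery-server serve --http=127.0.0.1:8090 --dir=/opt/sigvild-gallery/data
Restart=on-failure

# Secrets injected by systemd, so no .env file sits in the app directory.
# Environment= values are readable by local users via `systemctl show`;
# see the note below for LoadCredential= as the stricter alternative.
Environment=SIGVILD_HOST_PASSWORD=replace-with-vault-value
Environment=SIGVILD_GUEST_PASSWORD=replace-with-vault-value

# Read-only filesystem: with ProtectSystem=strict the whole file system is
# mounted read-only (except /dev, /proc, /sys) apart from ReadWritePaths.
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/opt/sigvild-gallery/data

# Isolated temporary directory
PrivateTmp=yes

# Limited capabilities: no setuid/capability gain, empty bounding set
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=

# Further reduction of kernel surface available to the process
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
LockPersonality=yes
SystemCallFilter=@system-service
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

Two practical notes. First, systemd documents that `Environment=` is not suitable for secrets because unit environment is exposed to unprivileged local clients over D-Bus (`systemctl show -p Environment sigvild-gallery` will print it); `LoadCredential=name:/path` delivers the value as a root-owned file under `$CREDENTIALS_DIRECTORY` that only the service process can read. Second, after tightening a unit run `systemd-analyze security sigvild-gallery` and watch `journalctl -u sigvild-gallery`: an over-strict `SystemCallFilter` or `RestrictAddressFamilies` shows up as the service failing at start, which is the "Service won't start" case in Troubleshooting.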

### Web Security

- **Automatic HTTPS**: Let's Encrypt certificates via DNS challenge
- **Security headers**: XSS protection, frame options, content type sniffing prevention
- **CORS restrictions**: API access limited to frontend domain
- **Rate limiting**: API endpoint protection
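
As an added example (not the `sigvild-api.caddy` that rick-infra ships), this is what the DNS-challenge TLS, security headers and CORS restriction listed above look like in Caddyfile syntax. It assumes Caddy was built with the `caddy-dns/cloudflare` module and that `CLOUDFLARE_API_TOKEN` reaches Caddy through its service environment; the header values are a sensible baseline, not the project's own.

```caddyfile
# Added example, not rick-infra's own sigvild-api.caddy. Assumes the
# caddy-dns/cloudflare module is compiled in and CLOUDFLARE_API_TOKEN is set
# in Caddy's environment.
api.sigvild.no {
	# Let's Encrypt via DNS-01 challenge (token from the environment, not the file)
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	# Browser hardening headers on every API response
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		Referrer-Policy "strict-origin-when-cross-origin"
		# CORS: only the gallery frontend origin may call the API, never "*"
		Access-Control-Allow-Origin "https://sigvild.no"
		Access-Control-Allow-Methods "GET, POST, PATCH, DELETE, OPTIONS"
		Access-Control-Allow-Headers "Authorization, Content-Type"
		Vary "Origin"
		# Do not advertise the server software
		-Server
	}

	# Answer CORS preflight here instead of forwarding it to PocketBase
	@preflight method OPTIONS
	respond @preflight 204

	# Backend is bound to loopback only; Caddy is the sole public entry point
	reverse_proxy 127.0.0.1:8090

	log {
		output file /var/log/caddy/sigvild-api.log
	}
}
```

Rate limiting is not in a standard Caddy build; it needs a module such as `mholt/caddy-ratelimit`, so it is not shown here. After editing, `caddy validate --config /etc/caddy/Caddyfile` catches syntax errors before the `--tags="caddy"` deploy, and `curl -sI https://api.sigvild.no/api/health` shows whether the headers actually arrive.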

## File Locations

### Application Files

- **Binary**: `/opt/sigvild-gallery/sigvild-gallery-server`
- **Database**: `/opt/sigvild-gallery/data/data.db`
- **File uploads**: `/opt/sigvild-gallery/data/storage/`
- **Frontend**: `/var/www/sigvild-gallery/`

### Configuration Files

- **Service**: `/etc/systemd/system/sigvild-gallery.service`
- **Caddy frontend**: `/etc/caddy/sites-enabled/sigvild-frontend.caddy`
- **Caddy API**: `/etc/caddy/sites-enabled/sigvild-api.caddy`

### Log Files

- **Service logs**: `journalctl -u sigvild-gallery`
- **Caddy logs**: `journalctl -u caddy`
- **Access logs**: `/var/log/caddy/sigvild-*.log`

## Next Steps After Deployment

1. **Verify services**: Check that both domains are accessible
2. **Test authentication**: Log in with host/guest credentials
3. **Upload test photo**: Verify file upload functionality
4. **Monitor logs**: Watch for any errors in service logs
5. **Backup setup**: Configure regular database backups
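
For step 1, checking that the API is reachable is only half of it; the response should also carry the headers listed under Web Security. The script below is an added example, not part of rick-infra: it reads raw response headers (as printed by `curl -sI`) and fails if a required header is missing or the CORS origin is anything other than the frontend domain. The exact header set rick-infra configures is not shown on this page, so `REQUIRED_HEADERS` is an assumed baseline to adjust.

```sh
#!/bin/sh
# Added example, not part of rick-infra: post-deployment check that the API
# answers with the hardening headers described under "Web Security".

# Headers the API must send, one per line (assumed baseline, adjust to match
# what the Caddy config actually sets).
REQUIRED_HEADERS='strict-transport-security
x-content-type-options
x-frame-options
access-control-allow-origin'

# The only origin the CORS header may name; a "*" here would fail the check.
EXPECTED_ORIGIN='https://sigvild.no'

# check_security_headers < raw-headers
# Returns 0 when every required header is present and the CORS origin equals
# EXPECTED_ORIGIN; otherwise reports each problem on stderr and returns 1.
check_security_headers() {
    # Normalise CRLF line endings and header-name case before matching.
    headers=$(tr -d '\r' | tr 'A-Z' 'a-z')
    rc=0

    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$headers" | grep -q "^$h:"; then
            echo "missing header: $h" >&2
            rc=1
        fi
    done

    origin=$(printf '%s\n' "$headers" \
        | sed -n 's/^access-control-allow-origin:[[:space:]]*//p' | head -n 1)
    expected=$(printf '%s' "$EXPECTED_ORIGIN" | tr 'A-Z' 'a-z')
    if [ -n "$origin" ] && [ "$origin" != "$expected" ]; then
        echo "CORS origin is '$origin', expected '$EXPECTED_ORIGIN'" >&2
        rc=1
    fi

    return $rc
}

# Usage against the live deployment (needs network access):
#   curl -sI https://api.sigvild.no/api/health | check_security_headers
```

Run it right after `ansible-playbook site.yml --tags="caddy"` as well as after a full deploy; a Caddy change that silently drops the `header` block is otherwise easy to miss because the site still answers 200.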

## Development Workflow

For ongoing development:

```bash
# 1. Make changes to sigvild-gallery project
cd ../sigvild-gallery

# 2. Test locally
go run . serve &
cd sigvild-kit && npm run dev

# 3. Deploy updates (absolute path: the previous step left you in sigvild-kit)
cd ~/rick-infra
ansible-playbook site.yml --tags="sigvild"
```

The deployment system builds locally and transfers assets, so you don't need build tools on the server.