# Sigvild Gallery Deployment Guide

## Quick Start

Deploy the complete Sigvild Wedding Gallery with PocketBase API and SvelteKit frontend.
## Prerequisites Setup

### 1. Vault Password Configuration

Create encrypted passwords for the gallery authentication:

```bash
# Create vault passwords (run from rick-infra directory)
ansible-vault encrypt_string 'your-host-password-here' --name 'vault_sigvild_host_password'
ansible-vault encrypt_string 'your-guest-password-here' --name 'vault_sigvild_guest_password'
```

Add the encrypted strings to `host_vars/arch-vps/main.yml`:

```yaml
# Add to host_vars/arch-vps/main.yml
vault_sigvild_host_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  66386439653765386...
vault_sigvild_guest_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  33663065383834313...
```
### 2. DNS Configuration

Ensure these domains point to your server:

- `sigvild.no` → Frontend static site
- `api.sigvild.no` → API backend proxy
### 3. Project Structure

Ensure the `sigvild-gallery` project is adjacent to `rick-infra`:

```text
~/
├── rick-infra/          # This repository
└── sigvild-gallery/     # Sigvild gallery project
    ├── build_tmp/       # Production builds
    ├── sigvild-kit/     # Frontend source
    └── main.go          # Backend source
```
## Deployment Commands

### Full Infrastructure + Gallery

Deploy everything including Sigvild Gallery:

```bash
ansible-playbook site.yml
```

### Gallery Only

Deploy just the Sigvild Gallery service:

```bash
ansible-playbook playbooks/deploy-sigvild.yml
```

### Selective Updates

Update specific components:

```bash
# Frontend only (quick static file updates)
ansible-playbook site.yml --tags="frontend"

# Backend only (API service updates)
ansible-playbook site.yml --tags="backend"

# Caddy configuration only
ansible-playbook site.yml --tags="caddy"

# Just build process (development)
ansible-playbook site.yml --tags="build"
```
## Architecture Overview

```text
Internet
   ↓
Caddy (Auto HTTPS)
├── sigvild.no     → /var/www/sigvild-gallery/ (Static Files)
└── api.sigvild.no → localhost:8090 (PocketBase API)
   ↓
Go Binary (sigvild-gallery-server)
   ↓
SQLite Database + File Storage
```
## Service Management

### Status Checks

```bash
# Gallery API service
systemctl status sigvild-gallery

# Caddy web server
systemctl status caddy

# View gallery logs
journalctl -u sigvild-gallery -f

# View Caddy logs
journalctl -u caddy -f
```

### Manual Operations

```bash
# Restart gallery service
systemctl restart sigvild-gallery

# Reload Caddy configuration
systemctl reload caddy

# Check API health
curl https://api.sigvild.no/api/health
```
## Troubleshooting

### Build Issues

**Problem:** Go build fails

```bash
# Ensure Go is installed locally
go version

# Check if you're in the right directory
ls sigvild-gallery/main.go
```

**Problem:** Frontend build fails

```bash
# Check Node.js and npm
node --version && npm --version

# Ensure dependencies are installed
cd sigvild-gallery/sigvild-kit
npm install
```

### Service Issues

**Problem:** Service won't start

```bash
# Check service status
systemctl status sigvild-gallery

# Check service logs
journalctl -u sigvild-gallery --no-pager

# Verify binary permissions
ls -la /opt/sigvild-gallery/sigvild-gallery-server
```

**Problem:** Database permissions

```bash
# Check data directory ownership
ls -la /opt/sigvild-gallery/data/

# Fix ownership if needed
sudo chown -R sigvild:sigvild /opt/sigvild-gallery/
```

### Network Issues

**Problem:** Domain not resolving

```bash
# Test DNS resolution
dig sigvild.no
dig api.sigvild.no

# Test local connectivity
curl -H "Host: sigvild.no" http://localhost
curl -H "Host: api.sigvild.no" http://localhost
```

**Problem:** HTTPS certificate issues

```bash
# Check Caddy logs for ACME errors
journalctl -u caddy | grep -i "acme\|certificate"

# Verify DNS challenge credentials
# (Check Cloudflare API token in vault)
```
## Security Features

### Environment Protection

- **No .env files**: Secrets stored in systemd environment variables only
- **Vault encryption**: All passwords encrypted with ansible-vault
- **Memory isolation**: Secrets only exist in process memory

### SystemD Sandboxing

- **Read-only filesystem**: Application cannot modify system files
- **Isolated temporary**: Private `/tmp` directory
- **Limited capabilities**: No privilege escalation possible
- **Data directory only**: Write access restricted to `/opt/sigvild-gallery/data/`
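The two lists above describe properties of the unit file, and those are easy to regress when the service template is edited. The script below is an added example, not code from rick-infra or the gallery project: it audits a unit file for the directives that implement those bullets and for the "no .env files" rule. The unit content it generates is constructed for the demo, and the directive set (`ProtectSystem=strict`, `PrivateTmp=yes`, `NoNewPrivileges=yes`, `ReadWritePaths=`), the `User=sigvild` expectation, the `ExecStart` flags and the environment variable names are all assumptions about how the real `sigvild-gallery.service` is written.

```shell
#!/bin/sh
# Added example (not part of rick-infra): audit a systemd unit file for the
# sandboxing and secret-handling properties the deployment guide lists.
# The unit text below is CONSTRUCTED for illustration; the real unit lives at
# /etc/systemd/system/sigvild-gallery.service on the server.

# make_unit PATH: write a constructed, hardened unit (assumed directive set)
make_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=Sigvild Gallery (PocketBase API)
After=network.target

[Service]
User=sigvild
Group=sigvild
WorkingDirectory=/opt/sigvild-gallery
# assumed flags; the guide only shows `go run . serve` for local testing
ExecStart=/opt/sigvild-gallery/sigvild-gallery-server serve --http=127.0.0.1:8090
# Secrets arrive via Environment= (rendered from the vault), never a .env file.
# Variable names and values are placeholders, not the project's real ones.
Environment=SIGVILD_HOST_PASSWORD=placeholder-host-password
Environment=SIGVILD_GUEST_PASSWORD=placeholder-guest-password
# Sandboxing that implements the guide's "SystemD Sandboxing" bullets
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
CapabilityBoundingSet=
ReadWritePaths=/opt/sigvild-gallery/data/

[Install]
WantedBy=multi-user.target
EOF
}

# make_weak_unit PATH: the same unit with two hardening lines dropped and a
# .env file wired in, i.e. the kind of regression the audit should catch
make_weak_unit() {
    make_unit "$1.tmp"
    grep -v -e '^ProtectSystem=' -e '^User=' "$1.tmp" > "$1"
    echo 'EnvironmentFile=/opt/sigvild-gallery/.env' >> "$1"
    rm -f "$1.tmp"
}

# audit_unit FILE: print one line per check; exit status = number of findings
audit_unit() {
    unit="$1"
    fails=0
    for want in \
        "ProtectSystem=strict" \
        "PrivateTmp=yes" \
        "NoNewPrivileges=yes" \
        "ReadWritePaths=/opt/sigvild-gallery/data/" \
        "User=sigvild"; do
        if grep -qxF "$want" "$unit"; then
            echo "ok      $want"
        else
            echo "MISSING $want"
            fails=$((fails + 1))
        fi
    done
    # secrets must not be loaded from a .env file on disk
    if grep -q '^EnvironmentFile=.*\.env' "$unit"; then
        echo "FAIL    EnvironmentFile= points at a .env file"
        fails=$((fails + 1))
    else
        echo "ok      no .env EnvironmentFile"
    fi
    return "$fails"
}

# Demo on the two constructed units
demo_dir=$(mktemp -d)
make_unit "$demo_dir/hardened.service"
make_weak_unit "$demo_dir/weak.service"
for f in hardened weak; do
    echo "== $f.service =="
    audit_unit "$demo_dir/$f.service" && echo "result: PASS" || echo "result: FAIL"
done
rm -rf "$demo_dir"
```

On the server the same function can be pointed at the installed unit (`audit_unit /etc/systemd/system/sigvild-gallery.service`); `systemd-analyze security sigvild-gallery.service` gives a broader, directive-by-directive exposure score that complements this narrow check.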
### Web Security

- **Automatic HTTPS**: Let's Encrypt certificates via DNS challenge
- **Security headers**: XSS protection, frame options, content type sniffing prevention
- **CORS restrictions**: API access limited to frontend domain
- **Rate limiting**: API endpoint protection
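The header and CORS bullets above can be verified from outside the server with `curl -sI`. The function below is an added example, not part of rick-infra or the Caddy configuration it describes: it reads a raw HTTP response header block on stdin and counts the listed protections that are missing, treating `Access-Control-Allow-Origin: *` on the API host as a failure. The two sample responses are constructed, not captured from the real deployment, and the exact header values (`DENY`/`SAMEORIGIN`, a `Content-Security-Policy` or legacy `X-XSS-Protection` as the "XSS protection" control, `https://sigvild.no` as the only allowed origin) are assumptions about what the Caddy site files set.

```shell
#!/bin/sh
# Added example (not part of rick-infra): check response headers for the
# protections the guide lists. Reads raw headers on stdin (e.g. `curl -sI` output)
# and returns the number of findings, so 0 means every check passed.

# has_header REGEX: true if some header line matches (case-insensitive, ERE)
has_header() {
    printf '%s\n' "$hdrs" | grep -Eqi "$1"
}

# check_headers [ALLOWED_ORIGIN]: headers on stdin; pass an origin for the API host
check_headers() {
    allowed="${1:-}"
    hdrs=$(cat)
    fails=0

    # content type sniffing prevention
    if has_header '^x-content-type-options: *nosniff'; then
        echo "ok      X-Content-Type-Options: nosniff"
    else
        echo "MISSING X-Content-Type-Options: nosniff"; fails=$((fails + 1))
    fi

    # frame options (clickjacking)
    if has_header '^x-frame-options: *(deny|sameorigin)'; then
        echo "ok      X-Frame-Options"
    else
        echo "MISSING X-Frame-Options: DENY or SAMEORIGIN"; fails=$((fails + 1))
    fi

    # XSS protection: a CSP is the current control, X-XSS-Protection the legacy one
    if has_header '^content-security-policy:' || has_header '^x-xss-protection: *1'; then
        echo "ok      XSS protection header"
    else
        echo "MISSING Content-Security-Policy (or legacy X-XSS-Protection)"; fails=$((fails + 1))
    fi

    # CORS: only checked when an expected origin is given (the API host);
    # the value must equal the frontend origin and never be a wildcard
    if [ -n "$allowed" ]; then
        acao=$(printf '%s\n' "$hdrs" | grep -i '^access-control-allow-origin:' | head -n1 \
               | cut -d: -f2- | tr -d ' \r')
        if [ "$acao" = "$allowed" ]; then
            echo "ok      Access-Control-Allow-Origin: $acao"
        else
            echo "FAIL    Access-Control-Allow-Origin is '${acao:-<absent>}', expected '$allowed'"
            fails=$((fails + 1))
        fi
    fi
    return "$fails"
}

# CONSTRUCTED sample responses (not captured from api.sigvild.no)
GOOD_API=$(cat <<'EOF'
HTTP/2 200
content-type: application/json
x-content-type-options: nosniff
x-frame-options: DENY
content-security-policy: default-src 'none'
access-control-allow-origin: https://sigvild.no
EOF
)
BAD_API=$(cat <<'EOF'
HTTP/2 200
content-type: application/json
x-frame-options: SAMEORIGIN
access-control-allow-origin: *
EOF
)

echo "== constructed hardened API response =="
printf '%s\n' "$GOOD_API" | check_headers https://sigvild.no || echo "findings: $?"
echo "== constructed weak API response =="
printf '%s\n' "$BAD_API" | check_headers https://sigvild.no || echo "findings: $?"
```

Against the live deployment the call is `curl -sI -H 'Origin: https://sigvild.no' https://api.sigvild.no/api/health | check_headers https://sigvild.no` for the API and `curl -sI https://sigvild.no | check_headers` for the static site, where no CORS header is expected.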
## File Locations

### Application Files

- **Binary**: `/opt/sigvild-gallery/sigvild-gallery-server`
- **Database**: `/opt/sigvild-gallery/data/data.db`
- **File uploads**: `/opt/sigvild-gallery/data/storage/`
- **Frontend**: `/var/www/sigvild-gallery/`

### Configuration Files

- **Service**: `/etc/systemd/system/sigvild-gallery.service`
- **Caddy frontend**: `/etc/caddy/sites-enabled/sigvild-frontend.caddy`
- **Caddy API**: `/etc/caddy/sites-enabled/sigvild-api.caddy`

### Log Files

- **Service logs**: `journalctl -u sigvild-gallery`
- **Caddy logs**: `journalctl -u caddy`
- **Access logs**: `/var/log/caddy/sigvild-*.log`
## Next Steps After Deployment

- **Verify services**: Check that both domains are accessible
- **Test authentication**: Login with host/guest credentials
- **Upload test photo**: Verify file upload functionality
- **Monitor logs**: Watch for any errors in service logs
- **Backup setup**: Configure regular database backups
## Development Workflow

For ongoing development:

```bash
# 1. Make changes to sigvild-gallery project
cd ../sigvild-gallery

# 2. Test locally
go run . serve &
cd sigvild-kit && npm run dev

# 3. Deploy updates
cd ../rick-infra
ansible-playbook site.yml --tags="sigvild"
```

The deployment system builds locally and transfers assets, so you don't need build tools on the server.