rick-infra/roles/sigvild-gallery

Sigvild Gallery Ansible Role

Deploys the Sigvild Wedding Gallery application with PocketBase API backend and SvelteKit frontend.

Architecture

• Backend: PocketBase-based Go application serving API on localhost:8090
• Frontend: SvelteKit static site served by Caddy
• Database: SQLite via PocketBase (file-based storage)
• Authentication: Shared password system (host/guest users)
• Domains:
  • sigvild.no → Frontend static files
  • api.sigvild.no → Backend API proxy

Prerequisites

• Caddy role deployed and configured
• Local sigvild-gallery project with built assets in build_tmp/
• Vault-encrypted passwords configured in inventory

Variables

Required Variables

# Domains
sigvild_gallery_frontend_domain: "sigvild.no"
sigvild_gallery_api_domain: "api.sigvild.no"

# Vault-encrypted passwords
vault_sigvild_host_password: "your-encrypted-host-password"
vault_sigvild_guest_password: "your-encrypted-guest-password"

Optional Variables

# Service configuration
sigvild_gallery_user: "sigvild"
sigvild_gallery_port: 8090
sigvild_gallery_host: "127.0.0.1"

# Paths
sigvild_gallery_home: "/opt/sigvild-gallery"
sigvild_gallery_web_root: "/var/www/sigvild-gallery"
sigvild_gallery_local_project_path: "{{ ansible_env.PWD }}/sigvild-gallery"

Usage

Full Deployment

# Deploy complete infrastructure including Sigvild Gallery
ansible-playbook site.yml

# Deploy just Sigvild Gallery
ansible-playbook playbooks/deploy-sigvild.yml

Selective Updates

# Update just the frontend
ansible-playbook site.yml --tags="frontend"

# Update just the backend API
ansible-playbook site.yml --tags="backend"

# Update Caddy configuration
ansible-playbook site.yml --tags="caddy"

Security Features

Environment Variables

• No .env files: Secrets managed via systemd Environment directives
• Vault encrypted: Passwords stored in Ansible vault
• Memory-only: Environment variables only exist in process memory

SystemD Sandboxing

• NoNewPrivileges=yes: Prevents privilege escalation
• PrivateTmp=yes: Isolated temporary directory
• ProtectSystem=strict: Read-only filesystem protection
• ProtectHome=yes: Home directory protection
• ReadWritePaths: Only data directory is writable

Caddy Security

• Security headers: XSS protection, frame options, content type sniffing prevention
• CORS configuration: Restricted to frontend domain
• Rate limiting: API endpoint protection
• HTTPS only: Automatic TLS with Let's Encrypt

Directory Structure

/opt/sigvild-gallery/           # Application home
├── sigvild-gallery-server      # Go binary
└── data/                       # PocketBase data directory
    ├── data.db                 # SQLite database
    └── storage/                # File uploads

/var/www/sigvild-gallery/       # Frontend web root
├── index.html                  # SvelteKit build
├── _app/                       # Application assets
└── assets/                     # Static assets

/etc/systemd/system/
└── sigvild-gallery.service     # SystemD service

/etc/caddy/sites-enabled/
├── sigvild-frontend.caddy      # Frontend configuration
└── sigvild-api.caddy           # API proxy configuration

Build Process

The role performs local builds then transfers assets:

1. Backend: GOOS=linux GOARCH=amd64 go build -o sigvild-gallery-server .
2. Frontend: npm run build in sigvild-kit/ directory
3. Transfer: Copy binary and sync frontend build to server
4. Deploy: Update systemd service and Caddy configuration

Service Management

# Check service status
systemctl status sigvild-gallery

# View logs
journalctl -u sigvild-gallery -f

# Restart service
systemctl restart sigvild-gallery

# Reload Caddy configuration
systemctl reload caddy

Troubleshooting

Build Failures

• Ensure Go toolchain is available locally
• Verify sigvild-kit/ directory exists with package.json
• Check Node.js and npm are installed for frontend builds

Service Startup Issues

• Check systemd logs: journalctl -u sigvild-gallery
• Verify binary permissions and ownership
• Ensure data directory is writable by service user

Domain Resolution

• Verify DNS records point to server IP
• Check Caddy logs: journalctl -u caddy
• Test local connectivity: curl -H "Host: api.sigvild.no" http://localhost:8090

Dependencies

• caddy: Required for web server and reverse proxy
• systemd: Service management
• Local build tools: Go compiler, Node.js/npm

Files Created

• /etc/systemd/system/sigvild-gallery.service
• /etc/caddy/sites-enabled/sigvild-frontend.caddy
• /etc/caddy/sites-enabled/sigvild-api.caddy
• /opt/sigvild-gallery/ (application directory)
• /var/www/sigvild-gallery/ (frontend files)

Tags

• sigvild: Complete Sigvild Gallery deployment
• backend: API service deployment
• frontend: Static site deployment
• build: Local build processes
• service: SystemD service management
• caddy: Caddy configuration
• verify: Post-deployment verification