Add deploy/ — nginx vhost, systemd unit, runbook

Single-host deployment of the app at rfc.wiggleverse.org alongside the existing Gitea instance. nginx reverse-proxies /api/* and /auth/* to a single uvicorn process on 127.0.0.1:8000 and serves the Vite build output as static files; certbot adds the TLS cert in place; systemd supervises the process per §4.2's single-process-with-WAL-SQLite contract (one worker; raising --workers would break the invariant). deploy/DEPLOY.md is the step-by-step runbook covering host prep, Gitea bot + OAuth setup, .env shape, meta-repo seed, nginx + certbot, systemd, smoke test, and the update/rollback shape. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 05:18:28 -07:00
parent c82328e9ad
commit 33d9d7a482
4 changed files with 400 additions and 0 deletions
@@ -0,0 +1,68 @@
+# nginx vhost for the RFC app — single-process FastAPI behind nginx,
+# frontend served as static files from the Vite build output.
+#
+# Install:
+#   sudo cp deploy/nginx/rfc.wiggleverse.org.conf \
+#       /etc/nginx/sites-available/rfc.wiggleverse.org
+#   sudo ln -s /etc/nginx/sites-available/rfc.wiggleverse.org \
+#       /etc/nginx/sites-enabled/
+#   sudo nginx -t && sudo systemctl reload nginx
+#
+# Then add the Let's Encrypt cert:
+#   sudo certbot --nginx -d rfc.wiggleverse.org
+# Certbot will rewrite this file to add the 443 listener and certificate
+# directives; the rest of the config below stays as written.
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name rfc.wiggleverse.org;
+
+    # Static SPA assets live in the Vite build output. The systemd unit
+    # runs as user `rfc-app`; make sure nginx (usually `www-data`) can
+    # read this path. Either group-add www-data into rfc-app's group, or
+    # chmod o+r on the dist/ tree.
+    root /opt/rfc-app/frontend/dist;
+    index index.html;
+
+    # API routes are proxied to the FastAPI process. SSE chat streams
+    # need proxy_buffering off so chunks reach the browser immediately;
+    # the long read_timeout matches a slow LLM turn.
+    location /api/ {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_buffering off;
+        proxy_cache off;
+        proxy_read_timeout 1h;
+    }
+
+    location /auth/ {
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # SPA fallback — any non-asset path falls back to index.html so
+    # React Router can take over.
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    # Cache the hashed JS/CSS bundles aggressively; Vite includes a
+    # content-hash in the filename so updates bust the cache for free.
+    location ~* \.(js|css|woff2?|ttf|otf|eot|png|jpg|jpeg|gif|svg|ico)$ {
+        try_files $uri =404;
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+
+    # Reasonable upload cap. Adjust if RFC bodies grow large.
+    client_max_body_size 4M;
+}