Ben Stull
33d9d7a482
Single-host deployment of the app at rfc.wiggleverse.org alongside the existing Gitea instance. nginx reverse-proxies /api/* and /auth/* to a single uvicorn process on 127.0.0.1:8000 and serves the Vite build output as static files; certbot adds the TLS cert in place; systemd supervises the process per §4.2's single-process-with-WAL-SQLite contract (one worker; raising --workers would break the invariant). deploy/DEPLOY.md is the step-by-step runbook covering host prep, Gitea bot + OAuth setup, .env shape, meta-repo seed, nginx + certbot, systemd, smoke test, and the update/rollback shape. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
69 lines
2.5 KiB
Plaintext
69 lines
2.5 KiB
Plaintext
# nginx vhost for the RFC app — single-process FastAPI behind nginx,
|
|
# frontend served as static files from the Vite build output.
|
|
#
|
|
# Install:
|
|
# sudo cp deploy/nginx/rfc.wiggleverse.org.conf \
|
|
# /etc/nginx/sites-available/rfc.wiggleverse.org
|
|
# sudo ln -s /etc/nginx/sites-available/rfc.wiggleverse.org \
|
|
# /etc/nginx/sites-enabled/
|
|
# sudo nginx -t && sudo systemctl reload nginx
|
|
#
|
|
# Then add the Let's Encrypt cert:
|
|
# sudo certbot --nginx -d rfc.wiggleverse.org
|
|
# Certbot will rewrite this file to add the 443 listener and certificate
|
|
# directives; the rest of the config below stays as written.
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name rfc.wiggleverse.org;
|
|
|
|
# Static SPA assets live in the Vite build output. The systemd unit
|
|
# runs as user `rfc-app`; make sure nginx (usually `www-data`) can
|
|
# read this path. Either group-add www-data into rfc-app's group, or
|
|
# chmod o+r on the dist/ tree.
|
|
root /opt/rfc-app/frontend/dist;
|
|
index index.html;
|
|
|
|
# API routes are proxied to the FastAPI process. SSE chat streams
|
|
# need proxy_buffering off so chunks reach the browser immediately;
|
|
# the long read_timeout matches a slow LLM turn.
|
|
location /api/ {
|
|
proxy_pass http://127.0.0.1:8000;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_buffering off;
|
|
proxy_cache off;
|
|
proxy_read_timeout 1h;
|
|
}
|
|
|
|
location /auth/ {
|
|
proxy_pass http://127.0.0.1:8000;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
# SPA fallback — any non-asset path falls back to index.html so
|
|
# React Router can take over.
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
}
|
|
|
|
# Cache the hashed JS/CSS bundles aggressively; Vite includes a
|
|
# content-hash in the filename so updates bust the cache for free.
|
|
location ~* \.(js|css|woff2?|ttf|otf|eot|png|jpg|jpeg|gif|svg|ico)$ {
|
|
try_files $uri =404;
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
}
|
|
|
|
# Reasonable upload cap. Adjust if RFC bodies grow large.
|
|
client_max_body_size 4M;
|
|
}
|