feat(selfhost): one-command self-host package (epic 6d)

- docker-compose.selfhost.yml pulls the published image (forge.b1fr0st.eu/peter/siftlode) with a
  bundled Postgres — no source build on the operator's host.
- install.sh / install.ps1 generate the four required secrets (.env: POSTGRES_PASSWORD, SECRET_KEY,
  a valid Fernet TOKEN_ENCRYPTION_KEY, OAUTH_REDIRECT_URL), start the stack, and print the first-run
  setup-wizard URL. Everything else is configured in the web wizard.
- docs/self-hosting.md: the copy-paste playbook (get the files, run the installer, finish in the
  wizard, optional Google/SMTP, HTTPS/reverse-proxy, updates + backups).
- Verified end-to-end: a fresh install from the published image boots into setup mode and serves
  the wizard.
This commit is contained in:
npeter83 2026-06-21 01:42:18 +02:00
parent e4b997d754
commit 659e175755
4 changed files with 269 additions and 0 deletions

53
install.sh Executable file
View file

@ -0,0 +1,53 @@
#!/usr/bin/env bash
# Siftlode self-host installer (Linux/macOS). Generates secrets into .env, starts the stack from
# the prebuilt image, and prints the first-run setup-wizard URL. Re-running is safe: an existing
# .env is left untouched. Requires Docker (with the compose plugin) and openssl.
set -euo pipefail
COMPOSE="docker compose -f docker-compose.selfhost.yml"
PORT="${HTTP_PORT:-8080}"
if [ -f .env ]; then
echo ".env already exists — leaving it untouched (delete it to re-generate)."
else
printf "Public URL where this instance will be reached [http://localhost:%s]: " "$PORT"
read -r URL
URL="${URL:-http://localhost:$PORT}"
URL="${URL%/}"
# Secrets — openssl only, no Python needed. The Fernet key is urlsafe base64 of 32 bytes.
SECRET_KEY="$(openssl rand -hex 32)"
TOKEN_ENCRYPTION_KEY="$(openssl rand -base64 32 | tr '+/' '-_')"
POSTGRES_PASSWORD="$(openssl rand -hex 16)"
cat > .env <<EOF
# Generated by install.sh — keep secret (chmod 600), never commit. Re-run after deleting to reset.
POSTGRES_PASSWORD=$POSTGRES_PASSWORD
SECRET_KEY=$SECRET_KEY
TOKEN_ENCRYPTION_KEY=$TOKEN_ENCRYPTION_KEY
OAUTH_REDIRECT_URL=$URL/auth/callback
EOF
chmod 600 .env
echo "Wrote .env (secrets generated)."
fi
echo "Pulling and starting Siftlode…"
$COMPOSE pull
$COMPOSE up -d
echo "Waiting for the app to come up…"
for _ in $(seq 1 30); do
curl -fsS -o /dev/null "http://localhost:$PORT/healthz" 2>/dev/null && break
sleep 2
done
echo
echo "==================================================================="
echo " Siftlode is up. Open the first-run setup wizard at:"
URL_LINE="$($COMPOSE logs api 2>/dev/null | grep -o 'http[s]*://[^ ]*setup?token=[A-Za-z0-9_-]*' | tail -1)"
if [ -n "$URL_LINE" ]; then
echo " $URL_LINE"
else
echo " (not found yet — run: $COMPOSE logs api | grep 'setup?token=')"
fi
echo "==================================================================="