Add a VERSION file (0.1.0) and inject APP_VERSION/GIT_SHA/BUILD_DATE as Docker build-args (both stages; Vite inlines them into the SPA). New public GET /api/version returns app_version, git_sha, build_date and the Alembic head as the database revision. deploy.sh and the localdev build pass the args. |
||
|---|---|---|
| .. | ||
| deploy.sh | ||
| README.md | ||
Deploying Siftlode to the public VPS
The public test instance runs on a VPS at https://siftlode.b1fr0st.eu, behind
Caddy (which terminates TLS and reverse-proxies to the app on 127.0.0.1:8080).
Layout on the host
/srv/siftlode/
src/ git clone of this repo (build context + compose file)
.env secrets, mode 0600 — NEVER committed
The hardened compose is docker-compose.prod.yml: Postgres is
never published, the app binds to localhost only, and every service is memory/CPU-capped for
the small VPS.
First-time setup
-
DNS
A/AAAAforsiftlode→ the VPS (via your DNS provider). -
Caddy vhost block
siftlode.b1fr0st.eu { reverse_proxy 127.0.0.1:8080 }(+ the shared security-headers snippet), then reload Caddy. -
git clonethis repo to/srv/siftlode/src. -
Create
/srv/siftlode/.env(mode 0600) with the required keys — see.env.example. Generate the secrets:SECRET_KEY:python -c "import secrets; print(secrets.token_urlsafe(48))"TOKEN_ENCRYPTION_KEY:python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"POSTGRES_PASSWORD: any long random string.OAUTH_REDIRECT_URL=https://siftlode.b1fr0st.eu/auth/callbackGOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET/YOUTUBE_API_KEYfrom Google Cloud Console.ALLOWED_EMAILS/ADMIN_EMAILS= the invited Google accounts.
The app refuses to start in production (an
httpsredirect URL) ifSECRET_KEYis the placeholder/too short orTOKEN_ENCRYPTION_KEYis missing — by design.
Rolling out a new version
/srv/siftlode/src/deploy/deploy.sh
It pulls main, rebuilds the image on the host, and restarts the stack (migrations run
automatically via the entrypoint's alembic upgrade head).
CI
.forgejo/workflows/ci.yml type-checks/builds the frontend and byte-compiles the backend on
every push to main. It does not auto-deploy; rollout is the script above. (A future
improvement: a Forgejo-triggered or watchtower-based auto-rollout.)