Rename all user-facing references (UI wordmark Sift+lode, titles, app name, legal pages, onboarding wizard, emails, README/docs) and infra paths (/srv/subfeed -> /srv/siftlode, image tag, deploy script, backup filenames). Internal identifiers kept on purpose: Postgres user/db "subfeed", logger namespace, localStorage keys, and the subfeed_pgdata volume (renaming would orphan the migrated production data). |
||
|---|---|---|
| .. | ||
| deploy.sh | ||
| README.md | ||
Deploying Siftlode to the public VPS (asgard)
The public test instance runs on the asgard VPS at https://siftlode.b1fr0st.eu, behind
Caddy (which terminates TLS and reverse-proxies to the app on 127.0.0.1:8080).
Layout on asgard
/srv/siftlode/
src/ git clone of this repo (build context + compose file)
.env secrets, mode 0600 — NEVER committed
The hardened compose is docker-compose.prod.yml: Postgres is
never published, the app binds to localhost only, and every service is memory/CPU-capped for
the small VPS.
First-time setup
-
DNS
A/AAAAforsiftlode→ asgard (done via the porkbun CLI). -
Caddy vhost block
siftlode.b1fr0st.eu { reverse_proxy 127.0.0.1:8080 }(+ the shared security-headers snippet), then reload Caddy. -
git clonethis repo to/srv/siftlode/src. -
Create
/srv/siftlode/.env(mode 0600) with the required keys — see.env.example. Generate the secrets:SECRET_KEY:python -c "import secrets; print(secrets.token_urlsafe(48))"TOKEN_ENCRYPTION_KEY:python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"POSTGRES_PASSWORD: any long random string.OAUTH_REDIRECT_URL=https://siftlode.b1fr0st.eu/auth/callbackGOOGLE_CLIENT_ID/GOOGLE_CLIENT_SECRET/YOUTUBE_API_KEYfrom Google Cloud Console.ALLOWED_EMAILS/ADMIN_EMAILS= the invited Google accounts.
The app refuses to start in production (an
httpsredirect URL) ifSECRET_KEYis the placeholder/too short orTOKEN_ENCRYPTION_KEYis missing — by design.
Rolling out a new version
/srv/siftlode/src/deploy/deploy.sh
It pulls main, rebuilds the image on the host, and restarts the stack (migrations run
automatically via the entrypoint's alembic upgrade head).
CI
.forgejo/workflows/ci.yml type-checks/builds the frontend and byte-compiles the backend on
every push to main. It does not auto-deploy; rollout is the script above. (A future
improvement: a Forgejo-triggered or watchtower-based auto-rollout.)