siftlode/deploy
npeter83 898a6ae338 chore: rebrand Subfeed -> Siftlode
Rename all user-facing references (UI wordmark Sift+lode, titles, app name,
legal pages, onboarding wizard, emails, README/docs) and infra paths
(/srv/subfeed -> /srv/siftlode, image tag, deploy script, backup filenames).

Internal identifiers kept on purpose: Postgres user/db "subfeed", logger
namespace, localStorage keys, and the subfeed_pgdata volume (renaming would
orphan the migrated production data).
2026-06-14 04:40:22 +02:00
..
deploy.sh chore: rebrand Subfeed -> Siftlode 2026-06-14 04:40:22 +02:00
README.md chore: rebrand Subfeed -> Siftlode 2026-06-14 04:40:22 +02:00

Deploying Siftlode to the public VPS (asgard)

The public test instance runs on the asgard VPS at https://siftlode.b1fr0st.eu, behind Caddy (which terminates TLS and reverse-proxies to the app on 127.0.0.1:8080).

Layout on asgard

/srv/siftlode/
  src/                 git clone of this repo (build context + compose file)
  .env                 secrets, mode 0600 — NEVER committed

The hardened compose is docker-compose.prod.yml: Postgres is never published, the app binds to localhost only, and every service is memory/CPU-capped for the small VPS.

First-time setup

  1. DNS A/AAAA for siftlode → asgard (done via the porkbun CLI).

  2. Caddy vhost block siftlode.b1fr0st.eu { reverse_proxy 127.0.0.1:8080 } (+ the shared security-headers snippet), then reload Caddy.

  3. git clone this repo to /srv/siftlode/src.

  4. Create /srv/siftlode/.env (mode 0600) with the required keys — see .env.example. Generate the secrets:

    • SECRET_KEY: python -c "import secrets; print(secrets.token_urlsafe(48))"
    • TOKEN_ENCRYPTION_KEY: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
    • POSTGRES_PASSWORD: any long random string.
    • OAUTH_REDIRECT_URL=https://siftlode.b1fr0st.eu/auth/callback
    • GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET / YOUTUBE_API_KEY from Google Cloud Console.
    • ALLOWED_EMAILS / ADMIN_EMAILS = the invited Google accounts.

    The app refuses to start in production (an https redirect URL) if SECRET_KEY is the placeholder/too short or TOKEN_ENCRYPTION_KEY is missing — by design.

Rolling out a new version

/srv/siftlode/src/deploy/deploy.sh

It pulls main, rebuilds the image on the host, and restarts the stack (migrations run automatically via the entrypoint's alembic upgrade head).

CI

.forgejo/workflows/ci.yml type-checks/builds the frontend and byte-compiles the backend on every push to main. It does not auto-deploy; rollout is the script above. (A future improvement: a Forgejo-triggered or watchtower-based auto-rollout.)