# Deployment ## What Changed This repository now includes: - a production-oriented Compose file: `docker-compose.prod.yml`; - a production environment template: `.env.production.example`; - an Nginx reverse proxy config: `deploy/nginx/server-panel.conf`; - a production frontend image build: `frontend/Dockerfile.prod`; - an Alembic migration setup under `backend/alembic/`. ## Production Layout The first-stage production deployment uses: - `reverse-proxy` for public HTTP entry; - `frontend` for the built static React app; - `backend` for the FastAPI API; - `worker` for queued service actions; - `bot` for Telegram integration; - `postgres` for persistence; - `redis` for the current runtime foundation. Only the reverse proxy is exposed publicly in the production Compose file. ## Configuration 1. Copy `.env.production.example` to `.env.production`. 2. Replace all placeholder secrets: - `JWT_SECRET` - `JWT_REFRESH_SECRET` - `POSTGRES_PASSWORD` - `TELEGRAM_BOT_API_SECRET` 3. Set the public panel origin in `CORS_ALLOWED_ORIGINS`. 4. Keep `FRONTEND_PUBLIC_API_BASE_URL=/api/v1` unless you intentionally expose the API elsewhere. 5. If SSH-based metrics or service control are required, mount the SSH key file into the containers and keep `SSH_PRIVATE_KEY_PATH` aligned with that mount. Recommended: - store `.env.production` outside version control; - use a strong unique password for PostgreSQL; - keep `SSH_ALLOW_UNKNOWN_HOST_KEYS=false` unless you have a controlled reason to relax it. ## How To Run Build and start the production stack: ```bash docker compose \ --env-file .env.production \ -f docker-compose.prod.yml \ up --build -d ``` After the stack is up, apply the latest schema revision explicitly: ```bash docker compose \ --env-file .env.production \ -f docker-compose.prod.yml \ exec backend alembic upgrade head ``` Create the first admin once after the stack is healthy: ```bash curl -X POST http://YOUR_HOST/api/v1/auth/bootstrap \ -H "Content-Type: application/json" \ -d '{"username":"admin","password":"strong-pass-123"}' ``` ## Reverse Proxy The supplied Nginx config routes: - `/` to the frontend container; - `/api/` to the backend API; - `/health` to the backend health endpoint. File: - `deploy/nginx/server-panel.conf` The config is HTTP-only by default. For public internet exposure, terminate TLS in front of this proxy or extend this config with certificates that are managed outside the repository. ## How To Verify After startup, verify: 1. `http://YOUR_HOST/health` returns a backend health payload. 2. `http://YOUR_HOST/` opens the frontend. 3. `http://YOUR_HOST/api/v1/auth/login` is reachable through the proxy. 4. `docker compose --env-file .env.production -f docker-compose.prod.yml ps` shows all expected containers running. 5. A test login and one safe read-only flow, such as server list or health, works end-to-end. ## Notes - `docker-compose.prod.yml` is intentionally separate from the local development Compose file. - The production frontend image serves static files through Nginx instead of the Vite dev server. - The baseline Alembic revision is additive and can stamp existing pre-migration development databases without recreating them. - This deployment shape is suitable for an internal or early-stage rollout, not a fully hardened internet-scale setup.