Files
RelayOps/docs/deployment.md
2026-06-07 02:32:28 +03:00

3.3 KiB

Deployment

What Changed

This repository now includes:

  • a production-oriented Compose file: docker-compose.prod.yml;
  • a production environment template: .env.production.example;
  • an Nginx reverse proxy config: deploy/nginx/server-panel.conf;
  • a production frontend image build: frontend/Dockerfile.prod;
  • an Alembic migration setup under backend/alembic/.

Production Layout

The first-stage production deployment uses:

  • reverse-proxy for public HTTP entry;
  • frontend for the built static React app;
  • backend for the FastAPI API;
  • worker for queued service actions;
  • bot for Telegram integration;
  • postgres for persistence;
  • redis for the current runtime foundation.

Only the reverse proxy is exposed publicly in the production Compose file.

Configuration

  1. Copy .env.production.example to .env.production.
  2. Replace all placeholder secrets:
    • JWT_SECRET
    • JWT_REFRESH_SECRET
    • POSTGRES_PASSWORD
    • TELEGRAM_BOT_API_SECRET
  3. Set the public panel origin in CORS_ALLOWED_ORIGINS.
  4. Keep FRONTEND_PUBLIC_API_BASE_URL=/api/v1 unless you intentionally expose the API elsewhere.
  5. If SSH-based metrics or service control are required, mount the SSH key file into the containers and keep SSH_PRIVATE_KEY_PATH aligned with that mount.

Recommended:

  • store .env.production outside version control;
  • use a strong unique password for PostgreSQL;
  • keep SSH_ALLOW_UNKNOWN_HOST_KEYS=false unless you have a controlled reason to relax it.

How To Run

Build and start the production stack:

docker compose \
  --env-file .env.production \
  -f docker-compose.prod.yml \
  up --build -d

After the stack is up, apply the latest schema revision explicitly:

docker compose \
  --env-file .env.production \
  -f docker-compose.prod.yml \
  exec backend alembic upgrade head

Create the first admin once after the stack is healthy:

curl -X POST http://YOUR_HOST/api/v1/auth/bootstrap \
  -H "Content-Type: application/json" \
  -d '{"username":"admin","password":"strong-pass-123"}'

Reverse Proxy

The supplied Nginx config routes:

  • / to the frontend container;
  • /api/ to the backend API;
  • /health to the backend health endpoint.

File:

  • deploy/nginx/server-panel.conf

The config is HTTP-only by default. For public internet exposure, terminate TLS in front of this proxy or extend this config with certificates that are managed outside the repository.

How To Verify

After startup, verify:

  1. http://YOUR_HOST/health returns a backend health payload.
  2. http://YOUR_HOST/ opens the frontend.
  3. http://YOUR_HOST/api/v1/auth/login is reachable through the proxy.
  4. docker compose --env-file .env.production -f docker-compose.prod.yml ps shows all expected containers running.
  5. A test login and one safe read-only flow, such as server list or health, works end-to-end.

Notes

  • docker-compose.prod.yml is intentionally separate from the local development Compose file.
  • The production frontend image serves static files through Nginx instead of the Vite dev server.
  • The baseline Alembic revision is additive and can stamp existing pre-migration development databases without recreating them.
  • This deployment shape is suitable for an internal or early-stage rollout, not a fully hardened internet-scale setup.