103 lines
3.3 KiB
Markdown
103 lines
3.3 KiB
Markdown
# Deployment
|
|
|
|
## What Changed
|
|
|
|
This repository now includes:
|
|
|
|
- a production-oriented Compose file: `docker-compose.prod.yml`;
|
|
- a production environment template: `.env.production.example`;
|
|
- an Nginx reverse proxy config: `deploy/nginx/server-panel.conf`;
|
|
- a production frontend image build: `frontend/Dockerfile.prod`;
|
|
- an Alembic migration setup under `backend/alembic/`.
|
|
|
|
## Production Layout
|
|
|
|
The first-stage production deployment uses:
|
|
|
|
- `reverse-proxy` for public HTTP entry;
|
|
- `frontend` for the built static React app;
|
|
- `backend` for the FastAPI API;
|
|
- `worker` for queued service actions;
|
|
- `bot` for Telegram integration;
|
|
- `postgres` for persistence;
|
|
- `redis` for the current runtime foundation.
|
|
|
|
Only the reverse proxy is exposed publicly in the production Compose file.
|
|
|
|
## Configuration
|
|
|
|
1. Copy `.env.production.example` to `.env.production`.
|
|
2. Replace all placeholder secrets:
|
|
- `JWT_SECRET`
|
|
- `JWT_REFRESH_SECRET`
|
|
- `POSTGRES_PASSWORD`
|
|
- `TELEGRAM_BOT_API_SECRET`
|
|
3. Set the public panel origin in `CORS_ALLOWED_ORIGINS`.
|
|
4. Keep `FRONTEND_PUBLIC_API_BASE_URL=/api/v1` unless you intentionally expose the API elsewhere.
|
|
5. If SSH-based metrics or service control are required, mount the SSH key file into the containers and keep `SSH_PRIVATE_KEY_PATH` aligned with that mount.
|
|
|
|
Recommended:
|
|
|
|
- store `.env.production` outside version control;
|
|
- use a strong unique password for PostgreSQL;
|
|
- keep `SSH_ALLOW_UNKNOWN_HOST_KEYS=false` unless you have a controlled reason to relax it.
|
|
|
|
## How To Run
|
|
|
|
Build and start the production stack:
|
|
|
|
```bash
|
|
docker compose \
|
|
--env-file .env.production \
|
|
-f docker-compose.prod.yml \
|
|
up --build -d
|
|
```
|
|
|
|
After the stack is up, apply the latest schema revision explicitly:
|
|
|
|
```bash
|
|
docker compose \
|
|
--env-file .env.production \
|
|
-f docker-compose.prod.yml \
|
|
exec backend alembic upgrade head
|
|
```
|
|
|
|
Create the first admin once after the stack is healthy:
|
|
|
|
```bash
|
|
curl -X POST http://YOUR_HOST/api/v1/auth/bootstrap \
|
|
-H "Content-Type: application/json" \
|
|
-d '{"username":"admin","password":"strong-pass-123"}'
|
|
```
|
|
|
|
## Reverse Proxy
|
|
|
|
The supplied Nginx config routes:
|
|
|
|
- `/` to the frontend container;
|
|
- `/api/` to the backend API;
|
|
- `/health` to the backend health endpoint.
|
|
|
|
File:
|
|
|
|
- `deploy/nginx/server-panel.conf`
|
|
|
|
The config is HTTP-only by default. For public internet exposure, terminate TLS in front of this proxy or extend this config with certificates that are managed outside the repository.
|
|
|
|
## How To Verify
|
|
|
|
After startup, verify:
|
|
|
|
1. `http://YOUR_HOST/health` returns a backend health payload.
|
|
2. `http://YOUR_HOST/` opens the frontend.
|
|
3. `http://YOUR_HOST/api/v1/auth/login` is reachable through the proxy.
|
|
4. `docker compose --env-file .env.production -f docker-compose.prod.yml ps` shows all expected containers running.
|
|
5. A test login and one safe read-only flow, such as server list or health, works end-to-end.
|
|
|
|
## Notes
|
|
|
|
- `docker-compose.prod.yml` is intentionally separate from the local development Compose file.
|
|
- The production frontend image serves static files through Nginx instead of the Vite dev server.
|
|
- The baseline Alembic revision is additive and can stamp existing pre-migration development databases without recreating them.
|
|
- This deployment shape is suitable for an internal or early-stage rollout, not a fully hardened internet-scale setup.
|