Files
RelayOps/docs/deployment.md
2026-06-07 02:32:28 +03:00

103 lines
3.3 KiB
Markdown

# Deployment
## What Changed
This repository now includes:
- a production-oriented Compose file: `docker-compose.prod.yml`;
- a production environment template: `.env.production.example`;
- an Nginx reverse proxy config: `deploy/nginx/server-panel.conf`;
- a production frontend image build: `frontend/Dockerfile.prod`;
- an Alembic migration setup under `backend/alembic/`.
## Production Layout
The first-stage production deployment uses:
- `reverse-proxy` for public HTTP entry;
- `frontend` for the built static React app;
- `backend` for the FastAPI API;
- `worker` for queued service actions;
- `bot` for Telegram integration;
- `postgres` for persistence;
- `redis` for the current runtime foundation.
Only the reverse proxy is exposed publicly in the production Compose file.
## Configuration
1. Copy `.env.production.example` to `.env.production`.
2. Replace all placeholder secrets:
- `JWT_SECRET`
- `JWT_REFRESH_SECRET`
- `POSTGRES_PASSWORD`
- `TELEGRAM_BOT_API_SECRET`
3. Set the public panel origin in `CORS_ALLOWED_ORIGINS`.
4. Keep `FRONTEND_PUBLIC_API_BASE_URL=/api/v1` unless you intentionally expose the API elsewhere.
5. If SSH-based metrics or service control are required, mount the SSH key file into the containers and keep `SSH_PRIVATE_KEY_PATH` aligned with that mount.
Recommended:
- store `.env.production` outside version control;
- use a strong unique password for PostgreSQL;
- keep `SSH_ALLOW_UNKNOWN_HOST_KEYS=false` unless you have a controlled reason to relax it.
## How To Run
Build and start the production stack:
```bash
docker compose \
--env-file .env.production \
-f docker-compose.prod.yml \
up --build -d
```
After the stack is up, apply the latest schema revision explicitly:
```bash
docker compose \
--env-file .env.production \
-f docker-compose.prod.yml \
exec backend alembic upgrade head
```
Create the first admin once after the stack is healthy:
```bash
curl -X POST http://YOUR_HOST/api/v1/auth/bootstrap \
-H "Content-Type: application/json" \
-d '{"username":"admin","password":"strong-pass-123"}'
```
## Reverse Proxy
The supplied Nginx config routes:
- `/` to the frontend container;
- `/api/` to the backend API;
- `/health` to the backend health endpoint.
File:
- `deploy/nginx/server-panel.conf`
The config is HTTP-only by default. For public internet exposure, terminate TLS in front of this proxy or extend this config with certificates that are managed outside the repository.
## How To Verify
After startup, verify:
1. `http://YOUR_HOST/health` returns a backend health payload.
2. `http://YOUR_HOST/` opens the frontend.
3. `http://YOUR_HOST/api/v1/auth/login` is reachable through the proxy.
4. `docker compose --env-file .env.production -f docker-compose.prod.yml ps` shows all expected containers running.
5. A test login and one safe read-only flow, such as server list or health, works end-to-end.
## Notes
- `docker-compose.prod.yml` is intentionally separate from the local development Compose file.
- The production frontend image serves static files through Nginx instead of the Vite dev server.
- The baseline Alembic revision is additive and can stamp existing pre-migration development databases without recreating them.
- This deployment shape is suitable for an internal or early-stage rollout, not a fully hardened internet-scale setup.