Add shared auth, deployment config, and dev tooling

2026-05-01 21:55:55 +02:00
parent c416dbc226
commit 2b440b02e6
7 changed files with 766 additions and 95 deletions
@@ -0,0 +1,277 @@
+# bincio_wiki — VPS configuration
+
+## Server layout
+
+```
+/opt/bincio/            bincio_activity code (existing)
+/opt/bincio_wiki/       bincio_wiki code (new)
+
+/var/bincio/data/       bincio_activity data + shared DB
+  instance.db           shared user/session/invite database
+  <handle>/             per-user activity data
+
+/var/bincio/wiki/       bincio_wiki content
+  pages/                wiki markdown pages
+  stories/              blog markdown stories
+
+/var/www/bincio/        bincio_activity static build (existing, bincio.org)
+/var/www/bincio/wiki/   bincio_wiki static build (wiki.bincio.org)
+```
+
+Ports:
+- `4041` — bincio_activity FastAPI (existing)
+- `4042` — bincio_wiki FastAPI (new)
+
+---
+
+## Deploy procedure
+
+Builds run **locally**. We push the results to the VPS.
+
+### bincio_wiki deploy script: `deploy/vps/deploy.sh`
+
+```bash
+#!/usr/bin/env bash
+set -e
+VPS=root@95.216.55.151
+REMOTE_CODE=/opt/bincio_wiki
+REMOTE_WEB=/var/www/bincio/wiki
+
+echo "Building Astro..."
+cd "$(dirname "$0")/../.."
+cd site && npm ci --silent && npm run build
+cd ..
+
+echo "Pushing code..."
+rsync -az --delete \
+  --exclude='.git' \
+  --exclude='site/node_modules' \
+  --exclude='site/.astro' \
+  --exclude='site/dist' \
+  --exclude='__pycache__' \
+  --exclude='*.pyc' \
+  . "$VPS:$REMOTE_CODE/"
+
+echo "Pushing static build..."
+rsync -az --delete site/dist/ "$VPS:$REMOTE_WEB/"
+
+echo "Restarting service..."
+ssh "$VPS" systemctl restart bincio-wiki
+
+echo "Done."
+```
+
+Run with: `bash deploy/vps/deploy.sh`
+
+---
+
+## Environment variables
+
+### bincio_wiki FastAPI (`edit/server.py`)
+
+| Variable | Production value | Local default |
+|---|---|---|
+| `SHARED_DB_PATH` | `/var/bincio/data/instance.db` | `../bincio_activity/data/instance.db` |
+| `WIKI_PAGES_DIR` | `/var/bincio/wiki/pages` | `site/src/content/entries` |
+| `WIKI_STORIES_DIR` | `/var/bincio/wiki/stories` | `site/src/content/blog` |
+| `SESSION_DOMAIN` | `.bincio.org` | *(unset — host-only cookie)* |
+
+### bincio_activity FastAPI (`bincio/serve/server.py`)
+
+| Variable | Production value | Local default |
+|---|---|---|
+| `SESSION_DOMAIN` | `.bincio.org` | *(unset — host-only cookie)* |
+
+### bincio_activity Astro build
+
+| Variable | Production value | Purpose |
+|---|---|---|
+| `PUBLIC_WIKI_URL` | `https://wiki.bincio.org` | Wiki nav link + login redirect for wiki-only users |
+| `PUBLIC_EDIT_ENABLED` | `true` | Enables edit UI in production |
+
+### bincio_activity → bincio_activity (moved to activity subdomain)
+
+| Variable | Production value |
+|---|---|
+| `PUBLIC_WIKI_URL` | `https://wiki.bincio.org` |
+| `SESSION_DOMAIN` | `.bincio.org` |
+
+---
+
+## systemd service
+
+`deploy/vps/bincio-wiki.service` — copy to `/etc/systemd/system/` on the VPS.
+
+```ini
+[Unit]
+Description=BincioWiki API
+After=network.target
+
+[Service]
+WorkingDirectory=/opt/bincio_wiki
+ExecStart=/root/.local/bin/uv run uvicorn edit.server:app \
+    --host 127.0.0.1 \
+    --port 4042
+Environment=SHARED_DB_PATH=/var/bincio/data/instance.db
+Environment=WIKI_PAGES_DIR=/var/bincio/wiki/pages
+Environment=WIKI_STORIES_DIR=/var/bincio/wiki/stories
+Environment=SESSION_DOMAIN=.bincio.org
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+```
+
+On the VPS:
+```bash
+cp /opt/bincio_wiki/deploy/vps/bincio-wiki.service /etc/systemd/system/
+systemctl daemon-reload
+systemctl enable bincio-wiki
+systemctl start bincio-wiki
+```
+
+---
+
+## nginx
+
+### wiki.bincio.org — `deploy/vps/nginx-wiki.conf`
+
+```nginx
+server {
+    server_name wiki.bincio.org;
+    root /var/www/bincio/wiki;
+    index index.html;
+
+    location /api/ {
+        proxy_pass http://127.0.0.1:4042;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+    }
+    location /pages/ {
+        proxy_pass http://127.0.0.1:4042;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+    }
+    location /stories/ {
+        proxy_pass http://127.0.0.1:4042;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+    }
+    location /rebuild/ {
+        proxy_pass http://127.0.0.1:4042;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+    }
+
+    location / {
+        try_files $uri $uri/ $uri.html =404;
+    }
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/wiki.bincio.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/wiki.bincio.org/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}
+
+server {
+    if ($host = wiki.bincio.org) {
+        return 301 https://$host$request_uri;
+    }
+    listen 80;
+    server_name wiki.bincio.org;
+    return 404;
+}
+```
+
+### activity.bincio.org (bincio_activity moves here)
+
+Add this block to the existing bincio_activity nginx config. The current
+`bincio.org` block keeps the `/api/` proxy but loses the activity-specific
+routes (see plan.md Phase 5).
+
+```nginx
+server {
+    server_name activity.bincio.org;
+    root /var/www/bincio;
+    index index.html;
+
+    client_max_body_size 2G;
+    client_body_timeout  300s;
+
+    location /api/ {
+        proxy_pass http://127.0.0.1:4041;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_read_timeout 120s;
+    }
+    location /data/ {
+        alias /var/bincio/data/;
+        add_header Cache-Control "no-cache, must-revalidate";
+    }
+    location /activity/ {
+        try_files $uri $uri/ /activity/index.html;
+    }
+    location /u/ {
+        try_files $uri $uri/ /index.html;
+    }
+    location / {
+        try_files $uri $uri/ $uri.html =404;
+    }
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/activity.bincio.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/activity.bincio.org/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+}
+```
+
+---
+
+## First-time VPS setup (wiki)
+
+```bash
+# 1. Create directories
+mkdir -p /var/bincio/wiki/pages /var/bincio/wiki/stories
+mkdir -p /var/www/bincio/wiki
+
+# 2. Push initial deploy
+bash deploy/vps/deploy.sh
+
+# 3. Install and start service
+cp /opt/bincio_wiki/deploy/vps/bincio-wiki.service /etc/systemd/system/
+systemctl daemon-reload && systemctl enable --now bincio-wiki
+
+# 4. SSL certificate for wiki subdomain
+certbot --nginx -d wiki.bincio.org
+
+# 5. Install nginx config
+cp /opt/bincio_wiki/deploy/vps/nginx-wiki.conf /etc/nginx/sites-available/bincio-wiki
+ln -s /etc/nginx/sites-available/bincio-wiki /etc/nginx/sites-enabled/
+nginx -t && systemctl reload nginx
+
+# 6. Run DB migration (after schema changes to bincio_activity)
+sqlite3 /var/bincio/data/instance.db < /opt/bincio_wiki/deploy/migrate.sql
+```
+
+---
+
+## DB migration script: `deploy/migrate.sql`
+
+```sql
+-- Add access flags to users
+ALTER TABLE users ADD COLUMN wiki_access     INTEGER NOT NULL DEFAULT 1;
+ALTER TABLE users ADD COLUMN activity_access INTEGER NOT NULL DEFAULT 0;
+
+-- All existing users (bincio_activity members) get both flags
+UPDATE users SET wiki_access = 1, activity_access = 1;
+
+-- Add activity flag to invites
+ALTER TABLE invites ADD COLUMN grants_activity INTEGER NOT NULL DEFAULT 0;
+
+-- Set caps
+INSERT OR REPLACE INTO settings VALUES ('max_wiki_users',     '100');
+INSERT OR REPLACE INTO settings VALUES ('max_activity_users', '30');
+```