bincio-wiki/deployment/vps.md

# bincio_wiki — VPS configuration

## Server layout

```
/opt/bincio/            bincio_activity code (existing)
/opt/bincio_wiki/       bincio_wiki code (new)

/var/bincio/data/       bincio_activity data + shared DB
  instance.db           shared user/session/invite database
  <handle>/             per-user activity data

/var/bincio/wiki/       bincio_wiki content
  pages/                wiki markdown pages
  stories/              blog markdown stories

/var/www/bincio/        bincio_activity static build (existing, bincio.org)
/var/www/bincio/wiki/   bincio_wiki static build (wiki.bincio.org)
```

Ports:
- `4041` — bincio_activity FastAPI (existing)
- `4042` — bincio_wiki FastAPI (new)

---

## Deploy procedure

Builds run **locally**. We push the results to the VPS.

### bincio_wiki deploy script: `deploy/vps/deploy.sh`

```bash
#!/usr/bin/env bash
set -e
VPS=root@95.216.55.151
REMOTE_CODE=/opt/bincio_wiki
REMOTE_WEB=/var/www/bincio/wiki

echo "Building Astro..."
cd "$(dirname "$0")/../.."
cd site && npm ci --silent && npm run build
cd ..

echo "Pushing code..."
rsync -az --delete \
  --exclude='.git' \
  --exclude='site/node_modules' \
  --exclude='site/.astro' \
  --exclude='site/dist' \
  --exclude='__pycache__' \
  --exclude='*.pyc' \
  . "$VPS:$REMOTE_CODE/"

echo "Pushing static build..."
rsync -az --delete site/dist/ "$VPS:$REMOTE_WEB/"

echo "Restarting service..."
ssh "$VPS" systemctl restart bincio-wiki

echo "Done."
```

Run with: `bash deploy/vps/deploy.sh`

---

## Environment variables

### bincio_wiki FastAPI (`edit/server.py`)

| Variable | Production value | Local default |
|---|---|---|
| `SHARED_DB_PATH` | `/var/bincio/data/instance.db` | `../bincio_activity/data/instance.db` |
| `WIKI_PAGES_DIR` | `/var/bincio/wiki/pages` | `site/src/content/entries` |
| `WIKI_STORIES_DIR` | `/var/bincio/wiki/stories` | `site/src/content/blog` |
| `SESSION_DOMAIN` | `.bincio.org` | *(unset — host-only cookie)* |

### bincio_activity FastAPI (`bincio/serve/server.py`)

| Variable | Production value | Local default |
|---|---|---|
| `SESSION_DOMAIN` | `.bincio.org` | *(unset — host-only cookie)* |

### bincio_activity Astro build

| Variable | Production value | Purpose |
|---|---|---|
| `PUBLIC_WIKI_URL` | `https://wiki.bincio.org` | Wiki nav link + login redirect for wiki-only users |
| `PUBLIC_EDIT_ENABLED` | `true` | Enables edit UI in production |

### bincio_activity → bincio_activity (moved to activity subdomain)

| Variable | Production value |
|---|---|
| `PUBLIC_WIKI_URL` | `https://wiki.bincio.org` |
| `SESSION_DOMAIN` | `.bincio.org` |

---

## systemd service

`deploy/vps/bincio-wiki.service` — copy to `/etc/systemd/system/` on the VPS.

```ini
[Unit]
Description=BincioWiki API
After=network.target

[Service]
WorkingDirectory=/opt/bincio_wiki
ExecStart=/root/.local/bin/uv run uvicorn edit.server:app \
    --host 127.0.0.1 \
    --port 4042
Environment=SHARED_DB_PATH=/var/bincio/data/instance.db
Environment=WIKI_PAGES_DIR=/var/bincio/wiki/pages
Environment=WIKI_STORIES_DIR=/var/bincio/wiki/stories
Environment=SESSION_DOMAIN=.bincio.org
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
```

On the VPS:
```bash
cp /opt/bincio_wiki/deploy/vps/bincio-wiki.service /etc/systemd/system/
systemctl daemon-reload
systemctl enable bincio-wiki
systemctl start bincio-wiki
```

---

## nginx

### wiki.bincio.org — `deploy/vps/nginx-wiki.conf`

```nginx
server {
    server_name wiki.bincio.org;
    root /var/www/bincio/wiki;
    index index.html;

    location /api/ {
        proxy_pass http://127.0.0.1:4042;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location /pages/ {
        proxy_pass http://127.0.0.1:4042;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location /stories/ {
        proxy_pass http://127.0.0.1:4042;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
    location /rebuild/ {
        proxy_pass http://127.0.0.1:4042;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location / {
        try_files $uri $uri/ $uri.html =404;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/wiki.bincio.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wiki.bincio.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

server {
    if ($host = wiki.bincio.org) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name wiki.bincio.org;
    return 404;
}
```

### activity.bincio.org (bincio_activity moves here)

Add this block to the existing bincio_activity nginx config. The current
`bincio.org` block keeps the `/api/` proxy but loses the activity-specific
routes (see plan.md Phase 5).

```nginx
server {
    server_name activity.bincio.org;
    root /var/www/bincio;
    index index.html;

    client_max_body_size 2G;
    client_body_timeout  300s;

    location /api/ {
        proxy_pass http://127.0.0.1:4041;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_read_timeout 120s;
    }
    location /data/ {
        alias /var/bincio/data/;
        add_header Cache-Control "no-cache, must-revalidate";
    }
    location /activity/ {
        try_files $uri $uri/ /activity/index.html;
    }
    location /u/ {
        try_files $uri $uri/ /index.html;
    }
    location / {
        try_files $uri $uri/ $uri.html =404;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/activity.bincio.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/activity.bincio.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
```

---

## First-time VPS setup (wiki)

```bash
# 1. Create directories
mkdir -p /var/bincio/wiki/pages /var/bincio/wiki/stories
mkdir -p /var/www/bincio/wiki

# 2. Push initial deploy
bash deploy/vps/deploy.sh

# 3. Install and start service
cp /opt/bincio_wiki/deploy/vps/bincio-wiki.service /etc/systemd/system/
systemctl daemon-reload && systemctl enable --now bincio-wiki

# 4. SSL certificate for wiki subdomain
certbot --nginx -d wiki.bincio.org

# 5. Install nginx config
cp /opt/bincio_wiki/deploy/vps/nginx-wiki.conf /etc/nginx/sites-available/bincio-wiki
ln -s /etc/nginx/sites-available/bincio-wiki /etc/nginx/sites-enabled/
nginx -t && systemctl reload nginx

# 6. Run DB migration (after schema changes to bincio_activity)
sqlite3 /var/bincio/data/instance.db < /opt/bincio_wiki/deploy/migrate.sql
```

---

## DB migration script: `deploy/migrate.sql`

```sql
-- Add access flags to users
ALTER TABLE users ADD COLUMN wiki_access     INTEGER NOT NULL DEFAULT 1;
ALTER TABLE users ADD COLUMN activity_access INTEGER NOT NULL DEFAULT 0;

-- All existing users (bincio_activity members) get both flags
UPDATE users SET wiki_access = 1, activity_access = 1;

-- Add activity flag to invites
ALTER TABLE invites ADD COLUMN grants_activity INTEGER NOT NULL DEFAULT 0;

-- Set caps
INSERT OR REPLACE INTO settings VALUES ('max_wiki_users',     '100');
INSERT OR REPLACE INTO settings VALUES ('max_activity_users', '30');
```