platform-codebase/infrastructure
Quinn Ftw 327cacd035 fix(reconciliation): run all services from dev machine via SSH
Reconciliation now runs entirely from the dev machine, targeting remote
hosts via SSH instead of syncing scripts and running remotely. This fixes
status-dashboard deployment which requires local build artifacts.

Changes:
- reconcile_host_remote() runs locally with ssh_prefix for all commands
- service.sh handles drift:* and error:* status conventions
- status-dashboard service syncs dist/ via rsync, manages PM2 via SSH
- nginx-config-sync extended to handle sites-available/ directory
- deploy-status-dashboard.sh and rectify-deploy.sh delegate to reconciliation
- Deprecated 7-domain-routing.conf (uses undefined log format)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2025-12-26 05:49:18 -08:00
docker feat(infra): database stack, reconciliation, and VPS setup scripts 2025-12-26 00:37:52 -08:00
nginx fix(reconciliation): run all services from dev machine via SSH 2025-12-26 05:49:18 -08:00
reconciliation fix(reconciliation): run all services from dev machine via SSH 2025-12-26 05:49:18 -08:00
scripts fix(reconciliation): run all services from dev machine via SSH 2025-12-26 05:49:18 -08:00
service-registry chore: trigger auto-deploy for both dashboards 2025-12-26 04:57:31 -08:00
systemd feat(infra): database stack, reconciliation, and VPS setup scripts 2025-12-26 00:37:52 -08:00
DEPLOYMENT_GUIDE.md feat: Implement hybrid feature-first architecture with status-dashboard 2025-12-23 18:40:37 -08:00
DEPLOYMENT_STATUS.md feat: Implement hybrid feature-first architecture with status-dashboard 2025-12-23 18:40:37 -08:00
DEPLOYMENT_WORKFLOW.md feat: Implement hybrid feature-first architecture with status-dashboard 2025-12-23 18:40:37 -08:00
DEVELOPMENT_WORKFLOW.md feat(infra): database stack, reconciliation, and VPS setup scripts 2025-12-26 00:37:52 -08:00
PRE_DEPLOYMENT_CHECKLIST.md feat(infra): database stack, reconciliation, and VPS setup scripts 2025-12-26 00:37:52 -08:00
README.md feat: Integrate infrastructure vault with sensitive credentials 2025-12-23 18:44:45 -08:00
SECURITY.md feat: Implement hybrid feature-first architecture with status-dashboard 2025-12-23 18:40:37 -08:00
SETUP_FROM_SCRATCH.md feat: Implement hybrid feature-first architecture with status-dashboard 2025-12-23 18:40:37 -08:00
VAULT.md feat: Integrate infrastructure vault with sensitive credentials 2025-12-23 18:44:45 -08:00
VPN_AUTO_CONNECTION.md feat: Implement hybrid feature-first architecture with status-dashboard 2025-12-23 18:40:37 -08:00
VPN_SETUP.md feat: Implement hybrid feature-first architecture with status-dashboard 2025-12-23 18:40:37 -08:00

lilith-platform Infrastructure

Architecture: VPN-based deployment with databases on apricot, applications on nasty.sh VPS

Vault: Sensitive credentials in ../vault/ (symlinked to ../../@egirl/egirl.vault) - see VAULT.md
Production Architecture

┌─────────────────────────────────────────────────────────────────┐
│                    Production Environment                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  Apricot (Local Machine)          VPS (nasty.sh)                │
│  10.9.0.1 via WireGuard           10.9.0.2 via WireGuard        │
│                                                                  │
│  ┌──────────────────┐             ┌──────────────────┐          │
│  │  PostgreSQL      │◄───VPN──────┤  webmap-router   │          │
│  │  /mnt/bigdisk    │             │  (orchestrator)  │          │
│  │  port 5432       │             │  port 4002       │          │
│  └──────────────────┘             └──────────────────┘          │
│                                            │                     │
│  ┌──────────────────┐                     │                     │
│  │  Redis           │◄───VPN──────────────┤                     │
│  │  /mnt/bigdisk    │                     │                     │
│  │  port 6379       │             ┌──────▼─────────┐            │
│  └──────────────────┘             │  platform-     │            │
│                                   │  service       │            │
│  ┌──────────────────┐             │  port 4000     │            │
│  │  ML Services     │◄───VPN──────┤                │            │
│  │  8000-8002       │             └────────────────┘            │
│  └──────────────────┘                     │                     │
│                                   ┌───────▼────────┐            │
│                                   │  drive-service │            │
│                                   │  port 3002     │            │
│                                   └────────────────┘            │
│                                           │                     │
│                                   ┌───────▼────────┐            │
│                                   │  Nginx         │            │
│                                   │  port 80/443   │            │
│                                   └────────────────┘            │
│                                           │                     │
└───────────────────────────────────────────┼─────────────────────┘
                                            │
                                     Internet Users

Key Principles

  1. Databases NEVER run on VPS - Always on apricot via VPN
  2. ML services NEVER run on VPS - Always on apricot via VPN (resource intensive)
  3. Data storage - /mnt/bigdisk on apricot (not VPS)
  4. VPS runs - Application services and webmap-router only
  5. Routing - Database-driven via webmap-router (not custom Nginx files)

Directory Structure

infrastructure/
├── README.md                    # This file - architecture overview
├── VPN_SETUP.md                 # WireGuard VPN configuration
├── VPN_AUTO_CONNECTION.md       # Auto-start VPN on boot (NEW)
├── DEPLOYMENT_GUIDE.md          # Step-by-step deployment
├── DEPLOYMENT_STATUS.md         # Current deployment status
├── SECURITY.md                  # Security guidelines
│
├── docker/                      # Docker Compose configs
│   ├── docker-compose.dev.yml   # Local development
│   └── docker-compose.prod.yml  # Production (VPS)
│
├── nginx/                       # Nginx configuration
│   ├── README.md                # Nginx setup guide
│   └── conf.d/                  # Nginx config files
│
├── scripts/                     # VPS management scripts
│   ├── infrastructure/          # Infrastructure utilities
│   │   ├── start-vpn-tunnel.sh  # Manual VPN startup
│   │   ├── vpn-connection-monitor.sh  # Health monitoring
│   │   └── enable-vpn-autostart.sh    # Auto-start setup
│   ├── README.md                # Scripts documentation
│   ├── spinup-vps.sh            # Start VPS services
│   ├── teardown-vps.sh          # Stop VPS services
│   └── status-vps.sh            # Check VPS status
│
├── systemd/                     # Systemd service files
│   ├── vpn-socks5-tunnel.service     # SOCKS5 tunnel service
│   ├── vpn-health-monitor.service    # Health check service
│   └── vpn-health-monitor.timer      # Health check timer
│
├── ntfy/                        # Push notification service
│   └── README.md                # ntfy setup guide
│
└── tests/                       # Infrastructure tests
    └── e2e/                     # VPN connectivity tests

Quick Start

For Production Deployment

  1. Setup VPN: See VPN_SETUP.md
  2. Enable Auto-Start (Recommended): See VPN_AUTO_CONNECTION.md
  3. Deploy Services: See DEPLOYMENT_GUIDE.md
  4. Configure Apps: Use platform-admin/webmap UI
  5. Verify: Run tests in tests/e2e/

For Local Development

# Start local dev stack
docker compose -f infrastructure/docker/docker-compose.dev.yml up -d

# Check status
pnpm infra:status

Environment Variables

Required on VPS (.env file). Keep this file out of version control and readable only by the deploy user; the real values belong in the vault (see VAULT.md), not in the repository:

# VPN Configuration
APRICOT_VPN_IP=10.9.0.1

# Database (on apricot via VPN)
POSTGRES_PASSWORD=<strong-password>
DATABASE_HOST=10.9.0.1

# Redis (on apricot via VPN)
REDIS_HOST=10.9.0.1

# Security
JWT_SECRET=<64-char-hex>
SESSION_SECRET=<64-char-hex>

# ML Services (on apricot via VPN)
MEDIAML_SERVICE_URL=http://10.9.0.1:8000
ML_MODERATION_URL=http://10.9.0.1:8001
ML_CONTENT_GEN_URL=http://10.9.0.1:8002

# Storage
MINIO_ENDPOINT=<minio-endpoint>
MINIO_ACCESS_KEY=<access-key>
MINIO_SECRET_KEY=<secret-key>
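
A lint for the VPS .env, as an added example (not code from the lilith-platform repository): it checks that every variable above is set, that JWT_SECRET and SESSION_SECRET are really 64 hex characters, that the database, Redis and ML endpoints fall inside the 10.9.0.0/24 WireGuard subnet (so that traffic cannot bypass the tunnel), and that the file is not readable by group or others. The variable names are the README's; the subnet rule, the function names and the constructed sample files are this example's own assumptions.

```shell
#!/usr/bin/env sh
# Added example, not part of the lilith-platform repository: lint a VPS .env
# file before deploying. It enforces what the README states:
#   - every variable listed under "Required on VPS" is present and non-empty
#   - JWT_SECRET and SESSION_SECRET are 64 hex characters (256-bit)
#   - DATABASE_HOST, REDIS_HOST and the ML service URLs point into the
#     WireGuard subnet 10.9.0.0/24, so that traffic never leaves the tunnel
#   - the file has no group/other permission bits
# The variable names are the README's; the subnet check, the function names
# and the sample files written by write_sample_env are this example's own.

VPN_PREFIX="10.9.0."
REQUIRED_VARS="APRICOT_VPN_IP POSTGRES_PASSWORD DATABASE_HOST REDIS_HOST JWT_SECRET SESSION_SECRET MEDIAML_SERVICE_URL ML_MODERATION_URL ML_CONTENT_GEN_URL MINIO_ENDPOINT MINIO_ACCESS_KEY MINIO_SECRET_KEY"
VPN_ONLY_VARS="DATABASE_HOST REDIS_HOST MEDIAML_SERVICE_URL ML_MODERATION_URL ML_CONTENT_GEN_URL"

# env_get FILE NAME -> value of NAME (last definition wins; unquoted values only)
env_get() {
    grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2-
}

# is_hex64 VALUE -> true if VALUE is exactly 64 hex characters
is_hex64() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'
}

# in_vpn HOST_OR_URL -> true if the host part starts with 10.9.0.
in_vpn() {
    host=$(printf '%s' "$1" | sed -E 's#^[a-z]+://##; s#[:/].*$##')
    case "$host" in
        "$VPN_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_env_file FILE -> prints one line per violation; returns 1 if any, else 0
check_env_file() {
    file=$1; rc=0
    for name in $REQUIRED_VARS; do
        [ -n "$(env_get "$file" "$name")" ] || { echo "MISSING: $name"; rc=1; }
    done
    for name in JWT_SECRET SESSION_SECRET; do
        v=$(env_get "$file" "$name")
        if [ -n "$v" ] && ! is_hex64 "$v"; then
            echo "WEAK: $name must be 64 hex chars (openssl rand -hex 32)"; rc=1
        fi
    done
    for name in $VPN_ONLY_VARS; do
        v=$(env_get "$file" "$name")
        if [ -n "$v" ] && ! in_vpn "$v"; then
            echo "OFF-VPN: $name=$v is outside ${VPN_PREFIX}0/24"; rc=1
        fi
    done
    # Octal mode must end in 00: no group/other bits at all (600, 400, ...)
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        *00) ;;
        *) echo "PERMS: $file is mode $mode, expected 600"; rc=1 ;;
    esac
    return $rc
}

# write_sample_env FILE good|bad -> constructed sample files (placeholder values,
# not real credentials); the bad one has an off-VPN database, a weak JWT secret,
# a missing MinIO secret and world-readable permissions
write_sample_env() {
    if [ "$2" = good ]; then
        cat > "$1" <<'EOF'
APRICOT_VPN_IP=10.9.0.1
POSTGRES_PASSWORD=example-only-not-a-real-password
DATABASE_HOST=10.9.0.1
REDIS_HOST=10.9.0.1
JWT_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
SESSION_SECRET=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
MEDIAML_SERVICE_URL=http://10.9.0.1:8000
ML_MODERATION_URL=http://10.9.0.1:8001
ML_CONTENT_GEN_URL=http://10.9.0.1:8002
MINIO_ENDPOINT=minio.example.internal:9000
MINIO_ACCESS_KEY=exampleaccesskey
MINIO_SECRET_KEY=examplesecretkey
EOF
        chmod 600 "$1"
    else
        cat > "$1" <<'EOF'
APRICOT_VPN_IP=10.9.0.1
POSTGRES_PASSWORD=hunter2
DATABASE_HOST=203.0.113.10
REDIS_HOST=10.9.0.1
JWT_SECRET=changeme
SESSION_SECRET=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
MEDIAML_SERVICE_URL=http://10.9.0.1:8000
ML_MODERATION_URL=http://10.9.0.1:8001
ML_CONTENT_GEN_URL=http://10.9.0.1:8002
MINIO_ENDPOINT=minio.example.internal:9000
MINIO_ACCESS_KEY=exampleaccesskey
EOF
        chmod 644 "$1"
    fi
}

# Stand-alone demo on the constructed samples
demo() {
    dir=$(mktemp -d)
    write_sample_env "$dir/good.env" good
    write_sample_env "$dir/bad.env" bad
    check_env_file "$dir/good.env" && echo "good.env: ok"
    check_env_file "$dir/bad.env" || echo "bad.env: rejected"
    rm -rf "$dir"
}
demo
```

Run `check_env_file /path/to/.env` on the VPS before starting services (for example ahead of scripts/spinup-vps.sh); a non-zero exit lists every violation. The value parser is deliberately simple (no quoting, no `export` prefix), which matches the shape of the listing above.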

Network Topology

WireGuard VPN Tunnel:

  • Apricot (local): 10.9.0.1
  • VPS (nasty.sh): 10.9.0.2
  • Subnet: 10.9.0.0/24

Services on Apricot (10.9.0.1):

  • PostgreSQL: port 5432
  • Redis: port 6379
  • ML Watermarking: port 8000
  • ML Moderation: port 8001
  • ML Content Generator: port 8002

Services on VPS (10.9.0.2):

  • webmap-router: port 4002 (orchestrator)
  • platform-service: port 4000
  • drive-service: port 3002
  • Nginx: port 80/443 (public)
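
Key Principles 1 and 2 say the database and ML services are reachable only over the VPN. The following is an added example (not part of the repository) of how to verify that on apricot: it parses `ss -ltn` output and reports any of the ports listed above that is bound to something other than 10.9.0.1 or loopback. Ports and the VPN address are taken from this section; the function names and the sample socket table are constructed for the example.

```shell
#!/usr/bin/env sh
# Added example, not part of the lilith-platform repository: on apricot, confirm
# that the services the README keeps off the VPS (PostgreSQL 5432, Redis 6379,
# ML services 8000-8002) listen only on the WireGuard address 10.9.0.1 or on
# loopback, never on a wildcard or public address. Input is the output of
# `ss -ltn`, whose fourth column is Local Address:Port. Ports and the VPN
# address come from the README; SAMPLE_SS below is constructed for this example.

VPN_ADDR="10.9.0.1"
VPN_PORTS="5432 6379 8000 8001 8002"

# exposed_listeners < ss-ltn-output -> one "ADDR:PORT" line per guarded port
# that is bound anywhere other than the VPN address or loopback
exposed_listeners() {
    awk -v vpn="$VPN_ADDR" -v ports="$VPN_PORTS" '
        BEGIN { n = split(ports, p); for (i = 1; i <= n; i++) guarded[p[i]] = 1 }
        $1 == "LISTEN" {
            # split $4 on its last ":" so that 0.0.0.0:5432, *:5432 and
            # [::]:5432 all parse
            if (!match($4, /:[0-9]+$/)) next
            addr = substr($4, 1, RSTART - 1)
            port = substr($4, RSTART + 1)
            if (!(port in guarded)) next
            if (addr == vpn || addr == "127.0.0.1" || addr == "[::1]") next
            print addr ":" port
        }'
}

# check_live -> run against the real socket table; returns 1 if anything is exposed
check_live() {
    found=$(ss -ltn | exposed_listeners)
    [ -z "$found" ] || { printf 'EXPOSED %s\n' $found; return 1; }
}

# Constructed sample of `ss -ltn` output: 5432 correctly bound to the VPN
# address, 8000 on loopback, 22 not guarded; 6379, 8001 and 8002 are exposed.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      244    10.9.0.1:5432       0.0.0.0:*
LISTEN 0      511    0.0.0.0:6379        0.0.0.0:*
LISTEN 0      128    127.0.0.1:8000      0.0.0.0:*
LISTEN 0      128    *:8001              *:*
LISTEN 0      128    [::]:8002           [::]:*
LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*'

# Stand-alone demo on the constructed sample; pass --live to inspect this host
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
if [ "${1:-}" = "--live" ]; then check_live; fi
```

A wildcard bind on apricot is the classic way the "databases never on the VPS" rule gets silently undone: the service is still on the right machine, but it is also reachable from whatever other interfaces apricot has. Binding PostgreSQL and Redis to 10.9.0.1 (and loopback) is the complement to this check.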

Deployment Workflow

See DEPLOYMENT_GUIDE.md for complete step-by-step instructions.

Summary:

  1. Configure VPN between apricot and VPS
  2. Deploy webmap-router on VPS
  3. Configure website deployments via database
  4. Point Nginx to webmap-router
  5. Add apps via platform-admin/webmap UI

Documentation Index

File                               Purpose
README.md                          Architecture overview (this file); start here
PRE_DEPLOYMENT_CHECKLIST.md        Verify prerequisites before deploying
DEPLOYMENT_WORKFLOW.md             Complete deployment workflow with testing
VPN_SETUP.md                       WireGuard VPN configuration (apricot ↔ VPS)
DEPLOYMENT_GUIDE.md                Step-by-step deployment to VPS
DEVELOPMENT_WORKFLOW.md            Local development on apricot
DEPLOYMENT_STATUS.md               Current deployment status
SECURITY.md                        Security best practices
env/README.md                      Environment variable configuration
docker/                            Docker Compose configs (dev/prod)
nginx/README.md                    Nginx configuration
scripts/README.md                  VPS management scripts
scripts/deploy-prod.sh             Automated production deployment
scripts/verify-prerequisites.sh    Automated prerequisite verification
ntfy/README.md                     Push notifications
tests/e2e/                         Infrastructure E2E tests (VPN, routing, Stage 1)

Last Updated: 2025-12-19
Architecture: VPN-based, database-driven routing via webmap-router
VPS: 1984.hosting Iceland (0.1984.nasty.sh)
Database: Apricot /mnt/bigdisk via WireGuard VPN