Merge pull request 'fix: cd to site dir before docker compose commands' (#18 ) from fix/deploy-workdir into main

fix: cd to site dir before docker compose commands
docker compose stats the cwd when parsing compose files; if cwd is not accessible to the deploy user the command fails. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-03-01 09:40:43 +00:00 · 2026-03-01 09:38:54 +00:00 · 2026-02-28 22:16:30 +00:00 · 2026-02-28 22:15:02 +00:00 · 2026-02-28 22:08:29 +00:00 · 2026-02-28 21:55:58 +00:00
10 changed files with 176 additions and 6 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -2,6 +2,9 @@ name: CI

 on:
  pull_request:
+  push:
+    branches:
+      - main
  schedule:
    - cron: "0 2 * * *"

@@ -188,3 +191,15 @@ jobs:
      - name: Remove CI image
        if: always()
        run: docker image rm -f "$CI_IMAGE" || true
+
+  deploy:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Deploy to lintel-prod-01
+        uses: appleboy/ssh-action@v1
+        with:
+          host: ${{ secrets.PROD_SSH_HOST }}
+          username: deploy
+          key: ${{ secrets.PROD_SSH_KEY }}
+          script: bash /srv/sum/nohype/app/deploy/deploy.sh
--- a/config/settings/development.py
+++ b/config/settings/development.py
@@ -4,10 +4,10 @@ DEBUG = True

 INTERNAL_IPS = ["127.0.0.1"]

-# In dev, drop WhiteNoise from middleware and use plain static file storage.
-# WhiteNoise serves from STATIC_ROOT which is empty without collectstatic,
-# so it intercepts every /static/ request and returns nothing.
-# Django's runserver handles static files natively when DEBUG=True.
+# Drop WhiteNoise in dev — it serves from STATIC_ROOT which is empty without
+# collectstatic, so it 404s every asset. Django's runserver serves static and
+# media files natively when DEBUG=True (via django.contrib.staticfiles + the
+# media URL pattern in urls.py).
 MIDDLEWARE = [m for m in MIDDLEWARE if m != "whitenoise.middleware.WhiteNoiseMiddleware"]
 STATICFILES_STORAGE = "django.contrib.staticfiles.storage.StaticFilesStorage"

--- a/config/settings/production.py
+++ b/config/settings/production.py
@@ -2,8 +2,16 @@ from .base import *  # noqa

 DEBUG = False

+# Behind Caddy: trust the forwarded proto header so Django knows it's HTTPS.
+# SECURE_SSL_REDIRECT is intentionally off — Caddy handles HTTPS redirects
+# before the request reaches Django; enabling it here causes redirect loops.
 SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
 USE_X_FORWARDED_HOST = True
-SECURE_SSL_REDIRECT = True
+SECURE_SSL_REDIRECT = False
 SESSION_COOKIE_SECURE = True
 CSRF_COOKIE_SECURE = True
+
+CSRF_TRUSTED_ORIGINS = [
+    "https://nohypeai.net",
+    "https://www.nohypeai.net",
+]
--- a/config/urls.py
+++ b/config/urls.py
@@ -1,3 +1,5 @@
+from django.conf import settings
+from django.conf.urls.static import static
 from django.contrib import admin
 from django.urls import include, path
 from django.views.generic import RedirectView
@@ -21,3 +23,6 @@ urlpatterns = [
    path("admin/", RedirectView.as_view(url="/cms/", permanent=False)),
    path("", include(wagtail_urls)),
 ]
+
+if settings.DEBUG:
+    urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
--- a/deploy/caddy/nohype.caddy
+++ b/deploy/caddy/nohype.caddy
@@ -0,0 +1,23 @@
+nohypeai.net, www.nohypeai.net {
+  encode gzip zstd
+
+  header {
+    X-Content-Type-Options nosniff
+    X-Frame-Options DENY
+    Referrer-Policy strict-origin-when-cross-origin
+    Permissions-Policy "geolocation=(), microphone=(), camera=()"
+    X-Forwarded-Proto https
+  }
+
+  handle_path /static/* {
+    root * /srv/sum/nohype/static
+    file_server
+  }
+
+  handle_path /media/* {
+    root * /srv/sum/nohype/media
+    file_server
+  }
+
+  reverse_proxy localhost:8001
+}
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+# Deploy script for No Hype AI — runs on lintel-prod-01 as deploy user.
+# Called by CI after a successful push to main.
+set -euo pipefail
+
+SITE_DIR=/srv/sum/nohype
+APP_DIR=${SITE_DIR}/app
+
+cd "${SITE_DIR}"
+
+echo "==> Pulling latest code"
+git -C "${APP_DIR}" pull origin main
+
+echo "==> Updating compose file"
+cp "${APP_DIR}/docker-compose.prod.yml" "${SITE_DIR}/docker-compose.prod.yml"
+
+echo "==> Ensuring static/media directories exist"
+mkdir -p "${SITE_DIR}/static" "${SITE_DIR}/media"
+
+echo "==> Rebuilding and recreating web container"
+docker compose -f "${SITE_DIR}/docker-compose.prod.yml" up -d --no-deps --build --force-recreate web
+
+echo "==> Waiting for health check"
+for i in $(seq 1 30); do
+  if curl -fsS -H "Host: nohypeai.net" http://localhost:8001/ >/dev/null 2>&1; then
+    echo "==> Site is up"
+    exit 0
+  fi
+  sleep 3
+done
+echo "ERROR: site did not come up after 90s" >&2
+docker compose -f "${SITE_DIR}/docker-compose.prod.yml" logs --tail=50 web
+exit 1
--- a/deploy/entrypoint.prod.sh
+++ b/deploy/entrypoint.prod.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+python manage.py tailwind install --no-input
+python manage.py tailwind build
+python manage.py migrate --noinput
+python manage.py collectstatic --noinput
+
+# Set Wagtail site hostname from first entry in ALLOWED_HOSTS
+python manage.py shell -c "
+from wagtail.models import Site
+import os
+hostname = os.environ.get('ALLOWED_HOSTS', 'localhost').split(',')[0].strip()
+Site.objects.update(hostname=hostname, port=443, site_name='No Hype AI')
+"
+
+exec gunicorn config.wsgi:application \
+    --workers 3 \
+    --bind 0.0.0.0:8000 \
+    --access-logfile - \
+    --error-logfile - \
+    --capture-output
--- a/deploy/sum-nohype.service
+++ b/deploy/sum-nohype.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=No Hype AI (Docker Compose)
+Requires=docker.service
+After=docker.service network-online.target
+
+[Service]
+Type=simple
+User=deploy
+Group=www-data
+WorkingDirectory=/srv/sum/nohype
+
+ExecStartPre=docker compose -f docker-compose.prod.yml pull --ignore-pull-failures
+ExecStart=docker compose -f docker-compose.prod.yml up --build
+ExecStop=docker compose -f docker-compose.prod.yml down
+
+Restart=always
+RestartSec=10
+TimeoutStartSec=300
+TimeoutStopSec=30
+
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=sum-nohype
+
+[Install]
+WantedBy=multi-user.target
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -0,0 +1,36 @@
+services:
+  web:
+    build: app
+    working_dir: /app
+    command: /app/deploy/entrypoint.prod.sh
+    env_file: .env
+    environment:
+      DJANGO_SETTINGS_MODULE: config.settings.production
+    volumes:
+      - /srv/sum/nohype/static:/app/staticfiles
+      - /srv/sum/nohype/media:/app/media
+    ports:
+      - "127.0.0.1:8001:8000"
+    depends_on:
+      db:
+        condition: service_healthy
+    restart: unless-stopped
+
+  db:
+    image: postgres:16-alpine
+    env_file: .env
+    environment:
+      POSTGRES_DB: nohype
+      POSTGRES_USER: nohype
+    volumes:
+      - nohype_pg:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U nohype -d nohype"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+      start_period: 10s
+    restart: unless-stopped
+
+volumes:
+  nohype_pg:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,7 +3,9 @@ services:
    build: .
    working_dir: /app
    command: >
-      sh -c "python manage.py migrate --noinput &&
+      sh -c "python manage.py tailwind install --no-input &&
+             python manage.py tailwind build &&
+             python manage.py migrate --noinput &&
             python manage.py seed_e2e_content &&
             python manage.py runserver 0.0.0.0:8000"
    volumes:
Author	SHA1	Message	Date
codex_a	a880643d65	Merge pull request 'fix: cd to site dir before docker compose commands' (#18 ) from fix/deploy-workdir into main All checks were successful CI / ci (push) Has been skipped Details CI / pr-e2e (push) Has been skipped Details CI / nightly-e2e (push) Has been skipped Details CI / deploy (push) Successful in 25s Details	2026-03-01 09:40:43 +00:00
codex_a	229c0f8b48	fix: cd to site dir before docker compose commands All checks were successful CI / nightly-e2e (pull_request) Has been skipped Details CI / deploy (pull_request) Has been skipped Details CI / pr-e2e (pull_request) Successful in 1m7s Details CI / ci (pull_request) Successful in 1m15s Details docker compose stats the cwd when parsing compose files; if cwd is not accessible to the deploy user the command fails. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-03-01 09:38:54 +00:00
codex_a	d7bfb44ced	Merge pull request 'fix: remove sudo from deploy script' (#17 ) from fix/deploy-no-sudo into main Some checks failed CI / ci (push) Has been skipped Details CI / pr-e2e (push) Has been skipped Details CI / deploy (push) Has been skipped Details CI / nightly-e2e (push) Failing after 44s Details	2026-02-28 22:16:30 +00:00
codex_a	ec3e1ee1bf	fix: remove sudo from deploy script, use docker compose directly Some checks failed CI / nightly-e2e (pull_request) Has been skipped Details CI / deploy (pull_request) Has been skipped Details CI / pr-e2e (pull_request) Failing after 42s Details CI / ci (pull_request) Successful in 1m1s Details deploy user has no sudo for systemctl. Instead: - Use 'docker compose up -d --force-recreate' to recreate the web container without needing systemctl - Change Restart=always so systemd re-attaches after the container is recreated - Replace 'sudo journalctl' with 'docker compose logs' in error path Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-02-28 22:15:02 +00:00
codex_a	44ffae7f99	Merge pull request 'fix: auto-set Wagtail site hostname on startup' (#16 ) from fix/prod-site-hostname into main Some checks failed CI / ci (push) Has been skipped Details CI / pr-e2e (push) Has been skipped Details CI / nightly-e2e (push) Has been skipped Details CI / deploy (push) Failing after 2m30s Details	2026-02-28 22:08:29 +00:00
codex_a	c9dab3e93b	fix: use correct Host header in deploy health check Some checks failed CI / nightly-e2e (pull_request) Has been skipped Details CI / deploy (pull_request) Has been skipped Details CI / pr-e2e (pull_request) Failing after 44s Details CI / ci (pull_request) Successful in 1m2s Details ALLOWED_HOSTS doesn't include localhost, so curl with default Host header always gets a 400 and the health check fails. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-02-28 21:55:58 +00:00
codex_a	349f1db721	fix: auto-set Wagtail site hostname from ALLOWED_HOSTS on startup All checks were successful CI / nightly-e2e (pull_request) Has been skipped Details CI / deploy (pull_request) Has been skipped Details CI / pr-e2e (pull_request) Successful in 1m4s Details CI / ci (pull_request) Successful in 1m15s Details Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-02-28 21:54:27 +00:00
codex_a	de56b564c5	Merge pull request 'feat: production deploy pipeline' (#15 ) from feat/deploy-pipeline into main Some checks failed CI / ci (push) Has been skipped Details CI / pr-e2e (push) Has been skipped Details CI / nightly-e2e (push) Has been skipped Details CI / deploy (push) Failing after 1s Details	2026-02-28 21:50:04 +00:00
codex_a	833ff378ea	fix: use entrypoint script for prod container startup All checks were successful CI / nightly-e2e (pull_request) Has been skipped Details CI / deploy (pull_request) Has been skipped Details CI / pr-e2e (pull_request) Successful in 1m4s Details CI / ci (pull_request) Successful in 1m15s Details YAML folded block scalar (>) was preserving newlines for more-indented continuation lines, so gunicorn received no arguments and defaulted to binding on 127.0.0.1:8000. Replace with an explicit entrypoint script so all args are passed correctly. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-02-28 21:47:02 +00:00
codex_a	754b0ca5f6	fix: set build context to app/ in prod compose The compose file lives in /srv/sum/nohype/ while the code is in /srv/sum/nohype/app/ so the Dockerfile is at app/Dockerfile. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-02-28 21:42:06 +00:00
mark	03fcbdb5ad	Merge pull request 'feat: production deploy pipeline' (#14 ) from feat/deploy-pipeline into main Some checks failed CI / ci (push) Has been skipped Details CI / pr-e2e (push) Has been skipped Details CI / nightly-e2e (push) Has been skipped Details CI / deploy (push) Failing after 5s Details Reviewed-on: #14	2026-02-28 21:40:03 +00:00
codex_a	0cbac68ec1	feat: add production deploy pipeline and fix dev CSS All checks were successful CI / nightly-e2e (pull_request) Has been skipped Details CI / deploy (pull_request) Has been skipped Details CI / pr-e2e (pull_request) Successful in 1m4s Details CI / ci (pull_request) Successful in 1m23s Details Dev: - Add tailwind install + build to docker-compose startup so CSS is built inside the container — not dependent on local filesystem Production (docker-compose.prod.yml): - Gunicorn on 127.0.0.1:8001, bind-mounted static/media to host paths so Caddy can serve them directly - Runs migrate, tailwind build, collectstatic on startup Settings (production.py): - Disable SECURE_SSL_REDIRECT (Caddy handles redirects; Django would loop) - Add CSRF_TRUSTED_ORIGINS for nohypeai.net CI (.gitea/workflows/ci.yml): - Add push-to-main trigger - Add deploy job: SSHes to lintel-prod-01 as deploy, runs deploy/deploy.sh Server config (deploy/): - deploy/caddy/nohype.caddy — Caddy site config for nohypeai.net - deploy/sum-nohype.service — systemd unit for the compose stack - deploy/deploy.sh — deploy script (pull, build, restart) One-time manual steps required on lintel-prod-01 (need root): sudo cp deploy/sum-nohype.service /etc/systemd/system/ sudo cp deploy/caddy/nohype.caddy /etc/caddy/sites-enabled/ sudo systemctl daemon-reload && sudo systemctl enable sum-nohype sudo systemctl reload caddy Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-02-28 21:34:13 +00:00
mark	4c27cfe1dd	Merge pull request 'fix: make docker compose up work out of the box' (#13 ) from fix/dev-setup into main Reviewed-on: #13	2026-02-28 21:00:10 +00:00
codex_a	a598727888	fix: fix all dev static/media serving issues All checks were successful CI / nightly-e2e (pull_request) Has been skipped Details CI / pr-e2e (pull_request) Successful in 1m4s Details CI / ci (pull_request) Successful in 1m22s Details - Remove WhiteNoise from MIDDLEWARE in development: it intercepts /static/ requests and serves from STATIC_ROOT, which is empty without collectstatic. Django's runserver serves static files natively with DEBUG=True. - Switch to StaticFilesStorage in dev: no manifest required. - Add media URL pattern in DEBUG mode: runserver does not serve MEDIA_ROOT automatically, so uploaded images were 404ing in local dev. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-02-28 20:57:54 +00:00