fix(deploy): make LXC deploys atomic and fail-fast

Rebuild the deployment flow to prepare releases remotely, validate env/sudo prerequisites, run migrations in-release, and auto-rollback on health failures. Consolidate deployment docs and add a manual CI workflow so laptop and CI use the same push-based deploy path.
2026-03-07 01:14:30 +01:00 · 2026-03-07 01:14:30 +01:00 · 2efdb2b785
commit 2efdb2b785
parent d228b44209
8 changed files with 1057 additions and 319 deletions
--- a/docs/DEPLOYMENT-QUICKSTART.md
+++ b/docs/DEPLOYMENT-QUICKSTART.md
@ -0,0 +1,97 @@
+# Deployment Quickstart
+
+This is the short operator checklist. Full details are in `docs/DEPLOYMENT.md`.
+
+Canonical env file locations (and only these):
+
+- `/opt/innercontext/shared/backend/.env`
+- `/opt/innercontext/shared/frontend/.env.production`
+
+## 1) Server prerequisites (once)
+
+```bash
+mkdir -p /opt/innercontext/releases
+mkdir -p /opt/innercontext/shared/backend
+mkdir -p /opt/innercontext/shared/frontend
+mkdir -p /opt/innercontext/scripts
+chown -R innercontext:innercontext /opt/innercontext
+```
+
+Create shared env files:
+
+```bash
+cat > /opt/innercontext/shared/backend/.env <<'EOF'
+DATABASE_URL=postgresql+psycopg://innercontext:change-me@<pg-ip>/innercontext
+GEMINI_API_KEY=your-key
+EOF
+
+cat > /opt/innercontext/shared/frontend/.env.production <<'EOF'
+PUBLIC_API_BASE=http://127.0.0.1:8000
+ORIGIN=http://innercontext.lan
+EOF
+
+chmod 600 /opt/innercontext/shared/backend/.env
+chmod 600 /opt/innercontext/shared/frontend/.env.production
+chown innercontext:innercontext /opt/innercontext/shared/backend/.env
+chown innercontext:innercontext /opt/innercontext/shared/frontend/.env.production
+```
+
+Deploy sudoers:
+
+```bash
+cat > /etc/sudoers.d/innercontext-deploy << 'EOF'
+innercontext ALL=(root) NOPASSWD: \
+    /usr/bin/systemctl restart innercontext, \
+    /usr/bin/systemctl restart innercontext-node, \
+    /usr/bin/systemctl restart innercontext-pricing-worker, \
+    /usr/bin/systemctl is-active innercontext, \
+    /usr/bin/systemctl is-active innercontext-node, \
+    /usr/bin/systemctl is-active innercontext-pricing-worker
+EOF
+chmod 440 /etc/sudoers.d/innercontext-deploy
+visudo -c -f /etc/sudoers.d/innercontext-deploy
+sudo -u innercontext sudo -n -l
+```
+
+## 2) Local SSH config
+
+`~/.ssh/config`:
+
+```
+Host innercontext
+    HostName <lxc-ip>
+    User innercontext
+```
+
+## 3) Deploy from your machine
+
+```bash
+./deploy.sh
+./deploy.sh backend
+./deploy.sh frontend
+./deploy.sh list
+./deploy.sh rollback
+```
+
+## 4) Verify
+
+```bash
+curl -sf http://innercontext.lan/api/health-check
+curl -sf http://innercontext.lan/
+```
+
+## 5) Common fixes
+
+Lock stuck:
+
+```bash
+rm -f /opt/innercontext/.deploy.lock
+```
+
+Show service logs:
+
+```bash
+journalctl -u innercontext -n 100
+journalctl -u innercontext-node -n 100
+journalctl -u innercontext-pricing-worker -n 100
+```