# Deployment Quickstart

This is the short operator checklist. Full details are in `docs/DEPLOYMENT.md`.

Canonical env file locations (and only these):

- `/opt/innercontext/shared/backend/.env`
- `/opt/innercontext/shared/frontend/.env.production`

## 1) Server prerequisites (once)

```bash
mkdir -p /opt/innercontext/releases
mkdir -p /opt/innercontext/shared/backend
mkdir -p /opt/innercontext/shared/frontend
mkdir -p /opt/innercontext/scripts
chown -R innercontext:innercontext /opt/innercontext
```

Create shared env files:

```bash
cat > /opt/innercontext/shared/backend/.env <<'EOF'
DATABASE_URL=postgresql+psycopg://innercontext:change-me@<pg-ip>/innercontext
GEMINI_API_KEY=your-key
EOF

cat > /opt/innercontext/shared/frontend/.env.production <<'EOF'
PUBLIC_API_BASE=http://127.0.0.1:8000
ORIGIN=http://innercontext.lan
EOF

chmod 600 /opt/innercontext/shared/backend/.env
chmod 600 /opt/innercontext/shared/frontend/.env.production
chown innercontext:innercontext /opt/innercontext/shared/backend/.env
chown innercontext:innercontext /opt/innercontext/shared/frontend/.env.production
```

Deploy sudoers:

```bash
cat > /etc/sudoers.d/innercontext-deploy << 'EOF'
innercontext ALL=(root) NOPASSWD: \
    /usr/bin/systemctl restart innercontext, \
    /usr/bin/systemctl restart innercontext-node, \
    /usr/bin/systemctl restart innercontext-pricing-worker, \
    /usr/bin/systemctl is-active innercontext, \
    /usr/bin/systemctl is-active innercontext-node, \
    /usr/bin/systemctl is-active innercontext-pricing-worker
EOF
chmod 440 /etc/sudoers.d/innercontext-deploy
visudo -c -f /etc/sudoers.d/innercontext-deploy
sudo -u innercontext sudo -n -l
```

## 2) Local SSH config

`~/.ssh/config`:

```
Host innercontext
    HostName <lxc-ip>
    User innercontext
```

## 3) Deploy from your machine

```bash
./deploy.sh
./deploy.sh backend
./deploy.sh frontend
./deploy.sh list
./deploy.sh rollback
```

## 4) Verify

```bash
curl -sf http://innercontext.lan/api/health-check
curl -sf http://innercontext.lan/
```

## 5) Common fixes

Lock stuck:

```bash
rm -f /opt/innercontext/.deploy.lock
```

Show service logs:

```bash
journalctl -u innercontext -n 100
journalctl -u innercontext-node -n 100
journalctl -u innercontext-pricing-worker -n 100
```