The Door: crisis front door for broken men

Single-file HTML frontend (<25KB), crisis system prompt, nginx config, deployment script. Closes #1 #2 #3 #4 #5
2026-03-30 12:46:11 -04:00
parent 31fec4e082
commit 9bc06163c6
6 changed files with 1326 additions and 2 deletions
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Deploy The Door to VPS
+# Run on VPS as root: bash deploy.sh
+
+set -e
+
+echo "=== The Door — Deployment ==="
+
+# 1. Swap
+if ! swapon --show | grep -q swap; then
+    echo "Adding 2GB swap..."
+    fallocate -l 2G /swapfile
+    chmod 600 /swapfile
+    mkswap /swapfile
+    swapon /swapfile
+    echo '/swapfile none swap sw 0 0' >> /etc/fstab
+fi
+
+# 2. Install nginx + certbot
+echo "Installing nginx and certbot..."
+apt-get update -qq
+apt-get install -y nginx certbot python3-certbot-nginx
+
+# 3. Copy site files
+echo "Deploying static files..."
+mkdir -p /var/www/the-door
+cp index.html /var/www/the-door/
+
+# 4. nginx config
+cp deploy/nginx.conf /etc/nginx/sites-available/the-door
+
+# Add rate limit zone to nginx.conf if not present
+if ! grep -q "limit_req_zone.*api" /etc/nginx/nginx.conf; then
+    sed -i '/http {/a \    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/m;' /etc/nginx/nginx.conf
+fi
+
+ln -sf /etc/nginx/sites-available/the-door /etc/nginx/sites-enabled/
+rm -f /etc/nginx/sites-enabled/default
+nginx -t && systemctl reload nginx
+
+# 5. SSL (requires DNS to be pointed first)
+echo ""
+echo "=== DNS CHECK ==="
+echo "Point alexanderwhitestone.com A record to $(curl -s ifconfig.me)"
+echo "Then run: certbot --nginx -d alexanderwhitestone.com -d www.alexanderwhitestone.com"
+echo ""
+
+# 6. Firewall
+echo "Configuring firewall..."
+ufw allow 22/tcp
+ufw allow 80/tcp
+ufw allow 443/tcp
+ufw --force enable
+
+echo ""
+echo "=== Deployment complete ==="
+echo "Static site: /var/www/the-door/"
+echo "nginx config: /etc/nginx/sites-available/the-door"
+echo "Next: point DNS, then run certbot"
--- a/deploy/nginx.conf
+++ b/deploy/nginx.conf
@@ -0,0 +1,57 @@
+# The Door — nginx config for alexanderwhitestone.com
+# Place at /etc/nginx/sites-available/the-door
+
+server {
+    listen 80;
+    server_name alexanderwhitestone.com www.alexanderwhitestone.com;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name alexanderwhitestone.com www.alexanderwhitestone.com;
+
+    ssl_certificate /etc/letsencrypt/live/alexanderwhitestone.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/alexanderwhitestone.com/privkey.pem;
+
+    root /var/www/the-door;
+    index index.html;
+
+    # Static files
+    location / {
+        try_files $uri $uri/ /index.html;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-Frame-Options DENY;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Referrer-Policy "no-referrer";
+        add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src 'self'";
+    }
+
+    # API proxy to Hermes
+    location /api/ {
+        proxy_pass http://127.0.0.1:8644/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # SSE streaming support
+        proxy_set_header Connection '';
+        proxy_buffering off;
+        proxy_cache off;
+        chunked_transfer_encoding on;
+        proxy_read_timeout 300s;
+
+        # Rate limiting
+        limit_req zone=api burst=5 nodelay;
+    }
+
+    # Health check
+    location /health {
+        proxy_pass http://127.0.0.1:8644/health;
+    }
+
+    # Rate limit zone (define in http block of nginx.conf)
+    # limit_req_zone $binary_remote_addr zone=api:10m rate=10r/m;
+}