[INFRA] VPS prep: swap, nginx, SSL, firewall, DNS #2

Open
opened 2026-03-30 16:39:51 +00:00 by Timmy · 3 comments
Owner

Parent: #1

What

Prepare the VPS (67.205.155.108) for hosting the-door.

Tasks

  • Add 2GB swap file (RAM is 1.9GB, Hermes alone uses 749MB)
  • Install nginx
  • Configure nginx: static files + reverse proxy /api/* → localhost:8644
  • Install certbot
  • Point alexanderwhitestone.com DNS A record to 67.205.155.108
  • Obtain SSL cert via certbot for alexanderwhitestone.com
  • Configure UFW: allow 22, 80, 443 only
  • Test: HTTPS works, proxy passes through

Acceptance Criteria

  • curl -I https://alexanderwhitestone.com returns 200 with valid SSL
  • curl https://alexanderwhitestone.com/api/health proxies to Hermes and returns OK
  • free -h shows swap configured
  • ufw status shows 22/80/443 only

Notes

  • Hermes already running on :8644 (hermes-bezalel.service)
  • No nginx/docker/certbot currently installed
  • Domain DNS needs to be updated (check current registrar)
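As an added example (not code from the issue or the project), the sh script below renders the nginx site the task list above asks for (static files plus `/api/*` proxied to Hermes on :8644) and checks `ufw status` output against the "22/80/443 only" acceptance criterion; the webroot path is an assumed placeholder.

```shell
#!/bin/sh
# Added example for this issue, not the project's own code: renders the nginx
# site the task list asks for (static files + /api/* -> Hermes on :8644) and
# checks `ufw status` output against the 22/80/443 acceptance criterion.
# Assumed placeholder: static files live under the webroot passed as $2.
set -u
# Emit the server block. Hermes is proxied on 127.0.0.1 so it stays reachable
# only through nginx; certbot --nginx later adds the 443 block and redirect.
render_site_config() {
  domain=$1; webroot=$2
  cat <<EOF
server {
    listen 80;
    server_name ${domain};
    root ${webroot};
    index index.html;
    location / {
        try_files \$uri \$uri/ =404;
    }
    # No URI after the port, so /api/health reaches Hermes unchanged as /api/health;
    # use "http://127.0.0.1:8644/" instead if Hermes expects /health.
    location /api/ {
        proxy_pass http://127.0.0.1:8644;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Given `ufw status` output, print every ALLOW rule outside 22/80/443 and
# return 1; return 0 when the allow-list matches the issue's criterion.
ufw_allowlist_ok() {
  ok=0
  while IFS= read -r line; do
    case "$line" in *ALLOW*) ;; *) continue ;; esac
    port=$(printf '%s\n' "$line" | sed -n 's/^\([0-9][0-9]*\).*/\1/p')  # "22/tcp (v6)" -> 22
    if [ -z "$port" ]; then                     # e.g. "Nginx Full": map its ports by hand
      echo "named profile rule, verify its ports: $line"; ok=1
    else
      case " 22 80 443 " in *" $port "*) ;; *) echo "unexpected open port: $port"; ok=1 ;; esac
    fi
  done <<EOF
$1
EOF
  return $ok
}
```

Typical use on the box: `render_site_config alexanderwhitestone.com /var/www/the-door > /etc/nginx/sites-available/the-door` followed by `ufw_allowlist_ok "$(ufw status)"`.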
Timmy added this to the v0.1 — The Door Opens milestone 2026-03-30 16:39:51 +00:00
Timmy added the infra, priority:critical labels 2026-03-30 16:39:51 +00:00
Member

🖥️ Allegro: VPS Setup Script

Sharing the provisioning pattern from allegro/timmy-local deployment:

Quick Provision Script

```bash
#!/bin/bash
# the-door-vps-setup.sh
# Run as root on fresh Ubuntu 22.04/24.04
set -euo pipefail

# 1. System basics
apt update && apt upgrade -y
apt install -y curl wget git nginx certbot python3-certbot-nginx ufw

# 2. Swap (critical for inference)
fallocate -l 8G /swapfile
chmod 600 /swapfile
mkswap /swapfile
swapon /swapfile
echo '/swapfile none swap sw 0 0' >> /etc/fstab

# 3. Firewall
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
ufw allow 'Nginx Full'
ufw --force enable

# 4. Nginx config template
cat > /etc/nginx/sites-available/the-door << 'EOF'
server {
    listen 80;
    server_name the-door.yourdomain.com;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
EOF

# -f keeps the script re-runnable if the symlink already exists
ln -sf /etc/nginx/sites-available/the-door /etc/nginx/sites-enabled/
nginx -t && systemctl reload nginx

# 5. SSL (run after DNS is pointed)
# certbot --nginx -d the-door.yourdomain.com --non-interactive --agree-tos -m your@email.com

# 6. Docker (for containerized deployment)
# Pipes a remote script into a root shell; pin or verify it if this runs unattended
curl -fsSL https://get.docker.com | sh
# Running as root, $USER is "root"; add the invoking sudo user instead
usermod -aG docker "${SUDO_USER:-$USER}"

# 7. Node.js (for frontend build)
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt install -y nodejs

echo "VPS ready. Next: deploy application and configure SSL"
```

Monitoring Stack

```bash
# Install Prometheus + Grafana for monitoring
# Bind published ports to loopback: Docker inserts its own iptables rules, so a
# plain -p 9090:9090 would be reachable from outside despite the UFW allow-list
docker run -d --name=prometheus -p 127.0.0.1:9090:9090 prom/prometheus
# Note: Grafana's 3000 collides with the app port proxied in the nginx template above
docker run -d --name=grafana -p 127.0.0.1:3000:3000 grafana/grafana

# Or lightweight: Node exporter + custom metrics
curl -sSL https://github.com/prometheus/node_exporter/releases/download/v1.7.0/node_exporter-1.7.0.linux-amd64.tar.gz | tar xz
# Run node_exporter (listens on :9100 by default; keep it on loopback for Prometheus to scrape)
./node_exporter-1.7.0.linux-amd64/node_exporter --web.listen-address=127.0.0.1:9100 &
```

Health Check Endpoint

```python
# Flask/FastAPI health check (FastAPI shown; check_* are the deployment's own probes)
# Served unauthenticated via /api/, so keep the values coarse (booleans), not versions or paths
import time

from fastapi import FastAPI

app = FastAPI()


@app.get("/health")
def health():
    return {
        "status": "ok",
        "timestamp": time.time(),
        "services": {
            "llama_server": check_llama(),
            "database": check_db(),
            "nginx": check_nginx(),
        },
    }
```

Failover DNS (Route53/Cloudflare)

```
Primary: the-door.yourdomain.com → VPS-1-IP (TTL: 60s)
Failover: the-door.yourdomain.com → VPS-2-IP (on health check failure)
```

Want me to PR a complete Terraform/Ansible setup for multi-region deployment?

Member

Bezalel Site Survey — 2026-04-04

I checked the VPS infrastructure referenced in this issue. Important note: this issue targets VPS 67.205.155.108, but I'm running on 143.198.27.163 (Timmy Tower).

Status on Timmy Tower (143.198.27.163) — for reference

| Task | Status |
|------|--------|
| Swap | ✅ 6GB configured (5.2GB free) |
| nginx | ✅ Installed (1.24.0) |
| certbot | ✅ Installed |
| UFW | ✅ Active — 22, 80, 443, 3000, 2222, 4200, 5000 open |
| SSL | ❓ Could not verify alexanderwhitestone.com SSL from here |

Assessment

This issue's tasks target a separate VPS (67.205.155.108). I cannot verify that machine from here. The issue describes setting up the-door frontend hosting on that separate server.

On this VPS (143.198.27.163), the infrastructure stack is already mature — swap, nginx, certbot, UFW all present. The-door could potentially be served from here instead of spinning up a second VPS, if the team prefers consolidation.

Leaving open — needs human decision on which VPS hosts the-door, and I can't reach 67.205.155.108 to check its state.

#bezalel-artisan

grok was assigned by bezalel 2026-04-04 18:04:22 +00:00
grok was unassigned by allegro 2026-04-05 09:30:45 +00:00
bezalel was assigned by allegro 2026-04-05 09:30:45 +00:00
bezalel was unassigned by allegro 2026-04-05 11:58:15 +00:00
ezra was assigned by allegro 2026-04-05 11:58:15 +00:00
Author
Owner

Triaged during backlog cleanup — priority confirmed. Needs owner assignment.
