the-door/deploy/README.md

# The Door — Deployment Guide

The crisis front door infrastructure.

## VPS Details

- **Host**: alexanderwhitestone.com
- **Domain**: alexanderwhitestone.com
- **RAM**: 1.9GB (with 2GB swap)
- **OS**: Ubuntu/Debian

## Quick Deploy

### Option 1: Ansible (recommended)

```bash
cd deploy
ansible-playbook -i inventory.ini playbook.yml
```

Or from repo root:

```bash
make deploy
```

### Option 2: Bash script (SSH into VPS)

```bash
ssh root@alexanderwhitestone.com
cd /opt/the-door
bash deploy/deploy.sh
```

### Option 3: Fast site update only

```bash
make push
```

## What Gets Provisioned

1. **Swap** — 2GB swap file (RAM is tight at 1.9GB)
2. **nginx** — Static files + reverse proxy /api/* → localhost:8644
3. **SSL** — Let's Encrypt via certbot (requires DNS pointed first)
4. **Firewall** — UFW allows 22, 80, 443 only
5. **Site files** — index.html, manifest.json, sw.js, etc.

## Architecture

```
Browser → nginx (SSL, port 443)
           ├── /var/www/the-door (static HTML)
           └── /api/* → localhost:8644 (Hermes Gateway)
```

## SSL Setup

SSL requires DNS to be pointed first:

```bash
# Check if DNS resolves
dig +short alexanderwhitestone.com @8.8.8.8

# If it points to alexanderwhitestone.com on the target VPS, run:
certbot --nginx -d alexanderwhitestone.com -d www.alexanderwhitestone.com
```

## Health Check

```bash
make check
# or
ssh root@alexanderwhitestone.com "bash /opt/the-door/deploy/deploy.sh --check"
```

## Files

- `playbook.yml` — Ansible playbook (full VPS provisioning)
- `inventory.ini` — VPS host configuration
- `ansible.cfg` — Ansible settings
- `deploy.sh` — Bash deploy script (alternative to Ansible)
- `nginx.conf` — nginx site config
- `rate-limit.conf` — Rate limiting zone definition