feat: push-to-deploy pipeline on Hermes VPS (task #47)

vps/ directory — all versioned, installed on VPS with one command:

- vps/deploy.sh: pull from Hermes Gitea → pnpm build → deploy bundle
  → health check → auto-rollback on failure
- vps/webhook.js: Node.js webhook receiver (port 9000, HMAC-SHA256);
  validates Gitea signature, runs deploy.sh, skips non-main branches
- vps/timmy-deploy-hook.service: systemd unit for webhook receiver
- vps/timmy-health.service + .timer: health watchdog every 5 min,
  auto-restarts timmy-tower if /api/health returns non-200
- vps/install.sh: one-time VPS setup — installs scripts, sets
  WEBHOOK_SECRET in .env, adds nginx /webhook/deploy block, enables services

Gitea webhook configured on admin/timmy-tower (id: 1):
- URL: http://143.198.27.163/webhook/deploy
- HMAC secret stored in .local/deploy-webhook-secret (gitignored)

One-time install command:
  WEBHOOK_SECRET=$(cat .local/deploy-webhook-secret) \
    ssh root@143.198.27.163 'bash -s' < vps/install.sh

replit.md: removed stale bore-tunnel push instructions; documented
sovereign deploy workflow, monitoring commands, and rollback procedure