From 35af9c99d5b3949d3549e3391b43fd1b70976e18 Mon Sep 17 00:00:00 2001 From: user Date: Tue, 17 Mar 2026 02:17:15 -0700 Subject: [PATCH] =?UTF-8?q?Add=20=C2=B5PaaS=20deployment=20setup=20for=20f?= =?UTF-8?q?sn1app1?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add Docker HEALTHCHECK instruction probing /.well-known/healthcheck.json (30s interval, 5s timeout, 10s start period, 3 retries) for µPaaS container health verification - Create deploy/README.md with full µPaaS app configuration reference (app name, repo URL, branch, env vars, volumes, ports, production config) - Add Deployment section to README.md linking to deploy docs - Add deploy/ to .dockerignore (docs not needed in build context) --- .dockerignore | 1 + Dockerfile | 3 ++ README.md | 11 +++++++ deploy/README.md | 78 ++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 93 insertions(+) create mode 100644 deploy/README.md diff --git a/.dockerignore b/.dockerignore index 8fa00fc..4a30112 100644 --- a/.dockerignore +++ b/.dockerignore @@ -6,3 +6,4 @@ node_modules bin/ data/ +deploy/ diff --git a/Dockerfile b/Dockerfile index 8609f76..06a6ede 100644 --- a/Dockerfile +++ b/Dockerfile @@ -75,4 +75,7 @@ WORKDIR /var/lib/pixa EXPOSE 8080 +HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \ + CMD wget -q --spider http://localhost:8080/.well-known/healthcheck.json + ENTRYPOINT ["/usr/local/bin/pixad", "--config", "/etc/pixa/config.yml"] diff --git a/README.md b/README.md index 96b4c1a..f7950f4 100644 --- a/README.md +++ b/README.md 
@@ -125,6 +125,17 @@ See `config.example.yml` for all options with defaults. - **Metrics**: Prometheus - **Logging**: stdlib slog +## Deployment + +Pixa is deployed via +[µPaaS](https://git.eeqj.de/sneak/upaas) on `fsn1app1` +(paas.datavi.be). Pushes to `main` trigger automatic builds and +deployments. The Dockerfile includes a `HEALTHCHECK` that probes +`/.well-known/healthcheck.json`. + +See [deploy/README.md](deploy/README.md) for the full µPaaS app +configuration, volume mounts, and production setup instructions. + ## TODO See [TODO.md](TODO.md) for the full prioritized task list. diff --git a/deploy/README.md b/deploy/README.md new file mode 100644 index 0000000..2232299 --- /dev/null +++ b/deploy/README.md 
@@ -0,0 +1,78 @@ +# Pixa Deployment via µPaaS + +Pixa is deployed on `fsn1app1` via +[µPaaS](https://git.eeqj.de/sneak/upaas) (paas.datavi.be). + +## µPaaS App Configuration + +Create the app in the µPaaS web UI with these settings: + +| Setting | Value | +| --- | --- | +| **App name** | `pixa` | +| **Repo URL** | `git@git.eeqj.de:sneak/pixa.git` | +| **Branch** | `main` | +| **Dockerfile path** | `Dockerfile` | + +### Environment Variables + +| Variable | Description | Required | +| --- | --- | --- | +| `PORT` | HTTP listen port (default: 8080) | No | + +Configuration is provided via the config file baked into the Docker +image at `/etc/pixa/config.yml`. To override it, mount a custom +config file as a volume (see below). + +### Volumes + +| Host Path | Container Path | Description | +| --- | --- | --- | +| `/srv/pixa/data` | `/var/lib/pixa` | SQLite database and image cache | +| `/srv/pixa/config.yml` | `/etc/pixa/config.yml` | Production config (signing key, whitelist, etc.) | + +### Ports + +| Host Port | Container Port | Protocol | +| --- | --- | --- | +| (assigned) | 8080 | TCP | + +### Docker Network + +Attach to the shared reverse-proxy network if using Caddy/Traefik +for TLS termination. + +## Production Configuration + +Copy `config.example.yml` from the repo root and customize for +production: + +```yaml +port: 8080 +debug: false +maintenance_mode: false +state_dir: /var/lib/pixa +signing_key: "" +whitelist_hosts: + - s3.sneak.cloud + - static.sneak.cloud + - sneak.berlin +allow_http: false +``` + +**Important:** Generate a unique `signing_key` for production. Never +use the default placeholder value. + +## Health Check + +The Dockerfile includes a `HEALTHCHECK` instruction that probes +`/.well-known/healthcheck.json` every 30 seconds. µPaaS verifies +container health 60 seconds after deployment. + +## Deployment Flow + +1. Push to `main` triggers the Gitea webhook +2. µPaaS clones the repo and runs `docker build .` +3. 
The Dockerfile runs `make check` (format, lint, test) during build +4. On success, µPaaS stops the old container and starts the new one +5. After 60 seconds, µPaaS checks container health
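
Review bot: In the Dockerfile hunk, the `HEALTHCHECK` probe hardcodes the port (`http://localhost:8080/.well-known/healthcheck.json`), while deploy/README.md in this same patch documents a `PORT` variable that changes the HTTP listen port. If `PORT` is honoured as documented, setting it to anything other than 8080 would leave the container reported as unhealthy even though the service is up. Because this is the shell form of `CMD`, the URL can use `${PORT:-8080}`; alternatively, drop `PORT` from the documented variables. It is also worth confirming that `wget` is present in the final image stage, which this hunk does not show.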
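
Review bot: In the README.md Deployment section, "Pushes to `main` trigger automatic builds and deployments" means that write access to `main` is effectively production deploy access, and the text does not say who holds it or whether the branch is protected. Add a sentence stating the expected gate (for example, a protected branch with review required before merge), so readers know what stands between a commit and the running service. The `HEALTHCHECK` sentence here duplicates deploy/README.md and could be reduced to the link to avoid the two drifting apart.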
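
Review bot: In deploy/README.md, the Production Configuration example ships `signing_key: ""` and the note below it says never to use the default placeholder, but nothing states how to generate a key, what length is expected, or what happens if the value is left empty. Document the generation step and the behaviour on an empty key (ideally the service refuses to start), since copying this block verbatim yields an empty key. The Volumes table mounts `/srv/pixa/config.yml`, which holds that key, so it is worth stating that the mount should be read-only and the host file readable only by the service user. The Environment Variables table lists `PORT` while the config file also sets `port: 8080`; say which one takes precedence.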