Add µPaaS deployment setup for fsn1app1

- Add Docker HEALTHCHECK instruction probing /.well-known/healthcheck.json
  (30s interval, 5s timeout, 10s start period, 3 retries) for µPaaS
  container health verification
- Create deploy/README.md with full µPaaS app configuration reference
  (app name, repo URL, branch, env vars, volumes, ports, production config)
- Add Deployment section to README.md linking to deploy docs
- Add deploy/ to .dockerignore (docs not needed in build context)

.dockerignore

@@ -6,3 +6,4 @@
 node_modules
 bin/
 data/
+deploy/

Dockerfile

@@ -1,32 +1,31 @@
-# Lint stage — fast feedback on formatting and lint issues
-# golangci/golangci-lint:v2.10.1, 2026-03-01
-FROM golangci/golangci-lint@sha256:ea84d14c2fef724411be7dc45e09e6ef721d748315252b02df19a7e3113ee763 AS lint
+# Lint stage
+# golangci/golangci-lint:v2.10.1-alpine, 2026-02-17
+FROM golangci/golangci-lint:v2.10.1-alpine@sha256:33bc6b6156d4c7da87175f187090019769903d04dd408833b83083ed214b0ddf AS lint
 
-# Install CGO dependencies needed for static analysis of vips/libheif code
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    libvips-dev \
-    libheif-dev \
-    pkg-config \
-    && rm -rf /var/lib/apt/lists/*
+RUN apk add --no-cache make build-base vips-dev libheif-dev pkgconfig
 
 WORKDIR /src
+
+# Copy go mod files first for better layer caching
 COPY go.mod go.sum ./
 RUN go mod download
 
+# Copy source code
 COPY . .
 
+# Run formatting check and linter
 RUN make fmt-check
 RUN make lint
 
-# Build stage — tests and compilation
+# Build stage
 # golang:1.25.4-alpine, 2026-02-25
 FROM golang:1.25.4-alpine@sha256:d3f0cf7723f3429e3f9ed846243970b20a2de7bae6a5b66fc5914e228d831bbb AS builder
 
-ARG VERSION=dev
-
-# Force BuildKit to run the lint stage by creating a stage dependency
+# Depend on lint stage passing
 COPY --from=lint /src/go.sum /dev/null
 
+ARG VERSION=dev
+
 # Install build dependencies for CGO image libraries
 RUN apk add --no-cache \
     build-base \
@@ -76,4 +75,7 @@ WORKDIR /var/lib/pixa
 
 EXPOSE 8080
 
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+    CMD wget -q --spider http://localhost:8080/.well-known/healthcheck.json
+
 ENTRYPOINT ["/usr/local/bin/pixad", "--config", "/etc/pixa/config.yml"]

README.md

@@ -125,6 +125,17 @@ See `config.example.yml` for all options with defaults.
 - **Metrics**: Prometheus
 - **Logging**: stdlib slog
 
+## Deployment
+
+Pixa is deployed via
+[µPaaS](https://git.eeqj.de/sneak/upaas) on `fsn1app1`
+(paas.datavi.be). Pushes to `main` trigger automatic builds and
+deployments. The Dockerfile includes a `HEALTHCHECK` that probes
+`/.well-known/healthcheck.json`.
+
+See [deploy/README.md](deploy/README.md) for the full µPaaS app
+configuration, volume mounts, and production setup instructions.
+
 ## TODO
 
 See [TODO.md](TODO.md) for the full prioritized task list.

TODO.md

@@ -6,7 +6,7 @@ Remaining tasks sorted by priority for a working 1.0 release.
 
 ### Image Processing
 - [x] Add WebP encoding support (currently returns error)
-- [ ] Add AVIF encoding support (currently returns error)
+- [x] Add AVIF encoding support (implemented via govips)
 
 ### Manual Testing (verify auth/encrypted URLs work)
 - [ ] Manual test: visit `/`, see login form

deploy/README.md

@@ -0,0 +1,78 @@
+# Pixa Deployment via µPaaS
+
+Pixa is deployed on `fsn1app1` via
+[µPaaS](https://git.eeqj.de/sneak/upaas) (paas.datavi.be).
+
+## µPaaS App Configuration
+
+Create the app in the µPaaS web UI with these settings:
+
+| Setting | Value |
+| --- | --- |
+| **App name** | `pixa` |
+| **Repo URL** | `git@git.eeqj.de:sneak/pixa.git` |
+| **Branch** | `main` |
+| **Dockerfile path** | `Dockerfile` |
+
+### Environment Variables
+
+| Variable | Description | Required |
+| --- | --- | --- |
+| `PORT` | HTTP listen port (default: 8080) | No |
+
+Configuration is provided via the config file baked into the Docker
+image at `/etc/pixa/config.yml`. To override it, mount a custom
+config file as a volume (see below).
+
+### Volumes
+
+| Host Path | Container Path | Description |
+| --- | --- | --- |
+| `/srv/pixa/data` | `/var/lib/pixa` | SQLite database and image cache |
+| `/srv/pixa/config.yml` | `/etc/pixa/config.yml` | Production config (signing key, whitelist, etc.) |
+
+### Ports
+
+| Host Port | Container Port | Protocol |
+| --- | --- | --- |
+| (assigned) | 8080 | TCP |
+
+### Docker Network
+
+Attach to the shared reverse-proxy network if using Caddy/Traefik
+for TLS termination.
+
+## Production Configuration
+
+Copy `config.example.yml` from the repo root and customize for
+production:
+
+```yaml
+port: 8080
+debug: false
+maintenance_mode: false
+state_dir: /var/lib/pixa
+signing_key: "<generate with: openssl rand -base64 32>"
+whitelist_hosts:
+    - s3.sneak.cloud
+    - static.sneak.cloud
+    - sneak.berlin
+allow_http: false
+```
+
+**Important:** Generate a unique `signing_key` for production. Never
+use the default placeholder value.
+
+## Health Check
+
+The Dockerfile includes a `HEALTHCHECK` instruction that probes
+`/.well-known/healthcheck.json` every 30 seconds. µPaaS verifies
+container health 60 seconds after deployment.
+
+## Deployment Flow
+
+1. Push to `main` triggers the Gitea webhook
+2. µPaaS clones the repo and runs `docker build .`
+3. The Dockerfile runs `make check` (format, lint, test) during build
+4. On success, µPaaS stops the old container and starts the new one
+5. After 60 seconds, µPaaS checks container health

scripts/manual-test.sh

@@ -48,7 +48,7 @@ fi
 
 # Test 3: Wrong password shows error
 echo "--- Test 3: Login with wrong password ---"
-WRONG_LOGIN=$(curl -sf -X POST "$BASE_URL/" -d "password=wrong-key" -c "$COOKIE_JAR")
+WRONG_LOGIN=$(curl -sf -X POST "$BASE_URL/" -d "key=wrong-key" -c "$COOKIE_JAR")
 if echo "$WRONG_LOGIN" | grep -qi "invalid\|error\|incorrect\|wrong"; then
     pass "Wrong password shows error message"
 else
@@ -57,7 +57,7 @@ fi
 
 # Test 4: Correct password redirects to generator
 echo "--- Test 4: Login with correct signing key ---"
-curl -sf -X POST "$BASE_URL/" -d "password=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
+curl -sf -X POST "$BASE_URL/" -d "key=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
 GENERATOR_PAGE=$(curl -sf "$BASE_URL/" -b "$COOKIE_JAR")
 if echo "$GENERATOR_PAGE" | grep -qi "generate\|url\|source\|logout"; then
     pass "Correct password shows generator page"
@@ -68,12 +68,12 @@ fi
 # Test 5: Generate encrypted URL
 echo "--- Test 5: Generate encrypted URL ---"
 GEN_RESULT=$(curl -sf -X POST "$BASE_URL/generate" -b "$COOKIE_JAR" \
-    -d "source_url=$TEST_IMAGE_URL" \
+    -d "url=$TEST_IMAGE_URL" \
     -d "width=800" \
     -d "height=600" \
     -d "format=jpeg" \
     -d "quality=85" \
-    -d "fit_mode=cover" \
+    -d "fit=cover" \
     -d "ttl=3600")
 if echo "$GEN_RESULT" | grep -q "/v1/e/"; then
     pass "Encrypted URL generated"
@@ -121,10 +121,10 @@ fi
 # Test 9: Generate short-TTL URL and verify expiration
 echo "--- Test 9: Expired URL returns 410 ---"
 # Login again
-curl -sf -X POST "$BASE_URL/" -d "password=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
+curl -sf -X POST "$BASE_URL/" -d "key=$SIGNING_KEY" -c "$COOKIE_JAR" -b "$COOKIE_JAR" -L -o /dev/null
 # Generate URL with 1 second TTL
 GEN_RESULT=$(curl -sf -X POST "$BASE_URL/generate" -b "$COOKIE_JAR" \
-    -d "source_url=$TEST_IMAGE_URL" \
+    -d "url=$TEST_IMAGE_URL" \
     -d "width=100" \
     -d "height=100" \
     -d "format=jpeg" \