# Pixa Deployment via µPaaS Pixa is deployed on `fsn1app1` via [µPaaS](https://git.eeqj.de/sneak/upaas) (paas.datavi.be). ## µPaaS App Configuration Create the app in the µPaaS web UI with these settings: | Setting | Value | | --- | --- | | **App name** | `pixa` | | **Repo URL** | `git@git.eeqj.de:sneak/pixa.git` | | **Branch** | `main` | | **Dockerfile path** | `Dockerfile` | ### Environment Variables | Variable | Description | Required | | --- | --- | --- | | `PORT` | HTTP listen port (default: 8080) | No | Configuration is provided via the config file baked into the Docker image at `/etc/pixa/config.yml`. To override it, mount a custom config file as a volume (see below). ### Volumes | Host Path | Container Path | Description | | --- | --- | --- | | `/srv/pixa/data` | `/var/lib/pixa` | SQLite database and image cache | | `/srv/pixa/config.yml` | `/etc/pixa/config.yml` | Production config (signing key, whitelist, etc.) | ### Ports | Host Port | Container Port | Protocol | | --- | --- | --- | | (assigned) | 8080 | TCP | ### Docker Network Attach to the shared reverse-proxy network if using Caddy/Traefik for TLS termination. ## Production Configuration Copy `config.example.yml` from the repo root and customize for production: ```yaml port: 8080 debug: false maintenance_mode: false state_dir: /var/lib/pixa signing_key: "" whitelist_hosts: - s3.sneak.cloud - static.sneak.cloud - sneak.berlin allow_http: false ``` **Important:** Generate a unique `signing_key` for production. Never use the default placeholder value. ## Health Check The Dockerfile includes a `HEALTHCHECK` instruction that probes `/.well-known/healthcheck.json` every 30 seconds. µPaaS verifies container health 60 seconds after deployment. ## Deployment Flow 1. Push to `main` triggers the Gitea webhook 2. µPaaS clones the repo and runs `docker build .` 3. The Dockerfile runs `make check` (format, lint, test) during build 4. On success, µPaaS stops the old container and starts the new one 5. After 60 seconds, µPaaS checks container health