HokmPlay/deploy/SUBDOMAIN_SPLIT.md

# Subdomain split: marketing site + game + API

After this change there are **three** public hosts (all → edge nginx `185.239.1.100`):

| Host | Serves | Upstream (on 171.22.25.73) |
|---|---|---|
| `bargevasat.ir`, `www.bargevasat.ir` | Marketing site (`hokm-site`) | `:1520` |
| `app.bargevasat.ir` | The game (`hokm-web`) | `:1500` |
| `api.bargevasat.ir` | API + SignalR (`hokm-server`) | `:1505` (CDN **bypass**) |

## 1. DNS
Add/confirm A‑records (all → `185.239.1.100`):
```
bargevasat.ir       A  185.239.1.100   (CDN ok)
www.bargevasat.ir   A  185.239.1.100   (CDN ok)
app.bargevasat.ir   A  185.239.1.100   (CDN ok)
api.bargevasat.ir   A  185.239.1.100   (CDN BYPASS / DNS-only)
```

## 2. TLS cert — reissue to include `app`
The current cert covers `bargevasat.ir, www, api` — add `app`:
```bash
sudo certbot certonly --webroot -w /var/www/certbot \
  -d bargevasat.ir -d www.bargevasat.ir -d app.bargevasat.ir -d api.bargevasat.ir \
  --agree-tos --no-eff-email --email you@example.com
# then copy/symlink fullchain.pem + privkey.pem into /etc/ssl/bargevasat/
```
(Or DNS‑01 if behind the CDN — see SSL notes.)

## 3. nginx (edit /root/mirror-server/nginx/nginx.conf)
Replace the single Barg‑e Vasat web block with these three:

```nginx
# Redirect http → https for all three
server {
    listen 80;
    server_name bargevasat.ir www.bargevasat.ir app.bargevasat.ir api.bargevasat.ir;
    location /.well-known/acme-challenge/ { root /var/www/certbot; }
    location / { return 301 https://$host$request_uri; }
}

# Marketing site → hokm-site :1520
server {
    listen 443 ssl;
    http2 on;
    server_name bargevasat.ir www.bargevasat.ir;
    ssl_certificate     /etc/ssl/bargevasat/fullchain.pem;
    ssl_certificate_key /etc/ssl/bargevasat/privateKey.pem;
    location / {
        proxy_pass http://171.22.25.73:1520;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Game (Next static SPA) → hokm-web :1500
server {
    listen 443 ssl;
    http2 on;
    server_name app.bargevasat.ir;
    client_max_body_size 25m;
    ssl_certificate     /etc/ssl/bargevasat/fullchain.pem;
    ssl_certificate_key /etc/ssl/bargevasat/privateKey.pem;
    location / {
        proxy_pass http://171.22.25.73:1500;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# API + SignalR → hokm-server :1505 (WebSocket; keep CDN bypassed for this host)
server {
    listen 443 ssl;
    http2 on;
    server_name api.bargevasat.ir;
    client_max_body_size 50m;
    ssl_certificate     /etc/ssl/bargevasat/fullchain.pem;
    ssl_certificate_key /etc/ssl/bargevasat/privateKey.pem;
    location / {
        proxy_pass http://171.22.25.73:1505;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 3600s;
    }
}
```
Reload: `docker compose exec nginx nginx -t && docker compose exec nginx nginx -s reload`

## 4. ENV_FILE secret (Gitea) — add/confirm
```
SITE_PORT=1520
NEXT_PUBLIC_APP_URL=https://app.bargevasat.ir
NEXT_PUBLIC_SITE_URL=https://bargevasat.ir
NEXT_PUBLIC_SERVER_URL=https://api.bargevasat.ir
CORS_ORIGINS=https://bargevasat.ir,https://www.bargevasat.ir,https://app.bargevasat.ir
ADMIN_TOKEN=<openssl rand -hex 24>
```

## 5. Deploy
`docker compose build site web server && docker compose up -d`
(Add the `site` service to the CI deploy job's build/up + health‑wait, same pattern as web.)

## 6. Verify
```bash
curl -I https://bargevasat.ir         # marketing (200)
curl -I https://app.bargevasat.ir     # game (200)
curl -I https://api.bargevasat.ir     # API (405 to HEAD is fine)
```
Admin: open `https://bargevasat.ir/admin`, enter `ADMIN_TOKEN`, set Bazaar/Myket links → Save.