Reflect what the live deploy actually required:
- cert must be NESTED under an already-mounted dir (/etc/ssl/soroushasadi/flatrender/)
— mirror-nginx mounts cert dirs individually, so a fresh /etc/ssl/flatrender is
invisible in the container.
- after a sed -i edit of the bind-mounted nginx.conf, restart (not reload) — inode swap.
- DNS: box is behind NAT (171.22.25.73 private; public via edge/CDN 185.239.1.100 or
direct 31.171.101.x) — register the domain the same way the other sites enter.
- local SNI test command to verify routing bypassing DNS.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
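The three operational points in the message above (a cert is only visible to mirror-nginx if it sits under an already-mounted directory, a `sed -i` edit of a bind-mounted file needs a container restart rather than a reload, and routing can be verified with an SNI probe that bypasses DNS) are turned into small shell helpers below. This is an added example, not code from the FlatRender repository or its deploy scripts; the mounted directory `/etc/ssl/soroushasadi` and the IP `171.22.25.73` come from the message, while the container name `mirror-nginx` and the `docker` invocations are assumptions.

```shell
#!/bin/sh
# Added example, not part of the FlatRender deploy. Container name and docker
# commands are assumptions; the mount dir and IP are taken from the commit message.

MOUNTED_CERT_DIR="/etc/ssl/soroushasadi"   # dir mirror-nginx bind-mounts individually
NGINX_CONTAINER="mirror-nginx"             # assumption: name of the central nginx container
EDGE_IP="171.22.25.73"                     # box's private address behind NAT

# Return 0 when CERT_PATH lies under MOUNTED_DIR and will therefore be visible
# inside the container. A cert dropped into a sibling dir such as
# /etc/ssl/flatrender is NOT mounted and nginx in the container cannot open it.
# The trailing slash stops /etc/ssl/soroushasadi-other from matching by prefix.
cert_visible_in_container() {
    mounted="${1%/}/"
    cert="$2"
    case "$cert" in
        "$mounted"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# `sed -i` writes a new file and renames it over the old one, so the bind mount
# inside the container still points at the old inode. `nginx -s reload` re-reads
# that stale inode; only a container restart picks up the edited config.
# The config is syntax-checked first so a broken edit does not take nginx down.
apply_nginx_conf_edit() {
    docker exec "$NGINX_CONTAINER" nginx -t && docker restart "$NGINX_CONTAINER"
}

# Probe mirror-nginx's routing for HOST without relying on DNS: --resolve pins the
# name to EDGE_IP while the TLS SNI and Host header still carry the real hostname,
# so the request exercises exactly the server block the domain will hit once the
# public record exists. Prints the HTTP status code.
sni_probe() {
    host="$1"
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --resolve "$host:443:$EDGE_IP" "https://$host/"
}

# Example usage (network calls only run when invoked by hand):
#   cert_visible_in_container "$MOUNTED_CERT_DIR" /etc/ssl/soroushasadi/flatrender/fullchain.pem
#   apply_nginx_conf_edit
#   sni_probe flatrender.ir
```

`cert_visible_in_container` is a pure path check and can be run before copying a certificate into place; `apply_nginx_conf_edit` and `sni_probe` touch the live host and are meant to be called deliberately after an edit.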
The server's central mirror-nginx already owns 80/443 + manages TLS, so FlatRender
can't run its own Caddy there. Adapt the deploy to the host-port + reverse-proxy model:
- compose: Caddy moved behind `profiles: [edge]` (not started by default); frontend/
gateway/minio host ports are now EDGE_BIND + FRONTEND_PORT/GATEWAY_PORT/MINIO_PORT
(so they can avoid Gitea's :3000 etc.); postgres/render stay on HOST_BIND loopback.
- deploy/ENV_FILE.production.example: nginx model, pre-filled for flatrender.ir,
host ports 1600/1605/1610, no Caddy/ACME vars.
- deploy/mirror-nginx-flatrender.conf: ready-to-paste server blocks routing
flatrender.ir / api / storage → 171.22.25.73:{1600,1605,1610}.
- deploy/README.md: nginx integration + cert step.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>