flatrender/deploy/README.md

Deploying FlatRender (Gitea CI/CD → 171.22.25.73, behind mirror-nginx)

Push to Gitea triggers .gitea/workflows/ci-cd.yml: a frontend tsc check, then a self-hosted deploy job that builds the whole compose stack and brings it up. The existing central mirror-nginx (owns 80/443, manual TLS certs) reverse-proxies the three public domains to FlatRender's host ports — FlatRender does not run Caddy here. GitHub (origin) stays a backup and never deploys.

Stack: gateway · identity · content · studio (.NET/Go) · file · render · notification (Go) · Next.js frontend · Postgres · MinIO. All package installs route through mirror.soroushasadi.com (Nexus).

                      mirror-nginx (:443, /etc/ssl/flatrender)
  flatrender.ir         → 171.22.25.73:1600  (fr2-frontend)
  api.flatrender.ir     → 171.22.25.73:1605  (fr2-gateway)
  pay.flatrender.ir     → 171.22.25.73:1607  (fr2-payment, ZarinPal broker)
  storage.flatrender.ir → 171.22.25.73:1610  (fr2-minio)

The payment broker (fr2-payment, pay.flatrender.ir) is a standalone generic ZarinPal gateway shared by FlatRender + meezi.ir + bargevasat.ir — ZarinPal only accepts callbacks on that one verified domain. It does NOT sit behind the API gateway (clients authenticate with an API key + HMAC). See PAYMENTS.md for the integration contract. The payment schema is migrations 31_payment_broker.sql (tables) + 33_payment_settings.sql (admin-editable ZarinPal config + transactions.is_test) — apply BOTH, in order, on an existing DB volume (migrations only auto-run on first volume creation):

docker exec -i fr2-postgres psql -U flatrender -d flatrender < backend/db/migrations/31_payment_broker.sql
docker exec -i fr2-postgres psql -U flatrender -d flatrender < backend/db/migrations/33_payment_settings.sql

The broker image expects is_test (migration 33) — deploy it together with both migrations.

One-time setup (do these BEFORE the first git push gitea master)

1. DNS — this box sits BEHIND NAT: its interface IP is 171.22.25.73 (private), public NAT IPs are 31.171.101.127/.211, and inbound 443 normally arrives via the edge/CDN 185.239.1.100 (same entry your other sites use, e.g. meezi.ir). So a new domain must enter the SAME way the others do — either:
   • register flatrender.ir + api + pay + storage + www in that edge/CDN (origin = this server) and point DNS there, or
   • bypass the CDN and point DNS straight at the server's public IP (like the hokm api subdomain does — "must bypass"). Pointing DNS at a random/registrar IP shows that host's default page (e.g. a "not licensed" page), NOT FlatRender.
2. TLS cert — ⚠️ mirror-nginx mounts cert dirs INDIVIDUALLY, so a fresh /etc/ssl/flatrender/ on the host is invisible inside the container. Nest the cert under an already-mounted dir (the conf references this path):

   mkdir -p /etc/ssl/soroushasadi/flatrender
   cp <yourcert>/fullchain.pem  /etc/ssl/soroushasadi/flatrender/
   cp <yourcert>/privateKey.pem /etc/ssl/soroushasadi/flatrender/
   

   Cert must cover flatrender.ir + api. + pay. + storage. (wildcard *.flatrender.ir + apex, or SAN).
3. mirror-nginx — add the server blocks from mirror-nginx-flatrender.conf to the proxy's http{} (the host file is /root/mirror-server/nginx/nginx.conf), then: docker exec mirror-nginx nginx -t && docker exec mirror-nginx nginx -s reload. ⚠️ If you edited the conf with sed -i (which swaps the file inode), the running container keeps the old inode → docker restart mirror-nginx instead (~3s blip). Verify locally (bypasses DNS): curl -sk --resolve flatrender.ir:443:127.0.0.1 https://flatrender.ir/ | head -c 60 must show <html lang="fa" dir="rtl">. (Do this after the first deploy is up, or it 502s.)
4. ENV_FILE secret — at …/soroushdes/flatrender/settings/secrets, create ENV_FILE from ENV_FILE.production.example (already filled for flatrender.ir; generate each secret with openssl rand -hex 32).
5. Gitea Actions enabled for this repo; act_runner has the self-hosted:host label (the standard box already has this). daemon.json already mirrors Docker Hub via Nexus.

Go live

git push gitea master      # triggers CI + deploy

Watch https://git.soroushasadi.com/soroushdes/flatrender/actions. First run ~15–25 min (cold Nexus cache + all images build). When the deploy is green, add/reload the nginx blocks (step 3) and visit https://flatrender.ir.

Host ports (must be free on 171.22.25.73)

1600 frontend · 1605 gateway · 1607 payment broker · 1610 MinIO · 1611 MinIO console. Postgres (5432) and render (5010) bind to 127.0.0.1 only. Avoid :3000 (Gitea), :8081-8083 (Nexus), :1500/1505/1520 (bargevasat), :3010/3101-3103/5080/5081 (meezi), :3020, :2569. Change them via FRONTEND_PORT/GATEWAY_PORT/PAY_PORT/MINIO_PORT in the secret if any collide.

First-run notes

• Migrations auto-run once via deploy/postgres-initdb/00-init.sh (mounted as the whole /docker-entrypoint-initdb.d directory — a single-file bind mount left a stale empty dir → "Is a directory") when the Postgres volume is first created. Later schema changes are applied manually with psql (the volume persists). ⚠️ If a deploy ever ran with a wrong/empty secret, the volume bakes the wrong password + may skip init → docker rm -f fr2-postgres && docker volume rm flatrender_pgdata (only while there's no real data) then re-run, so it re-inits with the current password + migrations.
• Rendering — no After Effects node on the server, so RENDER_DEV_WORKER=false. Disable rendering in Admin → فارم رندر → موتور رندر so users see an "unavailable" notice instead of jobs that never finish. Point real render nodes at the server later.
• MinIO public URLs — verify an uploaded image + a render download resolve over https://storage.flatrender.ir. If not, recheck MINIO_HOST_ENDPOINT / MINIO_HOST_USE_SSL / NEXT_PUBLIC_MINIO_URL in the secret and redeploy.

Redeploy / rotate secrets

Edit ENV_FILE in Gitea (or push any commit) → the deploy re-runs. It backs up the DB to /opt/flatrender-backups/ before each deploy and never runs docker compose down -v. Changing a NEXT_PUBLIC_* value only takes effect after the redeploy (baked at build).