Skip to content

deployment.md

Latest commit

 

History

History
77 lines (65 loc) · 2.73 KB

deployment.md

File metadata and controls

77 lines (65 loc) · 2.73 KB

Deployment Runbook

1) Required GitHub Secrets

Set only these secrets (free-tier compatible):

  • HUGGINGFACE_API_KEY (optional, only if using AI_PROVIDER=huggingface)
  • SECRET_KEY
  • DATABASE_URL
  • REDIS_URL
  • CELERY_BROKER_URL
  • CELERY_RESULT_BACKEND
  • NOTIFICATION_WEBHOOK_URL (optional)
  • MONITORING_ALERT_EMAIL (optional)

2) Runtime Environment Mapping

When deploying from GitHub Actions, map secrets to app env vars:

env:
  AI_PROVIDER: huggingface
  AI_API_KEY: ${{ secrets.HUGGINGFACE_API_KEY }}
  SECRET_KEY: ${{ secrets.SECRET_KEY }}
  DATABASE_URL: ${{ secrets.DATABASE_URL }}
  REDIS_URL: ${{ secrets.REDIS_URL }}
  CELERY_BROKER_URL: ${{ secrets.CELERY_BROKER_URL }}
  CELERY_RESULT_BACKEND: ${{ secrets.CELERY_RESULT_BACKEND }}
  NOTIFICATION_WEBHOOK_URL: ${{ secrets.NOTIFICATION_WEBHOOK_URL }}
  MONITORING_ALERT_EMAIL: ${{ secrets.MONITORING_ALERT_EMAIL }}

3) Container Deployment

Use the included docker-compose.yml for self-hosted deployment. The compose file injects container-safe defaults for DB/Redis/SMTP hosts (postgres, redis, mailhog), so your local .env can stay on localhost values for non-container runs.

docker compose pull
docker compose up -d --build

Services exposed:

  • API: http://localhost:8000
  • Frontend: http://localhost:5173
  • MailHog UI: http://localhost:8025
  • ChromaDB: http://localhost:8001

4) Post-Deploy Smoke Tests

curl -s http://localhost:8000/health
curl -s http://localhost:8000/api/v1/monitoring/portfolio
curl -s -X POST http://localhost:8000/api/v1/monitoring/alerts/run

5) Data Residency and Self-Hosting

You can keep all data inside your own VPC:

  • Postgres, Redis, ChromaDB on private subnets
  • API/Celery deployed on internal compute
  • Documents stored on local disk or private object storage
  • Optional AI modes can run fully local (heuristic or ollama)

No external SaaS dependency is required for core workflow execution.

6) Production Hardening Checklist

  • Put API/frontend behind reverse proxy (Nginx/Traefik/ALB).
  • Enforce TLS with managed certificates.
  • Restrict network access to Postgres/Redis/Chroma (private-only).
  • Enable automated Postgres backups and tested restore runbooks.
  • Add authentication and role-based access control before production usage.
  • Add API rate limiting and request-size limits.
  • Configure centralized logging and log retention policy.
  • Add monitoring/alerting for worker heartbeat and queue depth.
  • Rotate secrets and store in a proper secret manager.
  • Run periodic vulnerability scans on base images and dependencies.

7) Security Baseline

  • Never commit .env.
  • Keep secrets only in GitHub Secrets / runtime secret manager.
  • Secret scanning is enforced in CI via secrets-guard workflow.