From dafc1dcacdf6e0bf5472b68fb7846e8fc0b954b4 Mon Sep 17 00:00:00 2001 From: disqualifier Date: Tue, 30 Jun 2026 00:57:24 -0400 Subject: [PATCH] fix path: /srv/configs -> /srv/config (singular); fix broken anchor MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - deploy.md: /srv/configs -> /srv/config (singular is canonical) across the compose mount, paths table, secrets path, and rotation snippet. Add the repo+compose row (/srv/docker//, created by the clone, not pre-provisioned) and a note that all /srv paths are owned by the services user (1337) — rounding out the canonical layout. - workflow.md: the first 'per-project git identity' link pointed at a nonexistent #per-project-git-identity anchor; point it at #handy-shell-setup (where the gitsetup alias lives), matching the other link to the same spot. Did not touch pip/requirements, chmod a+rwX + user 1337, HOME=/tmp, init, layer caching, or the git-install caveat — all intentional standards. Verified: mkdocs build --strict clean (validates anchors); table renders. Signed-off-by: disqualifier --- docs/deploy.md | 11 +++++++---- docs/workflow.md | 2 +- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/docs/deploy.md b/docs/deploy.md index 6f43045..6900828 100644 --- a/docs/deploy.md +++ b/docs/deploy.md @@ -48,7 +48,7 @@ services: environment: HOME: /tmp volumes: - - /srv/configs//:/app/config:ro # (2)! + - /srv/config//:/app/config:ro # (2)! - /srv/logs//:/app/logs # (3)! - yourapp-data:/app/data # (4)! 
@@ -76,11 +76,14 @@ Everything host-side follows one shape: `/srv////`. | What | Where | How | | --- | --- | --- | -| Configs | `/srv/configs///` | bind mount, host-managed, read-only | +| Repo + compose | `/srv/docker///` | created by the git clone, not pre-provisioned | +| Config | `/srv/config///` | bind mount, host-managed, read-only | | Logs | `/srv/logs///` | bind mount; live + rolled, scraped | | Mounts (other host-visible data) | `/srv/mounts///` | bind mount, host-managed | | Caches, profiles, scratch | named volume | Docker manages ownership | +All `/srv/...` paths are owned by the `services` user (uid/gid **1337**). + !!! note "If your service won't start or its logs aren't persisting" That's usually a host-side bind-mount **ownership** thing — the kind of detail **we sort out at deploy time**, not something you need to chown or provision. @@ -143,13 +146,13 @@ services: !!! warning "Secrets never go in the image" We do **not** commit secrets (usually, lol). They stay **gitignored**, live on - the host at `/srv/configs///`, and are bind-mounted + the host at `/srv/config///`, and are bind-mounted **read-only** at runtime. Add them to `.dockerignore` so a `COPY . .` can't sweep them into a layer. Rotating a secret = edit the host file and restart. No rebuild. ```bash -vim /srv/configs///secrets.env # edit on the host +vim /srv/config///secrets.env # edit on the host docker compose restart yourapp # pick up the change — no rebuild ``` diff --git a/docs/workflow.md b/docs/workflow.md index c647626..ae49de5 100644 --- a/docs/workflow.md +++ b/docs/workflow.md @@ -56,7 +56,7 @@ with the right one per project. We solve that with **per-repo local git config** — run a small alias inside a repo to set its local user and the SSH key it pushes with (see -[per-project git identity](#per-project-git-identity) below). No global identity +[per-project git identity](#handy-shell-setup) below). No global identity juggling. Our conventions, in short:
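Review bot: In docs/deploy.md, the compose volume line in the first hunk changes the bind-mount source from `/srv/configs/...` to `/srv/config/...`, but the patch does not say what this means for hosts already laid out under the plural path. The commit message calls the singular form canonical, which suggests only the doc was wrong. If so, say it in the doc next to the mount or under the paths table. If any host really does use `/srv/configs`, add a line on whether it is renamed at deploy time, since a service copied from the updated doc would otherwise point at a source directory that does not hold its config.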
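Review bot: In docs/deploy.md, the sentence added under the paths table ("All `/srv/...` paths are owned by the `services` user (uid/gid **1337**).") states the owner but not the mode, and it covers `/srv/config`, which the secrets warning later in this file names as the place secrets live. Suggest stating the expected permissions for the Config row, or at least for secret files such as `secrets.env`, so that "host-managed, read-only" is backed by something on the host as well as by the `:ro` mount. The new Repo + compose row also says the directory is "created by the git clone", which sits oddly beside the blanket ownership sentence. Say which user runs the clone so the two statements agree.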
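Review bot: In docs/workflow.md, the link text still reads "per-project git identity" while its target is now `#handy-shell-setup`, so the label and the heading a reader lands on no longer match. Suggest rewording the link to name the destination, for example by mentioning the gitsetup alias that the commit message says lives there, or adding an explicit anchor at the alias itself so the link keeps working if that heading is renamed later.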