disqualifier 6498c5b6d5 rename <dev> path segment to <workspace>, unify /srv paths

Host paths now follow one shape: /srv/<kind>/<workspace>/<project>/ across
configs, logs, and mounts (mounts added as its own row; configs gains the
workspace segment it was missing).

- deploy.md: compose volumes, paths table, secrets path + rotation snippet
  all use <workspace>; add a yellow (warning) admonition ABOVE the table
  explaining it — individual dev = lowercase username (ricky, xattam),
  shared/official project = workspace (bots, web, apis) — so it stands out
  from the all-blue palette and reads before the table.
- index.md: placeholder example uses <workspace>.

Verified in-browser; mkdocs build --strict clean.

Signed-off-by: disqualifier <dev@disqualifier.me>

2026-06-29 23:50:42 -04:00

5.7 KiB

Raw Blame History

Deployment Guide

How a project gets onto rethink-net — our Ubuntu 26.x servers. Get your container to follow a few consistent rules and deploying is mostly handing us a compose.yaml.

!!! tip "What can run here" APIs, websites, applets, bots, monitors.

Docker — the services account

Every service runs containerized as the shared services account: uid/gid 1337, fixed fleet-wide. Build your image to be uid-agnostic so it runs cleanly as that account.

FROM python:3.12-slim
ENV HOME=/tmp                                  # (1)!

WORKDIR /app
RUN apt-get update \
    && apt-get install -y --no-install-recommends git \
    && rm -rf /var/lib/apt/lists/*            # (2)!

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt   # (3)!

COPY . .
RUN chmod -R a+rwX /app                        # (4)!
CMD ["python", "-m", "yourapp"]

HOME=/tmp — the services account has no home dir; anything writing to $HOME (caches, configs) needs a writable target.
Include git only if the container itself needs it — e.g. you pip install from git, or the app shells out to git at runtime. The build and host always have git; this line is about what's inside the image.
Install deps before copying the code (see layer caching).
chmod -R a+rwX /app makes the app tree writable by any uid — that's what "uid-agnostic" means.

services:
  yourapp:
    build: .
    user: "1337:1337"                          # (1)!
    environment:
      HOME: /tmp
    volumes:
      - /srv/configs/<workspace>/<project>:/app/config:ro  # (2)!
      - /srv/logs/<workspace>/<project>:/app/logs          # (3)!
      - yourapp-data:/app/data                             # (4)!

volumes:
  yourapp-data:

Run as the shared account. No in-container user/useradd — don't bake a user into the image; set it here.
Configs: host-managed bind mount, mounted read-only.
Logs: bind mount — live and rolled, scraped for monitoring.
Everything else: a named volume. Docker owns it, so there are no host permissions to fiddle with.

Paths and mounts

Everything host-side follows one shape: /srv/<kind>/<workspace>/<project>/.

!!! warning "What <workspace> is" <workspace> is the owning bucket for a project.

- **An individual dev?** It's your **lowercase username** — `ricky`, `xattam`, …
- **A shared / official project?** It's the **workspace** it belongs to —
  `bots`, `web`, `apis`, …

What	Where	How
Configs	`/srv/configs/<workspace>/<project>/`	bind mount, host-managed, read-only
Logs	`/srv/logs/<workspace>/<project>/`	bind mount; live + rolled, scraped
Mounts (other host-visible data)	`/srv/mounts/<workspace>/<project>/`	bind mount, host-managed
Caches, profiles, scratch	named volume	Docker manages ownership

!!! note "If your service won't start or its logs aren't persisting" That's usually a host-side bind-mount ownership thing — the kind of detail we sort out at deploy time, not something you need to chown or provision. If a bot won't come up or logs/caches keep vanishing, flag it and we'll fix the mount perms. Stick to a clean compose.yaml and let us handle the host.

Layer caching

Copy requirements.txt and pip install before COPY . .. Docker caches layers in order, so deps only reinstall when requirements.txt changes — not on every code edit. Get this backwards and every one-line change triggers a full dependency reinstall.

COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt   # cached until deps change
COPY . .                                             # changes every build

Subprocess and browser workloads

Bots that spawn Chrome, Xvfb, ffmpeg, or other child processes need three extra knobs in compose:

services:
  yourbot:
    build: .
    user: "1337:1337"
    init: true              # (1)!
    shm_size: "2gb"         # (2)!
    mem_limit: "4g"         # (3)!

Runs tini as PID 1 to reap zombie subprocesses and forward signals. Without it, spawned Chrome/Xvfb processes leak as zombies.
Chrome and most headless browsers crash on Docker's default 64 MB /dev/shm. Bump it for any browser workload.
Bound memory — especially when each worker spawns a browser. Raise it as worker count grows.

!!! warning "The PID-1 gotcha with shell-wrapper CMDs" If your CMD is a shell-script wrapper (e.g. xvfb-run ...), it must not be PID 1, or the real process dies on startup. init: true is exactly what fixes this — tini takes PID 1, and your wrapper runs as a normal child.

What your compose / Dockerfile needs

user: "1337:1337"
bind mounts for configs + logs
named volumes for the rest
secrets bind-mounted :ro
HOME=/tmp
chmod -R a+rwX /app
deps installed before the code copy (layer caching)
git in the image if the container needs it
for browser/subprocess workloads: init: true, shm_size, mem_limit

Secrets

!!! warning "Secrets never go in the image" We do not commit secrets (usually, lol). They stay gitignored, live on the host at /srv/configs/<workspace>/<project>/, and are bind-mounted read-only at runtime. Add them to .dockerignore so a COPY . . can't sweep them into a layer.

Rotating a secret = edit the host file and restart. No rebuild.

vim /srv/configs/<workspace>/<project>/secrets.env   # edit on the host
docker compose restart yourapp                       # pick up the change — no rebuild

5.7 KiB Raw Blame History