diff options
Diffstat (limited to 'deployment')
| -rw-r--r-- | deployment/apache.conf | 45 | ||||
| -rw-r--r-- | deployment/task-dashboard.service | 25 |
2 files changed, 70 insertions, 0 deletions
diff --git a/deployment/apache.conf b/deployment/apache.conf new file mode 100644 index 0000000..3942bf6 --- /dev/null +++ b/deployment/apache.conf @@ -0,0 +1,45 @@ +<VirtualHost *:80> + ServerName ${FQDN} + + # Redirect HTTP to HTTPS + RewriteEngine On + RewriteCond %{HTTPS} off + RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301] +</VirtualHost> + +<VirtualHost *:443> + ServerName ${FQDN} + + # SSL Configuration (adjust paths as needed) + SSLEngine on + SSLCertificateFile /etc/letsencrypt/live/${FQDN}/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/${FQDN}/privkey.pem + + # Document root for static files served directly by Apache + DocumentRoot /site/${FQDN}/public + + # Serve static files directly via Apache (bypasses Go app) + <Directory /site/${FQDN}/public> + Options -Indexes +FollowSymLinks + AllowOverride None + Require all granted + + # Cache static assets + <FilesMatch "\.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2)$"> + Header set Cache-Control "max-age=31536000, public" + </FilesMatch> + </Directory> + + # Static files served by Apache + Alias /static /site/${FQDN}/public + + # Proxy all other requests to Go application + ProxyPreserveHost On + ProxyPass /static ! + ProxyPass / http://127.0.0.1:8080/ + ProxyPassReverse / http://127.0.0.1:8080/ + + # Logging + ErrorLog ${APACHE_LOG_DIR}/${FQDN}-error.log + CustomLog ${APACHE_LOG_DIR}/${FQDN}-access.log combined +</VirtualHost> diff --git a/deployment/task-dashboard.service b/deployment/task-dashboard.service new file mode 100644 index 0000000..7afd9d9 --- /dev/null +++ b/deployment/task-dashboard.service @@ -0,0 +1,25 @@ +[Unit] +Description=Task Dashboard - Personal task aggregation dashboard +After=network.target + +[Service] +Type=simple +User=www-data +Group=www-data +WorkingDirectory=/site/%i +ExecStart=/site/%i/app +Restart=always +RestartSec=5 + +# Environment file for secrets and configuration +EnvironmentFile=/site/%i/.env + +# Security hardening +NoNewPrivileges=true +ProtectSystem=strict +ProtectHome=true +ReadWritePaths=/site/%i/data +PrivateTmp=true + +[Install] +WantedBy=multi-user.target |