# Deploying BizGaze Support

The app runs as a Docker container behind the existing **Nginx Proxy Manager**, which terminates TLS and proxies `https://remote.bizgaze.com` → `bizgaze-support:8090` on the shared `nginx_proxy_manager_default` network. No host ports are published.

Deployment model: **the server holds a git clone of this repo.** Each deploy is a `git pull` + rebuild via [`deploy.sh`](deploy.sh).

Two files are *not* in git and live only on the server — they survive every pull:

| File | Purpose |
|------|---------|
| `.env` | Secrets — TURN credentials, optional `SSO_SECRET`, `BIZGAZE_WEBHOOK_URL`. See [.env.example](.env.example). |
| `server/cert.pem`, `server/key.pem` | Self-signed cert for the app's *optional* direct-HTTPS listener (8443). Not needed behind NPM, but harmless. |

Server facts:

- Host: `root@118.95.33.89` port `61`
- App path: `/opt/bizgaze-support`
- Data: Docker named volume `bizgaze_support_data` → `/data/data.db` (persists across rebuilds)
- Backups: `/opt/bizgaze-support.backups/` (newest 3 `.tgz` snapshots, auto-rotated)

---

## One-time bootstrap (server → git clone)

Run **once** to convert the existing folder into a git checkout without losing the secrets. Prerequisite: the deployment files (Dockerfile, docker-compose.yml, deploy.sh, etc.) are committed and pushed to `origin/master` first.

```bash
ssh -p 61 root@118.95.33.89
# or: plink -ssh -P 61 -pw '' root@118.95.33.89

# 1. Store git credentials so pulls are non-interactive (once per server).
git config --global credential.helper store
printf 'https://devops%%40bizgaze.com:Bizgaze%%40123@code.bizgaze.com\n' > ~/.git-credentials
chmod 600 ~/.git-credentials

# 2. Stash the live secrets.
cd /opt
cp -a bizgaze-support /opt/bizgaze-support.preclone.bak
mkdir -p /tmp/bzsecrets
cp bizgaze-support/.env /tmp/bzsecrets/ 2>/dev/null || true
cp bizgaze-support/server/cert.pem /tmp/bzsecrets/ 2>/dev/null || true
cp bizgaze-support/server/key.pem /tmp/bzsecrets/ 2>/dev/null || true

# 3. Replace the folder with a fresh clone.
rm -rf bizgaze-support
git clone https://code.bizgaze.com/Sravan/BizGaze_Remote.git bizgaze-support
cd bizgaze-support

# 4. Restore the secrets the clone doesn't carry.
cp /tmp/bzsecrets/.env ./.env
cp /tmp/bzsecrets/cert.pem ./server/cert.pem 2>/dev/null || true
cp /tmp/bzsecrets/key.pem ./server/key.pem 2>/dev/null || true
rm -rf /tmp/bzsecrets

# 5. Build & launch.
chmod +x deploy.sh
docker compose up -d --build
docker compose ps
```

If `.env` did not exist yet, create it from the template and fill in the TURN secret:

```bash
cp .env.example .env && nano .env
```

---

## Routine deploy

After pushing changes to `origin/master`:

```bash
ssh -p 61 root@118.95.33.89 'cd /opt/bizgaze-support && ./deploy.sh'
```

`deploy.sh` snapshots the current tree (keeping 3 backups), `git reset --hard`s to `origin/master`, rebuilds, and verifies `/api/ice`.

Flags:

- `./deploy.sh --no-pull` — rebuild the current checkout without pulling
- `./deploy.sh --rollback` — restore the newest backup snapshot and rebuild

---

## Verify

```bash
curl https://remote.bizgaze.com/api/ice
```

Response must list the public STUN entry **and** a TURN entry at `global.relay.metered.ca`. If only STUN appears, `.env` isn't reaching the container — check `docker exec bizgaze-support env | grep TURN`.

---

## Rollback

```bash
cd /opt/bizgaze-support && ./deploy.sh --rollback   # newest snapshot

# or restore a specific snapshot:
ls -1t /opt/bizgaze-support.backups/*.tgz
tar -xzf /opt/bizgaze-support.backups/.tgz -C /opt/bizgaze-support && docker compose up -d --build
```

The `data.db` volume is never overwritten by a rebuild, so data is retained regardless of code version.
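
The check described under **Verify** can be scripted so that a STUN-only response fails loudly instead of being read by eye. The following is an added example, not part of this repo or of `deploy.sh`; the `check_ice` function, its return codes and the sample response bodies are assumptions made for illustration, and it assumes only that ICE URIs appear in the response as quoted `stun:`/`turn:` strings.

```bash
# Added example (not part of this repo): classify an /api/ice response body.
# Assumption: ICE URIs appear in the body as quoted strings using the
# standard stun:/stuns:/turn:/turns: schemes; no other JSON layout is assumed.

# TURN must be on the relay host this README names, followed by a port,
# a query string, or the end of the URI (so look-alike hosts do not match).
TURN_RE='^turns?:global\.relay\.metered\.ca(:|\?|$)'

# Reads the response body on stdin.
# Returns 0 = STUN and TURN present, 1 = STUN only, 2 = anything else.
check_ice() {
    local uris stun turn
    # Pull every quoted ICE URI out of the body, one per line.
    uris="$(grep -oE '"(stuns?|turns?):[^"]+"' | tr -d '"' || true)"
    stun="$(printf '%s\n' "$uris" | grep -cE '^stuns?:' || true)"
    turn="$(printf '%s\n' "$uris" | grep -cE "$TURN_RE" || true)"
    if [ "$stun" -gt 0 ] && [ "$turn" -gt 0 ]; then
        echo "OK: $stun STUN and $turn TURN entries"
        return 0
    elif [ "$stun" -gt 0 ]; then
        echo "STUN only: no TURN entry at global.relay.metered.ca; check .env"
        return 1
    fi
    echo "unexpected response: $stun STUN, $turn TURN entries"
    return 2
}

# Constructed sample bodies (not captured from the real server).
SAMPLE_OK='{"iceServers":[{"urls":"stun:stun.example.org:3478"},{"urls":"turn:global.relay.metered.ca:443?transport=tcp","username":"u","credential":"c"}]}'
SAMPLE_STUN_ONLY='{"iceServers":[{"urls":"stun:stun.example.org:3478"}]}'

printf '%s' "$SAMPLE_OK" | check_ice
printf '%s' "$SAMPLE_STUN_ONLY" | check_ice || true

# Against the live endpoint:
#   curl -fsS https://remote.bizgaze.com/api/ice | check_ice
```

A return code of 1 corresponds to the case above where `.env` is not reaching the container.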