cqrenet/aoc
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 29 Wiki Activity
Files
cfe9397cc56e0f51d09a34fb1e9656ad8f69f67a
aoc/DEPLOY.md
Tomas Kracmar 0ef50c91f7
Some checks failed
CI / lint-and-test (push) Failing after 41s
Details
Release / build-and-push (push) Successful in 1m33s
Details
feat: natural language query + production hardening 
Features:
- Add /api/ask endpoint for plain-language audit log queries
- Regex-based time/entity extraction (no LLM required for parsing)
- LLM-powered narrative summarisation with OpenAI-compatible APIs
- Graceful fallback to structured bullet lists when LLM is unavailable
- Frontend ask panel with markdown rendering and cited events

Production:
- Harden Dockerfile: non-root user, gunicorn+uvicorn workers
- Add docker-compose.prod.yml with internal networks and health checks
- Add nginx reverse proxy with security headers
- MongoDB no longer exposed externally in production

Tests:
- 29 new tests for ask parsing, query building, and endpoint behaviour
- Fix conftest monkeypatch for routes.ask events collection

Bump version to 1.1.0
2026-04-20 15:10:55 +02:00

2.6 KiB
Raw Blame History

Production Deployment Guide

Overview

AOC runs as a set of Docker containers orchestrated by Docker Compose:

  • nginx — reverse proxy, TLS termination, static file serving
  • backend — FastAPI application (Gunicorn + Uvicorn workers)
  • mongo — MongoDB data store (not exposed externally)

Prerequisites

  • Docker Engine 24+ and Docker Compose plugin
  • A server with ports 80/443 reachable from your users
  • TLS certificates (place in nginx/ssl/ or use Let's Encrypt)
  • A valid .env file at the repo root (see .env.example)

Quick start

  1. Clone / pull the latest release

    git checkout v1.1.0

  2. Copy and edit environment variables

    cp .env.example .env
# Edit .env and fill in real credentials

  3. Set the release version

    export AOC_VERSION=v1.1.0

  4. Deploy

    docker compose -f docker-compose.prod.yml pull
docker compose -f docker-compose.prod.yml up -d

  5. Verify

    curl http://localhost/health
curl http://localhost/api/events

Updating to a new release

export AOC_VERSION=v1.2.0
docker compose -f docker-compose.prod.yml pull
docker compose -f docker-compose.prod.yml up -d

Enabling HTTPS

Option A: Use your own certificates

  1. Place cert.pem and key.pem in nginx/ssl/

  2. Uncomment the HTTPS server block in nginx/nginx.conf

  3. Uncomment the HTTP → HTTPS redirect server block

  4. Reload nginx:

    docker compose -f docker-compose.prod.yml exec nginx nginx -s reload

Option B: Let's Encrypt with Certbot

Replace the nginx service in docker-compose.prod.yml with a Certbot-friendly setup (e.g., use the nginx-proxy + acme-companion stack) or mount the Certbot certificates into nginx/ssl/.

Security hardening

  • MongoDB is not exposed to the host — only the backend container can reach it.
  • The backend runs as a non-root (aoc) user inside the container.
  • nginx adds security headers (X-Frame-Options, X-Content-Type-Options, etc.).
  • Keep .env out of version control — it is listed in .gitignore.

Rollback

export AOC_VERSION=v1.0.3
docker compose -f docker-compose.prod.yml pull
docker compose -f docker-compose.prod.yml up -d

Monitoring

  • Prometheus metrics: http://your-host/metrics

  • Health check: http://your-host/health

  • Container logs:

    docker compose -f docker-compose.prod.yml logs -f backend
docker compose -f docker-compose.prod.yml logs -f nginx
docker compose -f docker-compose.prod.yml logs -f mongo
Reference in New Issue View Git Blame Copy Permalink