bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4a8bb97764c31998f2e87bf6f38bd8b1bc04a596
crewli/deploy
History
bert.hausmans a748c9ee7a chore(deploy): single-host deploy config — drop apps/portal build, retire portal.crewli.app 
deploy.sh referenced apps/portal which was deleted in WS-3 PR-B1; the
script has been broken in main since that merge (npm run build
-w apps/portal would fail). Collapse to a single-app build.

Changes:
- deploy.sh: replace dual-build block (build app + portal, verify both
  dist/) with single-app build (build app, verify dist/index.html)
- deploy/nginx/csp-portal.conf: deleted (content was identical to
  csp-spa.conf — verified before removal)
- deploy/README.md: replace "Portal (portal.crewli.app)" server-block
  section with "Legacy portal redirect" — a 301 server block
  template that redirects portal.crewli.app → crewli.app preserving
  the request URI. Notes that DNS retirement is a separate ops task

Out of scope: actually retiring the portal.crewli.app DNS record
(operational, tracked separately).

bash -n deploy.sh: clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-06 00:24:40 +02:00
..
nginx
chore(deploy): single-host deploy config — drop apps/portal build, retire portal.crewli.app
2026-05-06 00:24:40 +02:00
README.md
chore(deploy): single-host deploy config — drop apps/portal build, retire portal.crewli.app
2026-05-06 00:24:40 +02:00

README.md

Crewli Deployment — Security Configuration

Nginx Security Headers

Copy the configuration snippets to your Nginx server:

API (api.crewli.app)

server {
    server_name api.crewli.app;

    include /path/to/deploy/nginx/security-headers.conf;
    include /path/to/deploy/nginx/csp-api.conf;

    # ... rest of config
}

Organizer App (crewli.app)

server {
    server_name crewli.app;

    include /path/to/deploy/nginx/security-headers.conf;
    include /path/to/deploy/nginx/csp-spa.conf;

    # ... rest of config
}

Legacy portal redirect (portal.crewli.app)

Pre-WS-3 (April 2026), Crewli ran a separate portal SPA at portal.crewli.app. The dual-SPA was consolidated into a single workspace; the legacy host should redirect 301 → crewli.app:

server {
    server_name portal.crewli.app;
    listen 443 ssl;
    # ... TLS config from DirectAdmin / Let's Encrypt ...

    return 301 https://crewli.app$request_uri;
}

DNS retirement of portal.crewli.app is a separate operational task tracked outside this repo. Until DNS is repointed, this redirect handles any stale links.

CSP Rollout Process

  1. Start with Content-Security-Policy-Report-Only (uncomment in csp-spa.conf)
  2. Monitor browser console for CSP violations for 1-2 weeks
  3. Add any missing sources to the policy
  4. Switch to enforcing Content-Security-Policy
  5. Monitor for false positives after enforcement

DirectAdmin Integration

If using DirectAdmin with Nginx:

  1. Place the .conf files in /usr/local/directadmin/data/users/USERNAME/nginx.conf or use DirectAdmin's custom Nginx configuration feature
  2. Reload Nginx: service nginx reload
  3. Verify headers: curl -I https://crewli.app | grep -i security
Reference in New Issue View Git Blame Copy Permalink