Remote Server

This document is the project source of truth for remote server and deploy environment rules.

Server Inventory

  • Deploy target host is mathbox.90.cz.
  • Default assumption is a single Docker host running all four modules on one shared internal network.
  • Public HTTPS hostname for whatsapp-adapter-api is https://whatsapp-adapter-api.mathbox.90.cz. This hostname is assigned in DNS, but reverse proxy and certificate setup are still incomplete and need to be configured according to python-application-skill before publication is complete.
  • Public HTTPS hostname for whatsapp-adapter-app is https://whatsapp-adapter-app.mathbox.90.cz. This hostname is assigned in DNS, but reverse proxy and certificate setup are still incomplete and need to be configured according to python-application-skill before publication is complete.
  • Public HTTPS hostname for whatsapp-adapter-docs is https://whatsapp-adapter-docs.mathbox.90.cz.
  • WAHA operator dashboard entry on mathbox is https://waha.mathbox.90.cz/dashboard/.

Deploy Rules

  • Deploy starts from repo root with ./script/deploy.sh or per-module deploy scripts.
  • Production config source of truth is secrets/prod/<module>.env.
  • Production modules on mathbox run with HOST_UID=1001 and HOST_GID=1001.
  • Each module deploy reads its own materialized .env.server.
  • Root deploy renders local .env.server files from SOPS before each module deploy and removes those local plaintext artifacts after the run.
  • Remote deploy copies the module directory and runs the module deploy script on the remote host.
  • Remote deploy does not overwrite bind-mounted runtime state directories such as data/, logs/, conf/, sessions/, or media/.
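
One way to satisfy the render-then-remove rule above so that the plaintext .env.server is deleted even when a module deploy fails or is interrupted. This is an added example, not the project's own deploy.sh; the function name render_and_run and its argument order are assumptions, and the module deploy command is supplied by the caller.

```shell
#!/bin/sh
# Added example (not the project's deploy.sh).
# ASSUMPTION: render_and_run and its argument order are hypothetical.
#
# Usage: render_and_run MODULE_DIR SECRET_FILE COMMAND [ARGS...]
#   MODULE_DIR   module directory that receives .env.server
#   SECRET_FILE  SOPS-encrypted dotenv file, e.g. secrets/prod/<module>.env
#   COMMAND      the module deploy command to run while the plaintext exists
render_and_run() {
    module_dir=$1
    secret_file=$2
    shift 2
    (
        # Create the plaintext file readable by its owner only.
        umask 077
        out="$module_dir/.env.server"

        # The EXIT trap runs when this subshell ends for any reason:
        # deploy success, deploy failure, or a failed decrypt.
        trap 'rm -f "$out"' EXIT
        # Turn Ctrl-C / kill into a normal exit so the EXIT trap still runs.
        trap 'exit 130' INT TERM

        # Decrypt to dotenv. If sops fails, the redirect has already created
        # an empty or partial file; the trap removes it.
        sops -d --input-type dotenv --output-type dotenv "$secret_file" \
            > "$out" || exit 1

        # Run the deploy command and return its status to the caller.
        "$@"
        exit $?
    )
}
```

The subshell keeps the traps and umask local to one module, so a root script can call render_and_run once per module and stop on the first non-zero status.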

Exposure Rules

  • whatsapp-adapter-waha remains outside the public project API contract.
  • If operator access is exposed on mathbox, expose the dashboard entry explicitly and do not treat the vendor host as a general public API surface.
  • whatsapp-adapter-api is the primary candidate for public exposure when external systems need REST access.
  • whatsapp-adapter-app may be public only when protected by SimpleAuth and reverse proxy TLS.
  • whatsapp-adapter-docs may be public when documentation needs a standalone published site.
  • Until hostnames are assigned, all compose defaults bind to 127.0.0.1.

When Public Domains Are Added

  • whatsapp-adapter-api is published at https://whatsapp-adapter-api.mathbox.90.cz.
  • whatsapp-adapter-app is published at https://whatsapp-adapter-app.mathbox.90.cz.
  • whatsapp-adapter-docs is published at https://whatsapp-adapter-docs.mathbox.90.cz.
  • whatsapp-adapter-waha operator dashboard is at https://waha.mathbox.90.cz/dashboard/.
  • Keep API and app publication marked incomplete until reverse proxy routing, TLS certificates, and related app settings are configured according to python-application-skill.
  • Set whatsapp-adapter-app DOCS_BASE_URL to the final docs URL for that environment when the docs site does not live on the same host and default docs port.
  • Record reverse proxy routes and certificate workflow.
  • Verify HTTPS from the final hostname after deploy.