Igor Solutions — Deployment Guide

How to manage nginx configs, SSL, and the VPS gateway for igorai.* domains.


Server Map

Internet → VPS (66.179.137.105) → Tailscale → Igor Private Server (100.125.121.21)
              │                                       │
              ├─ nginx                                ├─ CouchDB :5984
              ├─ certbot                              └─ future apps
              ├─ oauth2-proxy :4180 (igorio.space)
              └─ oauth2-proxy-igorai :4181 (igorai.online/store)

Connecting to Infrastructure

# VPS (via thinkcentre — direct SSH not yet configured from minibeaux)
ssh root@thinkcentre
ssh root@vps
 
# Igor Private Server
ssh igor@192.168.1.206      # from LAN
ssh igor@100.125.121.21     # from tailnet

Nginx Config Locations

Domain          Config File                                 Type
igorai.info     /etc/nginx/sites-available/igorai.info      Static site
igorai.org      /etc/nginx/sites-available/igorai.org       Reverse proxy → CouchDB
igorai.online   /etc/nginx/sites-available/igorai.online    OAuth → CouchDB
igorai.store    /etc/nginx/sites-available/igorai.store     OAuth → CouchDB

Each config is enabled by a symlink in /etc/nginx/sites-enabled/.


Common Operations

Reload nginx after config changes

ssh root@vps
nginx -t && systemctl reload nginx

Check nginx status

ssh root@vps
systemctl status nginx
tail -f /var/log/nginx/access.log
tail -f /var/log/nginx/error.log

Renew SSL certs

ssh root@vps
certbot renew --dry-run    # test
certbot renew               # actual renewal

Check cert expiry

ssh root@vps
certbot certificates

Nginx Config Template

Public static site (igorai.info pattern)

server {
    server_name example.igorai.info www.example.igorai.info;
 
    root /var/www/example;
    index index.html;
 
    location / {
        try_files $uri $uri/ =404;
    }
 
    listen [::]:443 ssl;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.igorai.info/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.igorai.info/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server {
    if ($host = www.example.igorai.info) { return 301 https://$host$request_uri; }
    if ($host = example.igorai.info) { return 301 https://$host$request_uri; }
    server_name example.igorai.info www.example.igorai.info;
    listen 80;
    listen [::]:80;
    return 404;
}

OAuth-gated proxy (igorai.online pattern)

server {
    server_name example.igorai.online;
 
    location ^~ /oauth2/ {
        proxy_pass http://127.0.0.1:4181;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    }
 
    location = /oauth2/auth {
        internal;
        proxy_pass http://127.0.0.1:4181/oauth2/auth;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header Content-Length 0;
        proxy_pass_request_body off;
    }
 
    location / {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;
 
        proxy_pass http://100.125.121.21:5984;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }
 
    listen [::]:443 ssl;
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.igorai.online/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.igorai.online/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

Adding a New Subdomain (Full Walkthrough)

Public subdomain on igorai.info

# 1. DNS
ionos-manage add igorai.info blog 66.179.137.105
 
# 2. Create nginx config on VPS
ssh root@vps
cp /etc/nginx/sites-available/igorai.info /etc/nginx/sites-available/blog.igorai.info
vim /etc/nginx/sites-available/blog.igorai.info
# Change server_name, update root if needed
 
# 3. Get SSL
ln -s /etc/nginx/sites-available/blog.igorai.info /etc/nginx/sites-enabled/
certbot --nginx -d blog.igorai.info
 
# 4. nginx reloads automatically after certbot

Gated subdomain on igorai.online

# 1. DNS
ionos-manage add igorai.online app 66.179.137.105
 
# 2. Create nginx config + SSL
ssh root@vps
cp /etc/nginx/sites-available/igorai.online /etc/nginx/sites-available/app.igorai.online
vim /etc/nginx/sites-available/app.igorai.online
ln -s /etc/nginx/sites-available/app.igorai.online /etc/nginx/sites-enabled/
certbot --nginx -d app.igorai.online
 
# 3. Add redirect URI in Google Cloud Console
#    https://app.igorai.online/oauth2/callback
 
# 4. Update oauth2-proxy-igorai.toml
#    Add to cookie_domains and whitelist_domains
#    systemctl restart oauth2-proxy-igorai
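
A pre-reload check for the copied gated config from step 2 (an added example, not part of the original guide): it flags any location that proxies upstream without auth_request, the line most easily lost when editing a copy of the igorai.online template. The function names, the sample config and its /_utils/ location are constructed for illustration, and the check assumes un-nested locations with auth_request set per location.

```shell
# lint_gated_vhost [FILE]: print each location that uses proxy_pass without
# auth_request; return 1 if any exist. Assumes un-nested locations with
# auth_request set per location, as in the template. /oauth2/ is exempt.
lint_gated_vhost() {
    awk '
    { sub(/#.*/, ""); line = " " $0 }        # drop comments
    !inloc && /^[ \t]*location[ \t]/ {
        inloc = 1; opened = 0; depth = 0; proxied = 0; gated = 0
        name = $0
        sub(/^[ \t]*location[ \t]+/, "", name)
        sub(/[ \t]*[{].*/, "", name)
        n = split(name, part, /[ \t]+/); path = part[n]
    }
    inloc {
        if (line ~ /[ \t;{]proxy_pass[ \t]/) proxied = 1
        # "auth_request off;" is no gate; auth_request_set does not match
        if (line ~ /[ \t;{]auth_request[ \t]+[^ \t;]/ &&
            line !~ /auth_request[ \t]+off[ \t]*;/) gated = 1
        if (line ~ /[{]/) opened = 1
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (opened && depth <= 0) {
            if (proxied && !gated && path !~ /^\/oauth2\//) {
                print "UNGATED: location " name; bad++
            }
            inloc = 0
        }
    }
    END { exit (bad > 0) }' "$@"
}

# Constructed sample: edited copy of the gated template where a second
# proxied location was added with its auth_request line commented out.
sample_edited_conf() {
    cat <<'EOF'
server {
    location ^~ /oauth2/ { proxy_pass http://127.0.0.1:4181; }
    location = /oauth2/auth { internal; proxy_pass http://127.0.0.1:4181/oauth2/auth; }
    location / {
        auth_request /oauth2/auth;
        proxy_pass http://100.125.121.21:5984;
    }
    location /_utils/ {
        # auth_request /oauth2/auth;
        proxy_pass http://100.125.121.21:5984;
    }
}
EOF
}
sample_edited_conf | lint_gated_vhost || echo "fix before reloading nginx"
```

On the VPS, run it against the edited file (lint_gated_vhost /etc/nginx/sites-available/app.igorai.online) before symlinking it into sites-enabled.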