LafaekStreet Backend - Deployment
Quick Start
Deploy and update the backend from your Mac using these two scripts:
```bash
cd lafaekstreet_backend
# First-time deploy to AWS Lightsail
./new_deploy_server.sh
# Update existing server
./new_update_server.sh
```
See DEPLOY_GUIDE.md for full documentation.
Architecture
```
Mobile App (Flutter)
           |
           | HTTPS (port 443)
           v
+-----------------------+
| Amazon Lightsail      |
| Ubuntu 22.04 LTS      |
|                       |
| Nginx (reverse proxy) | <-- SSL termination, rate limiting, security headers
|          |            |
| Gunicorn + Uvicorn    | <-- 2 async workers, port 8000
|          |            |
| FastAPI Application   | <-- API endpoints, background tasks
+-----------------------+
    |           |         |          |            |
    v           v         v          v            v
  Aiven       Aiven     AWS S3   AWS Bedrock    Hedera
PostgreSQL    Valkey   (images)   (AI/Nova)  (blockchain)
```
What Runs Where
| Component | Location | Purpose |
|---|---|---|
| FastAPI + Gunicorn | Lightsail | API server (2 async workers) |
| Nginx | Lightsail | Reverse proxy, SSL, rate limiting |
| Fail2Ban | Lightsail | Brute-force protection |
| PostgreSQL | Aiven (managed) | Database |
| Valkey/Redis | Aiven (managed) | Cache + rate limiting |
| S3 | AWS (managed) | Image storage |
| Bedrock | AWS (managed) | AI damage detection + embeddings |
| KMS | AWS (managed) | Encryption keys |
| Hedera | Hedera Testnet | Blockchain verification |
Deployment Scripts
new_deploy_server.sh - First-Time Deploy
Run from your Mac. Creates Lightsail instance, uploads code, configures everything:
- Creates SSH key + Lightsail instance
- Uploads code via SCP
- Installs system deps (Python, Nginx, Certbot, Fail2Ban)
- Sets up Python venv + pip dependencies
- Configures systemd service (Gunicorn + Uvicorn)
- Configures Nginx (reverse proxy, rate limiting, security headers)
- Configures Fail2Ban + log rotation
- SSL certificate via Let's Encrypt
new_update_server.sh - Update Server
Run from your Mac. Three update options:
| Option | What it does |
|---|---|
| 1 - Env only | Updates .env file, restarts service |
| 2 - Full update | Code + .env + deps, with backup/rollback/health check |
| 3 - Code only | Updates code + deps, keeps existing .env on server |
Safety features: auto backup, import validation, health check, auto-rollback on failure.
Prerequisites
- AWS CLI configured: aws configure
- .env file in lafaekstreet_backend/ directory
- Run scripts from lafaekstreet_backend/ directory
Configuration
Default values in the scripts (edit if needed):
```
Instance: lafaekstreet-api
Region: us-east-1
Bundle: micro_3_0 (1 GB RAM, 2 vCPUs, 40 GB SSD)
Domain: api.lafaekstreet.com
SSH Key: ~/.ssh/lafaekstreet-key.pem
App Dir: /home/ubuntu/lafaekstreet (on server)
```
Quick Reference Commands
```bash
# SSH to server
ssh -i ~/.ssh/lafaekstreet-key.pem ubuntu@<IP>
# Service management (on server)
sudo systemctl status lafaekstreet
sudo systemctl restart lafaekstreet
# Logs (on server)
sudo journalctl -u lafaekstreet -f
sudo tail -f /var/log/lafaekstreet/error.log
# Health check
curl http://localhost:8000/health
# Security check (on server)
bash ~/lafaekstreet/deployment/verify_security.sh
# System resources
free -h && df -h
```
Server Files
| File | Location | Purpose |
|---|---|---|
| Systemd service | /etc/systemd/system/lafaekstreet.service | Process management |
| Nginx config | /etc/nginx/sites-available/lafaekstreet | Reverse proxy |
| Environment | ~/lafaekstreet/.env | App configuration |
| Log rotation | /etc/logrotate.d/lafaekstreet | Log cleanup |
| Fail2Ban | /etc/fail2ban/jail.local | Brute-force protection |
| App logs | /var/log/lafaekstreet/ | Application logs |
| Backups | ~/backups/ | Pre-update backups |
Nginx Details
Optimized for Timor-Leste's slow connections:
| Setting | Value | Reason |
|---|---|---|
| client_max_body_size | 12M | 10MB image limit + overhead |
| client_body_timeout | 120s | Slow upload connections |
| proxy_send_timeout (uploads) | 300s | 5 min for image pre-upload |
| rate_limit | 10 req/s per IP | DDoS protection |
| server_tokens | off | Hide Nginx version |
| keepalive | 32 connections | Connection reuse |
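The table states intended values; the running configuration can drift from it after manual edits. The script below is an added example (not part of this repository and not the project's verify_security.sh) that checks a config dump against the table. The limit_req_zone / limit_req spellings of the "10 req/s per IP" row, the zone name, the burst value and the /upload location in the constructed sample are assumptions.

```bash
# Added example (not the project's verify_security.sh): audit an Nginx config
# dump, e.g. from `sudo nginx -T > /tmp/nginx.dump`, against the table above.

# Constructed sample. Zone name, burst and /upload location are assumptions.
sample_conf() {
    cat <<'EOF'
http {
    server_tokens off;
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
    upstream app { server 127.0.0.1:8000; keepalive 32; }
    server {
        client_max_body_size 12M;
        client_body_timeout 120s;
        location / { limit_req zone=api burst=20; proxy_pass http://app; }
        location /upload { proxy_send_timeout 300s; proxy_pass http://app; }
    }
}
EOF
}

# Print PASS/FAIL per setting for config file $1; return the number of failures.
audit_nginx() {
    # Drop comments first so a commented-out directive cannot satisfy a check.
    conf=$(sed 's/#.*$//' "$1") || return 99
    fails=0
    # Each check line is "label|extended regex" (limit_req* forms are assumed).
    while IFS='|' read -r name regex; do
        if printf '%s\n' "$conf" | grep -Eq -- "$regex"; then
            echo "PASS  $name"
        else
            echo "FAIL  $name"
            fails=$((fails + 1))
        fi
    done <<'EOF'
server_tokens off|server_tokens[[:space:]]+off[[:space:]]*;
client_max_body_size 12M|client_max_body_size[[:space:]]+12[mM][[:space:]]*;
client_body_timeout 120s|client_body_timeout[[:space:]]+120s?[[:space:]]*;
proxy_send_timeout 300s|proxy_send_timeout[[:space:]]+300s?[[:space:]]*;
keepalive 32|keepalive[[:space:]]+32[[:space:]]*;
rate limit zone 10r/s per IP|limit_req_zone[[:space:]]+\$(binary_)?remote_addr[[:space:]].*rate=10r/s
rate limit applied|limit_req[[:space:]]+zone=
EOF
    return "$fails"
}

# Audit the file given on the command line, if any.
[ "$#" -eq 0 ] || audit_nginx "$1"
```

The last check catches a zone that is defined but never applied to a location, which leaves rate limiting silently off.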
Troubleshooting
See DEPLOY_GUIDE.md for detailed troubleshooting.
Quick fixes:
```bash
# Service won't start
sudo journalctl -u lafaekstreet -n 50
# Test import
cd ~/lafaekstreet && source venv/bin/activate
python -c "from app.main import app"
# 502 Bad Gateway
sudo systemctl start lafaekstreet
sudo ss -tlnp | grep 8000
# SSL
sudo certbot --nginx -d api.lafaekstreet.com
```
Cost
| Service | Cost | Notes |
|---|---|---|
| Lightsail Instance | $5/month | 512MB RAM, 1 vCPU, 20GB SSD |
| Aiven PostgreSQL | $0 | Free tier |
| Aiven Valkey | $0 | Free tier |
| AWS S3 | ~$0.50 | Pay-per-use |
| AWS Bedrock | ~$2 | Pay-per-use |
| AWS KMS | ~$1 | Key storage |
| Total | ~$8.50/month | |
Other Docs
- DEPLOY_GUIDE.md - Full deployment guide for new scripts
- verify_security.sh - Security verification script
- .env.production.example - Production env template
