Production Deployment

Coolify (recommended)

Coolify is a self-hosted PaaS that handles Docker deployments, SSL, and reverse proxying.

The easiest setup uses the pre-built image from GHCR — Coolify pulls it directly without building anything on your server:

1. Add a new resource → Docker Image
2. Set image to ghcr.io/airenare/inkstone:latest
3. Set environment variables: VAULT_REPO, SECRET_KEY, HIDE_ATTRIBUTION, etc.
4. Set the exposed port to 8000
5. Enable Let's Encrypt for automatic SSL
6. Deploy

The container entrypoint clones your vault on first start and pulls it on subsequent starts. No build step, no source checkout needed.

Keeping InkStone up to date

When a new InkStone version is released, a fresh image is pushed to GHCR automatically. To pick it up:

• Manual — click Redeploy in Coolify. Since the image is already built, it takes a few seconds.
• Scheduled — in your Coolify app, enable Scheduled Deployments and set a cron expression (e.g. 0 3 * * * for nightly at 3 AM). Coolify will pull :latest and redeploy on that schedule.

There is no mechanism for instant push-triggered updates to third-party deployments — that would require adding a secret to the InkStone repo itself, which only the maintainer can do. Scheduled redeployment is the practical alternative.

Webhook for live updates

To update the site content without redeploying:

1. Set WEBHOOK_SECRET in your environment: bash WEBHOOK_SECRET=a-random-secret-string
2. Add a GitHub webhook on your vault repository:
3. Payload URL: https://yourdomain.com/webhook
4. Content type: application/json
5. Secret: same value as WEBHOOK_SECRET
6. Events: Just the push event

On every push to the vault repo, GitHub sends a POST to /webhook. InkStone validates the signature with WEBHOOK_SECRET, then pulls the latest vault content and reloads — no container restart needed.

Subpath hosting

If InkStone is hosted at a path prefix rather than the root (e.g. https://example.com/inkstone/):

URL_PATH_PREFIX=/inkstone

All generated attachment URLs, nav links, and feeds will include the prefix.

SSL

InkStone itself is HTTP only. SSL termination should be handled by a reverse proxy:

• Coolify — built-in Let's Encrypt
• Caddy — automatic HTTPS with a Caddyfile
• Nginx — configure as a proxy pass to localhost:8000 with Certbot

SECRET_KEY

Set a long random string to persist visitor sessions (theme preference, unlocked private notes) across restarts:

python3 -c "import secrets; print(secrets.token_hex(32))"

Without it, every server restart invalidates all sessions.