given the unlikelihood of anyone else actually running this thing, deployment does not have to be heavily streamlined, but some streamlining would be nice.
things that have to be plugged into other things in the course of deployment:
- webserver needs to serve files from okayworld/web (as the root of the domain, ideally)
- okayworld needs to read server's https certificate and private key
- okayworld needs to start on server startup and should be manageable as a service
one possibility is a fragile deploy script that has to be run as root on ubuntu. it installs nginx and certbot if they're not present, creates a certificate-users group if it's not present and makes the certificates readable to it, and adds okayworld to systemd if it's not there, basically assuming the entire point of the server is to be dedicated to a particular okayworld configuration. that script would only need to be interactive for getting the initial admin username and password and the site's domain name.
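
the certificate-group step of such a script could look like this. it is an added example, not code from okayworld: it assumes certbot's default /etc/letsencrypt layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not okayworld's own code. Assumes certbot's default layout
# (live/<domain>/*.pem are symlinks into archive/<domain>/). The group name
# "certificate-users" is from the note above; function names are hypothetical.

# Create the group only if it does not already exist, so re-runs are harmless.
ensure_group() {
    getent group "$1" >/dev/null 2>&1 || groupadd --system "$1"
}

# Give GROUP read access to DOMAIN's certificate and key, and nobody else.
# usage: grant_cert_read GROUP DOMAIN [LE_ROOT]
grant_cert_read() {
    group=$1 domain=$2 root=${3:-/etc/letsencrypt}
    [ -d "$root/archive/$domain" ] || { echo "no certificate for $domain" >&2; return 1; }
    # live/ and archive/ are root-only by default; the group must traverse them.
    for d in "$root/live" "$root/archive" "$root/live/$domain" "$root/archive/$domain"; do
        chgrp "$group" "$d" && chmod 0750 "$d" || return 1
    done
    # Set modes on the real files in archive/, not on the symlinks in live/.
    for f in "$root/archive/$domain"/*.pem; do
        chgrp "$group" "$f" || return 1
        case $f in
            */privkey*.pem) chmod 0640 "$f" ;;  # private key: owner and group only
            *)              chmod 0644 "$f" ;;  # certificates are public data
        esac || return 1
    done
}

# Print the octal mode of a path (GNU stat, as shipped on ubuntu).
mode_of() { stat -c '%a' "$1"; }

# In the deploy script (as root), with the domain read interactively:
#   ensure_group certificate-users
#   grant_cert_read certificate-users "$domain"
```

the okayworld service account then only needs membership in certificate-users to read the key, so the service itself does not have to run as root.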