
chore: update environment configuration and Caddyfile for Lightsail deployment #6

Merged
BeforeLights merged 1 commit into main from feat/deployment-configs
May 6, 2026

Conversation

@BeforeLights
Contributor

@BeforeLights BeforeLights commented May 6, 2026

  • Changed database name in api.env.example from 'nail_star' to 'postgres' and added SSL support.
  • Refactored Caddyfile to improve request handling for API and health check routes.
  • Updated deployment documentation to reflect changes in expected costs and SSL requirements for PostgreSQL.

Summary by CodeRabbit

  • New Features

    • Introduced automated deployment pipeline for production environment.
  • Documentation

    • Updated deployment guide with step-by-step setup instructions and AWS cost estimates.
    • Added guidance for various deployment scenarios and configuration requirements.
  • Chores

    • Updated deployment environment configuration files.

…eployment

- Changed database name in api.env.example from 'nail_star' to 'postgres' and added SSL support.
- Refactored Caddyfile to improve request handling for API and health check routes.
- Updated deployment documentation to reflect changes in expected costs and SSL requirements for PostgreSQL.
@coderabbitai

coderabbitai Bot commented May 6, 2026

Caution

Review failed

Failed to post review comments


Walkthrough

This PR introduces automated Lightsail deployment via GitHub Actions, refactors Caddyfile routing with named matchers, updates environment configuration to use PostgreSQL with SSL support, and documents the new CI/CD deployment process and pre-domain configuration.

Changes

Lightsail Deployment Automation

| Layer | File(s) | Summary |
|---|---|---|
| Server Configuration | deploy/lightsail/Caddyfile | Named matchers (@api, @health) replace inline routes; static content consolidated into a single handle block for cleaner routing logic. |
| Environment Setup | deploy/lightsail/api.env.example | DB_NAME changed from nail_star to postgres; DB_SSL=true added to enable encrypted database connections. |
| CI/CD Workflow | .github/workflows/deploy-lightsail.yml | New workflow file defines verify (lint, tests, build, docker image) and deploy (SSH checkout, build, rsync assets, docker compose, health checks) jobs triggered on main push or manual dispatch. |
| Documentation | docs/deploy-lightsail.md | Added GitHub Actions Deployment section with required secrets (LIGHTSAIL_HOST, LIGHTSAIL_USER, LIGHTSAIL_SSH_KEY, LIGHTSAIL_APP_DIR, PRODUCTION_BACKEND_URL); documented pre-domain deployment configuration for APP_DOMAIN, VITE_BACKEND_URL, CORS_ORIGINS, and COOKIE_SECURE; updated AWS cost estimate to $30–$45/month. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • Nail-Addison/nail-star#5: Adds database SSL connection logic that directly complements the new DB_SSL=true environment variable in this PR.
  • Nail-Addison/nail-star#2: Modifies related Lightsail deployment configuration files and documentation that overlap with this PR's scope.

Poem

🐰 A workflow born to automate,
Named matchers route the API gate,
SSL-secure from start to end,
On main-push the code shall send!
Lightsail deploys with GitHub's care. ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main changes: updating environment configuration (api.env.example) and Caddyfile for Lightsail deployment, which are the core modifications across multiple files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@qodo-code-review

Review Summary by Qodo

Add GitHub Actions deployment workflow and improve Lightsail configuration

✨ Enhancement 📝 Documentation


Walkthroughs

Description
• Add GitHub Actions workflow for automated Lightsail deployment
• Refactor Caddyfile with named matchers for cleaner request routing
• Update environment config with SSL support and postgres database name
• Expand deployment documentation with GitHub Actions setup and pre-domain guidance
Diagram

```mermaid
flowchart LR
  GHA["GitHub Actions<br/>Workflow"] -->|SSH Deploy| Lightsail["Lightsail Instance"]
  Caddyfile["Caddyfile<br/>Refactored"] -->|Route Requests| API["API Service"]
  EnvConfig["Environment Config<br/>SSL + postgres"] -->|Configure| API
  Docs["Deployment Docs<br/>Expanded"] -->|Guide| GHA
```


File Changes

1. .github/workflows/deploy-lightsail.yml ✨ Enhancement +84/-0

Add GitHub Actions automated deployment workflow

• New GitHub Actions workflow for automated deployment to Lightsail on main branch pushes
• Verify job runs linting, tests, and builds for both API and web applications
• Deploy job executes SSH commands to pull latest code, build frontend, and restart Docker services
• Includes health check verification after deployment

2. deploy/lightsail/Caddyfile ✨ Enhancement +9/-5

Refactor Caddyfile with named matchers

• Refactor route handling using named matchers (@api, @health) for improved clarity
• Consolidate static file serving into explicit handle block with root directive
• Maintain existing functionality while improving code organization and readability

3. deploy/lightsail/api.env.example ⚙️ Configuration changes +2/-1

Add SSL support and update database name

• Change default database name from 'nail_star' to 'postgres'
• Add DB_SSL=true configuration for Lightsail PostgreSQL SSL requirement

4. docs/deploy-lightsail.md 📝 Documentation +18/-2

Expand deployment documentation with GitHub Actions

• Update baseline cost estimate from $30-$35 to $30-$45 per month with database plan note
• Add SSL requirement documentation for Lightsail PostgreSQL setup
• Add guidance for pre-domain deployment using static IP with HTTP configuration
• Add comprehensive GitHub Actions deployment section with required repository secrets
• Document runtime secrets management and local environment file requirements


@qodo-code-review

qodo-code-review Bot commented May 6, 2026

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0)

Action required

1. Unpinned SSH action 🐞 Bug ⛨ Security
Description
The deployment workflow runs appleboy/ssh-action pinned to a mutable tag (v1.2.0), which is a supply-chain risk because the referenced code can change without a workflow change and would execute with production deployment privileges.
Code

.github/workflows/deploy-lightsail.yml[57]

+        uses: appleboy/ssh-action@v1.2.0
Evidence
Using a third-party GitHub Action by version tag rather than an immutable commit SHA allows upstream changes (malicious or accidental) to alter what runs in CI/CD without any change to this repo.

.github/workflows/deploy-lightsail.yml[56-65]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflow references a third-party GitHub Action via a mutable tag, which creates a supply-chain risk for production deploys.

### Issue Context
`uses: appleboy/ssh-action@v1.2.0` should be pinned to an immutable commit SHA.

### Fix Focus Areas
- .github/workflows/deploy-lightsail.yml[56-65]

### Suggested change
Replace the tag with the action’s commit SHA (from the action’s release page / Marketplace), e.g.:
```yaml
- uses: appleboy/ssh-action@<FULL_COMMIT_SHA>
```
Optionally keep a comment indicating which release the SHA corresponds to.



2. DB SSL skips verification 🐞 Bug ⛨ Security
Description
With DB_SSL=true now required by the Lightsail deployment docs, the API's Sequelize TLS configuration uses rejectUnauthorized: false, disabling server certificate verification and permitting MITM against the database connection.
Code

deploy/lightsail/api.env.example[R5-6]

+DB_NAME=postgres
+DB_SSL=true
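Review bot: `DB_NAME=postgres` points the application at the cluster's default maintenance database instead of a database of its own, which makes it harder to scope the app role's privileges to a single database and to host a second application or a side-by-side restore on the same instance later. If the rename from `nail_star` only mirrors what Lightsail creates by default, consider creating an app-specific database on the instance and keeping the dedicated name in this example file, with a one-line note next to `DB_SSL=true` explaining the choice.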
Evidence
The Lightsail deployment now enables SSL via environment configuration, and the API code turns on TLS when DB_SSL === "true" but hard-codes rejectUnauthorized: false, which disables certificate validation.

deploy/lightsail/api.env.example[5-6]
docs/deploy-lightsail.md[24-27]
apps/api/src/config/database.ts[6-29]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
When DB SSL is enabled (`DB_SSL=true`), the API config disables certificate verification (`rejectUnauthorized: false`). This undermines TLS and allows man-in-the-middle attacks on the DB connection.

### Issue Context
Lightsail docs instruct keeping `DB_SSL=true`, so this insecure TLS mode becomes the default for production.

### Fix Focus Areas
- apps/api/src/config/database.ts[6-29]
- deploy/lightsail/api.env.example[5-6]
- docs/deploy-lightsail.md[24-27]

### Suggested change
Make certificate verification the default, and allow explicit override only when required:
- Set `rejectUnauthorized: true` by default.
- Optionally support a CA bundle env var (e.g., `DB_SSL_CA`) and/or an explicit opt-out (e.g., `DB_SSL_REJECT_UNAUTHORIZED=false`) for exceptional cases.

Example:
```ts
const useSsl = process.env.DB_SSL === "true";
const rejectUnauthorized = process.env.DB_SSL_REJECT_UNAUTHORIZED !== "false";

// ...
dialectOptions: {
  ssl: useSsl
    ? {
        require: true,
        rejectUnauthorized,
        ca: process.env.DB_SSL_CA,
      }
    : undefined,
}
```
Then update the Lightsail env example/docs to document the CA/override options rather than relying on `rejectUnauthorized: false`.




Remediation recommended

3. Brittle health URL parsing 🐞 Bug ≡ Correctness
Description
The deploy workflow computes HEALTH_BASE via ${BACKEND_URL%/api}, which only strips an exact /api suffix; if PRODUCTION_BACKEND_URL is set to .../api/ (common trailing-slash variant), the subsequent curls will hit incorrect paths (e.g., /api//api/healthz) and fail the deploy job.
Code

.github/workflows/deploy-lightsail.yml[R82-84]

+            HEALTH_BASE="${BACKEND_URL%/api}"
+            curl -fsS "$HEALTH_BASE/healthz"
+            curl -fsS "$HEALTH_BASE/api/healthz"
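Review bot: the two `curl` lines run exactly once, directly after the `docker compose` step, so a container that is still starting answers with a connection error and `curl -f` fails the deploy job even when the release itself is fine. Separately from the `%/api` normalization raised above, wrap the checks in a short bounded retry loop (or use `curl --retry 5 --retry-connrefused`) and echo the URL that failed, since `-f` suppresses the response body and the job log otherwise shows only the exit code.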
Evidence
The workflow uses Bash suffix removal to strip /api and then appends /healthz and /api/healthz. Bash %/api will not match /api/ (or any other variation), so the constructed URLs can be wrong depending on how the secret is entered.

.github/workflows/deploy-lightsail.yml[82-84]
docs/deploy-lightsail.md[98-101]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The deploy workflow’s health-check URL computation is brittle because it assumes `PRODUCTION_BACKEND_URL` ends with exactly `/api`. Trailing slashes (e.g., `/api/`) or other variants can cause health checks to query the wrong endpoints and fail deployments.

### Issue Context
`HEALTH_BASE="${BACKEND_URL%/api}"` only strips the exact `/api` suffix, not `/api/`.

### Fix Focus Areas
- .github/workflows/deploy-lightsail.yml[82-84]

### Suggested change
In the SSH script, normalize the URL first, then compute base robustly, e.g.:
```bash
BACKEND_URL="${BACKEND_URL%/}"          # drop trailing slash
HEALTH_BASE="$BACKEND_URL"
HEALTH_BASE="${HEALTH_BASE%/api}"       # drop /api if present
HEALTH_BASE="${HEALTH_BASE%/}"          # ensure no trailing slash

curl -fsS "$HEALTH_BASE/healthz"
curl -fsS "$HEALTH_BASE/api/healthz"
```
Optionally, add a guard that errors with a clear message if `BACKEND_URL` doesn’t contain `/api`.



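As an added example (not code from the PR or from the Qodo review), a shell helper for the deploy step that normalizes PRODUCTION_BACKEND_URL the way issue 3 recommends, including the `/api/` trailing-slash variant, and then polls both health endpoints with a bounded retry so a container that is still starting after `docker compose` does not fail the job on its first connection error. The function names and the attempt/delay defaults are assumptions.

```shell
#!/bin/sh
# Added example (not from the PR or the Qodo review): derive the health-check
# origin from PRODUCTION_BACKEND_URL and poll both endpoints with a bounded
# retry. Function names and the attempt/delay defaults are assumptions.
set -eu

# Print the origin that /healthz and /api/healthz hang off. Accepts the
# trailing-slash variant (.../api/) that breaks the plain ${BACKEND_URL%/api}
# and fails loudly when the URL does not end in /api at all.
health_base() {
  url="${1%/}"            # drop a trailing slash: .../api/  -> .../api
  url="${url%/}"          # tolerate a doubled slash: .../api// -> .../api
  case "$url" in
    */api) printf '%s\n' "${url%/api}" ;;
    *) echo "PRODUCTION_BACKEND_URL must end in /api, got: $1" >&2; return 1 ;;
  esac
}

# Poll one endpoint until it answers 2xx or the attempt budget is spent.
# curl -f turns HTTP 4xx/5xx into a non-zero exit, so a single pass here
# would fail the deploy while the container is still booting.
wait_healthy() {
  endpoint="$1"; attempts="${2:-10}"; delay="${3:-3}"; i=1
  while [ "$i" -le "$attempts" ]; do
    if curl -fsS --max-time 5 "$endpoint" >/dev/null 2>&1; then
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  echo "health check failed after $attempts attempts: $endpoint" >&2
  return 1
}

# Deploy-step usage: pass the backend URL; both checks must pass or the job fails.
if [ -n "${1:-}" ]; then
  base="$(health_base "$1")"
  wait_healthy "$base/healthz"
  wait_healthy "$base/api/healthz"
fi
```

Called as `sh healthcheck.sh "$PRODUCTION_BACKEND_URL"` inside the SSH script, the non-zero exit propagates to the deploy job exactly as the original `curl -fsS` lines do.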

@BeforeLights BeforeLights merged commit 4596c7a into main May 6, 2026
1 check passed
