BetterFrame/deploy/README.md

# BetterFrame deployment

## Deployment shapes

BetterFrame ships as **two artifacts**, deployable in any combination:

| Variant      | What it runs                              | Where it runs                |
|--------------|-------------------------------------------|------------------------------|
| **bf-server**| Docker compose (server + Angie + Node-RED)| Coolify / VM / on-prem box   |
| **bf-client**| Rust kiosk binary + cage + plymouth       | Pi 5 (LAN-attached)          |
| *bf-aio*     | Both, single Pi                            | **Demo / single-site only**  |

The `bf-aio` mode (server + kiosk colocated on one Pi) is the simplest install
but couples failure domains — when the Pi dies, you lose both the displays it
drives AND the management plane for any other kiosks. Use for demos or a
single-display site. For anything else, run `bf-server` separately and have
`bf-client` Pis point at it.

### bf-server (Docker compose, Coolify-friendly)

Pull the repo on the host. Configure via env (overrides `sec-config.yaml`):

```
BF_DATA_DIR=/var/lib/betterframe
BF_SQLITE_PATH=/var/lib/betterframe/betterframe.db
BF_NODERED_URL=http://nodered:1880
BF_SELF_URL=http://server:18080
BF_FIRMWARE_SIGNING_KEY=        # paste Ed25519 PEM for stable signing key
BF_MQTT_URL=                     # optional MQTT telemetry export
```

In Coolify: create a Docker compose stack pointing at the repo's
`docker-compose.yml` (repo root), inject the env vars, set a domain on the
`angie` service. Backups via the admin UI (`/admin/backup`) — Coolify's S3
hook can pull these on a schedule.

### bf-client (kiosk Pi)

```bash
sudo apt install -y git
git clone https://github.com/BetterCorp/BetterFrame.git ~/betterframe
sudo ~/betterframe/deploy/scripts/setup-pi-kiosk.sh client
```

Pairs with whichever `bf-server` is set in `/etc/default/betterframe-kiosk`
(`BETTERFRAME_SERVER=http://<server-host>`).

## Recommended: Docker services + native kiosk

Run server, Angie/nginx, and Node-RED in Docker Compose. Only Angie publishes a
host port. The BetterFrame backend ports and Node-RED are internal to the Docker
network, which forces `/nrdp/`, `/in/kiosk/`, and admin traffic through the
proxy auth rules.

```bash
cd /opt/betterframe
docker compose up -d --build      # from repo root
```

Published:

- `80` -> Angie/nginx public edge

Internal only:

- `18080` -> admin service
- `18081` -> kiosk API service
- `18082` -> kiosk WebSocket service
- `1880` -> Node-RED

Access first-run setup at:

```text
http://<pi-ip>/setup
```

Node-RED editor is reachable only through:

```text
http://<pi-ip>/nrdp/
```

The proxy has four route surfaces:

- BetterFrame web/API: `/`, `/setup`, `/admin/*`, `/auth/*`, `/static/*`,
  `/api/admin/*`, `/api/kiosk/*`, `/api/pair/*`, `/ws/kiosk`
- Kiosk-only Node-RED ingress: `/in/kiosk/<node-red-path>`
- Kiosk-only Node-RED dashboards: `/dash/*`
- Public Node-RED HTTP-in URLs: any otherwise-unmatched root path, plus
  `/in/public/<node-red-path>`

For example, a Node-RED `http in` node at `/test1` is public at
`http://<pi-ip>/test1` and also available at
`http://<pi-ip>/in/public/test1`. Kiosk-authenticated traffic to that same
Node-RED path uses `http://<pi-ip>/in/kiosk/test1`.

Do not publish `18080`, `18081`, `18082`, or `1880` on the host.

If migrating from an older native install, stop the old host daemons first:

```bash
sudo systemctl disable --now betterframe-server betterframe-nodered angie nginx 2>/dev/null || true
```

## Kiosk

The kiosk still runs natively on the Pi because it needs Wayland/HDMI, GTK,
GStreamer, display power control, and local hardware access.

```bash
sudo apt install -y libgtk-4-dev libgstreamer1.0-dev \
    libgstreamer-plugins-base1.0-dev gstreamer1.0-plugins-good \
    gstreamer1.0-plugins-bad gstreamer1.0-libav \
    gstreamer1.0-gtk4 libwebkitgtk-6.0-dev libssl-dev

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source ~/.cargo/env

cd /opt/betterframe/kiosk
cargo build --release
sudo install -Dm755 target/release/betterframe-kiosk /opt/betterframe/kiosk/betterframe-kiosk

mkdir -p ~/.config/systemd/user
cp /opt/betterframe/deploy/systemd/betterframe-kiosk.service ~/.config/systemd/user/
systemctl --user daemon-reload
systemctl --user enable --now betterframe-kiosk
```

Kiosks should point at the proxy URL, not direct backend ports:

```bash
BETTERFRAME_SERVER=http://<pi-ip> /opt/betterframe/kiosk/betterframe-kiosk
```

## Native server mode

Native server mode is for development only. Run it manually when debugging; do
not install host daemons for BetterFrame server, Angie, or Node-RED in
production. The Docker stack owns those services.
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`# BetterFrame deployment`

fix(server): move rate-limit creation inside register fns (BSB schema extractor) Schema extractor evaluates module top-level statically; createRateLimiter calls at module scope threw ReferenceError during bsb-plugin-cli build. Lifting into the per-route register functions keeps build clean. Also: standardise display.standby/wake audit hooks. 2026-05-14 05:49:57 +00:00			`## Deployment shapes`

			`BetterFrame ships as two artifacts, deployable in any combination:`

			`\| Variant \| What it runs \| Where it runs \|`
			`\|--------------\|-------------------------------------------\|------------------------------\|`
			`\| bf-server\| Docker compose (server + Angie + Node-RED)\| Coolify / VM / on-prem box \|`
			`\| bf-client\| Rust kiosk binary + cage + plymouth \| Pi 5 (LAN-attached) \|`
			`\| bf-aio \| Both, single Pi \| Demo / single-site only \|`

			The `bf-aio` mode (server + kiosk colocated on one Pi) is the simplest install
			`but couples failure domains — when the Pi dies, you lose both the displays it`
			`drives AND the management plane for any other kiosks. Use for demos or a`
			single-display site. For anything else, run `bf-server` separately and have
			`bf-client` Pis point at it.

			`### bf-server (Docker compose, Coolify-friendly)`

			Pull the repo on the host. Configure via env (overrides `sec-config.yaml`):

			```
			`BF_DATA_DIR=/var/lib/betterframe`
			`BF_SQLITE_PATH=/var/lib/betterframe/betterframe.db`
			`BF_NODERED_URL=http://nodered:1880`
			`BF_SELF_URL=http://server:18080`
			`BF_FIRMWARE_SIGNING_KEY= # paste Ed25519 PEM for stable signing key`
			`BF_MQTT_URL= # optional MQTT telemetry export`
			```

fix(deploy): move docker-compose.yml to repo root Coolify passes --project-directory <repo-root> so relative paths in compose resolved from there, not from the compose file's directory. context: ../.. then climbed to / and lstat /deploy failed. Moving compose to repo root makes every relative path project-dir-relative regardless of who's invoking compose. Local 'docker compose up' from repo root and Coolify's --project-directory + -f both resolve identically. Coolify users: update the resource's compose path to 'docker-compose.yml' (was 'deploy/docker/docker-compose.yml'). Existing named volumes carry over since the named: directive keeps them. 2026-05-18 10:05:09 +00:00			`In Coolify: create a Docker compose stack pointing at the repo's`
			`docker-compose.yml` (repo root), inject the env vars, set a domain on the
			`angie` service. Backups via the admin UI (`/admin/backup`) — Coolify's S3
			`hook can pull these on a schedule.`
fix(server): move rate-limit creation inside register fns (BSB schema extractor) Schema extractor evaluates module top-level statically; createRateLimiter calls at module scope threw ReferenceError during bsb-plugin-cli build. Lifting into the per-route register functions keeps build clean. Also: standardise display.standby/wake audit hooks. 2026-05-14 05:49:57 +00:00
			`### bf-client (kiosk Pi)`

			```bash
			`sudo apt install -y git`
			`git clone https://github.com/BetterCorp/BetterFrame.git ~/betterframe`
			`sudo ~/betterframe/deploy/scripts/setup-pi-kiosk.sh client`
			```

			Pairs with whichever `bf-server` is set in `/etc/default/betterframe-kiosk`
			(`BETTERFRAME_SERVER=http://<server-host>`).

fix(deploy): make Docker the service runtime Remove host daemon deployment for server, proxy, and Node-RED so Node-RED is only reachable through the Compose proxy boundary. 2026-05-11 08:08:33 +00:00			`## Recommended: Docker services + native kiosk`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00
fix(deploy): make Docker the service runtime Remove host daemon deployment for server, proxy, and Node-RED so Node-RED is only reachable through the Compose proxy boundary. 2026-05-11 08:08:33 +00:00			`Run server, Angie/nginx, and Node-RED in Docker Compose. Only Angie publishes a`
			`host port. The BetterFrame backend ports and Node-RED are internal to the Docker`
			network, which forces `/nrdp/`, `/in/kiosk/`, and admin traffic through the
			`proxy auth rules.`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00
			```bash
			`cd /opt/betterframe`
fix(deploy): move docker-compose.yml to repo root Coolify passes --project-directory <repo-root> so relative paths in compose resolved from there, not from the compose file's directory. context: ../.. then climbed to / and lstat /deploy failed. Moving compose to repo root makes every relative path project-dir-relative regardless of who's invoking compose. Local 'docker compose up' from repo root and Coolify's --project-directory + -f both resolve identically. Coolify users: update the resource's compose path to 'docker-compose.yml' (was 'deploy/docker/docker-compose.yml'). Existing named volumes carry over since the named: directive keeps them. 2026-05-18 10:05:09 +00:00			`docker compose up -d --build # from repo root`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			```

fix(deploy): make Docker the service runtime Remove host daemon deployment for server, proxy, and Node-RED so Node-RED is only reachable through the Compose proxy boundary. 2026-05-11 08:08:33 +00:00			`Published:`
fix(deploy): require proxied local services Bind native backend services and Node-RED to loopback so Angie remains the public auth boundary. Keep Docker on an internal compose network and stop kiosk fallback to a layout when display default is none. 2026-05-11 07:51:00 +00:00
fix(deploy): make Docker the service runtime Remove host daemon deployment for server, proxy, and Node-RED so Node-RED is only reachable through the Compose proxy boundary. 2026-05-11 08:08:33 +00:00			- `80` -> Angie/nginx public edge

			`Internal only:`

			- `18080` -> admin service
			- `18081` -> kiosk API service
			- `18082` -> kiosk WebSocket service
			- `1880` -> Node-RED

			`Access first-run setup at:`

			```text
			`http://<pi-ip>/setup`
			```

fix(proxy): split Node-RED route surfaces Route backend, kiosk ingest, kiosk dashboards, and public Node-RED HTTP-in separately. Keep Node-RED editor under admin auth and attach kiosk auth when kiosk loads protected dashboard URLs. 2026-05-11 08:44:45 +00:00			`Node-RED editor is reachable only through:`
fix(deploy): make Docker the service runtime Remove host daemon deployment for server, proxy, and Node-RED so Node-RED is only reachable through the Compose proxy boundary. 2026-05-11 08:08:33 +00:00
			```text
			`http://<pi-ip>/nrdp/`
			```

fix(proxy): split Node-RED route surfaces Route backend, kiosk ingest, kiosk dashboards, and public Node-RED HTTP-in separately. Keep Node-RED editor under admin auth and attach kiosk auth when kiosk loads protected dashboard URLs. 2026-05-11 08:44:45 +00:00			`The proxy has four route surfaces:`
fix(proxy): strip Node-RED ingress bases Keep the two external ingress flows at /in/public and /in/kiosk while allowing Node-RED routes to stay path-local, such as /test1. 2026-05-11 08:38:32 +00:00
fix(proxy): split Node-RED route surfaces Route backend, kiosk ingest, kiosk dashboards, and public Node-RED HTTP-in separately. Keep Node-RED editor under admin auth and attach kiosk auth when kiosk loads protected dashboard URLs. 2026-05-11 08:44:45 +00:00			- BetterFrame web/API: `/`, `/setup`, `/admin/`, `/auth/`, `/static/*`,
			`/api/admin/`, `/api/kiosk/`, `/api/pair/*`, `/ws/kiosk`
			- Kiosk-only Node-RED ingress: `/in/kiosk/<node-red-path>`
			- Kiosk-only Node-RED dashboards: `/dash/*`
			`- Public Node-RED HTTP-in URLs: any otherwise-unmatched root path, plus`
			`/in/public/<node-red-path>`
fix(proxy): strip Node-RED ingress bases Keep the two external ingress flows at /in/public and /in/kiosk while allowing Node-RED routes to stay path-local, such as /test1. 2026-05-11 08:38:32 +00:00
fix(proxy): split Node-RED route surfaces Route backend, kiosk ingest, kiosk dashboards, and public Node-RED HTTP-in separately. Keep Node-RED editor under admin auth and attach kiosk auth when kiosk loads protected dashboard URLs. 2026-05-11 08:44:45 +00:00			For example, a Node-RED `http in` node at `/test1` is public at
			`http://<pi-ip>/test1` and also available at
			`http://<pi-ip>/in/public/test1`. Kiosk-authenticated traffic to that same
			Node-RED path uses `http://<pi-ip>/in/kiosk/test1`.
fix(proxy): strip Node-RED ingress bases Keep the two external ingress flows at /in/public and /in/kiosk while allowing Node-RED routes to stay path-local, such as /test1. 2026-05-11 08:38:32 +00:00
fix(deploy): make Docker the service runtime Remove host daemon deployment for server, proxy, and Node-RED so Node-RED is only reachable through the Compose proxy boundary. 2026-05-11 08:08:33 +00:00			Do not publish `18080`, `18081`, `18082`, or `1880` on the host.

			`If migrating from an older native install, stop the old host daemons first:`

			```bash
			`sudo systemctl disable --now betterframe-server betterframe-nodered angie nginx 2>/dev/null \|\| true`
			```

			`## Kiosk`

			`The kiosk still runs natively on the Pi because it needs Wayland/HDMI, GTK,`
			`GStreamer, display power control, and local hardware access.`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00
			```bash
			`sudo apt install -y libgtk-4-dev libgstreamer1.0-dev \`
			`libgstreamer-plugins-base1.0-dev gstreamer1.0-plugins-good \`
			`gstreamer1.0-plugins-bad gstreamer1.0-libav \`
			`gstreamer1.0-gtk4 libwebkitgtk-6.0-dev libssl-dev`

			`curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \| sh`
			`source ~/.cargo/env`

fix(deploy): make Docker the service runtime Remove host daemon deployment for server, proxy, and Node-RED so Node-RED is only reachable through the Compose proxy boundary. 2026-05-11 08:08:33 +00:00			`cd /opt/betterframe/kiosk`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`cargo build --release`
			`sudo install -Dm755 target/release/betterframe-kiosk /opt/betterframe/kiosk/betterframe-kiosk`

			`mkdir -p ~/.config/systemd/user`
fix(deploy): make Docker the service runtime Remove host daemon deployment for server, proxy, and Node-RED so Node-RED is only reachable through the Compose proxy boundary. 2026-05-11 08:08:33 +00:00			`cp /opt/betterframe/deploy/systemd/betterframe-kiosk.service ~/.config/systemd/user/`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`systemctl --user daemon-reload`
			`systemctl --user enable --now betterframe-kiosk`
			```

fix(deploy): make Docker the service runtime Remove host daemon deployment for server, proxy, and Node-RED so Node-RED is only reachable through the Compose proxy boundary. 2026-05-11 08:08:33 +00:00			`Kiosks should point at the proxy URL, not direct backend ports:`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00
			```bash
fix(deploy): make Docker the service runtime Remove host daemon deployment for server, proxy, and Node-RED so Node-RED is only reachable through the Compose proxy boundary. 2026-05-11 08:08:33 +00:00			`BETTERFRAME_SERVER=http://<pi-ip> /opt/betterframe/kiosk/betterframe-kiosk`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			```

fix(deploy): make Docker the service runtime Remove host daemon deployment for server, proxy, and Node-RED so Node-RED is only reachable through the Compose proxy boundary. 2026-05-11 08:08:33 +00:00			`## Native server mode`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00
fix(deploy): make Docker the service runtime Remove host daemon deployment for server, proxy, and Node-RED so Node-RED is only reachable through the Compose proxy boundary. 2026-05-11 08:08:33 +00:00			`Native server mode is for development only. Run it manually when debugging; do`
			`not install host daemons for BetterFrame server, Angie, or Node-RED in`
			`production. The Docker stack owns those services.`