# Bitbucket And EC2 Deployment

This guide deploys the Skola backend API to an Ubuntu EC2 instance. The Word add-in still runs from the Office add-in host during local development; the backend is exposed from EC2 through Nginx.

## 1. Create The Bitbucket Repo

Create an empty Bitbucket repository, then push local `main`:

```powershell
.\deploy\bitbucket\push-main.ps1 -Workspace "<bitbucket-workspace>" -RepoSlug "<repo-slug>"
```

That script sets `origin` to:

```text
git@bitbucket.org:<bitbucket-workspace>/<repo-slug>.git
```

## 2. Prepare EC2

Recommended starting point:

- Ubuntu 22.04 LTS or 24.04 LTS.
- Security group inbound: SSH `22` from your IP, HTTP `80` from your users, HTTPS `443` if you later add TLS.
- Do not expose MariaDB `3306` publicly.

SSH into the instance:

```bash
ssh -i /path/to/key.pem ubuntu@<ec2-public-ip-or-dns>
```

Create the app directory:

```bash
sudo mkdir -p /opt/skola
```

## 3. Give EC2 Read Access To Bitbucket

Before the first clone, install the base packages and prepare the `skola` service user and app directory:

```bash
sudo apt-get update
sudo apt-get install -y ca-certificates curl gnupg git nginx mariadb-server
sudo useradd --system --create-home --shell /bin/bash skola || true
sudo mkdir -p /opt/skola
sudo chown -R skola:skola /opt/skola
```

Create the Bitbucket deploy key as the `skola` user:

```bash
sudo -u skola mkdir -p /home/skola/.ssh
# Keep the key directory private to the skola user.
sudo -u skola chmod 700 /home/skola/.ssh
sudo -u skola ssh-keygen -t ed25519 -C "skola-ec2-deploy" -f /home/skola/.ssh/skola_bitbucket
sudo -u skola cat /home/skola/.ssh/skola_bitbucket.pub
```

Add that public key in Bitbucket as a repository access key with read access.

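Create the SSH config, then test the connection. On the first connection, compare the host key fingerprint that SSH shows against the fingerprints Bitbucket publishes before accepting it: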

```bash
sudo -u skola tee /home/skola/.ssh/config >/dev/null <<'EOF'
Host bitbucket.org
  HostName bitbucket.org
  User git
  IdentityFile /home/skola/.ssh/skola_bitbucket
  IdentitiesOnly yes
EOF
sudo chmod 600 /home/skola/.ssh/config
sudo -u skola ssh -T git@bitbucket.org
```

Clone:

```bash
sudo -u skola git clone git@bitbucket.org:<bitbucket-workspace>/<repo-slug>.git /opt/skola/current
```

## 4. Bootstrap The Server

```bash
cd /opt/skola/current
sudo SKOLA_DB_PASSWORD="<strong-db-password>" bash deploy/ec2/bootstrap-ubuntu.sh
```

Edit the production environment file:

```bash
sudo nano /etc/skola/skola-api.env
```

At minimum set:

```text
SKOLA_AUTH_BASE_URL=https://skola.lekalakala.com
SKOLA_AUTH_SECRET=<long-random-secret>
SKOLA_SMTP_PASS=<gmail-app-password-for-RahoshiL@gmail.com>
OPENAI_API_KEY=<openai-key-if-provider-is-openai>
```

If the Word add-in is still being served locally from `https://localhost:3000`, keep `CORS_ORIGIN` as:

```text
CORS_ORIGIN=https://localhost:3000,https://skola.lekalakala.com
```
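
One way to lint the environment file from this step before deploying, as an added example that is not part of the Skola repository. The 32-character minimum for the secret, the `check-env.sh` file name and the plain `KEY=value` line format are assumptions.

```bash
#!/bin/sh
# Added example, not part of the Skola repo: lint the API env file before deploying.
# Prints one line per finding; the exit status is the number of findings.
# Assumes plain KEY=value lines, as in the snippets on this page.

env_get() {  # value of the last "KEY=" line for key $2 in file $1
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

check_skola_env() (  # subshell body keeps variables, IFS and set -f local
  file=$1 n=0
  [ -r "$file" ] || { echo "cannot read $file"; exit 1; }

  # The file holds secrets: group and other get no permission bits.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case $mode in
    *00|0) ;;
    *) echo "mode $mode is too open, use chmod 600"; n=$((n + 1)) ;;
  esac

  for key in SKOLA_AUTH_BASE_URL SKOLA_AUTH_SECRET SKOLA_SMTP_PASS; do
    val=$(env_get "$file" "$key")
    case $key:$val in
      "$key":|"$key":'<'*'>')
        echo "$key is unset or still a placeholder"; n=$((n + 1)) ;;
      SKOLA_AUTH_BASE_URL:https://*) ;;
      SKOLA_AUTH_BASE_URL:*)
        echo "$key is not an https:// URL"; n=$((n + 1)) ;;
      SKOLA_AUTH_SECRET:*)  # assumed policy: at least 32 characters
        if [ "${#val}" -lt 32 ]; then
          echo "$key is shorter than 32 characters"; n=$((n + 1))
        fi ;;
    esac
  done

  # Each allowed origin must be an explicit https:// origin, never "*".
  set -f; IFS=','
  for origin in $(env_get "$file" CORS_ORIGIN); do
    case $origin in
      https://*) ;;
      *) echo "CORS_ORIGIN entry '$origin' is not https"; n=$((n + 1)) ;;
    esac
  done
  exit "$n"
)

# On the server (hypothetical file name): sudo sh check-env.sh /etc/skola/skola-api.env
if [ "$#" -gt 0 ]; then check_skola_env "$1"; fi
```

A non-zero exit status makes the check usable as a gate in front of `deploy.sh`.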

## 5. Deploy Or Update

```bash
sudo bash /opt/skola/current/deploy/ec2/deploy.sh
```

Check service status:

```bash
sudo systemctl status skola-api --no-pager
curl http://127.0.0.1:4000/health
curl http://skola.lekalakala.com/health
```

## 6. Point The Word Add-In At EC2

When running the local Office add-in host against the EC2 API, start or build the add-in with:

```powershell
$env:SKOLA_API_BASE_URL="https://skola.lekalakala.com"
npm run dev:word
```

For a production add-in bundle:

```powershell
$env:SKOLA_API_BASE_URL="https://skola.lekalakala.com"
npm run build -w @skola/word-addin
```

## 7. Useful Operations

View logs:

```bash
sudo journalctl -u skola-api -f
```

Restart backend:

```bash
sudo systemctl restart skola-api
```

Pull and redeploy:

```bash
cd /opt/skola/current
sudo bash deploy/ec2/deploy.sh
```

## 8. TLS Setup

Once a domain points to the EC2 public IP, install Certbot and issue a certificate for the domain:

```bash
sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d skola.lekalakala.com
```

Then set:
```text
SKOLA_AUTH_BASE_URL=https://skola.lekalakala.com
CORS_ORIGIN=https://localhost:3000,https://skola.lekalakala.com
```
