Deploying the Wiki Securely (HTTPS, nginx, systemd)

This page outlines a recommended production deployment for the protected wiki served at /wiki/.

Requirements (recommended):

  • A Linux server (Ubuntu/Debian recommended)
  • Python 3.10+ and a virtualenv
  • gunicorn to serve the Flask app in production
  • nginx as a reverse proxy and TLS terminator (Let's Encrypt certs)
  • certbot (for acquiring TLS certificates)

1) Create a virtualenv and install requirements

python -m venv venv
source venv/bin/activate
pip install -r requirements.txt gunicorn

2) Build the documentation site (so Flask can serve site/)

python -m mkdocs build

3) Example gunicorn systemd service (/etc/systemd/system/dampro.service)

[Unit]
Description=DAM Pro Flask app
After=network.target

[Service]
User=www-data
Group=www-data
WorkingDirectory=/path/to/stitch_digital_asset_manager_pro
# Shown inline for illustration only: unit files under /etc/systemd/system are
# world-readable by default, so in production put FLASK_SECRET in an
# EnvironmentFile= (mode 0600) rather than an Environment= line.
Environment="FLASK_SECRET=replace-with-long-random-string"
Environment="PATH=/path/to/venv/bin:/usr/bin"
ExecStart=/path/to/venv/bin/gunicorn --bind 127.0.0.1:8000 server:app

[Install]
WantedBy=multi-user.target

4) Example nginx config to terminate TLS and proxy to gunicorn

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Access control for the /wiki/ path is enforced by the Flask app, not by
    # nginx: requests are proxied as-is and Flask redirects unauthenticated
    # sessions to /sign_in.html as configured.
}

5) Acquire TLS cert with Certbot

sudo certbot --nginx -d example.com

6) Security recommendations

  • Set a strong FLASK_SECRET environment variable (keep it private).
  • Run the app under a dedicated unprivileged user (e.g., www-data).
  • Use a real database (Postgres/MySQL) and environment-specific config for production.
  • Enforce HTTPS and set secure cookie flags (Flask SESSION_COOKIE_SECURE=True).
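As an added pre-deploy check (not part of the project), the script below reads a systemd unit and an nginx config and flags the weak settings the steps above warn about: a placeholder or inline FLASK_SECRET, running as root, gunicorn bound to a public address, a missing HTTP-to-HTTPS redirect, and a missing X-Forwarded-Proto header. The sample configs are constructed here; the EnvironmentFile path /etc/dampro/env is an assumed example.

```python
import re
# Constructed sample inputs (not the page's files) modelled on the unit and nginx
# snippets above, one with the weak settings a pre-deploy check should catch.
UNIT_WEAK = """[Service]
User=root
Environment="FLASK_SECRET=replace-with-long-random-string"
ExecStart=/path/to/venv/bin/gunicorn --bind 0.0.0.0:8000 server:app
"""
UNIT_OK = """[Service]
User=www-data
EnvironmentFile=/etc/dampro/env
ExecStart=/path/to/venv/bin/gunicorn --bind 127.0.0.1:8000 server:app
"""
NGINX_OK = """server { listen 80; return 301 https://$host$request_uri; }
server { listen 443 ssl; location / { proxy_pass http://127.0.0.1:8000/;
    proxy_set_header X-Forwarded-Proto $scheme; } }
"""
NGINX_WEAK = "server { listen 443 ssl; location / { proxy_pass http://127.0.0.1:8000/; } }\n"

def check_unit(text):
    """Findings for a systemd unit that runs gunicorn behind nginx."""
    findings = []
    user = re.search(r"^User=(\S+)", text, re.M)
    if not user or user.group(1) == "root":
        findings.append("service must run as a dedicated unprivileged user")
    # Unit files are world-readable by default, so an inline Environment= line
    # exposes the secret; EnvironmentFile= with mode 0600 does not.
    for m in re.finditer(r'^Environment="?FLASK_SECRET=([^"\n]*)"?', text, re.M):
        findings.append("FLASK_SECRET inline in unit file; move it to EnvironmentFile= (0600)")
        if len(m.group(1)) < 32 or "replace" in m.group(1).lower():
            findings.append("FLASK_SECRET is a placeholder or too short")
    bind = re.search(r"--bind\s+(\S+)", text)
    if not bind or not bind.group(1).startswith("127.0.0.1:"):
        findings.append("gunicorn must bind to 127.0.0.1 only; nginx is the public listener")
    return findings

def check_nginx(text):
    """Findings for the nginx config; assumes the port-80 block has no nested braces."""
    findings = []
    if not re.search(r"server\s*\{[^}]*listen\s+80;[^}]*return\s+301\s+https://", text):
        findings.append("no HTTP to HTTPS redirect on port 80")
    if not re.search(r"listen\s+443\s+ssl", text):
        findings.append("no TLS listener on 443")
    if "X-Forwarded-Proto" not in text:
        findings.append("X-Forwarded-Proto not set; Flask cannot tell the request arrived over HTTPS")
    return findings

if __name__ == "__main__":
    for name, f in (("weak unit", check_unit(UNIT_WEAK)), ("nginx", check_nginx(NGINX_WEAK))):
        print(name, f or "OK")
```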
