feat: Mirror config (#9)

Author: isTravis

.env.enc

@@ -1,22 +1,24 @@
-#ENC[AES256_GCM,data:5YN6f+XIQasY,iv:70tE+1xTurmic6fcjiuDCVovEbYVhDbp2lvbONhNW5A=,tag:LkAy0bLDgDhNgwrGdqmp4Q==,type:comment]
-DATABASE_URL=ENC[AES256_GCM,data:/28bqrOFc9GcQH4Dv4spSwNgD71BzEOzm8rKN7nlwY9qQckHL76YOvBHNToU0sZqC9v5DT4=,iv:F4oswhOvlREkllYVooBIELUjM4WECckSwdRDxcu6E8I=,tag:V7+Hxt0Veij5+52PdyvSAQ==,type:str]
-SESSION_SECRET=ENC[AES256_GCM,data:MirMFVzowHq3jnaGrNPe82EKONv5XOppyhg3BI7R3h4=,iv:ehkoryGJcEL2c830LD9hZt/Uf6U3brbZlaJPNyJLiVE=,tag:oP/na2LsYuQhc4vGDc4ACw==,type:str]
-APP_PORT=ENC[AES256_GCM,data:o8oBKw==,iv:9lXQy+YaVb3um42QaHKKH2EXA6p9VzgX4cF4yZq17qE=,tag:QK+7vAQw4Q7qHk113pM6Qw==,type:str]
-API_PORT=ENC[AES256_GCM,data:QNqN5Q==,iv:3ChZ+9fWEUUFab4f8MFanSJcrRLEMO1yaCy+tCajWH8=,tag:xyA9zZepwJFt1pWvml67Eg==,type:str]
-#ENC[AES256_GCM,data:MrMg,iv:hdJ+cS1GtNPfpcsDoAI1TdjRW4tQTDhxhD59VFKlC3w=,tag:00P1/zjgi4mUztzvc8WXRw==,type:comment]
-S3_BUCKET=ENC[AES256_GCM,data:x6ZvFtFlBn4oGjSjBCbJ,iv:Fs+ehEL+6ZJH0LFz8RL2Vlr3PTSNTRhLOrqTCFMJchY=,tag:8V95MpTnaj6GbTn3YEYBsw==,type:str]
-S3_ENDPOINT=ENC[AES256_GCM,data:cyqC2I4kUYrdGw/9OTv88LQptYbKWzDrgc3Bbz7ag1GmzdWBPS/CAf7mIkDm/X2qWyecEg3MvNvYjCM8KKXDEfE=,iv:MKalw/HDyJ5au6Q7bia6pr7aUc3UQK+QuyuVXfctTI8=,tag:ieN8kXP02mQK/D+aqTS/Ng==,type:str]
-S3_ACCESS_KEY=ENC[AES256_GCM,data:L0XFIxbE/yu45PhMh5pIfc2PDun6t+hppD2mb2DQVno=,iv:fCDNYLqpW1gblgQjRSWxNtDpH3Wvk/bF4AZ+SX/qSCg=,tag:J4DA77pMJbAKUOphfyGtww==,type:str]
-S3_SECRET_KEY=ENC[AES256_GCM,data:T+uXZRXKFhwkkeEAzGtfNaeQbPKQrQmLgo4ekWMSR84rcMh3T8mul/Fmr6zQai1bvYRDR/RqXjVB8+grN33NtA==,iv:h0AG9TD66pZP5xGJmavBuH03nHbVz+t75ePqUP/M9O4=,tag:6iCaK84XTQ4sD9o0DjuvKg==,type:str]
-sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuUGFGMFFlT04wMmVSNHpm\ncUJTREVQeUsxM25hT3VOQWRTY3hMa2Q0U0VNCm9NeFMwVWRtdDVXT3l0dnRaUUNT\nTXZMZXBTWEozMCszMjQwQXp2SXYzTGMKLS0tICtWbWdZNUFEZVNXQlhlWnRkdWx0\nQjU5R0k4cVZ0akJiOTFhdnYwSVVFZHMKDbZsZkRamBqEZoKh1GqeTEETECW0FNwW\ne5jgJjK0t/uLa2GASecSGI0ONRM4n7J50jsBdtmb6lqaAgY3mDQWbA==\n-----END AGE ENCRYPTED FILE-----\n
+#ENC[AES256_GCM,data:OTvS9wE/1Y8D,iv:TH6FV7DEWuEFrHRUbPxWDn2wQH91kRdR7GiiIIbXZXM=,tag:mFIxqN+HaHJFBXmV9HwhmQ==,type:comment]
+DATABASE_URL=ENC[AES256_GCM,data:peVeoz3PtbZ/FDYyiYUYeGd12nv+CehcxL+PZPnCDTH0m2jC8hUoK7ORyX24gget6nmGYRI=,iv:dm3yToRlLYxawPyqukiAqQ5pL7SZzMUeC/UqLpc8yfU=,tag:w+O5b+8mpL0mUL1+QgEEjw==,type:str]
+SESSION_SECRET=ENC[AES256_GCM,data:UszhKBt+K7a9Rvm0RCb32XIPewEpavJgITzdvihqbM4=,iv:yJTgIzaZKSmYR2H8y5ZbtqGNj5WrG+MIYvLVqhQbCGI=,tag:9Vg0EbMoj7mkq3FEQ31/5g==,type:str]
+APP_PORT=ENC[AES256_GCM,data:Vb96ZA==,iv:y/sUKEViCx0lX6kAzrpiD8yICK+bOVA+5xF6yzdNneQ=,tag:bygtiSSg3NCc4tlULR3Mlg==,type:str]
+API_PORT=ENC[AES256_GCM,data:cimBEw==,iv:niHYZoy2P/an06znHc6M3P0sySyBdZRhnzanirhMbyE=,tag:7HIoxyhPNwuTyywt4cZMJA==,type:str]
+#ENC[AES256_GCM,data:nP8u,iv:kuXejWrfQYWksTiLT2YQ07WfsrRU6/UimFBCjgPG8iU=,tag:bdyvKXmUUrgjKKnQVcks5w==,type:comment]
+S3_BUCKET=ENC[AES256_GCM,data:MzahjK+0uTqAw/WhA8Se,iv:xLvpcYYV/1frYiTnwrOjHo3b8TCjgpgQ5QRLg1lhAc0=,tag:+DfZ2lWTi6S1lcJVJ+XjfQ==,type:str]
+S3_ENDPOINT=ENC[AES256_GCM,data:ybBuRodzg5hI5fa/iWmBkzCVimT+JHinLT3/6cZ2AIEWPWRcWeQcug4A+MDoWasYsWt9w2lRSHfxS355Pr3l4wA=,iv:9n/By1VXaIPODj/R5KqZgNEz1RUirJh+cHvvLci8344=,tag:aVx8J2V7+PMOvkqhYm79FQ==,type:str]
+S3_ACCESS_KEY=ENC[AES256_GCM,data:rOdXiMeBLu/3K8il8ayx9Rur3IlbrjQ4FnRAKKIMPgU=,iv:S5WiEHRCf3dBn2aVLCglnfc62qkLwyRoM+6QzoRWTTw=,tag:AaVNv6uSuKMbS2xdYpK35Q==,type:str]
+S3_SECRET_KEY=ENC[AES256_GCM,data:Feenm4pAlv8eglOUaU/1aPIf81WzdNzoqprB87jxzEfLJPc1BxKab7AqMaJOqQqOpQ7hNrK+I2dr01gFv6x/SA==,iv:kNTslAmOSNH3wSKtnE2qg1pIoASKUnZh6EW/kdrTxiQ=,tag:VdpCsHZ75yW0kDVaNxhMnw==,type:str]
+#ENC[AES256_GCM,data:z6C0FEY22W4af3lK1mx1BE3j,iv:BGNFYqhy/ySTaL9y9Bth4WqaaqUOTjDr6PigI2+zljc=,tag:C1+HDy9Vfopz3cwJn+NDFg==,type:comment]
+UNDERLAY_UPSTREAM_API_KEY=ENC[AES256_GCM,data:21NDl9yy4rvWiZOLBh6U5HrgzsAq5B2firmYYUxr9XCSemM=,iv:C4HYm3IF6cZEo5ZicNvCIcXo5qARHWKkZ4vwVTkn0Jk=,tag:GVB3atYFyk1p4Yr9j7u1Kg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsenFsVmhwbU1rc3ZJWTAw\nZTl5L0xKYmJaMVVyTEZFb2pmdm5jVlV4bUZvCldtVlg5czFrdndPZmxIYVBCb3FC\nM21SY2JYTkxoQ214dGRlNitWcGhOcHcKLS0tIDJtcmVRSEs4amlraURZVjlnS3dr\nQnBaZHVTeElrTFNINGo4aVNRSmxPYVEKsiCgHDdHEyg1dK4+liXapmPIov3Twl3p\nL3JuNxYs7D2KUdvsxYjpl0gd9LKHo8BnR4x4ltOIJZS84NQEDyyE9A==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_0__map_recipient=age1wravpjmed26772xfjhawmnsnc4933htapg6y5xseqml0jdv8z9hqemzhcr
-sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSYnhoQ3hOL1V3TWVERmFy\nQ1hFNjYrK1RiS0R0T3RSbDJqRzYrcENLUTFvCnRhSmdIMCtvbkEyWlBLbkxGaFFS\nR3RiY2FnMzVRaVpXaHRYT0dITmZIMUkKLS0tIGRpRDBXSGlVRUdlYVNMeW90NGdS\nMWxuT01hRG4zWnFoOTFkYjlPNFVIRFEKc47+5w5UkcZn/cDQhoW1EqCqJ81fSU9s\nhmP2+FMkXl2iC8DvMXxvmv54lr0yVK4DH6g9NxpVR4ai/dWdEjvl9w==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBON0xxSDVqQ1hJU2NxWTRY\na1pFcmdPWE1EQ29oZDNiMXNjMzVHYmxGaVU0CjAvNTMrTzhGSndBWGVKeHNJM0hR\nckhWN0V0ZkgxcEFmNmNoYWI1aDZ1L0kKLS0tIHIrdjBBU25VWEh6SG5kZVNNTFdQ\nRDVuYjIwTUdyRHJRQU1wVExGVFJOU00KhSPc1Jd8ujgNKbddWNl5sOi4h+1t5/zw\n3Bd9k3ZZd+saU/PfOrxh9QUbR4RXS85sRGOPH54tIYhH8QoffthtJg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_1__map_recipient=age1ysddqggsx3h8zkv7xn3z26sjak5pqms6pyqhnky9ukrvpk7es5jsayz8w7
-sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKbUxwNE1PRkhMNnFVM1dH\neERReFZWL0toSUg2ekRoNUFZQ1ZFL1YvVlU0CjRPN2NlNWpPakp4UWp6NURvZm1D\nblJmOFRka0I0NEorU2tNMFh2aWYzMFEKLS0tIDZhbmFoTERXNzgzVW82b094OVAr\nQmtTdTV1K0hkZXpIbkxRck1TVjZVTm8Kl2hj5e7mv0wRWLZaYCoqW/CZwncB9+vO\niUcostwDMBHR7Q9Iln+OcZnmhIQtyawZ5OU/ARynG9ps/yF++J+RGg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuNitEVzFDNVBjZ054TWts\nNEpNQXpaS3BvWjRPY2ZTNG1BSVNwMmo5OWc4CjhQWTBtYkVQa3R6c3hsenNJTTRS\nYUgzbmtxaEtDODVqYWxaL1ZTVDNBK3MKLS0tIDR6VjNqNklRb2grN2hBdG9BbENn\nYUhFMXlkb3RsRjFmMWRXOCttN0h6WHcKqwZGyeJiTbMWS5V56EBidSOOba/eGGMM\nD1LUwZmdUKivD3gOfK1STO6M7mEvJMUdzUebJR7IyC6Ibt0vyV5Afg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_2__map_recipient=age1pgxk292zq30wafwg03gge7hu5dlu3h7yfldp2y8kqekfaljjky7s752uwy
-sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETDZhR3E3NUNPR3ZOTzBE\nY1kxRlRWY3dEeDM1TmJOOW45Ump1TWVUaUFnCkkrNEErYmRINEQ3c2UvQjFTcnJv\nOHJZbk1oUGpRWm5hM2wweGc4V1lSU2sKLS0tIEJCWTVRMzhhM0ZpYWl6aVliN1dk\nMDYzN01GUGtBRWI5NFRQdWJncUl2SGMKH2tGAaN0aTAz575Q39S4uorUjD/BO8Oa\n/aHc/ytU9Jpj2tdMkPx/dD39Tv0ZO/z+rPZijv3Oirzk/FmDeV8/2g==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUK3ZWeVRHS0VscmdpYXJt\naG5WaG13Si9JdnZaS1IxQWdvWWY3QzJSVHhnCmxpdW9WQmRBWHVPNFljeVg2c0Ry\nVCtoRkxsdXM5RGFxUUloYXhFU1g2cEUKLS0tIExCOHlXUzRKYndSYVJxVmZzcUhp\nRWJab3ZWRVlNME9sckIycUxwQ0JvRVUKr0F/Zd4TY448DpFc2+oqHybprN43ydKS\n3WmdCCHYY8GhmxgIlTSN7LCaJ2eTtOQaEX12Fhj5+JY5vmisW/cygg==\n-----END AGE ENCRYPTED FILE-----\n
 sops_age__list_3__map_recipient=age1qn0x93jhqjpqwvx5tgxnrwq5e3vuzur9whrkdnrvapd58esm45rqfkuxqh
-sops_lastmodified=2026-05-01T02:33:52Z
-sops_mac=ENC[AES256_GCM,data:5fsji5DmNyZFgmyV23bBj+OxmlFo0aBIH4w5Vz7gFVnYOv3p+TuResFll2aXzFPWLt02/spwhXeqwkDx/korefkL0zzKIuASRtS05UtAln098hL96zdWblP5TVzSORA2sDHvyz488EpV3BPywLvDPHRrKQu9TmEzlEBlmsWvHxo=,iv:RXQuKcZ4ybhhXPbaZUIDvGzwjZxjLTXarj7Zm84fepQ=,tag:/fPOM7H5B8bH7oGdfg/Sag==,type:str]
+sops_lastmodified=2026-05-02T02:32:16Z
+sops_mac=ENC[AES256_GCM,data:setdDRn3+KnoAJf43iTmzKRK4AG9Mgwp/jFY09FQQshVDUAB5STtH63nKB1GAOGHoDqUK53w+Fb1plFCMuHwn1/AWGisQ3pdkg9I13OhqhRAdsvsW9hI9Bx5C953K8t6GQdpvdO/kh3qDfh0RDpTQ9scv13Mmf8n7BqBj/gW9Fg=,iv:O+94d6Sy+d9pRiUp0f4njS6Eb8CouWHDqACppkAU2Gw=,tag:IWLf41HYQqMps9bjxR2wJg==,type:str]
 sops_unencrypted_suffix=_unencrypted
 sops_version=3.11.0

.github/workflows/deploy-mirror.yml

@@ -87,14 +87,9 @@ jobs:
           GHCR_USER: ${{ secrets.GHCR_USER }}
           GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
           IMAGE_TAG: mirror-${{ github.sha }}
-          S3_ENDPOINT: ${{ secrets.S3_ENDPOINT }}
-          S3_REGION: ${{ secrets.S3_REGION }}
-          S3_ACCESS_KEY: ${{ secrets.S3_ACCESS_KEY }}
-          S3_SECRET_KEY: ${{ secrets.S3_SECRET_KEY }}
-          S3_BUCKET: ${{ secrets.S3_BUCKET }}
         run: |
           ssh "${SSH_USER}@${SSH_HOST}" \
-            "env GHCR_USER='${GHCR_USER}' GHCR_TOKEN='${GHCR_TOKEN}' IMAGE_TAG='${IMAGE_TAG}' S3_ENDPOINT='${S3_ENDPOINT}' S3_REGION='${S3_REGION}' S3_ACCESS_KEY='${S3_ACCESS_KEY}' S3_SECRET_KEY='${S3_SECRET_KEY}' S3_BUCKET='${S3_BUCKET}' bash -s -- '${REPO}' '${BRANCH}'" <<'EOS'
+            "env GHCR_USER='${GHCR_USER}' GHCR_TOKEN='${GHCR_TOKEN}' IMAGE_TAG='${IMAGE_TAG}' bash -s -- '${REPO}' '${BRANCH}'" <<'EOS'
           set -euo pipefail
 
           REPO="${1:?missing repo}"
@@ -123,6 +118,13 @@ jobs:
           git checkout "${BRANCH}"
           git pull origin "${BRANCH}"
 
+          # Decrypt .env.enc into this directory (self-contained, no dependency on prod)
+          umask 077
+          sops -d --input-type dotenv --output-type dotenv .env.enc > .env
+          set -a
+          source <(grep -v '^#' .env | grep -v '^$')
+          set +a
+
           # Init swarm if not already active
           if ! sudo docker info --format '{{.Swarm.LocalNodeState}}' | grep -qx active; then
             sudo docker swarm init
@@ -132,13 +134,14 @@ jobs:
 
           sudo docker pull "ghcr.io/${REPO}:${IMAGE_TAG}"
 
-          # Deploy using docker-compose.mirror.yml — Postgres is self-contained,
-          # only S3 credentials need to be passed through for file storage.
+          # Deploy using docker-compose.mirror.yml — Postgres is self-contained.
+          # S3 creds and API key are sourced from prod .env above.
           sudo env \
             IMAGE="ghcr.io/${REPO}" IMAGE_TAG="$IMAGE_TAG" \
-            S3_ENDPOINT="$S3_ENDPOINT" S3_REGION="$S3_REGION" \
-            S3_ACCESS_KEY="$S3_ACCESS_KEY" S3_SECRET_KEY="$S3_SECRET_KEY" \
+            S3_ENDPOINT="${S3_ENDPOINT:-}" S3_REGION="${S3_REGION:-auto}" \
+            S3_ACCESS_KEY="${S3_ACCESS_KEY:-}" S3_SECRET_KEY="${S3_SECRET_KEY:-}" \
             S3_BUCKET="${S3_BUCKET:-underlay}" \
+            UNDERLAY_UPSTREAM_API_KEY="${UNDERLAY_UPSTREAM_API_KEY:-}" \
             SESSION_SECRET="$(openssl rand -hex 32)" \
             docker stack deploy -c docker-compose.mirror.yml \
             --with-registry-auth --resolve-image always --prune "${STACK_NAME}"

docker-compose.mirror.yml

@@ -0,0 +1,144 @@
+# Mirror stack — deploy with: docker stack deploy -c docker-compose.mirror.yml underlay-mirror
+# Self-contained: spins up its own Postgres, no .env file needed.
+# Triggered manually via .github/workflows/deploy-mirror.yml
+
+services:
+  app:
+    image: ${IMAGE:-ghcr.io/knowledgefutures/underlay}:${IMAGE_TAG:-latest}
+    environment:
+      NODE_ENV: production
+      NODE_OPTIONS: "--max-old-space-size=448"
+      # Mirror-specific
+      UNDERLAY_MODE: mirror
+      UNDERLAY_UPSTREAM: https://www.underlay.org
+      UNDERLAY_NODE_NAME: IUA Mirror
+      UNDERLAY_SYNC_SCHEDULE: "0 0 * * 0"
+      # Database (internal to this stack)
+      DATABASE_URL: postgresql://mirror:mirror@postgres:5432/mirror
+      # S3 — shared bucket with prod (content-addressed = free dedup)
+      S3_ENDPOINT: ${S3_ENDPOINT:-}
+      S3_REGION: ${S3_REGION:-auto}
+      S3_ACCESS_KEY: ${S3_ACCESS_KEY:-}
+      S3_SECRET_KEY: ${S3_SECRET_KEY:-}
+      S3_BUCKET: ${S3_BUCKET:-underlay}
+      # Upstream API key (for authenticated sync — higher rate limit)
+      UNDERLAY_UPSTREAM_API_KEY: ${UNDERLAY_UPSTREAM_API_KEY:-}
+      # Session (for admin login)
+      SESSION_SECRET: ${SESSION_SECRET:-mirror-secret-change-me}
+    ports:
+      - "4323:4321"
+      - "3002:3000"
+    networks:
+      - mirrornet
+    depends_on:
+      - postgres
+    deploy:
+      replicas: 1
+      resources:
+        limits:
+          memory: 512m
+          cpus: "1.0"
+        reservations:
+          memory: 256m
+          cpus: "0.25"
+      update_config:
+        parallelism: 1
+        delay: 10s
+        order: start-first
+        failure_action: rollback
+      restart_policy:
+        condition: on-failure
+    healthcheck:
+      test: ["CMD-SHELL", "node -e \"const h=require('http'),check=(port,path)=>new Promise((res,rej)=>{h.get('http://127.0.0.1:'+port+path,r=>r.statusCode<400?res():rej()).on('error',rej)});Promise.all([check(3000,'/api/health'),check(4321,'/')]).then(()=>process.exit(0)).catch(()=>process.exit(1));\""]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 30s
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  cron:
+    image: ${IMAGE:-ghcr.io/knowledgefutures/underlay}:${IMAGE_TAG:-latest}
+    environment:
+      NODE_ENV: production
+      NODE_OPTIONS: "--max-old-space-size=128"
+      UNDERLAY_MODE: mirror
+      UNDERLAY_UPSTREAM: https://www.underlay.org
+      UNDERLAY_NODE_NAME: UK Mirror
+      UNDERLAY_SYNC_SCHEDULE: "0 0 * * 0"
+      DATABASE_URL: postgresql://mirror:mirror@postgres:5432/mirror
+      S3_ENDPOINT: ${S3_ENDPOINT:-}
+      S3_REGION: ${S3_REGION:-auto}
+      S3_ACCESS_KEY: ${S3_ACCESS_KEY:-}
+      S3_SECRET_KEY: ${S3_SECRET_KEY:-}
+      S3_BUCKET: ${S3_BUCKET:-underlay}
+      UNDERLAY_UPSTREAM_API_KEY: ${UNDERLAY_UPSTREAM_API_KEY:-}
+    command: ["node", "--import", "tsx/esm", "tools/cron.ts"]
+    networks:
+      - mirrornet
+    depends_on:
+      - postgres
+    deploy:
+      replicas: 1
+      resources:
+        limits:
+          memory: 192m
+          cpus: "0.5"
+        reservations:
+          memory: 64m
+          cpus: "0.1"
+      restart_policy:
+        condition: any
+    logging:
+      driver: json-file
+      options:
+        max-size: "5m"
+        max-file: "3"
+
+  postgres:
+    image: postgres:16-alpine
+    environment:
+      POSTGRES_USER: mirror
+      POSTGRES_PASSWORD: mirror
+      POSTGRES_DB: mirror
+    command: >
+      -c shared_buffers=256MB
+      -c effective_cache_size=512MB
+      -c work_mem=16MB
+      -c maintenance_work_mem=64MB
+      -c max_connections=50
+    volumes:
+      - mirror-pgdata:/var/lib/postgresql/data
+    networks:
+      - mirrornet
+    deploy:
+      replicas: 1
+      resources:
+        limits:
+          memory: 512m
+          cpus: "0.5"
+        reservations:
+          memory: 128m
+          cpus: "0.1"
+      restart_policy:
+        condition: any
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U mirror"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    logging:
+      driver: json-file
+      options:
+        max-size: "5m"
+        max-file: "3"
+
+networks:
+  mirrornet:
+    driver: overlay
+
+volumes:
+  mirror-pgdata:

package.json

@@ -17,6 +17,7 @@
     "tool:backup": "tsx tools/backupDb.ts",
     "tool:restore": "tsx tools/restore.ts",
     "tool:pruneBackups": "tsx tools/pruneBackups.ts",
+    "tool:seed-mirror": "tsx tools/seedMirror.ts",
     "secrets:encrypt": "sops -e --input-type dotenv --output-type dotenv --output .env.enc .env",
     "secrets:encrypt:dev": "sops -e --input-type dotenv --output-type dotenv --output .env.dev.enc .env.dev",
     "secrets:decrypt": "sops -d --input-type dotenv --output-type dotenv --output .env .env.enc",

src/api/routes/admin.ts

@@ -0,0 +1,116 @@
+import type { FastifyInstance } from "fastify";
+import { getMirrorConfig } from "../../lib/mirror-config.js";
+import {
+  runMirrorSync,
+  testUpstreamConnection,
+  getMirrorStatus,
+  getSyncHistory,
+  syncEvents,
+  stopSync,
+  cleanupStaleRuns,
+  isSyncRunning,
+  getActiveRunId,
+  getActiveRunLogs,
+  type SyncProgressEvent,
+} from "../../lib/mirror-sync.js";
+
+export async function adminRoutes(app: FastifyInstance) {
+  // All admin routes require mirror mode to be enabled
+  app.addHook("onRequest", async (_request, reply) => {
+    const config = getMirrorConfig();
+    if (!config.enabled) {
+      return reply.status(404).send({ error: "Not found", statusCode: 404 });
+    }
+  });
+
+  // Get mirror status
+  app.get("/admin/mirror/status", async () => {
+    const status = await getMirrorStatus();
+    return status;
+  });
+
+  // Test upstream connection
+  app.post("/admin/mirror/test", async () => {
+    const config = getMirrorConfig();
+    const result = await testUpstreamConnection(config.upstream);
+    return result;
+  });
+
+  // Trigger a sync manually (fire-and-forget, client uses SSE for progress)
+  app.post("/admin/mirror/sync", async () => {
+    if (isSyncRunning()) {
+      return { started: false, error: "A sync is already running" };
+    }
+    // Start sync in background — don't await
+    runMirrorSync("manual").catch((err) => {
+      console.error("[mirror-sync] Unhandled sync error:", err);
+    });
+    return { started: true };
+  });
+
+  // Stop a running sync (also cleans up stale DB rows from crashed processes)
+  app.post("/admin/mirror/sync/stop", async () => {
+    const stopped = stopSync();
+    if (!stopped) {
+      // No active sync in this process — clean up stale DB rows
+      const cleaned = await cleanupStaleRuns();
+      return { stopped: false, cleaned };
+    }
+    return { stopped: true };
+  });
+
+  // SSE endpoint for live sync progress (replays buffered logs on connect)
+  app.get("/admin/mirror/sync/progress", async (request, reply) => {
+    reply.raw.writeHead(200, {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache",
+      Connection: "keep-alive",
+    });
+
+    // Replay buffered logs so reconnects/refreshes don't lose history
+    const buffered = getActiveRunLogs();
+    if (buffered.length > 0) {
+      for (const msg of buffered) {
+        const replayEvent: SyncProgressEvent = { type: "collection", message: msg, progress: { collectionsTotal: 0, collectionsProcessed: 0, versionsPulled: 0, filesDownloaded: 0, filesSkipped: 0, errors: 0 } };
+        reply.raw.write(`data: ${JSON.stringify(replayEvent)}\n\n`);
+      }
+    }
+
+    // If no sync is running, close immediately
+    if (!isSyncRunning()) {
+      reply.raw.end();
+      return;
+    }
+
+    function onProgress(event: SyncProgressEvent) {
+      reply.raw.write(`data: ${JSON.stringify(event)}\n\n`);
+      if (event.type === "done") {
+        setTimeout(() => reply.raw.end(), 100);
+      }
+    }
+
+    syncEvents.on("progress", onProgress);
+
+    request.raw.on("close", () => {
+      syncEvents.off("progress", onProgress);
+    });
+  });
+
+  // Get current sync running state (for page refresh reconnection)
+  app.get("/admin/mirror/sync/active", async () => {
+    return {
+      running: isSyncRunning(),
+      runId: getActiveRunId(),
+      logs: getActiveRunLogs(),
+    };
+  });
+
+  // Sync history
+  app.get("/admin/mirror/history", async (request) => {
+    const limit = Math.min(
+      Number((request.query as any)?.limit) || 20,
+      100,
+    );
+    return getSyncHistory(limit);
+  });
+}

src/api/server.ts

@@ -12,6 +12,7 @@ import { versionRoutes } from "./routes/versions.js";
 import { uploadRoutes } from "./routes/uploads.js";
 import { fileRoutes } from "./routes/files.js";
 import { schemaRoutes } from "./routes/schemas.js";
+import { adminRoutes } from "./routes/admin.js";
 import { queryRoutes } from "./routes/query.js";
 
 export async function buildApp() {
@@ -75,6 +76,7 @@ export async function buildApp() {
   await app.register(uploadRoutes, { prefix: "/api" });
   await app.register(fileRoutes, { prefix: "/api" });
   await app.register(schemaRoutes, { prefix: "/api" });
+  await app.register(adminRoutes, { prefix: "/api" });
   await app.register(queryRoutes, { prefix: "/api" });
 
   return app;