Updates to build and pipelines

.dockerignore

@@ -0,0 +1,18 @@
+node_modules
+build
+.git
+.gitignore
+*.md
+.cursor
+.devcontainer
+.eslintrc.cjs
+.prettierrc
+.prettierignore
+.eslintignore
+e2e
+playwright.config.ts
+vitest.config.ts
+test.txt
+docs
+.woodpecker.yml
+.woodpecker

.woodpecker/ci.yml

@@ -1,3 +1,4 @@
+# CI: runs on every push. Lint, check, test, build (dev), e2e.
 steps:
     build:
         image: node:22-bookworm-slim

.woodpecker/deploy.yml

@@ -0,0 +1,73 @@
+# Deploy: build image, push to registry, trigger Portainer stack redeploy.
+# Runs on push/tag/manual to main only, after ci workflow succeeds.
+when:
+    branch: main
+    event: [push, tag, manual]
+depends_on:
+    - ci
+steps:
+    - name: Docker image build
+      image: docker:latest
+      environment:
+          REGISTRY_REPO: git.mifi.dev/mifi-holdings/mifi-links
+      volumes:
+          - /var/run/docker.sock:/var/run/docker.sock
+      commands:
+          - set -e
+          - echo "=== Building Docker image ==="
+          - 'echo "Commit SHA: ${CI_COMMIT_SHA:0:8}"'
+          - 'echo "Registry repo: $REGISTRY_REPO"'
+          - |
+              docker build \
+                --tag $REGISTRY_REPO:${CI_COMMIT_SHA} \
+                --tag $REGISTRY_REPO:latest \
+                --label "git.commit=${CI_COMMIT_SHA}" \
+                --label "git.branch=${CI_COMMIT_BRANCH}" \
+                .
+          - echo "✓ Docker image built successfully"
+
+    - name: Push to registry
+      image: docker:latest
+      environment:
+          REGISTRY_URL: git.mifi.dev
+          REGISTRY_REPO: git.mifi.dev/mifi-holdings/mifi-links
+          REGISTRY_USERNAME:
+              from_secret: gitea_registry_username
+          REGISTRY_PASSWORD:
+              from_secret: gitea_package_token
+      volumes:
+          - /var/run/docker.sock:/var/run/docker.sock
+      commands:
+          - set -e
+          - echo "=== Pushing to registry ==="
+          - 'echo "Registry: $REGISTRY_URL"'
+          - 'echo "Repository: $REGISTRY_REPO"'
+          - |
+              echo "$REGISTRY_PASSWORD" | docker login "$REGISTRY_URL" \
+                -u "$REGISTRY_USERNAME" \
+                --password-stdin
+          - docker push $REGISTRY_REPO:${CI_COMMIT_SHA}
+          - docker push $REGISTRY_REPO:latest
+          - echo "✓ Images pushed successfully"
+      depends_on:
+          - Docker image build
+
+    - name: Trigger Portainer stack redeploy
+      image: curlimages/curl:latest
+      environment:
+          PORTAINER_WEBHOOK_URL:
+              from_secret: portainer_webhook_url
+      commands:
+          - set -e
+          - echo "=== Triggering Portainer stack redeploy ==="
+          - |
+              resp=$(curl -s -w "\n%{http_code}" -X POST "$PORTAINER_WEBHOOK_URL")
+              body=$(echo "$resp" | head -n -1)
+              code=$(echo "$resp" | tail -n 1)
+              if [ "$code" != "200" ] && [ "$code" != "204" ]; then
+                echo "Webhook failed (HTTP $code): $body"
+                exit 1
+              fi
+              echo "✓ Portainer redeploy triggered (HTTP $code)"
+      depends_on:
+          - Push to registry

AGENTS.md

@@ -19,7 +19,7 @@ This repo is a **one-page static** Linktree-style site for mifi.dev. It is **not
 - Use **semantic HTML** and **JSON-LD** for SEO; target **WCAG 2.2 AAA** for accessibility.
 - **No unsafe-inline** scripts; all JS via `<script src="...">`.
 - **Dev container** uses the same Linux + Playwright Chromium as CI so e2e/visual-regression snapshots are comparable.
-- **Docker:** Static server is **nginx**; Traefik labels for `mifi.dev`, `www.mifi.dev`, network `marina-net`.
+- **Docker:** Single image with both variants; **nginx** does host-based routing (mifi.dev / www.mifi.dev → `/html/dev`, mifi.bio / www.mifi.bio → `/html/bio`). Traefik labels for both hosts; network `marina-net`. Dockerfile builds both with `CONTENT_VARIANT=dev` and `CONTENT_VARIANT=bio`.
 - **CI:** Woodpecker; pipeline runs lint, unit tests, e2e/visual regression, build (pnpm).
 
 ## Key paths
@@ -29,7 +29,9 @@ This repo is a **one-page static** Linktree-style site for mifi.dev. It is **not
 - `src/app.html` – HTML shell
 - `scripts/critical-css.mjs` – post-build critical CSS
 - `.devcontainer/` – dev container (Node, pnpm, Playwright Linux)
-- `docker-compose` – nginx + Traefik (in repo root when added)
+- `Dockerfile` – multi-stage build (both dev + bio variants), then nginx with host-based routing
+- `nginx/default.conf` – nginx server blocks for mifi.dev and mifi.bio
+- `docker-compose.yml` – one service, registry image, Traefik labels for both hosts
 
 ## Commands
 

Dockerfile

@@ -0,0 +1,33 @@
+# Multi-stage: build both variants (dev + bio), then nginx with host-based routing.
+# No buildx; plain docker build.
+
+FROM node:22-bookworm-slim AS builder
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN corepack enable && corepack prepare pnpm@latest --activate
+
+WORKDIR /app
+
+COPY package.json pnpm-lock.yaml ./
+RUN pnpm install --frozen-lockfile
+
+COPY . .
+
+# Build dev variant, move output, then build bio variant (same build/ dir).
+RUN set -e && \
+    CONTENT_VARIANT=dev pnpm run build && \
+    cp -r build /out/dev && \
+    CONTENT_VARIANT=bio pnpm run build && \
+    cp -r build /out/bio
+
+# Runtime: nginx serves /out/dev and /out/bio by Host header.
+FROM nginx:alpine
+
+COPY --from=builder /out/dev /usr/share/nginx/html/dev
+COPY --from=builder /out/bio /usr/share/nginx/html/bio
+COPY nginx/default.conf /etc/nginx/conf.d/default.conf
+
+EXPOSE 80

README.md

@@ -65,10 +65,24 @@ pnpm preview      # preview build at http://localhost:4173
 - **E2E / visual regression:** Playwright (use same Linux build in dev container and CI)
 - **Critical CSS:** Post-build step via `critical` (run `pnpm build:full` with Chromium installed)
 
+## Build and run with Docker
+
+One image contains both variants (mifi.dev and mifi.bio). The Dockerfile runs two SvelteKit builds (`CONTENT_VARIANT=dev` and `CONTENT_VARIANT=bio`) and nginx serves by host.
+
+```bash
+docker build -t mifi-links:local .
+docker run --rm -p 8080:80 mifi-links:local
+```
+
+Then open `http://localhost:8080` with `Host: mifi.dev` or `Host: mifi.bio` (e.g. add `127.0.0.1 mifi.dev` to `/etc/hosts` and visit `http://mifi.dev:8080`).
+
+For production, the Portainer stack uses the image from the package registry. To run the stack locally with the built image, use the same `docker-compose.yml` and either point it at your local tag or run `docker compose build` then `docker compose up`.
+
 ## Deploy
 
-- Repo: `git.mifi.dev/mifi-holdings/mifi-dev-landing`
+- Repo: `git.mifi.dev/mifi-holdings/mifi-links`
-- Deploy via webhook to Portainer stack; `docker-compose` in repo defines nginx + Traefik labels for `mifi.dev` and `www.mifi.dev` on network `marina-net`.
+- One image (both mifi.dev and mifi.bio); deploy via webhook to Portainer stack.
+- `docker-compose.yml` defines one service with nginx and Traefik labels for `mifi.dev`, `www.mifi.dev`, `mifi.bio`, and `www.mifi.bio` on network `marina-net`.
 
 ## Fonts
 

docker-compose.yml

@@ -1,14 +1,31 @@
 services:
     web:
-        image: nginx:alpine
+        image: git.mifi.dev/mifi-holdings/mifi-links:latest
+        container_name: mifi-links
+        pull_policy: always
         restart: unless-stopped
-        volumes:
+        healthcheck:
-            - ./build:/usr/share/nginx/html:ro
+            test:
+                ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://127.0.0.1/"]
+            interval: 30s
+            timeout: 3s
+            start_period: 5s
+            retries: 3
         labels:
             - 'traefik.enable=true'
+            - 'traefik.docker.network=marina-net'
             - 'traefik.http.routers.mifi-dev.rule=Host(`mifi.dev`) || Host(`www.mifi.dev`)'
             - 'traefik.http.routers.mifi-dev.entrypoints=websecure'
             - 'traefik.http.services.mifi-dev.loadbalancer.server.port=80'
+            - 'traefik.http.routers.mifi-dev.middlewares=security-supermax-with-analytics@file,redirect-www-to-non-www@file'
+            - 'traefik.http.routers.mifi-dev.tls=true'
+            - 'traefik.http.routers.mifi-dev.tls.certresolver=letsencrypt'
+            - 'traefik.http.routers.mifi-bio.rule=Host(`mifi.bio`) || Host(`www.mifi.bio`)'
+            - 'traefik.http.routers.mifi-bio.entrypoints=websecure'
+            - 'traefik.http.services.mifi-bio.loadbalancer.server.port=80'
+            - 'traefik.http.routers.mifi-bio.middlewares=security-supermax-with-analytics@file,redirect-www-to-non-www@file'
+            - 'traefik.http.routers.mifi-bio.tls=true'
+            - 'traefik.http.routers.mifi-bio.tls.certresolver=letsencrypt'
         networks:
             - marina-net
 

nginx/default.conf

@@ -0,0 +1,20 @@
+# Host-based routing: mifi.dev / www.mifi.dev → dev root, mifi.bio / www.mifi.bio → bio root
+server {
+    listen 80 default_server;
+    server_name mifi.dev www.mifi.dev;
+    root /usr/share/nginx/html/dev;
+    index index.html;
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+}
+
+server {
+    listen 80;
+    server_name mifi.bio www.mifi.bio;
+    root /usr/share/nginx/html/bio;
+    index index.html;
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+}

package.json

@@ -1,6 +1,6 @@
 {
     "name": "mifi-linktree",
-    "version": "0.0.1",
+    "version": "1.0.0",
     "private": true,
     "scripts": {
         "dev:bio": "CONTENT_VARIANT=bio vite dev",
@@ -54,5 +54,10 @@
     "type": "module",
     "dependencies": {
         "@lucide/svelte": "^0.563.1"
+    },
+    "packageManager": "pnpm@10.28.2",
+    "repository": {
+        "type": "git",
+        "url": "https://git.mifi.dev/mifi-holdings/mifi-links.git"
     }
 }