ops: attach vault-dash to proxy-net and document vd1 route

docker-compose.deploy.yml

@@ -17,9 +17,22 @@ services:
       CORS_ORIGINS: ${CORS_ORIGINS:-*}
     ports:
       - "${APP_BIND_ADDRESS:-127.0.0.1}:${APP_PORT:-8000}:8000"
+    networks:
+      - default
+      - proxy-net
     healthcheck:
-      test: ["CMD", "curl", "-fsS", "http://127.0.0.1:8000/health"]
+      test:
+        [
+          "CMD",
+          "python",
+          "-c",
+          "import sys, urllib.request; urllib.request.urlopen('http://127.0.0.1:8000/health', timeout=3); sys.exit(0)",
+        ]
       interval: 30s
       timeout: 5s
       retries: 5
       start_period: 20s
+
+networks:
+  proxy-net:
+    external: true

docs/DEVOPS_DEPLOY_PROMPT.md

@@ -78,11 +78,19 @@ env:
 4. **Configure Docker on the VPS**:
    - Ensure Docker and Docker Compose are installed
    - The deploy script will pull the container image from the registry
+   - Ensure the shared external Docker network `proxy-net` exists so Caddy can reverse proxy the deployment by container name
 
-5. **Verify network connectivity**:
+5. **Publish VPN route through Caddy**:
+   - Add `http://vd1.uncloud.vpn` to `/opt/caddy/Caddyfile`
+   - Restrict access with the existing `@not-vpn` matcher for `10.100.0.0/24`
+   - Reverse proxy to `vault-dash:8000` on `proxy-net`
+   - Reload Caddy and verify `http://vd1.uncloud.vpn/health` over VPN
+
+6. **Verify network connectivity**:
    - Forgejo runner must be able to reach the VPS via SSH
    - VPS must be able to pull images from the registry
 
+
 ## Instructions for the DevOps Agent
 
 When setting up the deployment: