BrowserUse_and_ComputerUse_skills/docs/vps-deploy.md

# BrowserUse VPS Deployment

This project deploys to `BrowserUse-vps@lambda.coredump.ru` with a Gitea/Forgejo Actions runner installed on the VPS.

The server already has a root-owned `/opt/lambdalab` stack with Caddy on ports `80/443`. Keep this browser service as a separate app under the deploy user home directory, then attach the public-facing containers to the existing `lambdalab_frontend` Docker network through `docker-compose.vps.yml`.

## SSH Access

Add the public SSH key to the VPS user:

```sh
ssh BrowserUse-vps@lambda.coredump.ru
mkdir -p ~/.ssh
chmod 700 ~/.ssh
printf '%s\n' '<ssh-ed25519 public key>' >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
```

The fingerprint `SHA256:/XC5ifPX8j+uRyp0Yw2zAl5nteWc3YcHeVHfCG+rhP4` is not enough by itself. `authorized_keys` needs the full public key line that starts with `ssh-ed25519`.

## Initial Server Checkout

Run once on the VPS:

```sh
mkdir -p ~/apps
cd ~/apps
git clone -b feature/api-for-subagent https://git.lambda.coredump.ru/APEX/BrowserUse_and_ComputerUse_skills.git
cd BrowserUse_and_ComputerUse_skills
```

Create a server-local `.env` file in the checkout. It is intentionally not committed:

```sh
OPENAI_API_KEY=...
OPENAI_BASE_URL=...
MODEL_DEFAULT=qwen3.5-122b
BROWSER_VIEW_BASE_URL=https://browser-view.lambda.coredump.ru
BROWSER_API_PUBLISH=127.0.0.1:8088:8088
BROWSER_VIEW_PROXY_PUBLISH=127.0.0.1:6081:8080
BROWSER_NOVNC_PUBLISH=127.0.0.1:6080:6080
BROWSER_CDP_PUBLISH=127.0.0.1:9222:9222
```

Then run the first deploy manually:

```sh
bash scripts/deploy_vps.sh
curl -fsS http://127.0.0.1:8088/health
```

The deploy script uses both Compose files by default:

```sh
docker-compose.yml:docker-compose.vps.yml
```

`docker-compose.vps.yml` connects `browser-api` and `browser-view-proxy` to the existing external `lambdalab_frontend` network so Caddy can reach them by Docker DNS.

## Domain Binding

The active Caddy config is root-owned at:

```sh
/opt/lambdalab/caddy/Caddyfile
```

Add these vhosts to that file from an admin/root account:

```caddyfile
browser-api.lambda.coredump.ru {
	reverse_proxy browser-use-api:8088
}

browser-view.lambda.coredump.ru {
	reverse_proxy browser-use-view-proxy:8080
}
```

Then reload the existing Caddy container from `/opt/lambdalab`:

```sh
cd /opt/lambdalab
docker compose exec caddy caddy reload --config /etc/caddy/Caddyfile
```

DNS must point both subdomains to the VPS public IP `155.212.185.120`. At inspection time, `lambda.coredump.ru` resolved to that IP, while `browser-api.lambda.coredump.ru` and `browser-view.lambda.coredump.ru` did not resolve yet.

## Gitea/Forgejo Runner

Install `act_runner` as the `BrowserUse-vps` user and register it with the repository, organization, or instance runner token:

```sh
mkdir -p ~/act_runner
cd ~/act_runner
./act_runner generate-config > config.yaml
./act_runner --config config.yaml register \
  --no-interactive \
  --instance https://git.lambda.coredump.ru \
  --token '<runner-registration-token>' \
  --name BrowserUse-vps \
  --labels deploy-vps:host
```

Start it under the same user:

```sh
cd ~/act_runner
nohup ./act_runner daemon --config config.yaml > act_runner.log 2>&1 &
```

Because this account has `sudo: no`, a system-wide service cannot be installed from this user. If an admin enables a user-level systemd service for this account, run the same daemon command from that service instead of `nohup`.

## CI/CD Behavior

The workflow lives at `.gitea/workflows/deploy.yml`.

It runs on:

- push to `feature/api-for-subagent`
- manual `workflow_dispatch`

The job expects a runner label named `deploy-vps`, registered as `deploy-vps:host`. It enters:

```sh
/home/BrowserUse-vps/apps/BrowserUse_and_ComputerUse_skills
```

Then it fetches `origin/feature/api-for-subagent`, resets the tracked checkout to that commit, runs Docker Compose, and verifies:

```sh
curl -fsS http://127.0.0.1:8088/health
```