Build a warm-standby failover setup for web.speaktrue.cc:
web.speaktrue.cc to LA first and Canada only when LA fails /health.Provision a Canada Docker VM/container equivalent to the current LA SpeakTrue host.
Required Canada setup:
Haddadios/SpeakTrue./home/deploy/SpeakTrue/web/python-web-app, unless the Canada host already uses a different deploy convention..env from the LA production shape and adjust only host-local values.SUPABASE_URLSUPABASE_ANON_KEYSUPABASE_SERVICE_ROLE_KEY, if presentDATABASE_URLSUPABASE_STORAGE_*ELEVENLABS_*LEGACY_WEB_PUBLIC_ORIGIN=https://web.speaktrue.cc127.0.0.1:8000.docker compose pscurl -fsS http://127.0.0.1:8000/healthUse two site-specific tunnels:
speaktrue-web-laspeaktrue-web-caEach tunnel routes to the local app:
service = http://127.0.0.1:8000
Create two non-user-facing origin hostnames:
st-web-la-origin.speaktrue.cc
st-web-ca-origin.speaktrue.cc
Tunnel public hostnames:
st-web-la-origin.speaktrue.cc -> http://127.0.0.1:8000
st-web-ca-origin.speaktrue.cc -> http://127.0.0.1:8000
Do not put these origin hostnames in marketing copy, Supabase redirects, or app config. They exist only for Cloudflare Load Balancing health checks and origin routing.
Create a Cloudflare Load Balancer for:
web.speaktrue.cc
Pool design:
speaktrue-web-prodla-primaryst-web-la-origin.speaktrue.ccca-standbyst-web-ca-origin.speaktrue.ccTraffic policy:
/health200TLS mode:
web.speaktrue.cc.https://127.0.0.1:8000; Gunicorn is not serving TLS.Replace the single-target homelab deploy workflow with two deploy jobs.
Secrets:
LA_HOMELAB_SSH_HOST
LA_HOMELAB_SSH_USER
LA_HOMELAB_SSH_PRIVATE_KEY
LA_HOMELAB_DEPLOY_PATH
LA_HOMELAB_SSH_PORT
CA_HOMELAB_SSH_HOST
CA_HOMELAB_SSH_USER
CA_HOMELAB_SSH_PRIVATE_KEY
CA_HOMELAB_DEPLOY_PATH
CA_HOMELAB_SSH_PORT
Workflow behavior:
main touching web/python-web-app/**.deploy-la and deploy-ca run the same script independently..env exists.git fetch origin main.origin/main.WEB_ASSET_VERSION to short commit SHA.docker compose down --remove-orphans.docker compose build --pull.docker compose up -d.curl -fsS http://127.0.0.1:8000/health.deploy-la and deploy-ca should both be required to pass for deployment success.Keep the public app identity stable:
LEGACY_WEB_PUBLIC_ORIGIN=https://web.speaktrue.cc
LEGACY_AUTH_POST_LOGIN_REDIRECT_URL=https://web.speaktrue.cc/
Do not add origin hostnames to normal auth redirect flows unless direct origin debugging is explicitly needed.
Supabase redirect allowlist should continue to include:
https://web.speaktrue.cc/**
https://speaktrue.cc/auth/callback
https://speaktrue.cc/auth/callback/
Only add origin hostnames to Supabase redirects if intentionally testing OAuth directly against an origin hostname. The default is not to add them.
Initial rollout checks:
Verify LA origin directly:
curl -fsS https://st-web-la-origin.speaktrue.cc/health
Verify Canada origin directly:
curl -fsS https://st-web-ca-origin.speaktrue.cc/health
Verify the load-balanced hostname:
curl -fsS https://web.speaktrue.cc/health
Confirm Cloudflare Load Balancing reports:
la-primary healthyca-standby healthyFailover drill:
https://web.speaktrue.cc/health remains 200Operational monitors to add or update:
hl-dockervmla2-speaktrueBefore enabling the load balancer:
web.speaktrue.ccAfter enabling the load balancer:
https://web.speaktrue.cc/health returns 200.https://web.speaktrue.cc/ loads the app.web.speaktrue.cc.web.speaktrue.cc as the only user-facing Python web hostname.supabase db push; no DB schema change is required.