Architecture
How the MCP server and this documentation site are deployed on AWS.
Both the MCP server and this documentation site are provisioned with Terraform
in the alex-salisol AWS account, under the andru.codes Route 53 hosted zone.
The MCP server
The server is a small Node process fronted by Caddy for automatic HTTPS.
| Layer | Detail |
|---|---|
| Compute | Single t3.micro EC2 instance (Amazon Linux 2023) with an Elastic IP |
| TLS / proxy | Caddy reverse proxy, Let's Encrypt certificate, :443 → 127.0.0.1:8080 |
| Process | systemd unit running node dist/index.js |
| DNS | tour-de-france.andru.codes A record → Elastic IP |
| CI/CD | Push to main → GitHub OIDC → scoped AWS role → SSM Run Command redeploy |
No long-lived AWS credentials are stored anywhere, in the repo or on the box.
A GitHub Actions run presents its short-lived OIDC token to STS
(AssumeRoleWithWebIdentity) and receives temporary credentials for a role whose
trust policy only accepts tokens from this repo's main branch; it then uses SSM
Run Command to run the redeploy script on the instance. Because the SSM agent
connects outbound, no inbound port (not even SSH) is opened for deploys.
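An added example, not the project's own infra/ code, of how that trust relationship is expressed in Terraform: the OIDC provider, a trust policy pinned to the audience and to the exact main-branch subject, and a permission policy that can only run the stock shell-script document against the one instance. The variable names, the resource names, the `aws_instance.mcp` reference and the GitHub org/repo are assumptions.

```hcl
# Added example (not the project's own infra/ code). Assumed names throughout.
variable "github_org"  { type = string }
variable "github_repo" { type = string }
variable "region"      { type = string }

# One OIDC provider per account for GitHub Actions. The thumbprint is the
# widely published value for GitHub's issuer; verify it against the current
# certificate chain before relying on it.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = ["6938fd4d98bab03faadb97b34396831e3780aea1"]
}

data "aws_iam_policy_document" "github_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    # Audience must be the one the action requested; a token minted for some
    # other relying party cannot be replayed against this role.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    # Exact subject: only workflow runs on main of this one repo. A wildcard
    # such as "repo:ORG/REPO:*" would also admit pull_request runs and every
    # other branch and tag.
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_org}/${var.github_repo}:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "github_deploy" {
  name                 = "github-deploy-mcp"
  assume_role_policy   = data.aws_iam_policy_document.github_trust.json
  max_session_duration = 3600 # the minimum; a deploy needs minutes, not hours
}

data "aws_iam_policy_document" "deploy" {
  # SendCommand is scoped to both the document and the target: the AWS-owned
  # AWS-RunShellScript document and the single EC2 instance declared
  # elsewhere in infra/ (assumed to be named aws_instance.mcp).
  statement {
    effect  = "Allow"
    actions = ["ssm:SendCommand"]
    resources = [
      "arn:aws:ssm:${var.region}::document/AWS-RunShellScript",
      aws_instance.mcp.arn,
    ]
  }

  # Read back the invocation status so the workflow fails when the script does.
  statement {
    effect    = "Allow"
    actions   = ["ssm:GetCommandInvocation", "ssm:ListCommandInvocations"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "github_deploy" {
  role   = aws_iam_role.github_deploy.id
  policy = data.aws_iam_policy_document.deploy.json
}
```

The `sub` condition is the load-bearing line; if it is loosened to a wildcard the role is assumable from any workflow in the repo. On the instance side, the box needs an instance profile with the `AmazonSSMManagedInstanceCore` managed policy and a running SSM agent (preinstalled on Amazon Linux 2023); nothing in the security group has to change, and a quick check that the setup is as tight as intended is that the instance's security group allows inbound traffic on 443 only.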
This documentation site
The docs are a Fumadocs (Next.js) app exported to static HTML and served from S3 behind CloudFront.
| Layer | Detail |
|---|---|
| Build | next build with output: 'export' → static out/ directory |
| Storage | Private S3 bucket, reachable only through CloudFront (Origin Access Control) |
| CDN / TLS | CloudFront distribution with an ACM certificate (us-east-1) |
| Routing | A CloudFront viewer-request function rewrites clean URLs to /index.html |
| DNS | tdf-docs.andru.codes alias record → CloudFront distribution |
| CI/CD | Push to main → GitHub OIDC → aws s3 sync + CloudFront invalidation |
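An added example, not the project's own infra-docs/ code, of the two pieces that make the table above hold: the bucket policy that lets only this distribution read the bucket (the Origin Access Control half of "reachable only through CloudFront"), and the viewer-request function that maps clean URLs onto the objects a static export actually produces. It assumes the export uses `trailingSlash: true` so each route lands in `out/<route>/index.html`, and that resources named `aws_s3_bucket.docs` and `aws_cloudfront_distribution.docs` exist; all names are assumptions.

```hcl
# Added example (not the project's own infra-docs/ code). Assumed names throughout.

# Grant s3:GetObject to the CloudFront service principal, but only when the
# request comes from this one distribution. Without the SourceArn condition any
# distribution in any account could front the bucket.
data "aws_iam_policy_document" "docs_bucket" {
  statement {
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.docs.arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.docs.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "docs" {
  bucket = aws_s3_bucket.docs.id
  policy = data.aws_iam_policy_document.docs_bucket.json
}

# default_root_object only covers "/". A request for "/guide" or "/guide/"
# would otherwise be sent to S3 as-is and come back as a 403 from the private
# bucket, so the function rewrites it before the cache lookup.
resource "aws_cloudfront_function" "clean_urls" {
  name    = "tdf-docs-clean-urls"
  runtime = "cloudfront-js-2.0"
  publish = true

  code = <<-EOT
    // Rewrites /guide -> /guide/index.html and /guide/ -> /guide/index.html.
    // Requests that already name a file (/favicon.ico, /_next/static/...)
    // pass through unchanged.
    function handler(event) {
      var request = event.request;
      var uri = request.uri;

      if (uri.charAt(uri.length - 1) === '/') {
        request.uri = uri + 'index.html';
        return request;
      }

      // Only inspect the final path segment; a dot in an earlier segment
      // (e.g. /v1.2/intro) must not be mistaken for a file extension.
      var last = uri.substring(uri.lastIndexOf('/') + 1);
      if (last.indexOf('.') === -1) {
        request.uri = uri + '/index.html';
      }
      return request;
    }
  EOT
}
```

The function is attached to the distribution's default cache behaviour with a `function_association` block whose `event_type` is `viewer-request` and whose `function_arn` is `aws_cloudfront_function.clean_urls.arn`. Because the rewrite happens before the cache lookup, `/guide` and `/guide/` share one cache entry, and a request that bypasses CloudFront and hits the bucket URL directly still gets a 403, which is the behaviour to confirm after every apply.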
The docs infrastructure lives in infra-docs/ and is kept in separate
Terraform state from the MCP server (infra/), so deploying one never risks
the other.