00
broilr-rs on Railway
Same shape as FL33T-rs V12.6

broilr-server is the customer-deployed Axum service behind BROILR-iOS. Railway path matches FL33T: root Dockerfile (cargo-chef → slim runtime), railway.toml with healthcheckPath = "/ready", Postgres, and explicit Apple + JWT env.

Repo assumption: GitHub repo broilr-rs with root Dockerfile + railway.toml (public Everplay layout). startCommand runs broilr-server; Railway injects PORT and the binary listens on 0.0.0.0:${PORT} when BIND_ADDR is unset.

00a
Path A — pull public image (customer fleet)
No GitHub repo access required

Primary customer path: pull a pinned tag from GHCR, run with your Postgres + env vars, paste the HTTPS URL into BROILR-iOS.

export TAG=rust-cutover-20260520-ghcr-pipeline
docker pull ghcr.io/everplay-tech/broilr-server:${TAG}
# compose: image: ghcr.io/everplay-tech/broilr-server:${TAG}  (not build: ./repo)

Tag pin: setup/llm JSON spec. Package must be Public on GitHub Packages before anonymous pull works.

00b
Path B — Deploy from GitHub (Railway / operators)
Unchanged — Dockerfile + railway.toml

Railway connected-repo builds remain valid for Everplay operators. Panels 01–04 below are Path B.

01
Steps (Path B)
Operator checklist
  1. 1 · New Railway project

    Deploy from GitHub → pick broilr-rs (or your fork). CLI alternative below.

  2. 2 · Dockerfile build

    Confirm Railway uses DOCKERFILE builder from railway.toml — not Nixpacks.

  3. 3 · Postgres plugin

    Add PostgreSQL; wire DATABASE_URL reference into the broilr service.

  4. 4 · Variables

    Fill panel 02. Persist JWT_SECRET / JWT_REFRESH_SECRET — rotating them invalidates outstanding tokens.

  5. 5 · Domain

    Generate a Railway HTTPS domain; record it for BROILR-iOS first-boot / operator docs.

  6. 6 · Deploy + gate

    Rollout succeeds when GET /ready returns 200 (Postgres SELECT 1 inside the probe budget).

01b
CLI alternative
railway-cli  ·  the path maintainer ran 2026-05-18

Same outcome as the GitHub-deploy flow above; just executed from your local clone with the railway CLI. Project name should match the binary (broilr-server), not the repo (broilr-rs) — customers see the binary name in docker ps, railway logs, and the dashboard.

cd broilr-rs/
railway init --name broilr-server     # creates new Railway project; --name skips the prompt
railway up --detach                    # uploads source; Dockerfile build per railway.toml
railway status                          # confirms project + environment + service link
railway logs                            # tail build + runtime
railway open                            # opens dashboard for env vars + domain

After railway up --detach kicks the first build, jump back to panel 02 to fill env vars in the dashboard and panel 03/04 to verify /ready goes green.

02
Environment variables
broilr service
VariableExampleNotes
DATABASE_URL${{ Postgres.DATABASE_URL }}Required
APPLE_CLIENT_IDnet.llmtech.broilrApple aud
JWT_SECRETopenssl rand -hex 32Access token HS256 key
JWT_REFRESH_SECRETdifferent hexRefresh token signing
BOOTSTRAP_SETUP_CODEoperator-chosen (optional)Owner bootstrap; else see first-boot logs for generated material
JWT_EXPIRES_IN14dOptional
JWT_REFRESH_EXPIRES_IN30dOptional
RUST_LOGbroilr_server=infoOptional
03
Health checks
V12.6-style
PathRole
/healthLiveness — always 200 when process is up
/readyReadiness — 200 when Postgres answers; Railway healthcheckPath
04
Verify
curl
export BROILR_URL=https://YOUR-RAILWAY-DOMAIN.up.railway.app
curl -fsS "${BROILR_URL}/ready"
# expect: {"status":"ready","service":"broilr-rs"}