Add desktop distribution support

.github/workflows/release-docker.yaml

@@ -64,8 +64,8 @@ jobs:
         provenance: mode=max
         sbom: true
 
-  deploy-to-dev:
-    name: Deploy to dev
+  wait-for-deploy:
+    name: Wait for dev deploy
     runs-on: ubuntu-latest
     needs: push-image
     if: github.ref == 'refs/heads/main'
@@ -74,12 +74,25 @@ jobs:
       url: ${{ vars.APP_URL }}
 
     steps:
-    - name: Deploy via SSH
-      uses: appleboy/ssh-action@823bd89e131d8d508129f9443cad5855e9ba96f0  # v1.2.4
-      with:
-        host: ${{ secrets.SSH_HOST }}
-        username: ${{ secrets.SSH_USER }}
-        key: ${{ secrets.SSH_PRIVATE_KEY }}
-        port: ${{ secrets.SSH_PORT || 22 }}
-        fingerprint: ${{ secrets.SSH_HOST_FINGERPRINT }}
-        script: deploy dev
+    - name: Poll /api/v1/version for new short SHA
+      env:
+        TARGET_SHA: ${{ github.sha }}
+        APP_URL: ${{ vars.APP_URL }}
+        CF_ACCESS_CLIENT_ID: ${{ secrets.CF_ACCESS_CLIENT_ID_DEPLOY }}
+        CF_ACCESS_CLIENT_SECRET: ${{ secrets.CF_ACCESS_CLIENT_SECRET_DEPLOY }}
+      run: |
+        set -eu
+        SHORT="${TARGET_SHA:0:7}"
+        for i in $(seq 1 80); do
+          ver=$(curl -sS \
+            -H "CF-Access-Client-Id: $CF_ACCESS_CLIENT_ID" \
+            -H "CF-Access-Client-Secret: $CF_ACCESS_CLIENT_SECRET" \
+            "$APP_URL/api/v1/version/" | jq -r '.version // empty' 2>/dev/null || true)
+          if [[ "$ver" == *"g${SHORT}"* ]]; then
+            echo "Deployed: $ver"
+            exit 0
+          fi
+          echo "want g${SHORT}, got ${ver:-<none>}"
+          sleep 15
+        done
+        exit 1

.gitignore

@@ -5,6 +5,9 @@ todo.md
 # Data
 /data/
 
+# Demo seeding
+/demo/
+
 # setuptools-scm version
 src/pypsa_app/backend/_version_info.py
 
@@ -36,6 +39,11 @@ sdist/
 var/
 wheels/
 *.egg-info/
+# Wails desktop build — source assets are tracked; compiled outputs and auto-generated files are not.
+# The `build/` and `wheels/` patterns above would catch these, so negate them explicitly.
+!desktop/build/
+desktop/build/windows/installer/wails_tools.nsh
+!desktop/build/windows/wheels/
 .installed.cfg
 *.egg
 
@@ -80,8 +88,10 @@ htmlcov/
 
 # Docker
 compose/compose.prod.yaml
+compose/compose.demo.yaml
 compose/.env
 compose/.env.dev
+compose/.env.demo
 
 # Alembic
 alembic/versions/*.pyc

Dockerfile

@@ -23,8 +23,11 @@ COPY pyproject.toml uv.lock MANIFEST.in ./
 COPY src/ src/
 COPY .git/ .git/
 
-# Sync dependencies with uv
-RUN uv sync --frozen --extra full --no-dev
+# Skip setuptools_scm git lookup when .git is unavailable
+ARG SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYPSA_APP=
+RUN if [ -n "${SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYPSA_APP}" ]; then \
+        export SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYPSA_APP="${SETUPTOOLS_SCM_PRETEND_VERSION_FOR_PYPSA_APP}"; \
+    fi && uv sync --frozen --extra full --no-dev
 
 # Stage 2: Runtime stage (pypsa-app backend)
 FROM python:3.13-slim@sha256:d49c1ff87eb98eac346fc250f52925f726eb913c43a92854246dd03c9692ad67 AS backend

README.md

@@ -24,6 +24,9 @@ and custom integrations.
 > [!TIP]
 > There is a prototype deployed under [`https://app-dev.pypsa.org/`](https://app-dev.pypsa.org/). If you would like to have access, reach out to [@lkstrp](https://github.com/lkstrp/).
 
+> [!TIP]
+> A public read-only demo runs at [`https://demo.pypsa.org/`](https://demo.pypsa.org/), where uploads and runs are disabled and data is synthetic.
+
 ### Roadmap
 
 - [ ] Upload Networks via interface

compose/.env.example

@@ -6,35 +6,56 @@
 # Publicly accessible URL of the application
 BASE_URL=http://localhost:5173
 
+# Single-user local-dashboard deployment (the bare `pypsa-app` CLI). Enables zero-copy in-place network registration. Incompatible with any authentication.
+LOCAL_MODE=false
+
+# Public read-only demo deployment. Disables all write endpoints, uses a shared 'demo' user.
+DEMO_MODE=false
+
 # File storage directory to store application data and network files
-DATA_DIR=./data
+DATA_DIR=PydanticUndefined
 
 # Database
 # --------
 
-# Database URL (SQLite and PostgreSQL is supported)
-DATABASE_URL=sqlite:///./data/pypsa-app.db
+# Database URL (SQLite and PostgreSQL are supported). Defaults to a SQLite file inside data_dir.
+DATABASE_URL=__derive_from_data_dir__
 
 # Authentication
 # --------------
 
-# Enable GitHub OAuth authentication
-ENABLE_AUTH=false
-
 # GitHub OAuth app client ID (create at https://github.com/settings/developers)
-# GITHUB_CLIENT_ID=
+# AUTH_GITHUB_CLIENT_ID=
 
 # GitHub OAuth app client secret
-# GITHUB_CLIENT_SECRET=
+# AUTH_GITHUB_CLIENT_SECRET=
+
+# Enable password based login
+AUTH_PASSWORD_ENABLED=false
 
 # Secret key for session cookies (generate with: openssl rand -base64 32)
-# SESSION_SECRET_KEY=dev-secret-key-change-in-production
+SESSION_SECRET_KEY=dev-secret-key-change-in-production
 
 # Session time-to-live in seconds (default: 7 days)
-# SESSION_TTL=604800
+SESSION_TTL=604800
+
+# Networks
+# --------
+
+# Maximum network file upload size in megabytes
+MAX_UPLOAD_SIZE_MB=2000
 
-# GitHub username that becomes admin on first login
-# ADMIN_GITHUB_USERNAME=
+# Runs
+# ----
+
+# Interval in seconds between background Snakedispatch sync cycles
+SNAKEDISPATCH_SYNC_INTERVAL=10.0
+
+# Comma-separated list of allowed domains for run callback URLs (e.g. hooks.myorg.dev,example.com). Callbacks are rejected unless the host matches. Empty disables callbacks entirely.
+CALLBACK_URL_ALLOWED_DOMAINS=
+
+# Comma-separated list of Snakedispatch backends in name=url format (e.g. cluster-a=http://sd-a:8000,cluster-b=http://sd-b:8000)
+# SNAKEDISPATCH_BACKENDS=
 
 # Redis
 # -----
@@ -48,17 +69,50 @@ ENABLE_AUTH=false
 # Time-to-live in seconds for network cache entries
 # NETWORK_CACHE_TTL=7200
 
+# Time-to-live in seconds for run output file list cache entries
+# RUN_OUTPUTS_CACHE_TTL=10800
+
 # Maximum cache size in megabytes
 # MAX_CACHE_SIZE_MB=50
 
-# Executions
-# ----------
+# Rate limiting
+# -------------
 
-# Comma-separated list of Snakedispatch backends in name=url format
-# SNAKEDISPATCH_BACKENDS=cluster-a=http://snakedispatch-a:8000,cluster-b=http://snakedispatch-b:8000
+# Enable per route rate limiting. Auto on when LOCAL_MODE is off.
+# RATELIMIT_ENABLED=
 
-# Time-to-live in seconds for run output file list cache entries
-# RUN_OUTPUTS_CACHE_TTL=10800
+# Default per key rate limit applied to all routes
+RATELIMIT_DEFAULT=120/minute
+
+# Rate limit for POST /auth/login/password
+RATELIMIT_LOGIN=5/minute;20/hour
+
+# Rate limit for task queueing routes (plots, statistics).
+RATELIMIT_EXPENSIVE=60/minute;600/hour
+
+# Trust the CF-Connecting-IP header as the client IP for rate limiting. Only enable when the app sits behind a Cloudflare tunnel.
+TRUST_CLOUDFLARE_IP=false
+
+# Email
+# -----
+
+# SMTP server hostname (enables email notifications when set)
+# SMTP_HOST=
+
+# SMTP server port
+# SMTP_PORT=587
+
+# SMTP authentication username
+# SMTP_USERNAME=
+
+# SMTP authentication password
+# SMTP_PASSWORD=
+
+# Use TLS/STARTTLS for SMTP connection
+# SMTP_USE_TLS=true
+
+# Sender email address for notifications
+# SMTP_FROM_ADDRESS=noreply@pypsa-app.local
 
 # Development
 # -----------

compose/compose.yaml

@@ -0,0 +1,96 @@
+# Development setup - backend only (run frontend with npm run dev)
+# Copy .env.dev.example to .env.dev and configure your settings
+
+services:
+  postgres:
+    image: postgres:18-alpine
+    container_name: pypsa-postgres
+
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    # Uncomment for access Postgres on host machine
+    # ports:
+    #   - "${POSTGRES_PORT:-5432}:5432"
+    volumes:
+      - postgres_data:/var/lib/postgresql
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  redis:
+    image: redis:8-alpine
+    container_name: pypsa-redis
+
+    # Uncomment to access Redis from host machine
+    # ports:
+    #   - "6379:6379"
+    command: redis-server --maxmemory ${REDIS_MAXMEMORY:-2gb} --maxmemory-policy allkeys-lru
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 5s
+      timeout: 3s
+      retries: 5
+
+  pypsa-app:
+    build:
+      context: ..
+      dockerfile: Dockerfile
+      target: backend
+    container_name: pypsa-app
+    ports:
+      - "${APP_PORT:-8000}:8000"
+
+    environment:
+      # These use docker network hostnames, so we construct them here
+      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}
+      REDIS_URL: redis://redis:6379/0
+      DATA_DIR: /data
+      DEBUG: true
+    volumes:
+      - ../src:/app/src
+      - ../data:/data
+      - ../alembic.ini:/app/alembic.ini:ro
+      - ../frontend/app/package.json:/app/frontend/app/package.json:ro
+    depends_on:
+      postgres:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    command: ["pypsa-app", "serve", "--reload", "--dev"]
+
+  celery-worker:
+    build:
+      context: ..
+      dockerfile: Dockerfile
+      target: backend
+    container_name: pypsa-celery-worker
+
+    environment:
+      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB}
+      REDIS_URL: redis://redis:6379/0
+      DATA_DIR: /data
+    command:
+      [
+        "celery",
+        "-A",
+        "pypsa_app.backend.task_queue.task_app",
+        "worker",
+        "--loglevel=${CELERY_LOGLEVEL:-info}",
+        "--concurrency=${CELERY_CONCURRENCY:-2}",
+      ]
+    volumes:
+      - ../src:/app/src
+      - ../data:/data
+      - ../alembic.ini:/app/alembic.ini:ro
+    depends_on:
+      postgres:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+
+volumes:
+  postgres_data:

desktop/.gitignore

@@ -0,0 +1,6 @@
+build/bin
+node_modules
+frontend/dist
+# local go build outputs
+pypsa-desktop
+pypsa-desktop.exe

desktop/README.md

@@ -0,0 +1,16 @@
+# README
+
+## About
+
+This is the official Wails Svelte template.
+
+## Live Development
+
+To run in live development mode, run `wails dev` in the project directory. This will run a Vite development
+server that will provide very fast hot reload of your frontend changes. If you want to develop in a browser
+and have access to your Go methods, there is also a dev server that runs on http://localhost:34115. Connect
+to this in your browser, and you can call your Go code from devtools.
+
+## Building
+
+To build a redistributable, production mode package, use `wails build`.