prod preparations

2026-01-28 08:53:21 -05:00
parent 4850c16b87
commit b70d87c797
9 changed files with 1259 additions and 14 deletions
--- a/PRODUCTION_README.md
+++ b/PRODUCTION_README.md
@@ -0,0 +1,303 @@
+# Faction War Dispatch Bot - Production Deployment
+
+## Quick Summary
+
+This application is ready for production deployment with proper security measures. Follow the steps below to deploy to your Linux server.
+
+## Security Features Implemented
+
+- Environment variable support (.env files)
+- Secrets excluded from git (.gitignore)
+- HTTPS/SSL configuration (via Let's Encrypt)
+- JWT-based authentication
+- Nginx reverse proxy configuration
+- Systemd service for process management
+- Firewall configuration
+- Automated backups
+- Security headers
+
+## Prerequisites
+
+- **Server**: Linux VM (Ubuntu 20.04+ or Debian 11+)
+- **RAM**: 512MB minimum, 1GB recommended
+- **Domain**: Free domain from DuckDNS, FreeDNS, or No-IP
+- **Port Access**: Ports 80 and 443 open to the internet
+
+## Automated Setup (Recommended)
+
+1. Upload files to your server:
+   ```bash
+   scp -r * user@your-server:/opt/faction-war/app/
+   ```
+
+2. Run the setup script:
+   ```bash
+   ssh user@your-server
+   cd /opt/faction-war/app
+   sudo bash setup_production.sh
+   ```
+
+3. The script will:
+   - Install all dependencies
+   - Configure Nginx
+   - Get SSL certificate
+   - Setup systemd service
+   - Configure firewall
+   - Setup automated backups
+
+4. Follow prompts to:
+   - Enter your domain name
+   - Enter your email (for SSL)
+   - Configure your .env file with secrets
+
+## Manual Setup
+
+See [DEPLOYMENT.md](DEPLOYMENT.md) for detailed step-by-step instructions.
+
+## Free Domain Options
+
+### Option 1: DuckDNS (Recommended)
+- Visit https://www.duckdns.org
+- Sign in and create a subdomain (e.g., `myfaction.duckdns.org`)
+- Note your token for DNS updates
+- Free HTTPS support with Let's Encrypt
+
+### Option 2: FreeDNS
+- Visit https://freedns.afraid.org
+- Create free subdomain
+- Choose from many domain options
+
+### Option 3: No-IP
+- Visit https://www.noip.com
+- Free tier includes dynamic DNS
+
+## Critical Security Steps
+
+### Before Deployment:
+
+1. **Generate Strong Secrets**:
+   ```bash
+   # Generate AUTH_PASSWORD
+   openssl rand -base64 32
+
+   # Generate JWT_SECRET
+   openssl rand -hex 64
+   ```
+
+2. **Configure .env File**:
+   ```bash
+   cp .env.example .env
+   nano .env
+   ```
+
+   Update these values:
+   ```env
+   AUTH_PASSWORD=<generated-password>
+   JWT_SECRET=<generated-secret>
+   TORN_API_KEY=<your-api-key>
+   DISCORD_TOKEN=<your-bot-token>
+   ```
+
+3. **Secure .env File**:
+   ```bash
+   chmod 600 .env
+   ```
+
+4. **Never Commit Secrets**:
+   - `.env` is in `.gitignore`
+   - `data/config.json` is in `.gitignore`
+   - Never commit API keys or passwords
+
+## Post-Deployment
+
+### Access Your Application
+```
+https://yourdomain.com
+```
+
+### Check Service Status
+```bash
+sudo systemctl status faction-war
+```
+
+### View Logs
+```bash
+sudo journalctl -u faction-war -f
+```
+
+### Restart Service
+```bash
+sudo systemctl restart faction-war
+```
+
+## Configuration
+
+### Option 1: Web Interface (Recommended)
+1. Visit `https://yourdomain.com/config`
+2. Configure all settings through the UI
+3. Settings are saved to `data/config.json`
+
+### Option 2: Environment Variables
+1. Edit `/opt/faction-war/app/.env`
+2. Restart service: `sudo systemctl restart faction-war`
+
+### Option 3: JSON File
+1. Edit `data/config.json` directly
+2. Restart service to apply changes
+
+**Priority**: Environment variables > config.json > defaults
+
+## Security Checklist
+
+Before going live, verify:
+
+- [ ] Strong AUTH_PASSWORD generated and set
+- [ ] Strong JWT_SECRET generated and set
+- [ ] HTTPS/SSL certificate installed
+- [ ] Firewall configured (only ports 22, 80, 443)
+- [ ] Port 8000 blocked from external access
+- [ ] .env file has permissions 600
+- [ ] data/ directory has permissions 700
+- [ ] Automatic SSL renewal working
+- [ ] Backups configured (2 AM daily)
+- [ ] Logs accessible and monitoring setup
+
+## File Structure
+
+```
+/opt/faction-war/app/
+├── main.py                 # Application entry point
+├── config.py               # Configuration loader
+├── .env                    # Environment variables (NEVER COMMIT)
+├── .env.example            # Example environment file
+├── requirements.txt        # Python dependencies
+├── faction-war.service     # Systemd service template
+├── nginx.conf.example      # Nginx configuration template
+├── setup_production.sh     # Automated setup script
+├── DEPLOYMENT.md           # Detailed deployment guide
+├── data/                   # Persistent data (NEVER COMMIT)
+│   ├── config.json        # Web UI configuration
+│   ├── discord_mapping.json
+│   └── ...
+├── routers/               # API routes
+├── services/              # Business logic
+├── static/                # Frontend assets
+└── templates/             # HTML templates
+```
+
+## Updates
+
+### Update Application
+```bash
+cd /opt/faction-war/app
+git pull
+sudo -u factionwar venv/bin/pip install --upgrade -r requirements.txt
+sudo systemctl restart faction-war
+```
+
+### Update SSL Certificate
+```bash
+# Auto-renewal is configured by certbot
+# Test renewal:
+sudo certbot renew --dry-run
+```
+
+## Backups
+
+Automated daily backups run at 2 AM:
+- Location: `/opt/faction-war/backups/`
+- Retention: 7 days
+- Manual backup:
+  ```bash
+  /opt/faction-war/backup.sh
+  ```
+
+## Troubleshooting
+
+### Application Won't Start
+```bash
+# Check logs
+sudo journalctl -u faction-war -n 50
+
+# Test manually
+sudo -u factionwar /opt/faction-war/app/venv/bin/python /opt/faction-war/app/main.py
+```
+
+### 502 Bad Gateway
+```bash
+# Check if app is running
+sudo systemctl status faction-war
+
+# Check if listening on port 8000
+sudo netstat -tlnp | grep 8000
+```
+
+### SSL Certificate Issues
+```bash
+# Renew manually
+sudo certbot renew
+
+# Check certificate status
+sudo certbot certificates
+```
+
+## Support
+
+For detailed deployment instructions, see [DEPLOYMENT.md](DEPLOYMENT.md)
+
+## Quick Commands Reference
+
+```bash
+# Service management
+sudo systemctl start faction-war
+sudo systemctl stop faction-war
+sudo systemctl restart faction-war
+sudo systemctl status faction-war
+
+# View logs
+sudo journalctl -u faction-war -f
+sudo tail -f /var/log/nginx/faction-war-error.log
+
+# Update application
+cd /opt/faction-war/app && git pull && sudo systemctl restart faction-war
+
+# Manual backup
+/opt/faction-war/backup.sh
+
+# Renew SSL
+sudo certbot renew
+```
+
+## Monitoring
+
+Monitor these logs regularly:
+- Application: `sudo journalctl -u faction-war -f`
+- Nginx Access: `/var/log/nginx/faction-war-access.log`
+- Nginx Errors: `/var/log/nginx/faction-war-error.log`
+- System: `sudo tail -f /var/log/syslog`
+
+## Production Best Practices
+
+1. **Use strong passwords** - Generate with OpenSSL
+2. **Keep dependencies updated** - Regular `pip install --upgrade`
+3. **Monitor logs** - Check for errors and suspicious activity
+4. **Backup regularly** - Automated daily backups configured
+5. **Use HTTPS only** - HTTP auto-redirects to HTTPS
+6. **Restrict firewall** - Only necessary ports open
+7. **Update system** - Regular `apt update && apt upgrade`
+8. **Test backups** - Periodically restore from backup to verify
+
+## Features
+
+- Secure authentication (JWT + password)
+- Web-based configuration
+- Real-time activity logging
+- Active user tracking
+- Automated hit assignment
+- Chain timer monitoring
+- Server-side state persistence
+- Multi-device support
+
+---
+
+**Ready to deploy?** Run `setup_production.sh` on your server to get started!