Merge branch 'main' of https://git.ayau.me/syntaxbullet/discord-rpg-concept

.env.example

@@ -1,12 +1,26 @@
+# =============================================================================
+# Aurora Environment Configuration
+# =============================================================================
+# Copy this file to .env and update with your values
+# For production, see .env.prod.example with security recommendations
+# =============================================================================
+
+# Database
+# For production: use a strong password (openssl rand -base64 32)
 DB_USER=aurora
 DB_PASSWORD=aurora
 DB_NAME=aurora
 DB_PORT=5432
 DB_HOST=db
+DATABASE_URL=postgres://aurora:aurora@db:5432/aurora
+
+# Discord
+# Get from: https://discord.com/developers/applications
 DISCORD_BOT_TOKEN=your-discord-bot-token
 DISCORD_CLIENT_ID=your-discord-client-id
 DISCORD_GUILD_ID=your-discord-guild-id
-DATABASE_URL=postgres://aurora:aurora@db:5432/aurora
 
-VPS_USER=your-vps-user
+# Server (for remote access scripts)
+# Use a non-root user (see shared/scripts/setup-server.sh)
+VPS_USER=deploy
 VPS_HOST=your-vps-ip

.env.prod.example

@@ -0,0 +1,38 @@
+# =============================================================================
+# Aurora Production Environment Template
+# =============================================================================
+# Copy this file to .env and fill in the values
+# IMPORTANT: Use strong, unique passwords in production!
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Database Configuration
+# -----------------------------------------------------------------------------
+# Generate strong password: openssl rand -base64 32
+DB_USER=aurora_prod
+DB_PASSWORD=CHANGE_ME_USE_STRONG_PASSWORD
+DB_NAME=aurora_prod
+DB_PORT=5432
+DB_HOST=localhost
+
+# Constructed database URL (used by Drizzle)
+DATABASE_URL=postgres://${DB_USER}:${DB_PASSWORD}@localhost:${DB_PORT}/${DB_NAME}
+
+# -----------------------------------------------------------------------------
+# Discord Configuration
+# -----------------------------------------------------------------------------
+# Get these from Discord Developer Portal: https://discord.com/developers
+DISCORD_BOT_TOKEN=your_bot_token_here
+DISCORD_CLIENT_ID=your_client_id_here
+DISCORD_GUILD_ID=your_guild_id_here
+
+# -----------------------------------------------------------------------------
+# Server Configuration (for SSH deployment scripts)
+# -----------------------------------------------------------------------------
+# Use a non-root user for security!
+VPS_USER=deploy
+VPS_HOST=your_server_ip_here
+
+# Optional: Custom ports for remote access
+# DASHBOARD_PORT=3000
+# STUDIO_PORT=4983

.github/workflows/deploy.yml

@@ -0,0 +1,136 @@
+# Aurora CI/CD Pipeline
+# Builds, tests, and deploys to production server
+
+name: Deploy to Production
+
+on:
+  push:
+    branches: [main]
+  workflow_dispatch:  # Allow manual trigger
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  # ==========================================================================
+  # Test Job
+  # ==========================================================================
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+
+      - name: Install Dependencies
+        run: bun install --frozen-lockfile
+
+      - name: Run Tests
+        run: bun test
+
+  # ==========================================================================
+  # Build Job
+  # ==========================================================================
+  build:
+    runs-on: ubuntu-latest
+    needs: test
+    permissions:
+      contents: read
+      packages: write
+    outputs:
+      image_tag: ${{ steps.meta.outputs.tags }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=sha,prefix=
+            type=raw,value=latest
+
+      - name: Build and Push Docker Image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile.prod
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  # ==========================================================================
+  # Deploy Job
+  # ==========================================================================
+  deploy:
+    runs-on: ubuntu-latest
+    needs: build
+    environment: production
+
+    steps:
+      - name: Deploy to Production Server
+        uses: appleboy/ssh-action@v1.0.3
+        with:
+          host: ${{ secrets.VPS_HOST }}
+          username: ${{ secrets.VPS_USER }}
+          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          script: |
+            cd ~/Aurora
+            
+            # Pull latest code
+            git pull origin main
+            
+            # Pull latest Docker image
+            docker compose -f docker-compose.prod.yml pull 2>/dev/null || true
+            
+            # Build and restart containers
+            docker compose -f docker-compose.prod.yml build --no-cache
+            docker compose -f docker-compose.prod.yml down
+            docker compose -f docker-compose.prod.yml up -d
+            
+            # Wait for health checks
+            sleep 15
+            
+            # Verify deployment
+            docker ps | grep aurora
+            
+            # Cleanup old images
+            docker image prune -f
+
+      - name: Verify Deployment
+        uses: appleboy/ssh-action@v1.0.3
+        with:
+          host: ${{ secrets.VPS_HOST }}
+          username: ${{ secrets.VPS_USER }}
+          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          script: |
+            # Check if app container is healthy
+            if docker ps | grep -q "aurora_app.*healthy"; then
+              echo "✅ Deployment successful - aurora_app is healthy"
+              exit 0
+            else
+              echo "⚠️ Health check pending, checking container status..."
+              docker ps | grep aurora
+              docker logs aurora_app --tail 20
+              exit 0
+            fi

Dockerfile.prod

@@ -0,0 +1,54 @@
+# =============================================================================
+# Stage 1: Dependencies & Build
+# =============================================================================
+FROM oven/bun:latest AS builder
+WORKDIR /app
+
+# Install system dependencies needed for build
+RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
+
+# Install root project dependencies
+COPY package.json bun.lock ./
+RUN bun install --frozen-lockfile
+
+# Install web project dependencies
+COPY web/package.json web/bun.lock ./web/
+RUN cd web && bun install --frozen-lockfile
+
+# Copy source code
+COPY . .
+
+# Build web assets for production
+RUN cd web && bun run build
+
+# =============================================================================
+# Stage 2: Production Runtime
+# =============================================================================
+FROM oven/bun:latest AS production
+WORKDIR /app
+
+# Create non-root user for security
+RUN groupadd --system appgroup && useradd --system --gid appgroup appuser
+
+# Copy only what's needed for production
+COPY --from=builder --chown=appuser:appgroup /app/node_modules ./node_modules
+COPY --from=builder --chown=appuser:appgroup /app/web/node_modules ./web/node_modules
+COPY --from=builder --chown=appuser:appgroup /app/web/dist ./web/dist
+COPY --from=builder --chown=appuser:appgroup /app/bot ./bot
+COPY --from=builder --chown=appuser:appgroup /app/shared ./shared
+COPY --from=builder --chown=appuser:appgroup /app/package.json .
+COPY --from=builder --chown=appuser:appgroup /app/drizzle.config.ts .
+COPY --from=builder --chown=appuser:appgroup /app/tsconfig.json .
+
+# Switch to non-root user
+USER appuser
+
+# Expose web dashboard port
+EXPOSE 3000
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
+  CMD bun -e "fetch('http://localhost:3000/api/health').then(r => r.ok ? process.exit(0) : process.exit(1)).catch(() => process.exit(1))"
+
+# Run in production mode
+CMD ["bun", "run", "bot/index.ts"]

docker-compose.prod.yml

@@ -0,0 +1,78 @@
+# Production Docker Compose Configuration
+# Usage: docker compose -f docker-compose.prod.yml up -d
+#
+# IMPORTANT: Database data is preserved in ./shared/db/data volume
+
+services:
+  db:
+    image: postgres:17-alpine
+    container_name: aurora_db
+    restart: unless-stopped
+    environment:
+      - POSTGRES_USER=${DB_USER}
+      - POSTGRES_PASSWORD=${DB_PASSWORD}
+      - POSTGRES_DB=${DB_NAME}
+    volumes:
+      # Database data - persisted across container rebuilds
+      - ./shared/db/data:/var/lib/postgresql/data
+      - ./shared/db/log:/var/log/postgresql
+    networks:
+      - internal
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready -U ${DB_USER} -d ${DB_NAME}" ]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    # Security: limit resources
+    deploy:
+      resources:
+        limits:
+          memory: 512M
+
+  app:
+    container_name: aurora_app
+    restart: unless-stopped
+    build:
+      context: .
+      dockerfile: Dockerfile.prod
+      target: production
+    image: aurora-app:latest
+    ports:
+      - "127.0.0.1:3000:3000"
+    # NO source code volumes - production image is self-contained
+    environment:
+      - NODE_ENV=production
+      - HOST=0.0.0.0
+      - DB_USER=${DB_USER}
+      - DB_PASSWORD=${DB_PASSWORD}
+      - DB_NAME=${DB_NAME}
+      - DB_PORT=5432
+      - DB_HOST=db
+      - DISCORD_BOT_TOKEN=${DISCORD_BOT_TOKEN}
+      - DISCORD_GUILD_ID=${DISCORD_GUILD_ID}
+      - DISCORD_CLIENT_ID=${DISCORD_CLIENT_ID}
+      - DATABASE_URL=postgresql://${DB_USER}:${DB_PASSWORD}@db:5432/${DB_NAME}
+    depends_on:
+      db:
+        condition: service_healthy
+    networks:
+      - internal
+      - web
+    # Security: limit resources
+    deploy:
+      resources:
+        limits:
+          memory: 1G
+    # Logging configuration
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+networks:
+  internal:
+    driver: bridge
+    internal: true # No external access - DB isolated
+  web:
+    driver: bridge # App accessible from host (via reverse proxy)

shared/scripts/deploy.sh

@@ -0,0 +1,131 @@
+#!/bin/bash
+# =============================================================================
+# Aurora Production Deployment Script
+# =============================================================================
+# Run this script to deploy the latest version of Aurora
+# Usage: bash deploy.sh
+# =============================================================================
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_DIR="$(cd "$SCRIPT_DIR/../.." && pwd)"
+
+echo -e "${GREEN}╔══════════════════════════════════════════╗${NC}"
+echo -e "${GREEN}║        Aurora Deployment Script          ║${NC}"
+echo -e "${GREEN}╚══════════════════════════════════════════╝${NC}"
+echo ""
+
+cd "$PROJECT_DIR"
+
+# =============================================================================
+# Pre-flight Checks
+# =============================================================================
+echo -e "${YELLOW}[1/5] Running pre-flight checks...${NC}"
+
+# Check if .env exists
+if [ ! -f .env ]; then
+  echo -e "${RED}Error: .env file not found${NC}"
+  exit 1
+fi
+
+# Check if Docker is running
+if ! docker info &>/dev/null; then
+  echo -e "${RED}Error: Docker is not running${NC}"
+  exit 1
+fi
+
+echo -e "  ${GREEN}✓${NC} Pre-flight checks passed"
+
+# =============================================================================
+# Backup Database (optional but recommended)
+# =============================================================================
+echo -e "${YELLOW}[2/5] Creating database backup...${NC}"
+
+BACKUP_DIR="$PROJECT_DIR/shared/db/backups"
+mkdir -p "$BACKUP_DIR"
+
+if docker ps | grep -q aurora_db; then
+  BACKUP_FILE="$BACKUP_DIR/backup_$(date +%Y%m%d_%H%M%S).sql"
+  docker exec aurora_db pg_dump -U "${DB_USER:-auroradev}" "${DB_NAME:-auroradev}" > "$BACKUP_FILE" 2>/dev/null || true
+  if [ -f "$BACKUP_FILE" ] && [ -s "$BACKUP_FILE" ]; then
+    echo -e "  ${GREEN}✓${NC} Database backed up to: $BACKUP_FILE"
+  else
+    echo -e "  ${YELLOW}⚠${NC} Database backup skipped (container not running or empty)"
+    rm -f "$BACKUP_FILE"
+  fi
+else
+  echo -e "  ${YELLOW}⚠${NC} Database backup skipped (container not running)"
+fi
+
+# =============================================================================
+# Pull Latest Code (if using git)
+# =============================================================================
+echo -e "${YELLOW}[3/5] Pulling latest code...${NC}"
+
+if [ -d .git ]; then
+  git pull origin main 2>/dev/null || git pull origin master 2>/dev/null || echo "  Skipping git pull"
+  echo -e "  ${GREEN}✓${NC} Code updated"
+else
+  echo -e "  ${YELLOW}⚠${NC} Not a git repository, skipping pull"
+fi
+
+# =============================================================================
+# Build and Deploy
+# =============================================================================
+echo -e "${YELLOW}[4/5] Building and deploying containers...${NC}"
+
+# Build the new image
+docker compose -f docker-compose.prod.yml build --no-cache
+
+# Stop and remove old containers, start new ones
+docker compose -f docker-compose.prod.yml down
+docker compose -f docker-compose.prod.yml up -d
+
+echo -e "  ${GREEN}✓${NC} Containers deployed"
+
+# =============================================================================
+# Health Check
+# =============================================================================
+echo -e "${YELLOW}[5/5] Waiting for health checks...${NC}"
+
+sleep 10
+
+# Check container status
+if docker ps | grep -q "aurora_app.*healthy"; then
+  echo -e "  ${GREEN}✓${NC} aurora_app is healthy"
+else
+  echo -e "  ${YELLOW}⚠${NC} aurora_app health check pending (may take up to 60s)"
+fi
+
+if docker ps | grep -q "aurora_db.*healthy"; then
+  echo -e "  ${GREEN}✓${NC} aurora_db is healthy"
+else
+  echo -e "  ${YELLOW}⚠${NC} aurora_db health check pending"
+fi
+
+# =============================================================================
+# Cleanup
+# =============================================================================
+echo ""
+echo -e "${YELLOW}Cleaning up old Docker images...${NC}"
+docker image prune -f
+
+# =============================================================================
+# Summary
+# =============================================================================
+echo ""
+echo -e "${GREEN}╔══════════════════════════════════════════╗${NC}"
+echo -e "${GREEN}║       Deployment Complete! 🚀            ║${NC}"
+echo -e "${GREEN}╚══════════════════════════════════════════╝${NC}"
+echo ""
+echo -e "Container Status:"
+docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep aurora
+echo ""
+echo -e "View logs with: ${YELLOW}docker logs -f aurora_app${NC}"

shared/scripts/setup-server.sh

@@ -0,0 +1,160 @@
+#!/bin/bash
+# =============================================================================
+# Server Setup Script for Aurora Production Deployment
+# =============================================================================
+# Run this script ONCE on a fresh server to configure security settings.
+# Usage: sudo bash setup-server.sh
+# =============================================================================
+
+set -e
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+echo -e "${GREEN}╔══════════════════════════════════════════╗${NC}"
+echo -e "${GREEN}║   Aurora Server Security Setup Script    ║${NC}"
+echo -e "${GREEN}╚══════════════════════════════════════════╝${NC}"
+echo ""
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then
+  echo -e "${RED}Error: Please run as root (sudo)${NC}"
+  exit 1
+fi
+
+# =============================================================================
+# 1. Create Deploy User
+# =============================================================================
+echo -e "${YELLOW}[1/5] Creating deploy user...${NC}"
+
+DEPLOY_USER="deploy"
+
+if id "$DEPLOY_USER" &>/dev/null; then
+  echo -e "  User '$DEPLOY_USER' already exists, skipping..."
+else
+  adduser --disabled-password --gecos "" $DEPLOY_USER
+  echo -e "  ${GREEN}✓${NC} Created user '$DEPLOY_USER'"
+fi
+
+# Add to docker group
+usermod -aG docker $DEPLOY_USER 2>/dev/null || groupadd docker && usermod -aG docker $DEPLOY_USER
+echo -e "  ${GREEN}✓${NC} Added '$DEPLOY_USER' to docker group"
+
+# Add to sudo group (optional - remove if you don't want sudo access)
+usermod -aG sudo $DEPLOY_USER
+echo -e "  ${GREEN}✓${NC} Added '$DEPLOY_USER' to sudo group"
+
+# Copy SSH keys from root to deploy user
+if [ -d /root/.ssh ]; then
+  mkdir -p /home/$DEPLOY_USER/.ssh
+  cp /root/.ssh/authorized_keys /home/$DEPLOY_USER/.ssh/ 2>/dev/null || true
+  chown -R $DEPLOY_USER:$DEPLOY_USER /home/$DEPLOY_USER/.ssh
+  chmod 700 /home/$DEPLOY_USER/.ssh
+  chmod 600 /home/$DEPLOY_USER/.ssh/authorized_keys 2>/dev/null || true
+  echo -e "  ${GREEN}✓${NC} Copied SSH keys to '$DEPLOY_USER'"
+fi
+
+# =============================================================================
+# 2. Configure UFW Firewall
+# =============================================================================
+echo -e "${YELLOW}[2/5] Configuring UFW firewall...${NC}"
+
+apt-get update -qq
+apt-get install -y -qq ufw
+
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow ssh
+# Add more rules as needed:
+# ufw allow 80/tcp   # HTTP
+# ufw allow 443/tcp  # HTTPS
+
+# Enable UFW (non-interactive)
+echo "y" | ufw enable
+echo -e "  ${GREEN}✓${NC} UFW firewall enabled and configured"
+
+# =============================================================================
+# 3. Install and Configure Fail2ban
+# =============================================================================
+echo -e "${YELLOW}[3/5] Installing fail2ban...${NC}"
+
+apt-get install -y -qq fail2ban
+
+# Create local jail configuration
+cat > /etc/fail2ban/jail.local << 'EOF'
+[DEFAULT]
+bantime = 1h
+findtime = 10m
+maxretry = 5
+
+[sshd]
+enabled = true
+port = ssh
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 3
+bantime = 24h
+EOF
+
+systemctl enable fail2ban
+systemctl restart fail2ban
+echo -e "  ${GREEN}✓${NC} Fail2ban installed and configured"
+
+# =============================================================================
+# 4. Harden SSH Configuration
+# =============================================================================
+echo -e "${YELLOW}[4/5] Hardening SSH configuration...${NC}"
+
+SSHD_CONFIG="/etc/ssh/sshd_config"
+
+# Backup original config
+cp $SSHD_CONFIG ${SSHD_CONFIG}.backup
+
+# Apply hardening settings
+sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' $SSHD_CONFIG
+sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' $SSHD_CONFIG
+sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' $SSHD_CONFIG
+sed -i 's/^#\?X11Forwarding.*/X11Forwarding no/' $SSHD_CONFIG
+sed -i 's/^#\?MaxAuthTries.*/MaxAuthTries 3/' $SSHD_CONFIG
+
+# Validate SSH config before restarting
+if sshd -t; then
+  systemctl reload sshd
+  echo -e "  ${GREEN}✓${NC} SSH hardened (root login disabled, password auth disabled)"
+else
+  echo -e "  ${RED}✗${NC} SSH config validation failed, restoring backup..."
+  cp ${SSHD_CONFIG}.backup $SSHD_CONFIG
+fi
+
+# =============================================================================
+# 5. System Updates
+# =============================================================================
+echo -e "${YELLOW}[5/5] Installing system updates...${NC}"
+
+apt-get upgrade -y -qq
+apt-get autoremove -y -qq
+echo -e "  ${GREEN}✓${NC} System updated"
+
+# =============================================================================
+# Summary
+# =============================================================================
+echo ""
+echo -e "${GREEN}╔══════════════════════════════════════════╗${NC}"
+echo -e "${GREEN}║          Setup Complete!                 ║${NC}"
+echo -e "${GREEN}╚══════════════════════════════════════════╝${NC}"
+echo ""
+echo -e "Next steps:"
+echo -e "  1. Update your local .env file:"
+echo -e "     ${YELLOW}VPS_USER=deploy${NC}"
+echo -e ""
+echo -e "  2. Test SSH access with the new user:"
+echo -e "     ${YELLOW}ssh deploy@<your-server-ip>${NC}"
+echo -e ""
+echo -e "  3. Deploy the application:"
+echo -e "     ${YELLOW}cd /home/deploy/Aurora && docker compose -f docker-compose.prod.yml up -d${NC}"
+echo ""
+echo -e "${RED}⚠️  IMPORTANT: Test SSH access with 'deploy' user BEFORE logging out!${NC}"
+echo -e "${RED}   Keep this root session open until you confirm 'deploy' user works.${NC}"