Merge branch 'main' of https://git.ayau.me/syntaxbullet/discord-rpg-concept

feat: Introduce production Docker and CI/CD setup, removing internal documentation and agent workflows.
2026-01-30 13:44:04 +01:00 · 2026-01-30 13:43:59 +01:00
7 changed files with 613 additions and 2 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,12 +1,26 @@
 # =============================================================================
 # Aurora Environment Configuration
 # =============================================================================
 # Copy this file to .env and update with your values
 # For production, see .env.prod.example with security recommendations
 # =============================================================================
 # Database
 # For production: use a strong password (openssl rand -base64 32)
 DB_USER=aurora
 DB_PASSWORD=aurora
 DB_NAME=aurora
 DB_PORT=5432
 DB_HOST=db
 DATABASE_URL=postgres://aurora:aurora@db:5432/aurora
 # Discord
 # Get from: https://discord.com/developers/applications
 DISCORD_BOT_TOKEN=your-discord-bot-token
 DISCORD_CLIENT_ID=your-discord-client-id
 DISCORD_GUILD_ID=your-discord-guild-id
 DATABASE_URL=postgres://aurora:aurora@db:5432/aurora
-VPS_USER=your-vps-user
+# Server (for remote access scripts)
 # Use a non-root user (see shared/scripts/setup-server.sh)
 VPS_USER=deploy
 VPS_HOST=your-vps-ip
--- a/.env.prod.example
+++ b/.env.prod.example
@@ -0,0 +1,38 @@
 # =============================================================================
 # Aurora Production Environment Template
 # =============================================================================
 # Copy this file to .env and fill in the values
 # IMPORTANT: Use strong, unique passwords in production!
 # =============================================================================
 # -----------------------------------------------------------------------------
 # Database Configuration
 # -----------------------------------------------------------------------------
 # Generate strong password: openssl rand -base64 32
 DB_USER=aurora_prod
 DB_PASSWORD=CHANGE_ME_USE_STRONG_PASSWORD
 DB_NAME=aurora_prod
 DB_PORT=5432
 DB_HOST=localhost
 # Constructed database URL (used by Drizzle)
 DATABASE_URL=postgres://${DB_USER}:${DB_PASSWORD}@localhost:${DB_PORT}/${DB_NAME}
 # -----------------------------------------------------------------------------
 # Discord Configuration
 # -----------------------------------------------------------------------------
 # Get these from Discord Developer Portal: https://discord.com/developers
 DISCORD_BOT_TOKEN=your_bot_token_here
 DISCORD_CLIENT_ID=your_client_id_here
 DISCORD_GUILD_ID=your_guild_id_here
 # -----------------------------------------------------------------------------
 # Server Configuration (for SSH deployment scripts)
 # -----------------------------------------------------------------------------
 # Use a non-root user for security!
 VPS_USER=deploy
 VPS_HOST=your_server_ip_here
 # Optional: Custom ports for remote access
 # DASHBOARD_PORT=3000
 # STUDIO_PORT=4983
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,136 @@
 # Aurora CI/CD Pipeline
 # Builds, tests, and deploys to production server
 name: Deploy to Production
 on:
  push:
    branches: [main]
  workflow_dispatch:  # Allow manual trigger
 env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}
 jobs:
  # ==========================================================================
  # Test Job
  # ==========================================================================
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Bun
        uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest
      - name: Install Dependencies
        run: bun install --frozen-lockfile
      - name: Run Tests
        run: bun test
  # ==========================================================================
  # Build Job
  # ==========================================================================
  build:
    runs-on: ubuntu-latest
    needs: test
    permissions:
      contents: read
      packages: write
    outputs:
      image_tag: ${{ steps.meta.outputs.tags }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=sha,prefix=
            type=raw,value=latest
      - name: Build and Push Docker Image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./Dockerfile.prod
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
  # ==========================================================================
  # Deploy Job
  # ==========================================================================
  deploy:
    runs-on: ubuntu-latest
    needs: build
    environment: production
    steps:
      - name: Deploy to Production Server
        uses: appleboy/ssh-action@v1.0.3
        with:
          host: ${{ secrets.VPS_HOST }}
          username: ${{ secrets.VPS_USER }}
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          script: |
            cd ~/Aurora
            # Pull latest code
            git pull origin main
            # Pull latest Docker image
            docker compose -f docker-compose.prod.yml pull 2>/dev/null || true
            # Build and restart containers
            docker compose -f docker-compose.prod.yml build --no-cache
            docker compose -f docker-compose.prod.yml down
            docker compose -f docker-compose.prod.yml up -d
            # Wait for health checks
            sleep 15
            # Verify deployment
            docker ps | grep aurora
            # Cleanup old images
            docker image prune -f
      - name: Verify Deployment
        uses: appleboy/ssh-action@v1.0.3
        with:
          host: ${{ secrets.VPS_HOST }}
          username: ${{ secrets.VPS_USER }}
          key: ${{ secrets.SSH_PRIVATE_KEY }}
          script: |
            # Check if app container is healthy
            if docker ps | grep -q "aurora_app.*healthy"; then
              echo "✅ Deployment successful - aurora_app is healthy"
              exit 0
            else
              echo "⚠️ Health check pending, checking container status..."
              docker ps | grep aurora
              docker logs aurora_app --tail 20
              exit 0
            fi
--- a/Dockerfile.prod
+++ b/Dockerfile.prod
@@ -0,0 +1,54 @@
 # =============================================================================
 # Stage 1: Dependencies & Build
 # =============================================================================
 FROM oven/bun:latest AS builder
 WORKDIR /app
 # Install system dependencies needed for build
 RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/*
 # Install root project dependencies
 COPY package.json bun.lock ./
 RUN bun install --frozen-lockfile
 # Install web project dependencies
 COPY web/package.json web/bun.lock ./web/
 RUN cd web && bun install --frozen-lockfile
 # Copy source code
 COPY . .
 # Build web assets for production
 RUN cd web && bun run build
 # =============================================================================
 # Stage 2: Production Runtime
 # =============================================================================
 FROM oven/bun:latest AS production
 WORKDIR /app
 # Create non-root user for security
 RUN groupadd --system appgroup && useradd --system --gid appgroup appuser
 # Copy only what's needed for production
 COPY --from=builder --chown=appuser:appgroup /app/node_modules ./node_modules
 COPY --from=builder --chown=appuser:appgroup /app/web/node_modules ./web/node_modules
 COPY --from=builder --chown=appuser:appgroup /app/web/dist ./web/dist
 COPY --from=builder --chown=appuser:appgroup /app/bot ./bot
 COPY --from=builder --chown=appuser:appgroup /app/shared ./shared
 COPY --from=builder --chown=appuser:appgroup /app/package.json .
 COPY --from=builder --chown=appuser:appgroup /app/drizzle.config.ts .
 COPY --from=builder --chown=appuser:appgroup /app/tsconfig.json .
 # Switch to non-root user
 USER appuser
 # Expose web dashboard port
 EXPOSE 3000
 # Health check
 HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
  CMD bun -e "fetch('http://localhost:3000/api/health').then(r => r.ok ? process.exit(0) : process.exit(1)).catch(() => process.exit(1))"
 # Run in production mode
 CMD ["bun", "run", "bot/index.ts"]
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -0,0 +1,78 @@
 # Production Docker Compose Configuration
 # Usage: docker compose -f docker-compose.prod.yml up -d
 #
 # IMPORTANT: Database data is preserved in ./shared/db/data volume
 services:
  db:
    image: postgres:17-alpine
    container_name: aurora_db
    restart: unless-stopped
    environment:
      - POSTGRES_USER=${DB_USER}
      - POSTGRES_PASSWORD=${DB_PASSWORD}
      - POSTGRES_DB=${DB_NAME}
    volumes:
      # Database data - persisted across container rebuilds
      - ./shared/db/data:/var/lib/postgresql/data
      - ./shared/db/log:/var/log/postgresql
    networks:
      - internal
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -U ${DB_USER} -d ${DB_NAME}" ]
      interval: 10s
      timeout: 5s
      retries: 5
    # Security: limit resources
    deploy:
      resources:
        limits:
          memory: 512M
  app:
    container_name: aurora_app
    restart: unless-stopped
    build:
      context: .
      dockerfile: Dockerfile.prod
      target: production
    image: aurora-app:latest
    ports:
      - "127.0.0.1:3000:3000"
    # NO source code volumes - production image is self-contained
    environment:
      - NODE_ENV=production
      - HOST=0.0.0.0
      - DB_USER=${DB_USER}
      - DB_PASSWORD=${DB_PASSWORD}
      - DB_NAME=${DB_NAME}
      - DB_PORT=5432
      - DB_HOST=db
      - DISCORD_BOT_TOKEN=${DISCORD_BOT_TOKEN}
      - DISCORD_GUILD_ID=${DISCORD_GUILD_ID}
      - DISCORD_CLIENT_ID=${DISCORD_CLIENT_ID}
      - DATABASE_URL=postgresql://${DB_USER}:${DB_PASSWORD}@db:5432/${DB_NAME}
    depends_on:
      db:
        condition: service_healthy
    networks:
      - internal
      - web
    # Security: limit resources
    deploy:
      resources:
        limits:
          memory: 1G
    # Logging configuration
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
 networks:
  internal:
    driver: bridge
    internal: true # No external access - DB isolated
  web:
    driver: bridge # App accessible from host (via reverse proxy)
--- a/shared/scripts/deploy.sh
+++ b/shared/scripts/deploy.sh
@@ -0,0 +1,131 @@
 #!/bin/bash
 # =============================================================================
 # Aurora Production Deployment Script
 # =============================================================================
 # Run this script to deploy the latest version of Aurora
 # Usage: bash deploy.sh
 # =============================================================================
 set -e
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 NC='\033[0m'
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_DIR="$(cd "$SCRIPT_DIR/../.." && pwd)"
 echo -e "${GREEN}╔══════════════════════════════════════════╗${NC}"
 echo -e "${GREEN}║        Aurora Deployment Script          ║${NC}"
 echo -e "${GREEN}╚══════════════════════════════════════════╝${NC}"
 echo ""
 cd "$PROJECT_DIR"
 # =============================================================================
 # Pre-flight Checks
 # =============================================================================
 echo -e "${YELLOW}[1/5] Running pre-flight checks...${NC}"
 # Check if .env exists
 if [ ! -f .env ]; then
  echo -e "${RED}Error: .env file not found${NC}"
  exit 1
 fi
 # Check if Docker is running
 if ! docker info &>/dev/null; then
  echo -e "${RED}Error: Docker is not running${NC}"
  exit 1
 fi
 echo -e "  ${GREEN}✓${NC} Pre-flight checks passed"
 # =============================================================================
 # Backup Database (optional but recommended)
 # =============================================================================
 echo -e "${YELLOW}[2/5] Creating database backup...${NC}"
 BACKUP_DIR="$PROJECT_DIR/shared/db/backups"
 mkdir -p "$BACKUP_DIR"
 if docker ps | grep -q aurora_db; then
  BACKUP_FILE="$BACKUP_DIR/backup_$(date +%Y%m%d_%H%M%S).sql"
  docker exec aurora_db pg_dump -U "${DB_USER:-auroradev}" "${DB_NAME:-auroradev}" > "$BACKUP_FILE" 2>/dev/null || true
  if [ -f "$BACKUP_FILE" ] && [ -s "$BACKUP_FILE" ]; then
    echo -e "  ${GREEN}✓${NC} Database backed up to: $BACKUP_FILE"
  else
    echo -e "  ${YELLOW}⚠${NC} Database backup skipped (container not running or empty)"
    rm -f "$BACKUP_FILE"
  fi
 else
  echo -e "  ${YELLOW}⚠${NC} Database backup skipped (container not running)"
 fi
 # =============================================================================
 # Pull Latest Code (if using git)
 # =============================================================================
 echo -e "${YELLOW}[3/5] Pulling latest code...${NC}"
 if [ -d .git ]; then
  git pull origin main 2>/dev/null || git pull origin master 2>/dev/null || echo "  Skipping git pull"
  echo -e "  ${GREEN}✓${NC} Code updated"
 else
  echo -e "  ${YELLOW}⚠${NC} Not a git repository, skipping pull"
 fi
 # =============================================================================
 # Build and Deploy
 # =============================================================================
 echo -e "${YELLOW}[4/5] Building and deploying containers...${NC}"
 # Build the new image
 docker compose -f docker-compose.prod.yml build --no-cache
 # Stop and remove old containers, start new ones
 docker compose -f docker-compose.prod.yml down
 docker compose -f docker-compose.prod.yml up -d
 echo -e "  ${GREEN}✓${NC} Containers deployed"
 # =============================================================================
 # Health Check
 # =============================================================================
 echo -e "${YELLOW}[5/5] Waiting for health checks...${NC}"
 sleep 10
 # Check container status
 if docker ps | grep -q "aurora_app.*healthy"; then
  echo -e "  ${GREEN}✓${NC} aurora_app is healthy"
 else
  echo -e "  ${YELLOW}⚠${NC} aurora_app health check pending (may take up to 60s)"
 fi
 if docker ps | grep -q "aurora_db.*healthy"; then
  echo -e "  ${GREEN}✓${NC} aurora_db is healthy"
 else
  echo -e "  ${YELLOW}⚠${NC} aurora_db health check pending"
 fi
 # =============================================================================
 # Cleanup
 # =============================================================================
 echo ""
 echo -e "${YELLOW}Cleaning up old Docker images...${NC}"
 docker image prune -f
 # =============================================================================
 # Summary
 # =============================================================================
 echo ""
 echo -e "${GREEN}╔══════════════════════════════════════════╗${NC}"
 echo -e "${GREEN}║       Deployment Complete! 🚀            ║${NC}"
 echo -e "${GREEN}╚══════════════════════════════════════════╝${NC}"
 echo ""
 echo -e "Container Status:"
 docker ps --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}" | grep aurora
 echo ""
 echo -e "View logs with: ${YELLOW}docker logs -f aurora_app${NC}"
--- a/shared/scripts/setup-server.sh
+++ b/shared/scripts/setup-server.sh
@@ -0,0 +1,160 @@
 #!/bin/bash
 # =============================================================================
 # Server Setup Script for Aurora Production Deployment
 # =============================================================================
 # Run this script ONCE on a fresh server to configure security settings.
 # Usage: sudo bash setup-server.sh
 # =============================================================================
 set -e
 # Colors for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 NC='\033[0m' # No Color
 echo -e "${GREEN}╔══════════════════════════════════════════╗${NC}"
 echo -e "${GREEN}║   Aurora Server Security Setup Script    ║${NC}"
 echo -e "${GREEN}╚══════════════════════════════════════════╝${NC}"
 echo ""
 # Check if running as root
 if [ "$EUID" -ne 0 ]; then
  echo -e "${RED}Error: Please run as root (sudo)${NC}"
  exit 1
 fi
 # =============================================================================
 # 1. Create Deploy User
 # =============================================================================
 echo -e "${YELLOW}[1/5] Creating deploy user...${NC}"
 DEPLOY_USER="deploy"
 if id "$DEPLOY_USER" &>/dev/null; then
  echo -e "  User '$DEPLOY_USER' already exists, skipping..."
 else
  adduser --disabled-password --gecos "" $DEPLOY_USER
  echo -e "  ${GREEN}✓${NC} Created user '$DEPLOY_USER'"
 fi
 # Add to docker group
 usermod -aG docker $DEPLOY_USER 2>/dev/null || groupadd docker && usermod -aG docker $DEPLOY_USER
 echo -e "  ${GREEN}✓${NC} Added '$DEPLOY_USER' to docker group"
 # Add to sudo group (optional - remove if you don't want sudo access)
 usermod -aG sudo $DEPLOY_USER
 echo -e "  ${GREEN}✓${NC} Added '$DEPLOY_USER' to sudo group"
 # Copy SSH keys from root to deploy user
 if [ -d /root/.ssh ]; then
  mkdir -p /home/$DEPLOY_USER/.ssh
  cp /root/.ssh/authorized_keys /home/$DEPLOY_USER/.ssh/ 2>/dev/null || true
  chown -R $DEPLOY_USER:$DEPLOY_USER /home/$DEPLOY_USER/.ssh
  chmod 700 /home/$DEPLOY_USER/.ssh
  chmod 600 /home/$DEPLOY_USER/.ssh/authorized_keys 2>/dev/null || true
  echo -e "  ${GREEN}✓${NC} Copied SSH keys to '$DEPLOY_USER'"
 fi
 # =============================================================================
 # 2. Configure UFW Firewall
 # =============================================================================
 echo -e "${YELLOW}[2/5] Configuring UFW firewall...${NC}"
 apt-get update -qq
 apt-get install -y -qq ufw
 ufw default deny incoming
 ufw default allow outgoing
 ufw allow ssh
 # Add more rules as needed:
 # ufw allow 80/tcp   # HTTP
 # ufw allow 443/tcp  # HTTPS
 # Enable UFW (non-interactive)
 echo "y" | ufw enable
 echo -e "  ${GREEN}✓${NC} UFW firewall enabled and configured"
 # =============================================================================
 # 3. Install and Configure Fail2ban
 # =============================================================================
 echo -e "${YELLOW}[3/5] Installing fail2ban...${NC}"
 apt-get install -y -qq fail2ban
 # Create local jail configuration
 cat > /etc/fail2ban/jail.local << 'EOF'
 [DEFAULT]
 bantime = 1h
 findtime = 10m
 maxretry = 5
 [sshd]
 enabled = true
 port = ssh
 filter = sshd
 logpath = /var/log/auth.log
 maxretry = 3
 bantime = 24h
 EOF
 systemctl enable fail2ban
 systemctl restart fail2ban
 echo -e "  ${GREEN}✓${NC} Fail2ban installed and configured"
 # =============================================================================
 # 4. Harden SSH Configuration
 # =============================================================================
 echo -e "${YELLOW}[4/5] Hardening SSH configuration...${NC}"
 SSHD_CONFIG="/etc/ssh/sshd_config"
 # Backup original config
 cp $SSHD_CONFIG ${SSHD_CONFIG}.backup
 # Apply hardening settings
 sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' $SSHD_CONFIG
 sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' $SSHD_CONFIG
 sed -i 's/^#\?PubkeyAuthentication.*/PubkeyAuthentication yes/' $SSHD_CONFIG
 sed -i 's/^#\?X11Forwarding.*/X11Forwarding no/' $SSHD_CONFIG
 sed -i 's/^#\?MaxAuthTries.*/MaxAuthTries 3/' $SSHD_CONFIG
 # Validate SSH config before restarting
 if sshd -t; then
  systemctl reload sshd
  echo -e "  ${GREEN}✓${NC} SSH hardened (root login disabled, password auth disabled)"
 else
  echo -e "  ${RED}✗${NC} SSH config validation failed, restoring backup..."
  cp ${SSHD_CONFIG}.backup $SSHD_CONFIG
 fi
 # =============================================================================
 # 5. System Updates
 # =============================================================================
 echo -e "${YELLOW}[5/5] Installing system updates...${NC}"
 apt-get upgrade -y -qq
 apt-get autoremove -y -qq
 echo -e "  ${GREEN}✓${NC} System updated"
 # =============================================================================
 # Summary
 # =============================================================================
 echo ""
 echo -e "${GREEN}╔══════════════════════════════════════════╗${NC}"
 echo -e "${GREEN}║          Setup Complete!                 ║${NC}"
 echo -e "${GREEN}╚══════════════════════════════════════════╝${NC}"
 echo ""
 echo -e "Next steps:"
 echo -e "  1. Update your local .env file:"
 echo -e "     ${YELLOW}VPS_USER=deploy${NC}"
 echo -e ""
 echo -e "  2. Test SSH access with the new user:"
 echo -e "     ${YELLOW}ssh deploy@<your-server-ip>${NC}"
 echo -e ""
 echo -e "  3. Deploy the application:"
 echo -e "     ${YELLOW}cd /home/deploy/Aurora && docker compose -f docker-compose.prod.yml up -d${NC}"
 echo ""
 echo -e "${RED}⚠️  IMPORTANT: Test SSH access with 'deploy' user BEFORE logging out!${NC}"
 echo -e "${RED}   Keep this root session open until you confirm 'deploy' user works.${NC}"
Author	SHA1	Message	Date
syntaxbullet	f9dafeac3b	Merge branch 'main' of https://git.ayau.me/syntaxbullet/discord-rpg-concept Some checks failed Deploy to Production / test (push) Failing after 1m27s Details Deploy to Production / build (push) Has been skipped Details Deploy to Production / deploy (push) Has been skipped Details	2026-01-30 13:44:04 +01:00
syntaxbullet	1a2bbb011c	feat: Introduce production Docker and CI/CD setup, removing internal documentation and agent workflows.	2026-01-30 13:43:59 +01:00