nalalangan/fiddy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8b13de34fe
fiddy/docs/07_PUBLIC_LAUNCH_CHECKLIST.md
Nico a0514f0823
Some checks failed
Build & Deploy Fiddy (SSH Compose) / build (push) Failing after 1s
Details
Build & Deploy Fiddy (SSH Compose) / deploy (push) Has been skipped
Details
docs: switch active deployment runbooks from dokploy to ssh compose
2026-02-22 01:51:44 -08:00

2.4 KiB
Raw Blame History

Public Launch Checklist

A) Infrastructure Baseline

  • Domain DNS points to public IP.
  • Router forwards only 80 and 443.
  • Host firewall denies all inbound except 80/443 and restricted 22.
  • SSH_ALLOW_CIDR policy validated.
  • Postgres port 5432 is not public.

B) App and Deployment

  • SSH deployment host is prepared (/opt/fiddy, Docker Engine, Compose plugin).
  • Deploy host runtime env is configured in /opt/fiddy/.env:
    • DATABASE_URL
    • DATABASE_SSL
    • ALLOWED_DB_NAMES
    • SESSION_COOKIE_NAME
    • SESSION_TTL_DAYS
    • DEBUG_API
  • Gitea Actions secrets configured:
    • REGISTRY_USER
    • REGISTRY_PASS
    • DEPLOY_KEY
    • DEPLOY_HOST
    • DEPLOY_USER
    • DEPLOY_HEALTHCHECK_URL
  • Deploy workflow passes build/test/push/deploy.
  • Deploy guard confirms web and scheduler are running.
  • Post-deploy health gate passes (scripts/wait-for-health.sh).
  • Manual smoke passes (scripts/smoke-public-launch.sh).

C) Security Controls

  • Existing Nginx TLS/headers/rate limits enabled (using docker/nginx/fiddy.conf template).
  • If using NPM, docs/08_NGINX_PROXY_MANAGER_SETUP.md completed.
  • If using NPM, Custom Location / includes header/request-id snippet.
  • Request-id propagation enabled (X-Request-Id in responses).
  • Server-side rate limits active (auth/write/ip limiters).
  • Fail2ban or CrowdSec configured from docker/security/.
  • No secrets/full invite codes in logs.

D) Observability

  • Loki, Promtail, Grafana, Uptime Kuma running.
  • Promtail ingests job="nginx".
  • Dashboards show request IDs for incident triage.
  • Alerts configured for 5xx/auth spikes/DB failures/resource pressure.

E) Backup and Recovery

  • Daily logical backup scheduled (scripts/backup-postgres.sh).
  • Periodic base backup scheduled (scripts/basebackup-postgres.sh).
  • Latest restore drill succeeded (scripts/restore-drill-postgres.sh).
  • Drill logged (scripts/log-restore-drill.sh -> docs/restore-drill-log.csv).
  • Measured RTO is acceptable.

F) Rollback Readiness

  • Previous stable image tags retained in registry (for rollback).
  • Rollback runbook tested once in staging or low-risk window (SSH Compose deploy by older image tag).
  • Rollback smoke check verified.