nalalangan/fiddy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a0514f0823
fiddy/docs/07_PUBLIC_LAUNCH_CHECKLIST.md
Nico a0514f0823
Some checks failed
Build & Deploy Fiddy (SSH Compose) / build (push) Failing after 1s
Details
Build & Deploy Fiddy (SSH Compose) / deploy (push) Has been skipped
Details
docs: switch active deployment runbooks from dokploy to ssh compose
2026-02-22 01:51:44 -08:00

57 lines
2.4 KiB
Markdown
Raw Blame History

# Public Launch Checklist
## A) Infrastructure Baseline
- [ ] Domain DNS points to public IP.
- [ ] Router forwards only `80` and `443`.
- [ ] Host firewall denies all inbound except `80/443` and restricted `22`.
- [ ] `SSH_ALLOW_CIDR` policy validated.
- [ ] Postgres port `5432` is not public.
## B) App and Deployment
- [ ] SSH deployment host is prepared (`/opt/fiddy`, Docker Engine, Compose plugin).
- [ ] Deploy host runtime env is configured in `/opt/fiddy/.env`:
- [ ] `DATABASE_URL`
- [ ] `DATABASE_SSL`
- [ ] `ALLOWED_DB_NAMES`
- [ ] `SESSION_COOKIE_NAME`
- [ ] `SESSION_TTL_DAYS`
- [ ] `DEBUG_API`
- [ ] Gitea Actions secrets configured:
- [ ] `REGISTRY_USER`
- [ ] `REGISTRY_PASS`
- [ ] `DEPLOY_KEY`
- [ ] `DEPLOY_HOST`
- [ ] `DEPLOY_USER`
- [ ] `DEPLOY_HEALTHCHECK_URL`
- [ ] Deploy workflow passes build/test/push/deploy.
- [ ] Deploy guard confirms `web` and `scheduler` are running.
- [ ] Post-deploy health gate passes (`scripts/wait-for-health.sh`).
- [ ] Manual smoke passes (`scripts/smoke-public-launch.sh`).
## C) Security Controls
- [ ] Existing Nginx TLS/headers/rate limits enabled (using `docker/nginx/fiddy.conf` template).
- [ ] If using NPM, `docs/08_NGINX_PROXY_MANAGER_SETUP.md` completed.
- [ ] If using NPM, Custom Location `/` includes header/request-id snippet.
- [ ] Request-id propagation enabled (`X-Request-Id` in responses).
- [ ] Server-side rate limits active (auth/write/ip limiters).
- [ ] Fail2ban or CrowdSec configured from `docker/security/`.
- [ ] No secrets/full invite codes in logs.
## D) Observability
- [ ] Loki, Promtail, Grafana, Uptime Kuma running.
- [ ] Promtail ingests `job="nginx"`.
- [ ] Dashboards show request IDs for incident triage.
- [ ] Alerts configured for 5xx/auth spikes/DB failures/resource pressure.
## E) Backup and Recovery
- [ ] Daily logical backup scheduled (`scripts/backup-postgres.sh`).
- [ ] Periodic base backup scheduled (`scripts/basebackup-postgres.sh`).
- [ ] Latest restore drill succeeded (`scripts/restore-drill-postgres.sh`).
- [ ] Drill logged (`scripts/log-restore-drill.sh` -> `docs/restore-drill-log.csv`).
- [ ] Measured RTO is acceptable.
## F) Rollback Readiness
- [ ] Previous stable image tags retained in registry (for rollback).
- [ ] Rollback runbook tested once in staging or low-risk window (SSH Compose deploy by older image tag).
- [ ] Rollback smoke check verified.
Reference in New Issue View Git Blame Copy Permalink