sboulahtit/orion
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(infra): add alerting, network segmentation, and ops docs (Steps 19-24)
All checks were successful
CI / ruff (push) Successful in 11s
Details
CI / pytest (push) Successful in 36m6s
Details
CI / validate (push) Successful in 22s
Details
CI / dependency-scanning (push) Successful in 28s
Details
CI / docs (push) Successful in 37s
Details
CI / deploy (push) Successful in 47s
Details

Browse Source 
- Prometheus alert rules (host, container, API, Celery, target-down)
- Alertmanager with email routing (critical 1h, warning 4h repeat)
- Docker network segmentation (frontend/backend/monitoring)
- Incident response runbook with 8 copy-paste runbooks
- Environment variables reference (55+ vars documented)
- Hetzner setup docs updated with Steps 19-24
- Launch readiness updated with Feb 2026 infrastructure status

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Samir Boulahtit
2026-02-15 22:06:54 +01:00
parent 1cb659e3a5
commit 4bce16fb73
9 changed files with 1845 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

379
docs/deployment/hetzner-server-setup.md
View File

@@ -90,6 +90,18 @@ Complete step-by-step guide for deploying Orion on a Hetzner Cloud VPS.
**Steps 118 fully complete.** All infrastructure operational.
!!! success "Progress — 2026-02-15 (continued)"
**Completed (Steps 1924):**
- **Step 19: Prometheus Alerting** — alert rules (host, container, API, Celery, targets) + Alertmanager with email routing
- **Step 20: Security Hardening** — Docker network segmentation (frontend/backend/monitoring), fail2ban config, unattended-upgrades
- **Step 21: Cloudflare Domain Proxy** — origin certificates, WAF, bot protection, rate limiting (documented, user deploys)
- **Step 22: Incident Response** — 8 runbooks with copy-paste commands, severity levels, decision tree
- **Step 23: Environment Reference** — all 55+ env vars documented with defaults and production requirements
- **Step 24: Documentation Updates** — hetzner docs, launch readiness, mkdocs nav updated
**Steps 124 fully complete.** Enterprise infrastructure hardening done.
## Installed Software Versions
@@ -1106,6 +1118,372 @@ docker stats --no-stream
---
## Step 19: Prometheus Alerting
Alert rules and Alertmanager for email notifications when things go wrong.
### 19.1 Architecture
```
┌──────────────┐ evaluates ┌───────────────────┐
│ Prometheus │─────────────►│ alert.rules.yml │
│ :9090 │ │ (host, container, │
│ │ │ API, Celery) │
└──────┬───────┘ └───────────────────┘
│ fires alerts
┌──────▼───────┐
│ Alertmanager │──── email ──► admin@wizard.lu
│ :9093 │
└──────────────┘
```
### 19.2 Alert Rules
Alert rules are defined in `monitoring/prometheus/alert.rules.yml`:
| Group | Alert | Condition | Severity |
|---|---|---|---|
| Host | HostHighCpuUsage | CPU >80% for 5m | warning |
| Host | HostHighMemoryUsage | Memory >85% for 5m | warning |
| Host | HostHighDiskUsage | Disk >80% | warning |
| Host | HostDiskFullPrediction | Disk full within 4h | critical |
| Containers | ContainerHighRestartCount | >3 restarts/hour | critical |
| Containers | ContainerOomKilled | Any OOM kill | critical |
| Containers | ContainerHighCpu | >80% CPU for 5m | warning |
| API | ApiHighErrorRate | 5xx rate >1% for 5m | critical |
| API | ApiHighLatency | P95 >2s for 5m | warning |
| API | ApiHealthCheckDown | Health check failing 1m | critical |
| Celery | CeleryQueueBacklog | >100 tasks for 10m | warning |
| Prometheus | TargetDown | Any target down 2m | critical |
### 19.3 Alertmanager Configuration
Alertmanager config is in `monitoring/alertmanager/alertmanager.yml`:
- **Critical alerts**: repeat every 1 hour
- **Warning alerts**: repeat every 4 hours
- Groups by `alertname` + `severity`, 30s wait, 5m interval
- Inhibition: warnings suppressed when critical is already firing for same alert
!!! warning "Configure SMTP before deploying"
Edit `monitoring/alertmanager/alertmanager.yml` and fill in the SMTP settings (host, username, password, recipient email). Alertmanager will start but won't send emails until SMTP is configured.
### 19.4 Docker Compose Changes
The `docker-compose.yml` includes:
- `alertmanager` service: `prom/alertmanager:latest`, profiles: [full], port 127.0.0.1:9093, mem_limit: 32m
- `prometheus` volumes: mounts `alert.rules.yml` as read-only
- `prometheus.yml`: `alerting:` section pointing to alertmanager:9093, `rule_files:` for alert rules, new scrape job for alertmanager
### 19.5 Deploy
```bash
cd ~/apps/orion
docker compose --profile full up -d
```
### 19.6 Verification
```bash
# Alertmanager healthy
curl -s http://localhost:9093/-/healthy
# Alert rules loaded
curl -s http://localhost:9090/api/v1/rules | python3 -m json.tool | head -20
# Active alerts (should be empty if all is well)
curl -s http://localhost:9090/api/v1/alerts | python3 -m json.tool
# Alertmanager target in Prometheus
curl -s http://localhost:9090/api/v1/targets | python3 -m json.tool | grep alertmanager
```
---
## Step 20: Security Hardening
Docker network segmentation, fail2ban configuration, and automatic security updates.
### 20.1 Docker Network Segmentation
Three isolated networks replace the default flat network:
| Network | Purpose | Services |
|---|---|---|
| `orion_frontend` | External-facing | api |
| `orion_backend` | Database + workers | db, redis, api, celery-worker, celery-beat, flower |
| `orion_monitoring` | Metrics collection | api, prometheus, grafana, node-exporter, cadvisor, alertmanager |
The `api` service is on all three networks because it needs to:
- Serve HTTP traffic (frontend)
- Connect to database and Redis (backend)
- Expose `/metrics` to Prometheus (monitoring)
This is already configured in the updated `docker-compose.yml`. After deploying, verify:
```bash
docker network ls | grep orion
# Expected: orion_frontend, orion_backend, orion_monitoring
```
### 20.2 fail2ban Configuration
fail2ban is already installed (Step 3) but needs jail configuration.
**SSH jail** — create `/etc/fail2ban/jail.local`:
```ini
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400
findtime = 600
```
**Caddy auth filter** — create `/etc/fail2ban/filter.d/caddy-auth.conf`:
```ini
[Definition]
failregex = ^.*"remote_ip":"<HOST>".*"status":(401|403).*$
ignoreregex =
```
**Caddy jail** — create `/etc/fail2ban/jail.d/caddy.conf`:
```ini
[caddy-auth]
enabled = true
port = http,https
filter = caddy-auth
logpath = /var/log/caddy/access.log
maxretry = 10
bantime = 3600
findtime = 600
```
!!! note "Caddy access logging"
For the Caddy jail to work, enable access logging in your Caddyfile by adding `log` directives that write to `/var/log/caddy/access.log` in JSON format. See [Caddy logging docs](https://caddyserver.com/docs/caddyfile/directives/log).
Restart fail2ban:
```bash
sudo systemctl restart fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd
```
### 20.3 Unattended Security Upgrades
Install and enable automatic security updates:
```bash
sudo apt install -y unattended-upgrades apt-listchanges
sudo dpkg-reconfigure -plow unattended-upgrades
```
This enables security-only updates with automatic reboot disabled (safe default). Verify:
```bash
sudo unattended-upgrades --dry-run 2>&1 | head -10
cat /etc/apt/apt.conf.d/20auto-upgrades
```
Expected `20auto-upgrades` content:
```
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
```
### 20.4 Verification
```bash
# fail2ban jails active
sudo fail2ban-client status sshd
# Docker networks exist
docker network ls | grep orion
# Unattended upgrades configured
sudo unattended-upgrades --dry-run 2>&1 | head
```
---
## Step 21: Cloudflare Domain Proxy
Move DNS to Cloudflare for WAF, DDoS protection, and CDN. This step involves DNS propagation — do it during a maintenance window.
!!! warning "DNS changes affect all services"
Moving nameservers involves propagation delay (minutes to hours). Plan for brief interruption. Do this step last, after Steps 1920 are verified.
### 21.1 Pre-Migration: Record Email DNS
Before changing nameservers, document all email-related DNS records:
```bash
# Run for each domain (wizard.lu, omsflow.lu, rewardflow.lu)
dig wizard.lu MX +short
dig wizard.lu TXT +short
dig _dmarc.wizard.lu TXT +short
dig default._domainkey.wizard.lu TXT +short # DKIM selector may vary
```
Save the output — you'll need to verify these exist after Cloudflare import.
### 21.2 Add Domains to Cloudflare
1. Log in to [Cloudflare Dashboard](https://dash.cloudflare.com)
2. **Add a site** for each domain: `wizard.lu`, `omsflow.lu`, `rewardflow.lu`
3. Cloudflare auto-scans and imports existing DNS records
4. **Verify MX/SPF/DKIM/DMARC records are present** before changing NS
5. Email records must stay as **DNS-only (grey cloud)** — never proxy MX records
### 21.3 Change Nameservers
At your domain registrar, update NS records to Cloudflare's assigned nameservers. Cloudflare will show which NS to use (e.g., `ns1.cloudflare.com`, `ns2.cloudflare.com`).
### 21.4 Generate Origin Certificates
Cloudflare Origin Certificates (free, 15-year validity) avoid ACME challenge issues when traffic is proxied:
1. In Cloudflare: **SSL/TLS** > **Origin Server** > **Create Certificate**
2. Generate for `*.wizard.lu, wizard.lu` (repeat for each domain)
3. Download the certificate and private key
Install on the server:
```bash
sudo mkdir -p /etc/caddy/certs/{wizard.lu,omsflow.lu,rewardflow.lu}
# Copy cert.pem and key.pem to each directory
sudo chown -R caddy:caddy /etc/caddy/certs/
sudo chmod 600 /etc/caddy/certs/*/key.pem
```
### 21.5 Update Caddyfile
For Cloudflare-proxied domains, use explicit TLS with origin certs. Keep auto-HTTPS for `git.wizard.lu` (DNS-only, grey cloud):
```caddy
# ─── Cloudflare-proxied domains (origin certs) ──────────
wizard.lu {
tls /etc/caddy/certs/wizard.lu/cert.pem /etc/caddy/certs/wizard.lu/key.pem
reverse_proxy localhost:8001
}
omsflow.lu {
tls /etc/caddy/certs/omsflow.lu/cert.pem /etc/caddy/certs/omsflow.lu/key.pem
reverse_proxy localhost:8001
}
rewardflow.lu {
tls /etc/caddy/certs/rewardflow.lu/cert.pem /etc/caddy/certs/rewardflow.lu/key.pem
reverse_proxy localhost:8001
}
api.wizard.lu {
tls /etc/caddy/certs/wizard.lu/cert.pem /etc/caddy/certs/wizard.lu/key.pem
reverse_proxy localhost:8001
}
flower.wizard.lu {
tls /etc/caddy/certs/wizard.lu/cert.pem /etc/caddy/certs/wizard.lu/key.pem
reverse_proxy localhost:5555
}
grafana.wizard.lu {
tls /etc/caddy/certs/wizard.lu/cert.pem /etc/caddy/certs/wizard.lu/key.pem
reverse_proxy localhost:3001
}
# ─── DNS-only domain (auto-HTTPS via Let's Encrypt) ─────
git.wizard.lu {
reverse_proxy localhost:3000
}
```
Restart Caddy:
```bash
sudo systemctl restart caddy
sudo systemctl status caddy
```
### 21.6 Cloudflare Settings (per domain)
| Setting | Value |
|---|---|
| SSL mode | Full (Strict) |
| Always Use HTTPS | On |
| WAF Managed Rules | On |
| Bot Fight Mode | On |
| Rate Limiting | 100 req/min on `/api/*` |
### 21.7 Production Environment
Add to `~/apps/orion/.env`:
```bash
CLOUDFLARE_ENABLED=true
```
### 21.8 Verification
```bash
# CF proxy active (look for cf-ray header)
curl -I https://wizard.lu | grep cf-ray
# DNS resolves to Cloudflare IPs (not 91.99.65.229)
dig wizard.lu +short
# All domains responding
curl -I https://omsflow.lu
curl -I https://rewardflow.lu
curl -I https://api.wizard.lu/health
# git.wizard.lu still on Let's Encrypt (not CF)
curl -I https://git.wizard.lu
```
!!! info "`git.wizard.lu` stays DNS-only"
The Gitea instance uses SSH on port 2222 for git operations. Cloudflare proxy only supports HTTP/HTTPS, so `git.wizard.lu` must remain as DNS-only (grey cloud) with Let's Encrypt auto-SSL via Caddy.
---
## Step 22: Incident Response Runbook
A comprehensive incident response runbook is available at [Incident Response](incident-response.md). It includes:
- **Severity levels**: SEV-1 (platform down, <15min), SEV-2 (feature broken, <1h), SEV-3 (minor, <4h)
- **Quick diagnosis decision tree**: SSH → Docker → containers → Caddy → DNS
- **8 runbooks** with copy-paste commands for common incidents
- **Post-incident report template**
- **Monitoring URLs** quick reference
---
## Step 23: Environment Reference
A complete environment variables reference is available at [Environment Variables](environment.md). It documents all 55+ configuration variables from `app/core/config.py`, grouped by category with defaults and production requirements.
---
## Step 24: Documentation Updates
This document has been updated with Steps 1924. Additional documentation changes:
- `docs/deployment/incident-response.md` — new incident response runbook
- `docs/deployment/environment.md` — complete env var reference (was empty)
- `docs/deployment/launch-readiness.md` — updated with Feb 2026 infrastructure status
- `mkdocs.yml` — incident-response.md added to nav
---
## Domain & Port Reference
| Service | Internal Port | External Port | Domain (via Caddy) |
@@ -1122,6 +1500,7 @@ docker stats --no-stream
| Grafana | 3000 | 3001 (localhost) | `grafana.wizard.lu` |
| Node Exporter | 9100 | 9100 (localhost) | (internal only) |
| cAdvisor | 8080 | 8080 (localhost) | (internal only) |
| Alertmanager | 9093 | 9093 (localhost) | (internal only) |
| Caddy | — | 80, 443 | (reverse proxy) |
!!! note "Single backend, multiple domains"