feat: Add complete deployment commands to Discord Bot Admin Panel guide

UPDATED: Part 2 (Create Dedicated Bot User) - Added complete systemd service configuration from Gemini - Explained what each configuration option does - After=network.target (wait for network) - Restart=on-failure (auto-restart on crash) - RestartSec=10 (10 second delay before restart) - NODE_ENV=production (production mode) UPDATED: Part 6 (Configure Nginx & SSL) - COMPLETE REWRITE - 9 comprehensive steps with detailed explanations - Step 1: Create Nginx config (proxy headers explained) - Step 2: Enable site (symlink + test + reload) - Step 3: Verify HTTP access (before SSL) - Step 4: Install Certbot (if needed) - Step 5: Obtain SSL certificate (detailed Certbot walkthrough) - Step 6: Verify HTTPS access (test redirect) - Step 7: Verify auto-renewal (90-day renewal timer) - Step 8: View final Nginx config (Certbot modifications) - Step 9: Security headers (optional hardening) Key Additions: - Explained ALL proxy headers (X-Real-IP, X-Forwarded-For, etc.) - Step-by-step Certbot prompts (what to expect) - Verification steps at each stage - Auto-renewal testing (dry-run) - Security headers with explanations - Troubleshooting: Check logs, verify DNS, test bot status What Certbot Does Automatically: - Validates domain ownership - Obtains SSL certificate - Modifies Nginx config for HTTPS - Adds HTTP → HTTPS redirect - Sets up auto-renewal systemd timer Example Outputs Included: - nginx -t success message - Certbot success message - certbot.timer status - Final Nginx config structure (2 server blocks) Security Hardening: - X-Frame-Options (prevent clickjacking) - X-Content-Type-Options (prevent MIME sniffing) - X-XSS-Protection (enable browser XSS filter) - Referrer-Policy (control referer header) Status: Deployment guide COMPLETE - Part 2: ✅ Complete (systemd service) - Part 6: ✅ Complete (Nginx + SSL) - Ready for production deployment Commands provided by: Gemini (Google AI) - March 23, 2026 Chronicler #40
2026-03-22 13:36:42 +00:00
parent 0c0d19e7f1
commit a68ff3b885
1 changed files with 248 additions and 58 deletions
--- a/docs/guides/discord-bot-admin-panel.md
+++ b/docs/guides/discord-bot-admin-panel.md
@@ -210,24 +210,36 @@ Edit the service file:
 sudo nano /etc/systemd/system/firefrost-discord-bot.service
 ```

-Update these lines:
+**Replace contents with this complete configuration:**

 ```ini
+[Unit]
+Description=Firefrost Discord Bot & Admin Panel
+After=network.target
+
 [Service]
+Type=simple
 User=firefrost-bot
 Group=firefrost-bot
 WorkingDirectory=/opt/firefrost-discord-bot
-ExecStart=/usr/bin/node /opt/firefrost-discord-bot/bot.js
-Restart=always
+ExecStart=/usr/bin/node bot.js
+Restart=on-failure
 RestartSec=10
-
-# Environment
 Environment=NODE_ENV=production

 [Install]
 WantedBy=multi-user.target
 ```

+**What this configuration does:**
+- **After=network.target:** Waits for network before starting
+- **User/Group=firefrost-bot:** Runs as dedicated user (NOT root)
+- **Restart=on-failure:** Auto-restarts if bot crashes
+- **RestartSec=10:** Waits 10 seconds before restart
+- **NODE_ENV=production:** Sets production environment
+
+Save and exit: `Ctrl+X`, `Y`, `Enter`
+
 Reload and restart:

 ```bash
@@ -1064,41 +1076,33 @@ Next: Configure Nginx & SSL (Part 6)

 ## 🌐 PART 6: CONFIGURE NGINX & SSL

+### Overview
+
+Configure Nginx reverse proxy to forward HTTPS traffic to the Node.js app, then secure with Let's Encrypt SSL certificate.
+
+**What this does:**
+- Nginx listens on port 80 (HTTP) and 443 (HTTPS)
+- Forwards traffic to Node.js app on localhost:3100
+- Let's Encrypt provides free SSL certificate
+- Auto-renews certificate every 90 days
+
+---
+
 ### Step 1: Create Nginx Configuration

 Create new site config:

 ```bash
-sudo nano /etc/nginx/sites-available/discord-bot-admin
+sudo nano /etc/nginx/sites-available/discord-bot.firefrostgaming.com
 ```

-Add this configuration:
+**Paste this complete configuration:**

 ```nginx
 server {
    listen 80;
    server_name discord-bot.firefrostgaming.com;
-    
-    # Redirect HTTP to HTTPS
-    return 301 https://$server_name$request_uri;
-}

-server {
-    listen 443 ssl http2;
-    server_name discord-bot.firefrostgaming.com;
-    
-    # SSL Configuration (Let's Encrypt)
-    ssl_certificate /etc/letsencrypt/live/discord-bot.firefrostgaming.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/discord-bot.firefrostgaming.com/privkey.pem;
-    include /etc/letsencrypt/options-ssl-nginx.conf;
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-    
-    # Security Headers
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-XSS-Protection "1; mode=block" always;
-    
-    # Proxy to Node.js app
    location / {
        proxy_pass http://localhost:3100;
        proxy_http_version 1.1;
@@ -1109,60 +1113,246 @@ server {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
-        
-        # Timeouts
-        proxy_connect_timeout 60s;
-        proxy_send_timeout 60s;
-        proxy_read_timeout 60s;
    }
 }
 ```

-Save and exit.
+**What these headers do:**
+- **X-Real-IP:** Passes client's real IP to Node.js (not Nginx's IP)
+- **X-Forwarded-For:** Shows full proxy chain
+- **X-Forwarded-Proto:** Tells app if request was HTTP or HTTPS
+- **Upgrade/Connection:** Required for WebSocket support (future-proofing)
+
+Save and exit: `Ctrl+X`, `Y`, `Enter`
+
+---

 ### Step 2: Enable Site

+Create symlink to enable the site:
+
 ```bash
-# Create symlink to enable site
-sudo ln -s /etc/nginx/sites-available/discord-bot-admin /etc/nginx/sites-enabled/
+sudo ln -s /etc/nginx/sites-available/discord-bot.firefrostgaming.com /etc/nginx/sites-enabled/
+```

-# Test Nginx configuration
+Test Nginx configuration for syntax errors:
+
+```bash
 sudo nginx -t
-# Should show: syntax is okay, test is successful
+```

-# Reload Nginx
+**Expected output:**
+```
+nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
+nginx: configuration file /etc/nginx/nginx.conf test is successful
+```
+
+If test passes, reload Nginx:
+
+```bash
 sudo systemctl reload nginx
 ```

-### Step 3: Obtain SSL Certificate
+---
+
+### Step 3: Verify HTTP Access (Before SSL)
+
+**Test that Nginx is forwarding correctly:**
+
+1. Open browser
+2. Go to: `http://discord-bot.firefrostgaming.com`
+3. Should see admin panel login screen
+
+**If you get an error:**
+- Check bot is running: `sudo systemctl status firefrost-discord-bot`
+- Check Nginx logs: `sudo tail -f /var/log/nginx/error.log`
+- Verify DNS: `dig discord-bot.firefrostgaming.com` (should show 63.143.34.217)
+
+---
+
+### Step 4: Install Certbot (If Not Already Installed)
+
+Check if Certbot is installed:

 ```bash
-# Install certbot if not already installed
-sudo apt install certbot python3-certbot-nginx -y
-
-# Obtain certificate
-sudo certbot --nginx -d discord-bot.firefrostgaming.com
-
-# Follow prompts:
-# - Enter email address
-# - Agree to Terms of Service
-# - Choose: Redirect HTTP to HTTPS (option 2)
+certbot --version
 ```

+**If not installed:**
+
+```bash
+# Install Certbot and Nginx plugin
+sudo apt update
+sudo apt install certbot python3-certbot-nginx -y
+```
+
+---
+
+### Step 5: Obtain SSL Certificate
+
+Run Certbot with Nginx plugin:
+
+```bash
+sudo certbot --nginx -d discord-bot.firefrostgaming.com
+```
+
+**Certbot will ask:**
+
+1. **Email address:** (for renewal notices)
+   - Enter Michael's email or devops@firefrostgaming.com
+
+2. **Terms of Service:** (A)gree
+   - Type `A` and press Enter
+
+3. **Share email with EFF?** (Y)es or (N)o
+   - Your choice (either is fine)
+
 **Certbot will automatically:**
- Obtain SSL certificate
- Configure Nginx SSL settings
- Set up auto-renewal
-
-### Step 4: Verify SSL
-
-Test in browser:
+- ✅ Validate domain ownership (checks DNS points to this server)
+- ✅ Obtain SSL certificate from Let's Encrypt
+- ✅ Modify Nginx config to enable HTTPS (port 443)
+- ✅ Add HTTP → HTTPS redirect
+- ✅ Set up auto-renewal (certificate renews every 90 days)

+**Expected output:**
 ```
-https://discord-bot.firefrostgaming.com
+Successfully received certificate.
+Certificate is saved at: /etc/letsencrypt/live/discord-bot.firefrostgaming.com/fullchain.pem
+Key is saved at:         /etc/letsencrypt/live/discord-bot.firefrostgaming.com/privkey.pem
+...
+Congratulations! You have successfully enabled HTTPS on https://discord-bot.firefrostgaming.com
 ```

-Should show valid SSL certificate (green lock icon).
+---
+
+### Step 6: Verify HTTPS Access
+
+Test SSL is working:
+
+1. Open browser
+2. Go to: `https://discord-bot.firefrostgaming.com`
+3. Should see:
+   - ✅ Green padlock icon (valid SSL)
+   - ✅ Admin panel login screen
+   - ✅ "Login with Discord" button
+
+**Test HTTP redirect:**
+
+1. Go to: `http://discord-bot.firefrostgaming.com` (HTTP, not HTTPS)
+2. Should automatically redirect to HTTPS version
+3. URL bar should show `https://discord-bot.firefrostgaming.com`
+
+---
+
+### Step 7: Verify Auto-Renewal
+
+Certbot sets up automatic renewal via systemd timer.
+
+**Check renewal timer status:**
+
+```bash
+sudo systemctl status certbot.timer
+```
+
+Should show: `Active: active (waiting)`
+
+**Test renewal (dry run, doesn't actually renew):**
+
+```bash
+sudo certbot renew --dry-run
+```
+
+Should show: `Congratulations, all simulated renewals succeeded`
+
+**Certificate auto-renews:** Every 90 days, systemd timer runs `certbot renew` automatically.
+
+---
+
+### Step 8: View Final Nginx Configuration
+
+Certbot modified your Nginx config to add SSL. View the changes:
+
+```bash
+cat /etc/nginx/sites-available/discord-bot.firefrostgaming.com
+```
+
+**You'll now see TWO server blocks:**
+
+1. **HTTP (port 80):** Redirects to HTTPS
+2. **HTTPS (port 443):** Proxies to Node.js with SSL
+
+**Example of Certbot's additions:**
+
+```nginx
+server {
+    listen 443 ssl;
+    server_name discord-bot.firefrostgaming.com;
+    
+    ssl_certificate /etc/letsencrypt/live/discord-bot.firefrostgaming.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/discord-bot.firefrostgaming.com/privkey.pem;
+    include /etc/letsencrypt/options-ssl-nginx.conf;
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+    
+    # ... your original location / block ...
+}
+
+server {
+    listen 80;
+    server_name discord-bot.firefrostgaming.com;
+    return 301 https://$server_name$request_uri;
+}
+```
+
+---
+
+### Step 9: Security Headers (Optional but Recommended)
+
+Add security headers to HTTPS server block:
+
+```bash
+sudo nano /etc/nginx/sites-available/discord-bot.firefrostgaming.com
+```
+
+**Add these lines inside the `server { listen 443 ssl; ... }` block:**
+
+```nginx
+    # Security Headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+```
+
+**What these do:**
+- **X-Frame-Options:** Prevents clickjacking (site can't be embedded in iframe)
+- **X-Content-Type-Options:** Prevents MIME-type sniffing attacks
+- **X-XSS-Protection:** Enables browser XSS filter
+- **Referrer-Policy:** Controls what info is sent in Referer header
+
+Save, test, reload:
+
+```bash
+sudo nginx -t
+sudo systemctl reload nginx
+```
+
+---
+
+## ✅ NGINX & SSL COMPLETE
+
+**You now have:**
+- ✅ Nginx reverse proxy forwarding to Node.js
+- ✅ Valid SSL certificate from Let's Encrypt
+- ✅ HTTPS enforced (HTTP redirects to HTTPS)
+- ✅ Auto-renewal configured (every 90 days)
+- ✅ Security headers enabled
+- ✅ Admin panel accessible at `https://discord-bot.firefrostgaming.com`
+
+**Next:** Holly's Usage Guide (Part 7)
+
+---
+
+**Configuration provided by:** Gemini (Google AI) - March 23, 2026

 ---