feat(prod): add production infrastructure management
Add `core prod` command with full production infrastructure tooling:
- `core prod status` — parallel SSH health checks across all hosts,
Galera cluster state, Redis sentinel, Docker, LB health
- `core prod setup` — Phase 1 foundation: Hetzner topology discovery,
managed LB creation, CloudNS DNS record management
- `core prod dns` — CloudNS record CRUD with idempotent EnsureRecord
- `core prod lb` — Hetzner Cloud LB status and creation
- `core prod ssh <host>` — SSH into hosts defined in infra.yaml
New packages:
- pkg/infra: config parsing, Hetzner Cloud/Robot API, CloudNS DNS API
- infra.yaml: declarative production topology (hosts, LB, DNS, SSL,
Galera, Redis, containers, S3, CDN, CI/CD, monitoring, backups)
Docker:
- Dockerfile.app (PHP 8.3-FPM, multi-stage)
- Dockerfile.web (Nginx + security headers)
- docker-compose.prod.yml (app, web, horizon, scheduler, mcp, redis, galera)
Ansible playbooks (runnable via `core deploy ansible`):
- galera-deploy.yml, redis-deploy.yml, galera-backup.yml
- inventory.yml with all production hosts
CI/CD:
- .forgejo/workflows/deploy.yml for Forgejo Actions pipeline
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-06 03:03:29 +00:00
|
|
|
# Security headers for Host UK
|
|
|
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
|
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
|
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
|
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
|
|
|
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
|