feat: add deploy cookbook and scripts

Author: Bulletdev

deploy/README.md

@@ -0,0 +1,84 @@
+# Deploy Files
+
+Este diretório contém todos os arquivos necessários para deploy em produção e staging.
+
+## Estrutura
+
+```
+deploy/
+├── nginx/              # Configurações Nginx
+│   ├── nginx.conf      # Config principal
+│   └── conf.d/         # Server configs
+│       └── prostaff.conf
+├── postgres/           # Scripts PostgreSQL
+│   └── init/           # Scripts de inicialização
+├── scripts/            # Scripts de manutenção
+│   ├── docker-entrypoint.sh
+│   └── backup.sh
+├── ssl/                # Certificados SSL (não commitar!)
+├── staging/            # Configs específicas de staging
+└── production/         # Configs específicas de production
+
+## Arquivos Importantes
+
+- `SECRETS_SETUP.md` - Guia de configuração de secrets
+- `../DEPLOYMENT.md` - Guia completo de deployment
+- `../.env.staging.example` - Exemplo de variáveis staging
+- `../.env.production.example` - Exemplo de variáveis production
+- `../docker-compose.production.yml` - Docker Compose para produção
+
+## Quick Start
+
+### 1. Preparar Servidor
+
+```bash
+# Clone o repositório
+git clone https://github.com/seu-usuario/prostaff-api.git
+cd prostaff-api
+
+# Copiar ambiente
+cp .env.staging.example .env
+nano .env  # Configurar
+```
+
+### 2. Configurar SSL
+
+```bash
+# Copiar certificados Let's Encrypt
+sudo cp /etc/letsencrypt/live/staging-api.prostaff.gg/fullchain.pem deploy/ssl/staging-fullchain.pem
+sudo cp /etc/letsencrypt/live/staging-api.prostaff.gg/privkey.pem deploy/ssl/staging-privkey.pem
+```
+
+### 3. Deploy
+
+```bash
+# Build e iniciar
+docker-compose -f docker-compose.production.yml up -d
+
+# Ver logs
+docker-compose -f docker-compose.production.yml logs -f
+
+# Verificar saúde
+curl https://staging-api.prostaff.gg/up
+```
+
+## Manutenção
+
+```bash
+# Backup
+docker-compose -f docker-compose.production.yml run --rm backup
+
+# Logs
+docker-compose -f docker-compose.production.yml logs -f api
+
+# Restart
+docker-compose -f docker-compose.production.yml restart
+
+# Atualizar
+git pull
+docker-compose -f docker-compose.production.yml up -d --build
+```
+
+## Suporte
+
+Ver documentação completa em [DEPLOYMENT.md](../DOCS/deployment/DEPLOYMENT.md)

deploy/SECRETS_SETUP.md

@@ -0,0 +1,127 @@
+# Configuração de Secrets e Variáveis
+
+Guia para configurar todos os secrets necessários para deploy em produção.
+
+## GitHub Secrets
+
+Configure estes secrets no GitHub (Settings → Secrets and variables → Actions):
+
+### Staging Environment
+
+```
+STAGING_HOST=staging-api.prostaff.gg
+STAGING_USER=deploy
+STAGING_SSH_KEY=<SSH private key content>
+STAGING_ENV=<Conteúdo completo do .env>
+```
+
+### Production Environment
+
+```
+PRODUCTION_HOST=api.prostaff.gg
+PRODUCTION_USER=deploy
+PRODUCTION_SSH_KEY=<SSH private key content>
+PRODUCTION_ENV=<Conteúdo completo do .env>
+```
+
+### Geral
+
+```
+DOCKER_USERNAME=<seu_usuario_dockerhub>
+DOCKER_PASSWORD=<seu_token_dockerhub>
+```
+
+## Gerar Secrets Fortes
+
+```bash
+# SECRET_KEY_BASE, JWT_SECRET_KEY, etc.
+bundle exec rails secret
+
+# Ou usando OpenSSL
+openssl rand -hex 64
+
+# Senha de banco de dados (32 caracteres)
+openssl rand -base64 32
+```
+
+## Configurar SSH para Deploy
+
+```bash
+# No seu computador local
+ssh-keygen -t ed25519 -C "deploy@prostaff-api"
+
+# Copiar chave pública para o servidor
+ssh-copy-id -i ~/.ssh/id_ed25519.pub deploy@api.prostaff.gg
+
+# Adicionar chave privada ao GitHub Secrets
+cat ~/.ssh/id_ed25519  # Copiar conteúdo completo
+```
+
+## Variáveis de Ambiente Obrigatórias
+
+### Application
+- `RAILS_ENV` - Ambiente (staging/production)
+- `SECRET_KEY_BASE` - Secret para sessions
+- `JWT_SECRET_KEY` - Secret para JWT tokens
+
+### Database
+- `DATABASE_URL` - URL completa de conexão PostgreSQL
+- `POSTGRES_USER` - Usuário do banco
+- `POSTGRES_PASSWORD` - Senha forte do banco
+- `POSTGRES_DB` - Nome do banco
+
+### Redis
+- `REDIS_URL` - URL de conexão Redis
+- `REDIS_PASSWORD` - Senha do Redis
+
+### External APIs
+- `RIOT_API_KEY` - API key da Riot Games
+
+### Email
+- `SMTP_ADDRESS` - Servidor SMTP
+- `SMTP_USERNAME` - Usuário SMTP
+- `SMTP_PASSWORD` - Senha SMTP
+
+### Storage (AWS S3)
+- `AWS_ACCESS_KEY_ID` - Access key da AWS
+- `AWS_SECRET_ACCESS_KEY` - Secret key da AWS
+- `AWS_REGION` - Região (ex: us-east-1)
+- `AWS_S3_BUCKET` - Nome do bucket
+
+### Monitoring (Opcional)
+- `SENTRY_DSN` - DSN do Sentry para error tracking
+
+## Verificar Configuração
+
+```bash
+# Testar conexão SSH
+ssh deploy@api.prostaff.gg
+
+# Verificar variáveis de ambiente no servidor
+docker-compose -f docker-compose.production.yml exec api env | sort
+
+# Testar conexão com banco
+docker-compose -f docker-compose.production.yml exec api bundle exec rails db:migrate:status
+
+# Testar Redis
+docker-compose -f docker-compose.production.yml exec redis redis-cli ping
+```
+
+## Rotação de Secrets
+
+Recomendação: Rotacionar secrets a cada 90 dias.
+
+```bash
+# 1. Gerar novos secrets
+NEW_SECRET=$(openssl rand -hex 64)
+
+# 2. Atualizar .env no servidor
+nano .env  # Adicionar novo secret
+
+# 3. Restart gradual dos serviços
+docker-compose -f docker-compose.production.yml restart api
+
+# 4. Validar funcionamento
+
+# 5. Remover secret antigo do .env
+```

deploy/nginx/conf.d/prostaff.conf

@@ -0,0 +1,133 @@
+# ProStaff API - Nginx Server Configuration
+
+# HTTP - Redirect to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name api.prostaff.gg staging-api.prostaff.gg;
+
+    # Health check endpoint (HTTP OK)
+    location /health {
+        access_log off;
+        return 200 "healthy\n";
+        add_header Content-Type text/plain;
+    }
+
+    # Redirect all other traffic to HTTPS
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+}
+
+# HTTPS - Production
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name api.prostaff.gg;
+
+    # SSL Configuration
+    ssl_certificate /etc/nginx/ssl/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # HSTS
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    # Logs
+    access_log /var/log/nginx/prostaff-access.log main;
+    error_log /var/log/nginx/prostaff-error.log warn;
+
+    # Root directory
+    root /app/public;
+
+    # Rate limiting
+    limit_req zone=api burst=50 nodelay;
+
+    # Serve static files directly
+    location ~ ^/(assets|packs|images|javascripts|stylesheets|system)/ {
+        gzip_static on;
+        expires max;
+        add_header Cache-Control public;
+        access_log off;
+        try_files $uri @app;
+    }
+
+    # Health check
+    location /up {
+        proxy_pass http://prostaff_api;
+        proxy_set_header Host $host;
+        access_log off;
+    }
+
+    # API Documentation (Swagger)
+    location /api-docs {
+        proxy_pass http://prostaff_api;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # Proxy to Rails app
+    location / {
+        proxy_pass http://prostaff_api;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Port $server_port;
+        
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+        
+        # Buffering
+        proxy_buffering on;
+        proxy_buffer_size 4k;
+        proxy_buffers 8 4k;
+        
+        # WebSocket support
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+
+    # Error pages
+    error_page 500 502 503 504 /500.html;
+    location = /500.html {
+        root /app/public;
+        internal;
+    }
+}
+
+# HTTPS - Staging
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name staging-api.prostaff.gg;
+
+    # SSL Configuration (same as production)
+    ssl_certificate /etc/nginx/ssl/staging-fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/staging-privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+
+    # Rest of config same as production
+    root /app/public;
+    access_log /var/log/nginx/staging-access.log main;
+    error_log /var/log/nginx/staging-error.log warn;
+
+    location / {
+        proxy_pass http://prostaff_api;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}