|
| 1 | +# Ward Protocol - Infrastructure Documentation |
| 2 | + |
| 3 | +## Production Environment |
| 4 | + |
| 5 | +| Component | Details | |
| 6 | +|-----------|---------| |
| 7 | +| **Server** | DigitalOcean 1vCPU / 1GB RAM / 25GB SSD | |
| 8 | +| **OS** | Ubuntu 24.04 LTS | |
| 9 | +| **Runtime** | Python 3.12, FastAPI + Uvicorn | |
| 10 | +| **Database** | PostgreSQL 16 | |
| 11 | +| **Reverse Proxy** | Nginx with SSL termination | |
| 12 | +| **SSL** | Let's Encrypt (auto-renewal via certbot) | |
| 13 | +| **Domain** | api.wardprotocol.org | |
| 14 | +| **XRPL** | Testnet integration | |
| 15 | + |
| 16 | +## Security Hardening |
| 17 | + |
| 18 | +### Firewall (UFW) |
| 19 | +- Default deny incoming |
| 20 | +- Allowed: SSH (22), HTTP (80), HTTPS (443) |
| 21 | +- All other ports blocked |
| 22 | + |
| 23 | +### SSH |
| 24 | +- Password authentication disabled |
| 25 | +- Key-only authentication |
| 26 | +- Max 3 auth attempts per connection |
| 27 | +- Root login restricted to key-only |
| 28 | + |
| 29 | +### Fail2ban |
| 30 | +- SSH jail: 3 failures → 2-hour ban |
| 31 | +- Nginx rate limit jail: 10 failures → 1-hour ban |
| 32 | +- Auto-starts on boot |
| 33 | + |
| 34 | +### Nginx |
| 35 | +- Rate limiting: 10 req/s per IP (burst 20) |
| 36 | +- Gzip compression enabled |
| 37 | +- Security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy) |
| 38 | +- Server tokens hidden |
| 39 | +- SSL/TLS with Let's Encrypt |
| 40 | + |
| 41 | +### API Security |
| 42 | +- API key authentication required |
| 43 | +- Rate limiting per endpoint tier |
| 44 | +- Security headers middleware |
| 45 | +- CORS configuration |
| 46 | + |
| 47 | +## Reliability |
| 48 | + |
| 49 | +### Memory Management |
| 50 | +- 2GB swap file configured |
| 51 | +- Swappiness tuned to 10 (prefer RAM) |
| 52 | +- Prevents OOM kills on 1GB instance |
| 53 | + |
| 54 | +### Automated Backups |
| 55 | +- Daily PostgreSQL dumps at 03:00 UTC |
| 56 | +- 7-day retention policy |
| 57 | +- Stored at /opt/backups/ |
| 58 | + |
| 59 | +### Service Management |
| 60 | +- systemd service with auto-restart |
| 61 | +- Log rotation (14-day retention) |
| 62 | +- SSL auto-renewal (certbot timer) |
| 63 | + |
| 64 | +## Monitoring |
| 65 | +```bash |
| 66 | +# Service status |
| 67 | +systemctl status ward-protocol |
| 68 | + |
| 69 | +# API health |
| 70 | +curl https://api.wardprotocol.org/health |
| 71 | + |
| 72 | +# Fail2ban status |
| 73 | +fail2ban-client status sshd |
| 74 | + |
| 75 | +# Recent logs |
| 76 | +journalctl -u ward-protocol --since "1 hour ago" |
| 77 | + |
| 78 | +# Backup status |
| 79 | +ls -la /opt/backups/*.sql.gz |
| 80 | +``` |
| 81 | + |
| 82 | +## Deployment |
| 83 | +```bash |
| 84 | +cd /opt/ward-protocol |
| 85 | +source venv/bin/activate |
| 86 | +git pull origin main |
| 87 | +sudo systemctl restart ward-protocol |
| 88 | +``` |
0 commit comments