tenseleyflow/shithub / 824c62d

+# Cutover checklist

+

+The S40 launch checklist. Walk it top-to-bottom on cutover day;

+do not skip steps. Each box has a verification command or a

+visual check.

+

+> **Time-box.** A clean run is ~45 min from "ssh in" to "signup

+> open." Budget 90 min; stop and back out if you hit ~2 hours.

+

+## T-7 days

+

+- [ ] DNS A/AAAA for `shithub.example` published with low TTL

+      (300s) so cutover-day changes propagate fast. Verify:

+      `dig +short A shithub.example`.

+- [ ] DNS CNAME for `docs.shithub.example` published.

+- [ ] Postmark domain verified; SPF/DKIM/DMARC aligned. Verify:

+      Postmark dashboard → Domains → green.

+- [ ] Signup-throttle config reviewed; per-IP and per-/24

+      ceilings tuned for the announcement bump.

+- [ ] Monitoring alerts wired to the on-call's Telegram + SMS.

+      Test by triggering a synthetic `BackupOverdue` alert via

+      Alertmanager API and confirming it pages.

+- [ ] Rollback rehearsed on staging:

+      `git checkout v0.999 && make deploy ANSIBLE_INVENTORY=staging`.

+

+## T-48 hours

+

+- [ ] Last DNS change committed. Cutover after 48h ensures no

+      propagation lag.

+- [ ] S37 backup-restore drill green within last 7 days.

+- [ ] S38 docs deploy verified; `https://docs.shithub.example/`

+      returns 200.

+- [ ] S39 P0/P1 bugs closed.

+- [ ] Tag the release commit:

+      ```sh

+      git tag -a v1.0.0 -m "v1.0.0 — launch"

+      git push origin v1.0.0

+      ```

+

+## T-1 hour

+

+- [ ] On-call has phone + laptop reachable.

+- [ ] Status page updated to "Cutover in progress" (manual edit

+      to `docs/public/status.md`, push, sync to docs bucket).

+- [ ] `caddy_use_acme_staging=false` in production inventory

+      (so the cutover doesn't accidentally fall back to LE

+      staging).

+

+## T-0: cutover

+

+```sh

+# 1. Pull the v1.0.0 tag.

+git fetch --tags

+git checkout v1.0.0

+

+# 2. Dry-run to confirm exactly what will change.

+make deploy-check ANSIBLE_INVENTORY=production

+

+# 3. Apply. Expect ~10s downtime as the web service restarts.

+make deploy ANSIBLE_INVENTORY=production

+```

+

+The Ansible run includes `shithubd migrate up` as the web

+service's `ExecStartPre`. New migrations run as part of the

+restart; the unit stays in `activating` until they complete.

+

+Watch:

+

+```sh

+ssh web-01

+journalctl -fu shithubd-web

+```

+

+## Smoke

+

+Run the smoke script as soon as the deploy reports `ok=N

+changed=N failed=0`:

+

+```sh

+deploy/cutover/smoke.sh https://shithub.example

+```

+

+The script exercises: home page, signup form, login form, health

+endpoints, docs subdomain, a representative API call. Exits

+non-zero on any 5xx or unexpected response shape.

+

+## Bootstrap-admin

+

+```sh

+ssh web-01

+sudo -u shithub /usr/local/bin/shithubd admin bootstrap-admin \

+     --email you@yourdomain

+```

+

+The CLI prints a one-time password-reset link. Open in a browser,

+set a password, **immediately enable 2FA** (Settings → Account

+security).

+

+## Open signup

+

+If signup was gated behind a feature flag during the pre-launch

+build:

+

+```sh

+ssh web-01

+sudo systemctl edit shithubd-web --full

+# remove SHITHUB_AUTH__SIGNUP_DISABLED=true (or set to false)

+sudo systemctl restart shithubd-web

+```

+

+Otherwise signup is already on; verify via the signup form

+returning 200 + a valid CSRF token.

+

+## Mirror to GitHub

+

+Set up the one-way mirror so the GitHub mirror keeps receiving

+pushes:

+

+```sh

+# On the web host, as the shithub user:

+cd /data/repos/shithub/shithub.git

+git remote add github https://github.com/tenseleyFlow/shithub.git

+# Add the mirror push to the periodic worker job (covered by

+# the worker config; the mirror job kind = "git.mirror_push").

+```

+

+Confirm a test push lands on both:

+

+```sh

+git clone https://shithub.example/shithub/shithub.git /tmp/test-clone

+cd /tmp/test-clone

+echo "launch test" >> .launch-test

+git add .launch-test

+git commit -m "launch smoke push"

+git push origin trunk

+# Wait ~60s for the mirror job to run, then confirm on GitHub:

+git ls-remote https://github.com/tenseleyFlow/shithub.git trunk

+```

+

+## Status page

+

+Update `docs/public/status.md` to "All systems normal." with the

+current timestamp; push, sync to docs bucket.

+

+## Announcement

+

+Schedule the announcement post for **Tuesday 09:00 ET** (or your

+chosen window). Submit to:

+

+- [ ] Hacker News: title + URL only; first comment is the

+      "What is shithub?" intro.

+- [ ] /r/programming, /r/selfhosted: link + summary, follow

+      subreddit rules.

+- [ ] lobste.rs: title + URL.

+- [ ] Mastodon: short post + link.

+

+Have the FAQ tab open; expect "is this Forgejo?" / "why not

+Codeberg?" / "where's CI?" within the first hour.

+

+## Day-zero monitoring

+

+For the first 24h:

+

+- Refresh Grafana every 30 min.

+- Triage every alert immediately; nothing false-positive should

+  page in week 1 (we tuned for it).

+- Bug reports go to `https://shithub.example/shithub/shithub/issues`

+  (the project's own self-hosted issues — drink your own

+  champagne).

+

+## Backout

+

+If cutover goes sideways within the first hour:

+

+1. **Stop the bleed.** Put the site in read-only mode

+   (`docs/internal/runbooks/read-only-mode.md`).

+2. **Decide:** roll back code, restore data, or wait?

+3. If rolling back code: `deploy/cutover/rollback.sh v0.999`.

+4. Status page → "Investigating" with what we know.

+5. Page the operator (yourself, by definition).

+

+The 24h SLO is "report what we know, not promises about when it's

+fixed." Honesty wins trust; deadlines under stress lose it.

+

+## Day-one retro

+

+After the first 24h, fill in `docs/internal/retro/v1.0.0.md`

+with: what worked, what surprised us, top 3 user-reported

+issues, and the next sprint's focus.

+#!/usr/bin/env bash

+# SPDX-License-Identifier: AGPL-3.0-or-later

+#

+# S40 cutover rollback. Re-deploys a previous tag to production.

+# Walks the operator through the data-safe path; do NOT use this

+# blindly when migrations changed schema in non-additive ways

+# (read docs/internal/runbooks/rollback.md before running).

+#

+# Usage:

+#   deploy/cutover/rollback.sh v0.999

+#

+# What it does:

+#   1. Checks out the named tag.

+#   2. Confirms the tag exists and is signed (if signing is on).

+#   3. Runs make deploy-check (DRY-RUN) and prints the diff.

+#   4. Asks for explicit confirmation before applying.

+#   5. Runs make deploy.

+#   6. Runs the smoke script post-deploy.

+#

+# Exit status:

+#   0 — rollback completed and smoked

+#   1 — operator aborted, deploy failed, or smoke failed

+#   2 — usage error

+

+set -euo pipefail

+

+if [[ $# -lt 1 ]]; then

+  echo "usage: $0 <previous-tag>" >&2

+  exit 2

+fi

+

+TAG="$1"

+ROOT="$(cd "$(dirname "$0")/../.." && pwd)"

+cd "$ROOT"

+

+confirm() {

+  local prompt="$1"

+  read -r -p "$prompt [yes/NO] " resp

+  if [[ "$resp" != "yes" ]]; then

+    echo "aborted." >&2

+    exit 1

+  fi

+}

+

+echo "rollback target: $TAG"

+

+# 1. Verify the tag exists locally; fetch if needed.

+if ! git rev-parse --verify "refs/tags/$TAG" >/dev/null 2>&1; then

+  echo "tag $TAG not found locally; fetching..."

+  git fetch --tags

+  if ! git rev-parse --verify "refs/tags/$TAG" >/dev/null 2>&1; then

+    echo "FAIL: tag $TAG does not exist on origin" >&2

+    exit 1

+  fi

+fi

+

+# 2. Check whether the rollback crosses any new migration files.

+# Forward-only migrations mean the schema is ahead of the rolled-

+# back code. The operator must read the matching `down` migrations

+# before continuing; we don't auto-rollback schema here.

+NEW_MIGRATIONS=$(git diff --name-only "$TAG"..HEAD -- 'internal/migrationsfs/migrations/*.sql' || true)

+if [[ -n "$NEW_MIGRATIONS" ]]; then

+  echo ""

+  echo "WARNING: migrations exist between $TAG and HEAD:"

+  echo "$NEW_MIGRATIONS" | sed 's/^/  /'

+  echo ""

+  echo "Rolling back code without rolling back schema is fine ONLY if"

+  echo "every migration above is purely additive (new columns/tables"

+  echo "the old code ignores). Read docs/internal/runbooks/rollback.md"

+  echo "before continuing."

+  echo ""

+  confirm "All migrations above are additive (the old code handles them)?"

+fi

+

+# 3. Check out the tag.

+echo ""

+echo "checking out $TAG..."

+git checkout "$TAG"

+

+# 4. Dry-run.

+echo ""

+echo "running ANSIBLE deploy-check (DRY-RUN)..."

+make deploy-check ANSIBLE_INVENTORY=production

+

+# 5. Confirm + apply.

+echo ""

+confirm "Apply the rollback to production?"

+make deploy ANSIBLE_INVENTORY=production

+

+# 6. Smoke. Tries to read the production base URL from a deploy var

+# file; falls back to asking.

+BASE="${SHITHUB_PROD_URL:-}"

+if [[ -z "$BASE" ]]; then

+  read -r -p "Smoke base URL (e.g. https://shithub.example): " BASE

+fi

+echo ""

+echo "running smoke against $BASE..."

+deploy/cutover/smoke.sh "$BASE"

+

+echo ""

+echo "rollback to $TAG complete and smoked. Update the status page."

+#!/usr/bin/env bash

+# SPDX-License-Identifier: AGPL-3.0-or-later

+#

+# S40 cutover smoke test. Exercises the public-facing routes that

+# matter at launch: landing page, signup/login forms render with

+# a fresh CSRF token, health endpoints respond, the docs subdomain

+# is reachable, the API authenticates a known PAT.

+#

+# Usage:

+#   deploy/cutover/smoke.sh https://shithub.example

+#

+# Optional env (when set, the script also exercises the API):

+#   SHITHUB_SMOKE_PAT     — a valid shp_ token for `user:read`

+#   SHITHUB_SMOKE_DOCS    — docs subdomain URL (default: docs.<base>)

+#

+# Exit status:

+#   0 — all green

+#   1 — at least one check failed

+#   2 — usage error

+

+set -euo pipefail

+

+if [[ $# -lt 1 ]]; then

+  echo "usage: $0 <base-url>" >&2

+  exit 2

+fi

+

+BASE="$1"

+DOCS="${SHITHUB_SMOKE_DOCS:-${BASE/shithub./docs.shithub.}}"

+fail=0

+

+say() { printf '\n=== %s ===\n' "$*"; }

+ok()  { printf '  PASS: %s\n' "$*"; }

+bad() { printf '  FAIL: %s\n' "$*"; fail=$((fail + 1)); }

+

+# 1. Landing.

+say "GET $BASE/"

+body=$(curl -fsS -o - -w "\n%{http_code}\n" "$BASE/" 2>&1) || { bad "landing fetch"; body=""; }

+if [[ "$body" == *"shithub"* ]]; then ok "body contains shithub"; else bad "body missing shithub"; fi

+

+# 2. Health endpoints. /readyz proves DB + storage are reachable.

+say "GET $BASE/-/health"

+curl -fsS "$BASE/-/health" >/dev/null && ok "/-/health 200" || bad "/-/health"

+say "GET $BASE/healthz"

+curl -fsS "$BASE/healthz" >/dev/null && ok "/healthz 200" || bad "/healthz"

+say "GET $BASE/readyz"

+curl -fsS "$BASE/readyz" >/dev/null && ok "/readyz 200" || bad "/readyz"

+

+# 3. Signup form renders.

+say "GET $BASE/signup"

+body=$(curl -fsS "$BASE/signup") || { bad "signup fetch"; body=""; }

+if [[ "$body" == *"csrf_token"* ]]; then ok "CSRF token present"; else bad "no csrf_token in signup form"; fi

+

+# 4. Login form renders.

+say "GET $BASE/login"

+body=$(curl -fsS "$BASE/login") || { bad "login fetch"; body=""; }

+if [[ "$body" == *"username"* ]] && [[ "$body" == *"password"* ]]; then

+  ok "login form fields present"

+else

+  bad "login form missing username/password"

+fi

+

+# 5. TLS posture. Strict-Transport-Security must be set.

+say "TLS / HSTS"

+hdrs=$(curl -fsS -I "$BASE/" 2>&1) || { bad "headers fetch"; hdrs=""; }

+if grep -qi "strict-transport-security" <<<"$hdrs"; then

+  ok "HSTS header set"

+else

+  bad "HSTS header missing"

+fi

+if grep -qi "x-content-type-options" <<<"$hdrs"; then

+  ok "X-Content-Type-Options set"

+else

+  bad "X-Content-Type-Options missing"

+fi

+

+# 6. Docs subdomain.

+say "GET $DOCS/"

+curl -fsS -o /dev/null "$DOCS/" && ok "docs site 200" || bad "docs site"

+

+# 7. API (only if a PAT is provided).

+if [[ -n "${SHITHUB_SMOKE_PAT:-}" ]]; then

+  say "GET $BASE/api/v1/user (with PAT)"

+  body=$(curl -fsS -H "Authorization: Bearer $SHITHUB_SMOKE_PAT" "$BASE/api/v1/user") || { bad "api fetch"; body=""; }

+  if [[ "$body" == *'"username"'* ]]; then

+    ok "API returned a user object"

+  else

+    bad "API response unexpected: $body"

+  fi

+else

+  printf '  SKIP: API check (set SHITHUB_SMOKE_PAT to run)\n'

+fi

+

+printf '\n'

+if [[ "$fail" -eq 0 ]]; then

+  echo "smoke: all checks passed"

+  exit 0

+fi

+echo "smoke: $fail check(s) FAILED"

+exit 1