Staging environment

The goal of the staging environment is to provide a stable environment for testing by both Game Tailors and the client (RID). It is configured to be as close to the production environment as possible, so that any issue we might expect in production can be reproduced in staging.

The staging environment is hosted on a separate TransIP server running Debian 13 (at the time of writing): rid-code-staging-vps (in the orbitgames account).

Connect to the server using SSH:

shell
ssh gametailors@136.144.205.124

TransIP does not support Object Storage (S3) yet, although it is coming soon. Files are therefore stored locally on the server for now.

Deployments happen automatically using a Bitbucket Pipeline on the staging branch. The containers are pulled using the staging tag.

Deployments work by copying the contents of environents/staging/server to the /opt/rid-code directory on the server, and running the update.sh script.

Backup & restore

Backups are made automatically to the TransIP Stack Storage.

Server configuration

Base configuration

Configuration is based on the gt-server-base deployment instructions for Debian. The steps are copied here, and modified where necessary.

  1. Get a nicer hostname:

    shell
    sudo hostnamectl set-hostname rid-code.staging.gametailors.com
  2. Secure the server (for more details, see the documentation for our Hetzner server (gt-1)):

    shell
    sudo apt update
    sudo apt upgrade -y
    sudo apt-get install unattended-upgrades apt-listchanges -y
    
    # Install security tooling (file integrity checking with AIDE, auditing, fail2ban)
    sudo apt install -y aide auditd fail2ban
    sudo systemctl enable auditd.service
    
    # Some default tools
    sudo apt install -y git htop jq gnupg2 restic
    
    # Install ufw as an (additional) firewall
    sudo apt install -y ufw
    sudo ufw allow ssh
    sudo ufw allow "WWW Full"
    sudo ufw enable
  3. Install Docker using the steps in the official documentation:

    shell
    # Add Docker's official GPG key:
    sudo apt install ca-certificates curl
    sudo install -m 0755 -d /etc/apt/keyrings
    sudo curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc
    sudo chmod a+r /etc/apt/keyrings/docker.asc
    
    # Add the repository to Apt sources:
    echo \
    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian \
    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
    sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
    sudo apt update
    
    # And install
    sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
    
    # Configure the current user to be able to use docker. Note that the docker group should have been created when installing docker
    sudo usermod -aG docker $USER
    newgrp docker
    
    # Check if it works:
    sudo docker run --rm hello-world
    
    # For docker and UFW to work correctly together, we need some additional magic
    sudo wget -O /usr/local/bin/ufw-docker \
       https://github.com/chaifeng/ufw-docker/raw/master/ufw-docker
    sudo chmod +x /usr/local/bin/ufw-docker
    sudo ufw-docker install
    sudo systemctl restart ufw
  4. Create an SSH key, and add it to Bitbucket as an access key (using the default path, no passphrase):

    shell
    ssh-keygen
    cat ~/.ssh/id_ed25519.pub

    Copy the public key to the repository settings.

  5. Clone this repository:

    shell
    sudo mkdir /opt/base
    sudo chown -R $USER:$USER /opt/base
    git clone git@bitbucket.org:orbit-games/gt-server-base.git /opt/base
    cd /opt/base
  6. Make the bash scripts (such as the update.sh file) executable:

    shell
    chmod +x *.sh
  7. Install the AWS CLI (needed for ECR access)

    shell
    sudo apt install -y awscli amazon-ecr-credential-helper
  8. Log in to AWS, for example, using the gt-server user in Bitwarden.

    shell
    aws configure
    mkdir -p ~/.docker && echo -e '{\n\t"credsStore": "ecr-login"\n}' > ~/.docker/config.json
  9. Run the update command

    shell
    ./update.sh
  10. Allow access to traefik through ufw-docker

    shell
    sudo ufw-docker allow traefik 80/tcp
    sudo ufw-docker allow traefik 443/tcp
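
Step 3 downloads ufw-docker from the master branch and runs it as root, so whatever that branch holds at download time is what gets executed. As an added example (not part of gt-server-base or ufw-docker), the helper below installs a downloaded file only when its SHA-256 matches a digest recorded when the script was reviewed; the function name and the `<reviewed-commit>` and `<reviewed-sha256>` placeholders are assumptions.

```shell
# Added example: install a downloaded script only after a digest check.

# install_verified SRC EXPECTED_SHA256 DEST
# Returns 0 after installing, 1 on a digest mismatch, 2 on a malformed digest.
install_verified() {
  local src="$1" dest="$3" expected actual

  # Accept upper- or lower-case hex, but refuse anything that is not a
  # 64-character SHA-256 (for example an unset variable).
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "expected digest is not a SHA-256 hex string" >&2
    return 2
  fi

  # A missing or unreadable SRC yields an empty digest and fails the comparison.
  actual="$(sha256sum "$src" 2>/dev/null | cut -d' ' -f1)"
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $src, not installing" >&2
    return 1
  fi

  # Only a verified file reaches the destination, with the executable bit set.
  install -m 0755 "$src" "$dest"
}

# Usage from a root shell on the server (placeholders, fill in after review):
#   tmp="$(mktemp)"
#   wget -O "$tmp" "https://github.com/chaifeng/ufw-docker/raw/<reviewed-commit>/ufw-docker"
#   install_verified "$tmp" "<reviewed-sha256>" /usr/local/bin/ufw-docker
```

Pinning the URL to a commit instead of master keeps the downloaded bytes stable, so the recorded digest stays valid until the pin is deliberately moved.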

RID Code configuration

Now that the base is installed, we can install the project-specific stuff:

  1. Create a folder:
    shell
    sudo mkdir -p /opt/rid-code
    sudo chown -R $USER:$USER /opt/rid-code
    cd /opt/rid-code
  2. Run the Bitbucket pipeline for staging to copy the initial configuration. Comment out the code to update/deploy first, because nothing is configured yet.
  3. Set up the .env file:
    shell
    cp .env.example .env
    nano .env
  4. For the backups, we use TransIP Stack. To set this up, first go to https://orbitgames.stack.storage/, and log in as the root orbitgames user. There you can create an account for rid-code-staging. Store its credentials in Bitwarden.
  5. Log in with the new account, go to "Access Tokens", and create a WebDAV access token that is valid for 1 year.
  6. On the server, install rclone:
    shell
    sudo apt install rclone
  7. Set up rclone, and follow the wizard:
    1. rclone config
    2. new remote/edit remote (n/e)
    3. name: rid-code-staging-backup
    4. type: webdav
    5. vendor: other
    6. url: https://orbitgames.stack.storage/webdav/files/rid-code-staging
    7. user: rid-code-staging
    8. password: The access token generated in the GUI
    9. bearer token: Also the auth token generated in the GUI
  8. Test the connection
    shell
    rclone ls rid-code-staging-backup:
    This shouldn't print anything, unless there are files in the remote.
  9. Run the initialization script:
    shell
    ./init.sh
  10. Seed the database
    bash
    docker compose cp seed.sql db:/tmp/seed.sql
    docker compose exec db psql -d rid_code -U rid-code -f /tmp/seed.sql
  11. Restart everything:
    shell
    docker compose restart
  12. Configure daily backups:
    shell
    crontab -e
    Add the following line (you can replace the time with something random to prevent heavy load at 0:00 every day):
    cron
    0 1 * * * cd /opt/rid-code && /bin/bash backup.sh
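
The cron job above gives no signal when backup.sh starts failing or when the one-year WebDAV token expires. As an added example (not the project's backup.sh, whose contents are not shown on this page), the functions below check the age of the newest file on the rid-code-staging-backup remote; the function names and the 26-hour limit are assumptions.

```shell
# Added example: freshness check for the rid-code-staging-backup remote.
# Input on stdin: `rclone lsf --format tp` lines, "YYYY-MM-DD HH:MM:SS;path".

# newest_backup_age_hours NOW_EPOCH
# Prints the age in whole hours of the newest listed file; returns 2 if none.
newest_backup_age_hours() {
  local now="$1" newest newest_epoch
  # Timestamps in this format sort lexicographically, so the last is newest.
  newest="$(cut -d';' -f1 \
    | grep -E '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}' \
    | sort | tail -n 1)"
  [ -n "$newest" ] || return 2          # empty remote: no backup at all
  newest_epoch="$(date -d "$newest" +%s)" || return 2   # GNU date, as on Debian
  echo $(( (now - newest_epoch) / 3600 ))
}

# backup_is_fresh MAX_HOURS [NOW_EPOCH]
# Returns 0 if the newest backup is at most MAX_HOURS old, 1 if it is older,
# 2 if the listing contains no files. NOW_EPOCH defaults to the current time.
backup_is_fresh() {
  local max_hours="$1" now="${2:-$(date +%s)}" age
  age="$(newest_backup_age_hours "$now")" || {
    echo "no backups found on remote" >&2
    return 2
  }
  if [ "$age" -gt "$max_hours" ]; then
    echo "newest backup is ${age}h old (limit ${max_hours}h)" >&2
    return 1
  fi
  echo "newest backup is ${age}h old"
}

# Usage on the server (26h leaves slack around a daily job):
#   rclone lsf -R --files-only --format tp rid-code-staging-backup: \
#     | backup_is_fresh 26
```

A failed `rclone lsf`, for instance because the token expired, produces an empty listing and therefore exit code 2, so the same check also covers credential expiry.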