feat: add subdomain architecture and enhanced security for DevOps panel

CHANGELOG.md

@@ -14,6 +14,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased] - 2025-11-21
 
 ### Added
+- **Subdomain Architecture Documentation** - Comprehensive documentation for vln.gg domain structure
+  - Complete subdomain definitions for 12 production subdomains (app, api, auth, pay, wallet, docs, help, edu, design, mail, dev, preview)
+  - Architecture diagram and configuration standards
+  - DNS configuration guidelines with SSL/TLS setup
+  - Port allocation and PM2 naming conventions for self-hosted services
+  - Security considerations and access control matrix
+  - Deployment guidelines and rollback procedures
+  - New documentation: `docs/SUBDOMAIN-ARCHITECTURE.md`
+  - Updated: `devops-panel/.env.deploy.example` with subdomain references
+  - Updated: `README.md` with subdomain overview section
+
+- **Enhanced DevOps Panel Security** - Password protection with environment variable configuration
+  - Added middleware-level authentication protection (`middleware.ts`)
+  - Environment variable-based authentication (`DEVOPS_USERNAME`, `DEVOPS_PASSWORD`, `SESSION_SECRET`)
+  - Support for bcrypt password hashing in production (`DEVOPS_PASSWORD_HASH`)
+  - Automatic redirect to login for unauthenticated users
+  - Session-based authentication with iron-session
+  - Comprehensive authentication documentation in subdomain architecture guide
+  - Updated: `devops-panel/.env.example` with detailed security notes
+  - Updated: `devops-panel/.env.deploy.example` with authentication configuration
+
 - Created: 2 GitHub Actions workflows (auto-tracking + initialization) 2 shell scripts (simple + detailed status) 2 documentation files (guide + recommendations) Features: 📊 Real-time milestone progress updates 💬 Automatic comments on issues ⚠️ Critical issue detection 🎯 MVP completion tracking 🚀 Release readiness checks Integration Points: Works with existing scripts/create-milestone-issues.sh Can add to setup-devops-quick-access.sh Can add to Makefile Can integrate into DevOps web panel (@)
 - add GitHub repository ruleset configurations (@)
 - add comprehensive workflow reporting and test summaries (@)

README.md

@@ -41,8 +41,32 @@ Centralized web dashboard for project management.
 - `/api/webhook-manager` - Manage Telegram bot webhooks (GET/POST)
 - Full CORS support for cross-origin requests
 
+#### 🌐 Subdomain Architecture
+Standardized subdomain structure for vln.gg domain with 12 designated subdomains:
+
+**Production Services:**
+- `app.vln.gg` - Main application
+- `api.vln.gg` - Backend API endpoints
+- `auth.vln.gg` - Authentication service
+- `pay.vln.gg` - Payment processing
+- `wallet.vln.gg` - Wallet management
+
+**Content & Documentation:**
+- `docs.vln.gg` - Technical documentation
+- `help.vln.gg` - Help center and support
+- `edu.vln.gg` - Educational resources
+- `design.vln.gg` - Design system and UI library
+
+**Development & Infrastructure:**
+- `dev.vln.gg` - Development environment
+- `preview.vln.gg` - Preview/demo environment
+- `mail.vln.gg` - Email services
+
+**See:** [docs/SUBDOMAIN-ARCHITECTURE.md](docs/SUBDOMAIN-ARCHITECTURE.md) for complete architecture documentation and deployment guidelines.
+
 ### Documentation
 
+- **[docs/SUBDOMAIN-ARCHITECTURE.md](docs/SUBDOMAIN-ARCHITECTURE.md)** - Complete vln.gg subdomain architecture and configuration
 - **[docs/MILESTONE-TRACKING.md](docs/MILESTONE-TRACKING.md)** - Complete usage guide with examples
 - **[MILESTONE-AUTOMATION-RECOMMENDATIONS.md](MILESTONE-AUTOMATION-RECOMMENDATIONS.md)** - Integration recommendations
 

devops-panel/.env.deploy.example

@@ -10,10 +10,27 @@
 TLD=vln.gg
 
 # Subdomains you want to deploy to
-SUB_DOMAIN1=preview
-SUB_DOMAIN2=dev
-SUB_DOMAIN3=staging
-# Add more as needed...
+# See: docs/SUBDOMAIN-ARCHITECTURE.md for complete subdomain definitions
+#
+# Development/Staging Subdomains (Self-Hosted on VPS)
+SUB_DOMAIN1=preview         # preview.vln.gg - Preview/demo environment
+SUB_DOMAIN2=dev             # dev.vln.gg - Development environment
+SUB_DOMAIN3=staging         # staging.vln.gg - Staging environment
+#
+# Production Subdomains (Documented in SUBDOMAIN-ARCHITECTURE.md)
+# These are typically hosted on Vercel or dedicated infrastructure:
+# - app.vln.gg: Main application
+# - api.vln.gg: API endpoints
+# - auth.vln.gg: Authentication service
+# - pay.vln.gg: Payment processing
+# - wallet.vln.gg: Wallet management
+# - docs.vln.gg: Technical documentation
+# - help.vln.gg: Help center
+# - edu.vln.gg: Educational resources
+# - design.vln.gg: Design system
+# - mail.vln.gg: Email services
+#
+# Add more deployment subdomains as needed...
 
 # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 # SERVER CONFIGURATION
@@ -33,6 +50,23 @@ ROOT_SSH_KEY=your-public-ssh-key-here
 # Path to your LOCAL private SSH key
 SSH_PRIVATE_KEY=~/.ssh/id_rsa
 
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# AUTHENTICATION (REQUIRED FOR DEPLOYED INSTANCES)
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+# DevOps Panel Login Credentials - MUST be changed for each deployment
+# These will be set as environment variables on the server
+DEVOPS_USERNAME=admin
+DEVOPS_PASSWORD=change_this_strong_password_12345
+
+# RECOMMENDED: Use bcrypt hash for production deployments
+# Generate with: node -e "console.log(require('bcryptjs').hashSync('your_password', 10))"
+# DEVOPS_PASSWORD_HASH=$2a$10$...
+
+# Session Secret - Generate a unique random string per deployment
+# Generate with: openssl rand -base64 32
+SESSION_SECRET=generate_a_unique_random_string_at_least_32_chars_long
+
 # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 # DEPLOYMENT SETTINGS
 # ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

devops-panel/.env.example

@@ -1,12 +1,33 @@
-# Authentication
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# AUTHENTICATION (REQUIRED)
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+# DevOps Panel Login Credentials
+# WARNING: Change these before deploying to production!
 DEVOPS_USERNAME=admin
 DEVOPS_PASSWORD=changeme
-# Optional: Use bcrypt hash instead of plain password (recommended for production)
+
+# Optional: Use bcrypt hash instead of plain password (STRONGLY recommended for production)
+# To generate a hash: node -e "console.log(require('bcryptjs').hashSync('your_password', 10))"
 # DEVOPS_PASSWORD_HASH=$2a$10$...
 
-# Session Security
+# Session Security - MUST be changed in production
+# Generate a secure random string (at least 32 characters)
+# Example: openssl rand -base64 32
 SESSION_SECRET=complex_password_at_least_32_characters_long_change_this_in_production
 
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+# SECURITY NOTES
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+#
+# 1. NEVER commit .env files to version control
+# 2. Use DEVOPS_PASSWORD_HASH instead of DEVOPS_PASSWORD in production
+# 3. Generate a strong SESSION_SECRET (32+ random characters)
+# 4. For dev/preview subdomains, always use strong passwords
+# 5. Consider IP whitelisting for additional security
+#
+# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
 # GitHub Integration (Optional)
 GITHUB_TOKEN=ghp_your_github_personal_access_token
 GITHUB_REPO=Fused-Gaming/DevOps

devops-panel/middleware.ts

@@ -0,0 +1,79 @@
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+import { getIronSession } from 'iron-session';
+
+// Session configuration
+const sessionOptions = {
+  password: process.env.SESSION_SECRET || 'complex_password_at_least_32_characters_long_change_this_in_production',
+  cookieName: 'devops_panel_session',
+  cookieOptions: {
+    secure: process.env.NODE_ENV === 'production',
+  },
+};
+
+// Public routes that don't require authentication
+const publicRoutes = ['/login', '/api/auth/login'];
+
+// API routes that should be protected
+const protectedApiRoutes = [
+  '/api/deployments',
+  '/api/milestones',
+  '/api/github',
+  '/api/auth/logout',
+  '/api/auth/session',
+];
+
+export async function middleware(request: NextRequest) {
+  const { pathname } = request.nextUrl;
+
+  // Allow public routes
+  if (publicRoutes.includes(pathname)) {
+    return NextResponse.next();
+  }
+
+  // Allow static files and Next.js internals
+  if (
+    pathname.startsWith('/_next') ||
+    pathname.startsWith('/favicon') ||
+    pathname.includes('.')
+  ) {
+    return NextResponse.next();
+  }
+
+  try {
+    // Get session from cookie
+    const response = NextResponse.next();
+    const session = await getIronSession(request, response, sessionOptions);
+
+    // Check if user is logged in
+    if (!session.isLoggedIn) {
+      // Redirect to login for protected routes
+      if (pathname === '/' || protectedApiRoutes.some(route => pathname.startsWith(route))) {
+        const url = request.nextUrl.clone();
+        url.pathname = '/login';
+        return NextResponse.redirect(url);
+      }
+    }
+
+    return response;
+  } catch (error) {
+    console.error('Middleware error:', error);
+    // On error, redirect to login for safety
+    const url = request.nextUrl.clone();
+    url.pathname = '/login';
+    return NextResponse.redirect(url);
+  }
+}
+
+// Configure which routes use this middleware
+export const config = {
+  matcher: [
+    /*
+     * Match all request paths except for the ones starting with:
+     * - _next/static (static files)
+     * - _next/image (image optimization files)
+     * - favicon.ico (favicon file)
+     */
+    '/((?!_next/static|_next/image|favicon.ico).*)',
+  ],
+};