# Maple Open Technologies - Production Infrastructure

This directory contains configuration and documentation for deploying Maple Open Technologies to production on DigitalOcean.

## Quick Start

```bash
# 1. Copy environment template
cp .env.template .env

# 2. Edit .env and replace all CHANGEME values
nano .env

# 3. Set secure permissions
chmod 600 .env

# 4. Verify .env is gitignored
git check-ignore -v .env

# 5. Start with setup documentation
cd setup/
cat 00-getting-started.md
```

## Directory Structure

```
production/
├── .env.template      # Template with CHANGEME placeholders (safe to commit)
├── .env               # Your actual config (gitignored, NEVER commit)
├── .gitignore         # Ensures .env is never committed to Git
├── .claudeignore      # Protects secrets from LLMs/AI assistants
├── README.md          # This file
└── setup/             # Step-by-step deployment guides
    ├── 00-getting-started.md
    ├── 01_init_docker_swarm.md
    └── ... (more guides)
```

## Environment Configuration

### `.env.template` vs `.env`

| File | Purpose | Git Status | Contains |
|------|---------|------------|----------|
| `.env.template` | Template for team | ✅ Committed | `CHANGEME` placeholders |
| `.env` | Your actual config | ❌ Gitignored | Real IPs, passwords, tokens |

### Security Rules

🔒 **DO:**

- Keep the `.env` file at `chmod 600` permissions
- Store backups of `.env` securely (encrypted)
- Use `.env.template` to share the config structure
- Verify `.env` is gitignored before adding secrets
- Trust `.claudeignore` to protect secrets from AI assistants

🚫 **DON'T:**

- Commit `.env` to Git
- Share `.env` via email/Slack/unencrypted channels
- Use world-readable permissions (644, 777)
- Hardcode values from `.env` in documentation

### Multi-Layer Security Protection

This directory uses **three layers** of secret protection:

1. **`.gitignore`** - Prevents committing secrets to the Git repository
2. **`.claudeignore`** - Prevents LLMs/AI assistants from reading secrets (a convention honoured by the assistant's tooling, not an OS-level control, so it complements the other two layers rather than replacing them)
3. **File permissions** - `chmod 600` prevents other users on the host from reading secrets

All three layers work together to protect your production infrastructure.

## Setup Guides

Follow these guides in order:

1. **[00-getting-started.md](setup/00-getting-started.md)**
   - Local workspace setup
   - DigitalOcean API token configuration
   - `.env` file initialization

2. **[01_init_docker_swarm.md](setup/01_init_docker_swarm.md)**
   - Create DigitalOcean droplets (Ubuntu 24.04)
   - Install Docker on nodes
   - Configure Docker Swarm with private networking
   - Verify cluster connectivity

3. **More guides coming...**
   - Cassandra deployment
   - Redis setup
   - Application deployment
   - SSL/HTTPS configuration

## Infrastructure Overview

### Naming Convention

Format: `{company}-{role}-{sequential-number}-{environment}`

Examples:

- `mapleopentech-swarm-manager-1-prod`
- `mapleopentech-swarm-worker-1-prod`
- `mapleopentech-swarm-worker-2-prod`

**Why this pattern?**

- Simple sequential numbering (numbers are never reused)
- No role-specific prefixes (use Docker labels instead)
- Easy to scale (just add worker-N)
- Flexible (servers can be repurposed without renaming)

## Getting Help

### Documentation

- Setup guides in the `setup/` directory
- `.env.template` has inline comments for all variables
- Each guide includes a troubleshooting section

### Common Issues

1. **`.env` file missing**: Run `cp .env.template .env`
2. **Variables not loading**: Run `source .env` in your terminal
3. **Git showing `.env`**: It shouldn't be - check `.gitignore`

---

**Last Updated**: November 3, 2025
**Maintained By**: Infrastructure Team
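The Quick Start steps and the Security Rules above can be checked in one go before a deploy. The script below is an added example, not part of this repository; it assumes the `.env` file sits beside its `.gitignore` (as in this directory) and, when `git` is unavailable or the directory is not a work tree, falls back to reading `.gitignore` directly instead of calling `git check-ignore`.

```bash
#!/usr/bin/env bash
# Added example (not the project's own tooling): pre-flight check for a
# production .env file. Returns 0 when every rule in the Security Rules
# section holds, 1 otherwise, printing each violation it finds.

# File mode as an octal string; works with GNU (Linux) and BSD (macOS) stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

check_env_file() {
    local env_file="${1:-.env}"
    local dir problems=0 mode
    dir=$(dirname "$env_file")

    # Common Issues #1: the file must exist at all.
    if [ ! -f "$env_file" ]; then
        echo "MISSING: $env_file (run: cp .env.template .env)"
        return 1
    fi

    # Rule: chmod 600 only; 644/777 leave secrets world-readable.
    mode=$(file_mode "$env_file")
    if [ "$mode" != "600" ]; then
        echo "PERMS: $env_file is mode $mode, expected 600"
        problems=$((problems + 1))
    fi

    # Rule: every CHANGEME placeholder from .env.template must be replaced.
    if grep -q 'CHANGEME' "$env_file"; then
        echo "PLACEHOLDER: CHANGEME values remain in $env_file"
        problems=$((problems + 1))
    fi

    # Rule: the file must be gitignored. Ask git itself when inside a work
    # tree; otherwise fall back to the sibling .gitignore (assumed layout).
    if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        git -C "$dir" check-ignore -q "$(basename "$env_file")" || {
            echo "GIT: $env_file is NOT ignored by git"
            problems=$((problems + 1))
        }
    elif ! grep -qx '\.env' "$dir/.gitignore" 2>/dev/null; then
        echo "GIT: no .gitignore entry for .env in $dir"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}
```

Run it as `check_env_file production/.env` from a shell that has sourced the script; a non-zero exit blocks the deploy step that follows.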