Epic: v0.2.0 — Production Deployment + Station-Bot API Connectivity #105

@GitAddRemote

Epic

This epic covers everything required to ship Station to production on a Linode VPS and establish secure API connectivity with Station-Bot. It replaces the previous Kubernetes-based deployment plan with a pragmatic Docker Compose + Terraform approach that is appropriate for the current single-server scale.

Why This Approach

Think of this like building a house before decorating it. Kubernetes (K8s) is a mansion with a full maintenance staff — powerful, but overkill when you have one apartment. Docker Compose is that apartment: it runs all your services reliably, is easy to understand, and can be upgraded later. Terraform is the blueprint: instead of manually clicking buttons in the Linode dashboard, you write code that describes your infrastructure so it can be rebuilt identically at any time.

Scope

Infrastructure

  • Terraform configuration for Linode VPS: DNS A records, firewall rules, SSH key management
  • VPS baseline: Nginx reverse proxy, Let's Encrypt TLS, deploy user, directory structure

Application Deployment

  • Hardened multi-stage Dockerfiles for backend and frontend (see Tech Story: Harden Dockerfiles for production #102)
  • Docker Compose production configuration for all Station services
  • GitHub Actions CI/CD: release-tag-triggered build → push → SSH deploy with graceful restart

Security / Auth

  • Redis-backed refresh token storage with JTI (JWT ID) blacklist for instant token revocation
  • httpOnly + Secure + SameSite cookies for browser-based sessions
  • OAuth 2.0 Client Credentials grant (M2M auth) so Station-Bot can securely call Station's API

Station-Bot Connectivity

  • Station-Bot gets a registered OAuth client with client_id + client_secret
  • Bot acquires a short-lived JWT from Station's /auth/token endpoint on startup
  • All bot → Station API calls use Authorization: Bearer <token>

Documentation

  • README updates for Station
  • docs/deployment.md full deployment runbook
  • docs/architecture.md with infrastructure diagram
  • docs/oauth-m2m.md explaining the bot auth flow

Sub-Issues

Definition of Done

  • All sub-issues closed
  • Station is live at api.drdnt.org (backend) and station.drdnt.org (frontend)
  • TLS active on all three subdomains with auto-renewing Let's Encrypt certs
  • Station-Bot successfully authenticates against Station API using Client Credentials
  • Deployment is fully automated: pushing a release tag triggers build → push → SSH deploy with no manual steps
  • All documentation written and reviewed
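
The JTI blacklist item under Security / Auth, as an added example that is not Station's own code: a token is rejected as soon as its `jti` is revoked, and the revocation entry lives only until the token's own `exp`. Assumptions: HS256 signing, an in-memory dict standing in for Redis, and the hypothetical names `Denylist`, `issue` and `verify`.

```python
import base64, hashlib, hmac, json, uuid

SECRET = b"constructed-demo-key"  # constructed value; load the real key from a secret store

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class Denylist:
    """In-memory stand-in (assumption) for Redis `SET revoked:<jti> 1 EX <ttl>`."""
    def __init__(self):
        self._expiry = {}
    def revoke(self, jti, exp, now):
        # An already-expired token fails verification anyway, so store nothing for it.
        if exp > now:
            self._expiry[jti] = exp
    def is_revoked(self, jti, now):
        exp = self._expiry.get(jti)
        if exp is not None and exp <= now:
            del self._expiry[jti]  # mimics Redis key expiry, keeps the list bounded
            return False
        return exp is not None

def _sign(message: str) -> bytes:
    return hmac.new(SECRET, message.encode(), hashlib.sha256).digest()

def issue(sub, ttl, now):
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "jti": uuid.uuid4().hex, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims).encode())
    return f"{header}.{body}.{_b64(_sign(header + '.' + body))}", claims

def verify(token, denylist, now):
    """Return the claims, or None if forged, malformed, expired or revoked."""
    try:
        header, body, sig = token.split(".")
        if not hmac.compare_digest(_sign(header + "." + body), _unb64(sig)):
            return None
        if json.loads(_unb64(header)).get("alg") != "HS256":
            return None  # never let the token choose its own algorithm
        claims = json.loads(_unb64(body))
        if claims["exp"] <= now or denylist.is_revoked(claims["jti"], now):
            return None
        return claims
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
```

The denylist lookup runs on every request, so the revocation takes effect on the next API call rather than at token expiry.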

Labels

  • api: Public/internal API endpoints
  • backend: Backend services and logic
  • config: Configuration and feature flags
  • epic: Top-level feature or theme
  • frontend: Frontend app and dashboard
  • security: Security, auth, and permissions
  • tech-story: Technical implementation story