ops: add production hardening automation for secrets, backups, and rollback

infra/deploy/SECRET_ROTATION_CHECKLIST.md

@@ -0,0 +1,68 @@
+# Secret Rotation Checklist (Production)
+
+Target: `my.votcloud.com`  
+Host: `102.69.243.167`
+
+## Scope
+
+Rotate the following regularly (monthly/quarterly or after any incident):
+
+1. `JWT_SECRET`
+2. `JWT_REFRESH_SECRET`
+3. `POSTGRES_PASSWORD`
+4. `ADMIN_PASSWORD`
+
+Recommended:
+
+1. `BACKUP_ENCRYPTION_KEY` (with controlled key migration plan)
+2. Proxmox API token secret
+3. Payment/webhook secrets
+
+## Runbook (Safe Order)
+
+1. Create timestamped app/env/db backup.
+2. Rotate env secrets in `.env.production`.
+3. Apply DB password rotation (`ALTER USER ... WITH PASSWORD ...`).
+4. Restart app stack with new env.
+5. Re-seed admin (`npm run prisma:seed`) to sync rotated admin password.
+6. Revoke all active sessions (`AuthSession`) to invalidate old sessions.
+7. Verify:
+   - `GET /api/health`
+   - Admin login
+   - Core pages (`/rbac`, `/profile`, `/system`, `/audit-logs`)
+8. Save secure summary with new admin credentials under `/root/`.
+
+## Automation Script
+
+Use:
+
+```bash
+sudo bash /opt/proxpanel/infra/deploy/rotate-production-secrets.sh
+```
+
+Script guarantees:
+
+1. Backup directory created in `/opt/proxpanel-backups/<timestamp>-secret-rotation/`
+2. DB pre-rotation dump created
+3. Post-rotation health + login verified
+4. Summary written to `/root/proxpanel-secret-rotation-<timestamp>.txt`
+
+## Rollback Plan
+
+If post-rotation checks fail:
+
+1. Restore `.env.production` from backup.
+2. Restore previous app files if needed.
+3. Restore DB dump if schema/state corruption occurred.
+4. Recreate containers:
+   - `docker compose --env-file .env.production -f infra/deploy/docker-compose.production.yml up -d --build`
+
+## Audit Trail
+
+Store:
+
+1. Rotation timestamp
+2. Operator identity
+3. Backup directory used
+4. Health verification evidence
+5. Any rollback events