
Production Deployment — Garuda Chain

Guide to deploying the Garuda Chain mainnet (Chain ID 8846) to a production server with TLS, a reverse proxy, monitoring, and backups.

Production Architecture

                    Internet
                        │
                   ┌────▼────┐
                   │  Caddy  │  :80 / :443 (Let's Encrypt TLS)
                   └────┬────┘
        ┌───────────┬────┼────┬──────────┐
        ▼           ▼    ▼    ▼          ▼
     rpc:8585    api:4000  explorer  status  static/docs
        │
   main-validator1:8595 (Besu IBFT)
        │
   validators 2-5 (internal P2P :30323-30327)

Subdomain                 Service               Internal Port
rpc.garudachain.id        Public RPC + WSS      8585
rpc2.garudachain.id       Backup RPC            8585
api.garudachain.id        REST + GraphQL API    4000
explorer.garudachain.id   Block Explorer        3000
status.garudachain.id     Status Page           4003
docs.garudachain.id       Documentation         static

Server Requirements

Resource    Minimum            Recommended
CPU         8 cores            16 cores
RAM         32 GB              64 GB
Storage     1 TB NVMe SSD      2 TB RAID
Bandwidth   500 Mbps           1 Gbps
OS          Ubuntu 22.04 LTS   Ubuntu 24.04 LTS

Note: running all 5 validator nodes on a single server is only for the initial launch. For long-term production, distribute the validators across separate servers (multi-host).

Deployment Steps

1. Prepare the Server

# On the production server (as root)
curl -fsSL https://raw.githubusercontent.com/.../scripts/production/setup-server.sh | bash
# or clone the repo and then:
sudo bash scripts/production/setup-server.sh

This setup installs Docker, the UFW firewall (22, 80, 443, P2P), fail2ban, and the deploy user.

2. Clone & Configure

sudo -u deploy -i
cd /opt/garuda-chain
git clone <repo-url> .
cp .env.production.example .env.production
nano .env.production

Fill in .env.production:

- PRODUCTION_DOMAIN=garudachain.id
- ACME_EMAIL=ops@garudachain.id
- PRODUCTION_HOST=<server-public-ip>
- Contract addresses, once they have been deployed
- Do not put DEPLOYER_PRIVATE_KEY in .env.production on the production server
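A pre-flight check for the file above, added here as an example (it is not the project's scripts/production code): it parses .env.production, requires the three keys listed, rejects a non-public PRODUCTION_HOST, and fails if DEPLOYER_PRIVATE_KEY is present with any value. The sample file is constructed; the placeholder key value is not a real key.

```python
"""Pre-flight check for .env.production (added example, not project code)."""
import ipaddress
import re

# Keys the deployment docs say must be filled in before launch.
REQUIRED = ("PRODUCTION_DOMAIN", "ACME_EMAIL", "PRODUCTION_HOST")
# Secrets that must never exist on the production server.
FORBIDDEN = ("DEPLOYER_PRIVATE_KEY",)


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines; skips blanks and # comments, strips quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def preflight(env: dict) -> list:
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    for key in REQUIRED:
        if not env.get(key):
            problems.append(f"{key} is missing or empty")
    for key in FORBIDDEN:
        if env.get(key):  # any non-empty value is a finding
            problems.append(f"{key} must not be set on the production server")
    host = env.get("PRODUCTION_HOST", "")
    if host:
        try:
            if not ipaddress.ip_address(host).is_global:  # loopback, RFC1918, ...
                problems.append(f"PRODUCTION_HOST {host} is not a public IP")
        except ValueError:
            problems.append(f"PRODUCTION_HOST {host} is not an IP address")
    email = env.get("ACME_EMAIL", "")
    if email and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        problems.append("ACME_EMAIL is not a valid e-mail address")
    return problems


# Constructed sample: a file that still carries the deployer key (placeholder value).
SAMPLE_ENV = """
PRODUCTION_DOMAIN=garudachain.id
ACME_EMAIL=ops@garudachain.id
PRODUCTION_HOST=1.2.3.4
DEPLOYER_PRIVATE_KEY=0xPLACEHOLDER_DO_NOT_USE
"""

if __name__ == "__main__":
    for problem in preflight(parse_env(SAMPLE_ENV)):
        print("FAIL:", problem)
```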

3. Validator Keys (HSM)

# Use an HSM/KMS for production; see docs/security/hardware-security.md
bash scripts/generate-validator-keys.sh   # dev/staging only

4. DNS

Add A records pointing at the server IP:

rpc.garudachain.id      → <IP>
rpc2.garudachain.id     → <IP>
api.garudachain.id      → <IP>
explorer.garudachain.id → <IP>
status.garudachain.id   → <IP>
docs.garudachain.id     → <IP>
garudachain.id          → <IP>

Or use Terraform:

cd deploy/terraform
export TF_VAR_cloudflare_api_token=...
export TF_VAR_production_ip=1.2.3.4
terraform init && terraform apply

Verify:

npm run prod:verify-dns
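What such a DNS verification does, as an added example (not the project's prod:verify-dns script): build the expected name to IP map for the apex and the six service subdomains listed above, resolve each name, and report every record that is missing or points elsewhere. The resolver is injectable, so the constructed fake zone below (with a stale explorer record) runs offline; in real use the default socket.gethostbyname is used.

```python
"""DNS A-record check (added example, not the project's prod:verify-dns)."""
import socket
from typing import Callable, Dict, List

# Service subdomains from the production architecture table.
SUBDOMAINS = ("rpc", "rpc2", "api", "explorer", "status", "docs")


def expected_records(domain: str, ip: str) -> Dict[str, str]:
    """Build the name -> IP map for the apex and every service subdomain."""
    names = [domain] + [f"{sub}.{domain}" for sub in SUBDOMAINS]
    return {name: ip for name in names}


def verify_dns(expected: Dict[str, str],
               resolve: Callable[[str], str] = socket.gethostbyname) -> List[str]:
    """Return one line per bad record; an empty list means all A records match."""
    failures = []
    for name, want in expected.items():
        try:
            got = resolve(name)
        except OSError as exc:  # NXDOMAIN, timeout, no network
            failures.append(f"{name}: lookup failed ({exc})")
            continue
        if got != want:
            failures.append(f"{name}: resolves to {got}, expected {want}")
    return failures


# Constructed fake zone: everything points at 1.2.3.4 except a stale explorer record.
FAKE_ZONE = {**expected_records("garudachain.id", "1.2.3.4"),
             "explorer.garudachain.id": "198.51.100.7"}


def fake_resolve(name: str) -> str:
    """Offline stand-in for socket.gethostbyname that reads FAKE_ZONE."""
    if name not in FAKE_ZONE:
        raise socket.gaierror(f"{name} not found")
    return FAKE_ZONE[name]


if __name__ == "__main__":
    for line in verify_dns(expected_records("garudachain.id", "1.2.3.4"), fake_resolve):
        print("FAIL:", line)
```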

5. Pre-flight & Launch

npm run mainnet:preflight
npm run prod:deploy

The prod:deploy command will:

1. Run the pre-flight security check
2. Generate bootnodes
3. Build & start all containers (validators + RPC + API + explorer + status + Caddy)
4. Run local smoke tests

6. Deploy Smart Contracts

# From a secure machine with a hardware wallet, NOT on the production server
npm run contracts:deploy:mainnet

Update .env.production with the addresses of the deployed contracts.

7. Verify Production

npm run prod:smoke          # Test HTTPS endpoints
npm run prod:monitor        # Monitor all services

npm Scripts

Script            Function
prod:deploy       Full production deployment
prod:smoke        Remote HTTPS smoke tests
prod:monitor      Production health dashboard
prod:backup       Back up validator volumes
prod:verify-dns   Check DNS records
prod:down         Stop the production stack
prod:logs         Tail logs

CI/CD (GitHub Actions)

Workflow: .github/workflows/deploy-production.yml

Required secrets:

- PRODUCTION_HOST: IP/hostname of the server
- PRODUCTION_USER: SSH user (default: deploy)
- PRODUCTION_SSH_KEY: private SSH key

Variables:

- PRODUCTION_DOMAIN: defaults to garudachain.id

Trigger it manually via GitHub Actions → Production Deploy → Run workflow.

Backup & Recovery

Daily Backup (cron)

# /etc/cron.d/garuda-backup
0 3 * * * deploy /opt/garuda-chain/scripts/production/backup.sh

The backup contains:

- chain/config/mainnet/
- chain/deployments/mainnet.json
- the Docker volumes of validators 1-5

Validator keys are NOT backed up; manage them separately via the HSM.

Restore

docker compose -f docker-compose.mainnet.yml -f docker-compose.production.yml down
tar xzf /var/backups/garuda-chain/garuda-backup-YYYYMMDD.tar.gz
# Restore the volumes from the extracted archives
docker compose -f docker-compose.mainnet.yml -f docker-compose.production.yml up -d

Production Security

Item                Implementation
TLS                 Caddy with automatic Let's Encrypt certificates
Firewall            UFW: only 22, 80, 443 and the P2P ports
RPC admin methods   Blocked in apps/rpc-public
Rate limiting       500 req/min RPC, 200 req/min API
Validator RPC       Bound to localhost / the internal network
Keys                HSM; not on the server after deployment
Monitoring          Security monitor + status page
Incident            docs/security/incident-response.md
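How the "RPC admin methods blocked" row can be enforced at the public RPC front, as an added example (it is not the actual apps/rpc-public code): a namespace deny-list applied to every JSON-RPC request, including each entry of a batch, so a batch cannot carry an admin call past a single-request check. The denied namespaces are an assumption based on common Ethereum client conventions.

```python
"""JSON-RPC method filter for a public RPC front (added example, not apps/rpc-public)."""
import json

# Namespaces that must never be reachable from the public endpoint (assumed list).
DENIED_PREFIXES = ("admin_", "debug_", "personal_", "miner_", "txpool_")


def is_allowed(method) -> bool:
    """A method is allowed only if it is a non-empty string outside the denied namespaces."""
    if not isinstance(method, str) or not method:
        return False
    return not method.lower().startswith(DENIED_PREFIXES)


def error_response(rid, code: int, msg: str) -> dict:
    """Build a JSON-RPC 2.0 error object for the given request id."""
    return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": msg}}


def filter_request(body: bytes):
    """Return (forward, response): forward=True means pass the body upstream
    unchanged; otherwise response is the error to send back to the client.
    A batch is rejected as a whole if any entry is denied."""
    try:
        req = json.loads(body)
    except ValueError:
        return False, error_response(None, -32700, "parse error")
    items = req if isinstance(req, list) else [req]
    if not items:
        return False, error_response(None, -32600, "invalid request")
    for item in items:
        if not isinstance(item, dict) or not is_allowed(item.get("method")):
            rid = item.get("id") if isinstance(item, dict) else None
            return False, error_response(rid, -32601, "method not allowed")
    return True, None


if __name__ == "__main__":
    # Constructed sample: a batch that hides a debug call behind a harmless one.
    batch = b'[{"jsonrpc":"2.0","id":1,"method":"eth_chainId"},' \
            b'{"jsonrpc":"2.0","id":2,"method":"debug_traceTransaction"}]'
    print(filter_request(batch))
```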

Checklist

See security/production-checklist.json: 15 items, PROD-01 through PROD-15.

MetaMask Network

{
  "chainId": "0x2286",
  "chainName": "Garuda Chain Mainnet",
  "nativeCurrency": {
    "name": "Garuda Asset Token",
    "symbol": "GAT",
    "decimals": 18
  },
  "rpcUrls": ["https://rpc.garudachain.id"],
  "blockExplorerUrls": ["https://explorer.garudachain.id"]
}
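A consistency check for the network object above, added here as an example (not project code). Note that 8846, the chain ID stated at the top of this page, is 0x228E in hex, while the JSON carries 0x2286 (decimal 8838); the check below flags such a mismatch, so the value to publish must be settled against chain/config/mainnet/genesis.json. It also requires HTTPS wallet-facing URLs and a sane nativeCurrency.

```python
"""MetaMask network object check (added example, not project code)."""
import json


def to_hex_chain_id(chain_id: int) -> str:
    """MetaMask wants chainId as a 0x-prefixed hex string; hex() yields that form."""
    return hex(chain_id)


def check_network_config(cfg_json: str, expected_chain_id: int) -> list:
    """Return a list of findings; an empty list means the object is consistent."""
    cfg = json.loads(cfg_json)
    findings = []
    got = cfg.get("chainId")
    if not isinstance(got, str) or not got.startswith("0x"):
        findings.append("chainId must be a 0x-prefixed hex string")
    elif int(got, 16) != expected_chain_id:
        findings.append(f"chainId {got} is decimal {int(got, 16)}, expected "
                        f"{expected_chain_id} ({to_hex_chain_id(expected_chain_id)})")
    for key in ("rpcUrls", "blockExplorerUrls"):
        for url in cfg.get(key, []):
            if not url.startswith("https://"):  # wallet traffic must go over TLS
                findings.append(f"{key}: {url} is not HTTPS")
    cur = cfg.get("nativeCurrency", {})
    if not cur.get("symbol") or cur.get("decimals") != 18:
        findings.append("nativeCurrency needs a symbol and decimals = 18")
    return findings


# The network object shown on this page (whitespace condensed, values unchanged).
PAGE_CONFIG = """{
  "chainId": "0x2286",
  "chainName": "Garuda Chain Mainnet",
  "nativeCurrency": {"name": "Garuda Asset Token", "symbol": "GAT", "decimals": 18},
  "rpcUrls": ["https://rpc.garudachain.id"],
  "blockExplorerUrls": ["https://explorer.garudachain.id"]
}"""

if __name__ == "__main__":
    for finding in check_network_config(PAGE_CONFIG, 8846):
        print("FAIL:", finding)  # reports 0x2286 (8838) vs 8846 (0x228e)
```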

Troubleshooting

Problem                 Solution
Caddy TLS fails         Make sure DNS has propagated and port 80 is open
Validator not syncing   Check that P2P ports 30323-30327 are open in the firewall
Explorer 502            Wait for the API to become healthy; check docker compose logs explorer
RPC rate limit          Raise RATE_LIMIT_MAX in the compose file
Wrong chain ID          Verify the genesis file chain/config/mainnet/genesis.json

Monitoring

Enable Prometheus + Grafana as part of the deployment:

npm run prod:deploy -- --with-monitoring
# or after deploy:
npm run monitoring:setup

See monitoring.md for dashboards, alerts, and Grafana access.

Staging First

Test on staging before production:

npm run staging:deploy
npm run staging:smoke

See staging-deployment.md.

Contact

  • Ops: ops@garudachain.id
  • Security: security@garudachain.id
  • Validators: validators@garudachain.id