feat(infra): Phase 0 provisioning + dev status dashboard

- scripts/phase0-provision.sh: idempotent root setup (nginx, PostgreSQL,
  Redis, certbot/TLS, UFW). Opens 22/2222/80/443 before enabling UFW so SSH
  and Gitea git-SSH can't be locked out. Redis/Postgres stay localhost-only.
- infra/nginx/feedthepyre.com.conf: vhost serving the status page; commented
  web(:3000)/api(:4000) reverse-proxy blocks ready for app deploy.
- infra/status/: data-driven dev status dashboard (status.json + gen-status.mjs
  + prebuilt index.html), served at feedthepyre.com.
- ecosystem.config.cjs (PM2), infra/systemd/pm2-pyre.service, infra/logrotate/pyre,
  scripts/backup.sh — process mgmt + ops (inert until apps are built).

Built by 4 parallel agents, reviewed by 2 audit agents; audit fixes applied
(logs dir creation, port-citation accuracy, status truthfulness). pm2 installed
user-level. Privileged steps gated on `sudo bash scripts/phase0-provision.sh`.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

infra/nginx/README.md

@@ -0,0 +1,98 @@
+# nginx — feedthepyre.com virtual host
+
+This directory holds the nginx virtual host config for **feedthepyre.com**, the
+public domain for the PYRE / Prometheus Protocol MVP.
+
+- [`feedthepyre.com.conf`](feedthepyre.com.conf) — the vhost.
+
+## What it does now
+
+Right now the vhost serves a **static status dashboard** (a holding/status page)
+for both `feedthepyre.com` and `www.feedthepyre.com`.
+
+- Site root (`location /`) serves files from the webroot
+  `/var/www/feedthepyre/status` (with `index.html`), using
+  `try_files $uri $uri/ /index.html`.
+- The Next.js web app and Fastify API are **not** proxied yet — those blocks are
+  present but commented out.
+- An explicit `/.well-known/acme-challenge/` location is served from the same
+  webroot so Let's Encrypt HTTP-01 validation works even before certbot applies
+  its `--nginx` changes.
+- gzip is enabled for common text content types.
+
+Ports (per `.env.example`; design §11 names the processes but not their ports):
+
+| service        | bind            | env var    |
+| -------------- | --------------- | ---------- |
+| web (Next.js)  | 127.0.0.1:3000  | `WEB_PORT` |
+| api (Fastify)  | 127.0.0.1:4000  | `API_PORT` |
+
+## How the provision script installs it
+
+The provisioning script (run with sudo on the PYRE VPS) is expected to:
+
+1. Copy `feedthepyre.com.conf` to `/etc/nginx/sites-available/feedthepyre.com`.
+2. Symlink it into the enabled set:
+   `ln -s /etc/nginx/sites-available/feedthepyre.com /etc/nginx/sites-enabled/feedthepyre.com`
+3. Ensure the webroot exists and has an index page:
+   `mkdir -p /var/www/feedthepyre/status` (drop an `index.html` in it).
+4. Validate and reload: `nginx -t && systemctl reload nginx`.
+
+These exact paths are a contract the script relies on — do not rename the
+install path or the webroot without updating the script too.
+
+> This config is file-only. Do not run nginx/sudo from this repo; the provision
+> script owns that.
+
+## How certbot adds TLS
+
+After the HTTP vhost is installed and nginx is reloaded, obtain certificates:
+
+```bash
+sudo certbot --nginx -d feedthepyre.com -d www.feedthepyre.com
+```
+
+certbot will **edit `feedthepyre.com.conf` in place**, adding:
+
+- a `listen 443 ssl;` server block,
+- `ssl_certificate` / `ssl_certificate_key` directives (and Let's Encrypt
+  includes),
+- an HTTP->HTTPS redirect on the `listen 80;` server.
+
+That is why the `:80` server is written as a plain `listen 80;` block with both
+domains in `server_name` — it is the shape certbot expects to augment. Renewals
+are handled automatically by certbot's systemd timer/cron.
+
+## Flipping from the static status page to the live app + API proxy
+
+Once `apps/web` (Next.js, port 3000) and `apps/api` (Fastify, port 4000) are
+deployed and running on the VPS:
+
+1. Edit `/etc/nginx/sites-available/feedthepyre.com`.
+2. **Enable the API proxy:** uncomment the `location /api/ { ... }` block. The
+   trailing slash on `proxy_pass http://127.0.0.1:4000/;` strips the `/api/`
+   prefix so the backend sees `/scan`, `/receipt`, etc.
+3. **Switch the root to the web app:** in `location / { ... }`, replace the
+   `try_files ...` line with the `proxy_pass http://127.0.0.1:3000;` block shown
+   in the inline comment (Host / X-Real-IP / X-Forwarded-For / X-Forwarded-Proto
+   plus the websocket Upgrade/Connection headers).
+4. **Add the websocket map** (one time) to the `http{}` block of
+   `/etc/nginx/nginx.conf`:
+
+   ```nginx
+   map $http_upgrade $connection_upgrade {
+       default upgrade;
+       ''      close;
+   }
+   ```
+
+5. **Optional global hardening:** add `server_tokens off;` to the same `http{}`
+   block (kept out of the vhost on purpose so it is not duplicated).
+6. Validate and reload:
+
+   ```bash
+   sudo nginx -t && sudo systemctl reload nginx
+   ```
+
+Keep the `/.well-known/acme-challenge/` location in place so certificate
+renewals continue to work after the cutover.

infra/nginx/feedthepyre.com.conf

@@ -0,0 +1,109 @@
+# ============================================================================
+# PYRE / Prometheus Protocol — nginx virtual host for feedthepyre.com
+# ----------------------------------------------------------------------------
+# Install path:   /etc/nginx/sites-available/feedthepyre.com
+#                 (the provision script symlinks this into sites-enabled/)
+#
+# TLS:            Managed by certbot. Run `certbot --nginx` AFTER this config is
+#                 installed — it will inject the listen 443 ssl server block,
+#                 the ssl_certificate / ssl_certificate_key lines, and the
+#                 HTTP->HTTPS redirect automatically. Do NOT hand-edit those in.
+#
+# App ports (see docs/PYRE_MVP_DESIGN.md §11 and .env.example):
+#                 web (Next.js)  -> 127.0.0.1:3000   (WEB_PORT)
+#                 api (Fastify)  -> 127.0.0.1:4000   (API_PORT)
+#
+# Current behaviour: serves the static status dashboard from
+#                 /var/www/feedthepyre/status. The reverse-proxy blocks below
+#                 are commented out until the apps are deployed.
+# ============================================================================
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name feedthepyre.com www.feedthepyre.com;
+
+    # --- Static status site (current site root) -----------------------------
+    root /var/www/feedthepyre/status;
+    index index.html;
+
+    # --- Logging ------------------------------------------------------------
+    access_log /var/log/nginx/feedthepyre.access.log;
+    error_log  /var/log/nginx/feedthepyre.error.log;
+
+    # --- ACME HTTP-01 challenge --------------------------------------------
+    # Explicit so certbot's HTTP-01 validation works even before its --nginx
+    # tweaks are applied. ^~ ensures this wins over the regex/proxy locations.
+    location ^~ /.well-known/acme-challenge/ {
+        root /var/www/feedthepyre/status;
+        allow all;
+    }
+
+    # --- Basic hardening ----------------------------------------------------
+    # gzip for text-ish content types.
+    gzip on;
+    gzip_comp_level 5;
+    gzip_min_length 256;
+    gzip_proxied any;
+    gzip_vary on;
+    gzip_types
+        text/plain
+        text/css
+        text/xml
+        text/javascript
+        application/javascript
+        application/json
+        application/xml
+        application/rss+xml
+        image/svg+xml;
+
+    # NOTE: `server_tokens off;` is intentionally NOT set here — it belongs in
+    # the http{} block of /etc/nginx/nginx.conf so it applies globally. Set it
+    # there once rather than duplicating it per-vhost.
+
+    # --- Site root ----------------------------------------------------------
+    # Serve the static status dashboard for now.
+    #
+    # LATER: when apps/web (Next.js) is deployed, switch this location from the
+    # static status page to a reverse proxy. Replace the try_files body with:
+    #
+    #     proxy_pass http://127.0.0.1:3000;
+    #     proxy_http_version 1.1;
+    #     proxy_set_header Host              $host;
+    #     proxy_set_header X-Real-IP         $remote_addr;
+    #     proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+    #     proxy_set_header X-Forwarded-Proto $scheme;
+    #     proxy_set_header Upgrade           $http_upgrade;
+    #     proxy_set_header Connection        $connection_upgrade;
+    #
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    # ------------------------------------------------------------------------
+    # REVERSE-PROXY BLOCKS — enable when apps are running
+    # ------------------------------------------------------------------------
+    # Uncomment the /api/ block below once apps/api (Fastify, port 4000) is up.
+    # The trailing slash on proxy_pass strips the /api/ prefix so the backend
+    # sees /scan, /receipt, etc.
+    #
+    # location /api/ {
+    #     proxy_pass http://127.0.0.1:4000/;
+    #     proxy_http_version 1.1;
+    #     proxy_set_header Host              $host;
+    #     proxy_set_header X-Real-IP         $remote_addr;
+    #     proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+    #     proxy_set_header X-Forwarded-Proto $scheme;
+    #     proxy_set_header Upgrade           $http_upgrade;
+    #     proxy_set_header Connection        $connection_upgrade;
+    # }
+    #
+    # The websocket Upgrade/Connection headers above rely on a $connection_upgrade
+    # map. Add this once in the http{} block of /etc/nginx/nginx.conf:
+    #
+    #     map $http_upgrade $connection_upgrade {
+    #         default upgrade;
+    #         ''      close;
+    #     }
+    # ------------------------------------------------------------------------
+}