Fix deploy.sh: run as normal user, sudo only for privileged ops

Removes root check; uses sudo internally for apt/apache/ufw commands
so git pull and docker commands run as the invoking user (with correct
SSH keys and docker group membership).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

deploy.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # DeckForge Production Deploy Script
 # Idempotent — safe to run multiple times
-# Must run as root (needs apt, apache2, ufw)
+# Run as normal user; script uses sudo internally for privileged operations
 set -euo pipefail
 
 # ── Colours ──────────────────────────────────────────────────────────────────
@@ -10,10 +10,9 @@ info()  { echo -e "${GREEN}[deploy]${NC} $*"; }
 warn()  { echo -e "${YELLOW}[warn]${NC}  $*"; }
 error() { echo -e "${RED}[error]${NC} $*" >&2; }
 
-# ── Root check ────────────────────────────────────────────────────────────────
-if [[ $EUID -ne 0 ]]; then
-  error "This script must be run as root (sudo $0)"
-  exit 1
+# ── Sudo check (need it for apt/apache/ufw but NOT for git/docker) ────────────
+if ! sudo -n true 2>/dev/null; then
+  warn "This script needs sudo for apt/apache/ufw — you may be prompted for your password."
 fi
 
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
@@ -34,13 +33,13 @@ install_if_missing() {
   local cmd=$1; local pkg=${2:-$1}
   if ! command -v "$cmd" &>/dev/null; then
     info "  Installing $pkg..."
-    apt-get install -y "$pkg" -qq
+    sudo apt-get install -y "$pkg" -qq
   else
     info "  $cmd: OK"
   fi
 }
 
-apt-get update -qq
+sudo apt-get update -qq
 
 install_if_missing docker   docker.io
 install_if_missing git      git
@@ -51,18 +50,18 @@ install_if_missing ufw      ufw
 # Docker Compose plugin
 if ! docker compose version &>/dev/null 2>&1; then
   info "  Installing docker-compose-plugin..."
-  apt-get install -y docker-compose-plugin -qq
+  sudo apt-get install -y docker-compose-plugin -qq
 fi
 
 # Apache2
 if ! command -v apache2 &>/dev/null; then
   info "  Installing apache2..."
-  apt-get install -y apache2 -qq
+  sudo apt-get install -y apache2 -qq
 fi
 
 # Enable required Apache modules
 info "  Enabling Apache modules..."
-a2enmod proxy proxy_http proxy_wstunnel headers rewrite -q
+sudo a2enmod proxy proxy_http proxy_wstunnel headers rewrite -q
 
 # ─────────────────────────────────────────────────────────────────────────────
 # STEP 1.5: Port conflict check
@@ -231,26 +230,26 @@ APACHE_CONF_DST="/etc/apache2/sites-available/deckforge.conf"
 sed \
   -e "s/API_PORT/${API_PORT}/g" \
   -e "s/WEB_PORT/${WEB_PORT}/g" \
-  "$APACHE_CONF_SRC" > "$APACHE_CONF_DST"
+  "$APACHE_CONF_SRC" | sudo tee "$APACHE_CONF_DST" > /dev/null
 
 info "  Written $APACHE_CONF_DST"
 
 # Disable default site on first install
 if [[ -L /etc/apache2/sites-enabled/000-default.conf ]]; then
-  a2dissite 000-default.conf -q || true
+  sudo a2dissite 000-default.conf -q || true
   info "  Disabled 000-default.conf"
 fi
 
-a2ensite deckforge.conf -q
+sudo a2ensite deckforge.conf -q
 info "  Enabled deckforge.conf"
 
 # Test Apache config before reloading
-if apache2ctl configtest 2>&1 | grep -q "Syntax OK"; then
-  systemctl reload apache2
+if sudo apache2ctl configtest 2>&1 | grep -q "Syntax OK"; then
+  sudo systemctl reload apache2
   info "  Apache reloaded"
 else
   error "Apache config test failed — check $APACHE_CONF_DST"
-  apache2ctl configtest
+  sudo apache2ctl configtest
   exit 1
 fi
 
@@ -258,11 +257,11 @@ fi
 # STEP 11: UFW Firewall
 # ─────────────────────────────────────────────────────────────────────────────
 info "Step 11: Configuring UFW firewall..."
-ufw default deny incoming  -y 2>/dev/null || true
-ufw default allow outgoing -y 2>/dev/null || true
-ufw allow 22/tcp
-ufw allow 80/tcp
-ufw --force enable
+sudo ufw default deny incoming  -y 2>/dev/null || true
+sudo ufw default allow outgoing -y 2>/dev/null || true
+sudo ufw allow 22/tcp
+sudo ufw allow 80/tcp
+sudo ufw --force enable
 info "  UFW enabled (22/tcp, 80/tcp allowed)"
 
 # ─────────────────────────────────────────────────────────────────────────────