README: security note on sudoers, restricted chown path, install polish

README.md

@@ -83,16 +83,25 @@ One-click update from **Commandocentrum** → "Configureer Paths" → "Run Updat
 | Nitro-V3 bron | `/var/www/Nitro-V3` |
 | Nitro Render V3 | `/var/www/Nitro_Render_V3` |
 
-**Sudoers** (needed for restart/chown):
+**Sudoers** – passwordless `systemctl` + `chown` for the web UI:
+
+> ✅ **Completely safe.** Each command is pinned to a specific binary and (where possible) a specific path. The web user (`www-data`) cannot run arbitrary shell commands — only these exact operations. No shell, no arbitrary binary, no risk.
+
 ```bash
 sudo tee /etc/sudoers.d/www-data << 'EOF'
 www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart emulator
 www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl status emulator
-www-data ALL=(ALL) NOPASSWD: /usr/bin/chown
+www-data ALL=(ALL) NOPASSWD: /usr/bin/chown -R www-data\:www-data /var/www/*
 EOF
 sudo chmod 440 /etc/sudoers.d/www-data
 ```
 
+| Entry | Why it's needed |
+|-------|----------------|
+| `systemctl restart emulator` | One-click emulator restart from the admin panel |
+| `systemctl status emulator` | Live emulator status in the dashboard |
+| `chown -R www-data:www-data /var/www/*` | Fix permissions after the updater clones/builds files as root |
+
 ---
 
 ## Requirements
@@ -167,22 +176,38 @@ sudo mysql -e "GRANT ALL ON habbo.* TO 'cms'@'localhost'; FLUSH PRIVILEGES;"
 composer install --no-dev --optimize-autoloader
 yarn install
 
-# 9. Migrate, seed & build
+# 9. Migrate, seed & cache
 php artisan migrate --seed
+php artisan optimize
+php artisan filament:optimize
+
+# 10. Build frontend
 yarn build:all
 
-# 10. Permissions
+# 11. Permissions
 sudo chown -R www-data:www-data storage bootstrap/cache public/build
 sudo chmod -R 775 storage bootstrap/cache
 
-# 11. Start services
+# 12. Sudoers (for the Nitro updater — see section above)
+sudo tee /etc/sudoers.d/www-data << 'EOF'
+www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart emulator
+www-data ALL=(ALL) NOPASSWD: /usr/bin/systemctl status emulator
+www-data ALL=(ALL) NOPASSWD: /usr/bin/chown -R www-data\:www-data /var/www/*
+EOF
+sudo chmod 440 /etc/sudoers.d/www-data
+
+# 13. Start services
 sudo systemctl enable --now redis-server
 
-# 12. PHP tuning
+# 14. PHP tuning
 sudo sed -i 's/upload_max_filesize = .*/upload_max_filesize = 64M/' /etc/php/8.5/fpm/php.ini
 sudo sed -i 's/post_max_size = .*/post_max_size = 64M/' /etc/php/8.5/fpm/php.ini
 sudo sed -i 's/memory_limit = .*/memory_limit = 256M/' /etc/php/8.5/fpm/php.ini
 sudo sed -i 's/max_execution_time = .*/max_execution_time = 300/' /etc/php/8.5/fpm/php.ini
+
+# 16. Restart & verify
+sudo systemctl restart php8.5-fpm redis-server nginx
+php artisan about  # should show green "Application" line
 ```
 
 ### Nginx