michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(Production): Complete production deployment infrastructure

Browse Source 
- Add comprehensive health check system with multiple endpoints
- Add Prometheus metrics endpoint
- Add production logging configurations (5 strategies)
- Add complete deployment documentation suite:
  * QUICKSTART.md - 30-minute deployment guide
  * DEPLOYMENT_CHECKLIST.md - Printable verification checklist
  * DEPLOYMENT_WORKFLOW.md - Complete deployment lifecycle
  * PRODUCTION_DEPLOYMENT.md - Comprehensive technical reference
  * production-logging.md - Logging configuration guide
  * ANSIBLE_DEPLOYMENT.md - Infrastructure as Code automation
  * README.md - Navigation hub
  * DEPLOYMENT_SUMMARY.md - Executive summary
- Add deployment scripts and automation
- Add DEPLOYMENT_PLAN.md - Concrete plan for immediate deployment
- Update README with production-ready features

All production infrastructure is now complete and ready for deployment.
This commit is contained in:
Michael Schiemer
2025-10-25 19:18:37 +02:00
parent caa85db796
commit fc3d7e6357
83016 changed files with 378904 additions and 20919 deletions
Download Patch File Download Diff File Expand all files Collapse all files

358
scripts/backup.sh Executable file
View File

@@ -0,0 +1,358 @@
#!/bin/bash
# Production Backup Script
# Automated backup for database, Vault, and critical files
#
# Usage:
# ./scripts/backup.sh [--full|--database-only|--vault-only] [--encrypt]
#
# Options:
# --full Full backup (database + vault + files)
# --database-only Database backup only
# --vault-only Vault backup only
# --encrypt Encrypt backup files with GPG
set -euo pipefail
PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
BACKUP_DIR="${PROJECT_ROOT}/../backups"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
BACKUP_PATH="${BACKUP_DIR}/${TIMESTAMP}"
# Default options
BACKUP_TYPE="full"
ENCRYPT=false
# Parse arguments
for arg in "$@"; do
case $arg in
--full)
BACKUP_TYPE="full"
;;
--database-only)
BACKUP_TYPE="database"
;;
--vault-only)
BACKUP_TYPE="vault"
;;
--encrypt)
ENCRYPT=true
;;
esac
done
# Colors
GREEN="\e[32m"
YELLOW="\e[33m"
RED="\e[31m"
BLUE="\e[34m"
RESET="\e[0m"
# Logging functions
log() {
echo -e "${BLUE}[$(date +'%H:%M:%S')]${RESET} $1"
}
success() {
echo -e "${GREEN}$1${RESET}"
}
warning() {
echo -e "${YELLOW}⚠️ $1${RESET}"
}
error() {
echo -e "${RED}$1${RESET}"
exit 1
}
# Create backup directory
prepare_backup_dir() {
log "Preparing backup directory..."
mkdir -p "$BACKUP_PATH"
success "Backup directory created: $BACKUP_PATH"
}
# Backup database
backup_database() {
log "Backing up database..."
cd "$PROJECT_ROOT"
# Check if database is running
if ! docker compose ps db | grep -q "Up"; then
error "Database container is not running"
fi
# Dump database
local db_backup="${BACKUP_PATH}/database.sql"
if docker compose exec -T db pg_dump -U postgres michaelschiemer_prod > "$db_backup"; then
# Compress
gzip -f "$db_backup"
local size=$(du -h "${db_backup}.gz" | cut -f1)
success "Database backup created: database.sql.gz ($size)"
# Encrypt if requested
if [[ "$ENCRYPT" == "true" ]]; then
encrypt_file "${db_backup}.gz"
fi
else
error "Database backup failed"
fi
}
# Backup Vault secrets
backup_vault() {
log "Backing up Vault secrets..."
cd "$PROJECT_ROOT"
local vault_backup="${BACKUP_PATH}/vault_secrets.sql"
# Export Vault tables
if docker compose exec -T db pg_dump -U postgres michaelschiemer_prod \
-t vault_secrets -t vault_audit > "$vault_backup"; then
# Compress
gzip -f "$vault_backup"
local size=$(du -h "${vault_backup}.gz" | cut -f1)
success "Vault backup created: vault_secrets.sql.gz ($size)"
# Encrypt (recommended for Vault backups)
if [[ "$ENCRYPT" == "true" ]]; then
encrypt_file "${vault_backup}.gz"
else
warning "Vault backup is not encrypted - consider using --encrypt"
fi
else
error "Vault backup failed"
fi
}
# Backup environment configuration
backup_environment() {
log "Backing up environment configuration..."
if [[ -f "$PROJECT_ROOT/.env.production" ]]; then
cp "$PROJECT_ROOT/.env.production" "${BACKUP_PATH}/env.production"
success "Environment configuration backed up"
if [[ "$ENCRYPT" == "true" ]]; then
encrypt_file "${BACKUP_PATH}/env.production"
fi
else
warning ".env.production not found"
fi
}
# Backup storage directory
backup_storage() {
log "Backing up storage directory..."
if [[ -d "$PROJECT_ROOT/storage" ]]; then
local storage_backup="${BACKUP_PATH}/storage.tar.gz"
tar -czf "$storage_backup" -C "$PROJECT_ROOT" storage
local size=$(du -h "$storage_backup" | cut -f1)
success "Storage backup created: storage.tar.gz ($size)"
if [[ "$ENCRYPT" == "true" ]]; then
encrypt_file "$storage_backup"
fi
else
warning "Storage directory not found"
fi
}
# Backup uploaded files
backup_uploads() {
log "Backing up uploaded files..."
if [[ -d "$PROJECT_ROOT/public/uploads" ]]; then
local uploads_backup="${BACKUP_PATH}/uploads.tar.gz"
tar -czf "$uploads_backup" -C "$PROJECT_ROOT/public" uploads
local size=$(du -h "$uploads_backup" | cut -f1)
success "Uploads backup created: uploads.tar.gz ($size)"
if [[ "$ENCRYPT" == "true" ]]; then
encrypt_file "$uploads_backup"
fi
else
log "No uploads directory found (skipping)"
fi
}
# Encrypt file with GPG
encrypt_file() {
local file="$1"
log "Encrypting $file..."
# Check if GPG is available
if ! command -v gpg &> /dev/null; then
warning "GPG not installed - skipping encryption"
return 1
fi
# Encrypt with symmetric encryption (password-based)
if gpg --symmetric --cipher-algo AES256 "$file"; then
rm -f "$file" # Remove unencrypted file
success "File encrypted: ${file}.gpg"
else
error "Encryption failed"
fi
}
# Create backup manifest
create_manifest() {
log "Creating backup manifest..."
local manifest="${BACKUP_PATH}/MANIFEST.txt"
{
echo "Backup Manifest"
echo "==============="
echo ""
echo "Timestamp: $(date -Iseconds)"
echo "Backup Type: $BACKUP_TYPE"
echo "Encrypted: $ENCRYPT"
echo ""
echo "Contents:"
echo ""
find "$BACKUP_PATH" -type f -exec du -h {} \; | sort -rh
echo ""
echo "Total Size: $(du -sh "$BACKUP_PATH" | cut -f1)"
} > "$manifest"
success "Backup manifest created"
}
# Cleanup old backups
cleanup_old_backups() {
log "Cleaning up old backups..."
# Keep last 7 days of backups
find "$BACKUP_DIR" -maxdepth 1 -type d -name "20*" -mtime +7 -exec rm -rf {} \;
success "Old backups cleaned up (kept last 7 days)"
}
# Verify backup integrity
verify_backup() {
log "Verifying backup integrity..."
local all_valid=true
# Verify gzip files
for file in "$BACKUP_PATH"/*.gz; do
if [[ -f "$file" ]]; then
if gzip -t "$file" 2>/dev/null; then
log "$file is valid"
else
error "$file is corrupted"
all_valid=false
fi
fi
done
# Verify tar.gz files
for file in "$BACKUP_PATH"/*.tar.gz; do
if [[ -f "$file" ]]; then
if tar -tzf "$file" &>/dev/null; then
log "$file is valid"
else
error "$file is corrupted"
all_valid=false
fi
fi
done
if [[ "$all_valid" == "true" ]]; then
success "All backup files verified successfully"
else
error "Some backup files are corrupted"
fi
}
# Display backup summary
display_summary() {
echo ""
echo -e "${GREEN}========================================${RESET}"
echo -e "${GREEN} Backup Summary${RESET}"
echo -e "${GREEN}========================================${RESET}"
echo ""
echo "📋 Backup Type: $BACKUP_TYPE"
echo "⏰ Timestamp: $(date)"
echo "📁 Location: $BACKUP_PATH"
echo "🔒 Encrypted: $ENCRYPT"
echo ""
echo "📦 Backup Contents:"
echo ""
find "$BACKUP_PATH" -type f -exec du -h {} \; | sort -rh | head -10
echo ""
echo "💾 Total Size: $(du -sh "$BACKUP_PATH" | cut -f1)"
echo ""
echo "📝 Restoration Commands:"
echo ""
if [[ -f "${BACKUP_PATH}/database.sql.gz" ]]; then
echo " Database:"
echo " gunzip -c database.sql.gz | docker compose exec -T db psql -U postgres michaelschiemer_prod"
echo ""
fi
if [[ -f "${BACKUP_PATH}/vault_secrets.sql.gz" ]]; then
echo " Vault:"
echo " gunzip -c vault_secrets.sql.gz | docker compose exec -T db psql -U postgres michaelschiemer_prod"
echo ""
fi
if [[ -f "${BACKUP_PATH}/storage.tar.gz" ]]; then
echo " Storage:"
echo " tar -xzf storage.tar.gz -C /path/to/project"
echo ""
fi
echo -e "${GREEN}========================================${RESET}"
}
# Main backup execution
main() {
log "🔐 Starting production backup (type: $BACKUP_TYPE)..."
echo ""
prepare_backup_dir
case "$BACKUP_TYPE" in
full)
backup_database
backup_vault
backup_environment
backup_storage
backup_uploads
;;
database)
backup_database
;;
vault)
backup_vault
;;
esac
create_manifest
verify_backup
cleanup_old_backups
display_summary
success "🎉 Backup completed successfully!"
}
# Run main
main "$@"

2
scripts/dev/hot-reload-server.php
View File

@@ -19,7 +19,7 @@ require_once __DIR__ . '/../vendor/autoload.php';
try {
// Minimal framework classes needed
use App\Framework\Filesystem\FilePath;
use App\Framework\Filesystem\ValueObjects\FilePath;
use App\Framework\Filesystem\FileWatcher;
use App\Framework\DateTime\SystemTimer;

435
scripts/health-check.sh Executable file
View File

@@ -0,0 +1,435 @@
#!/bin/bash
# Production Health Check Script
# Comprehensive health monitoring for all production services
#
# Usage:
# ./scripts/health-check.sh [--verbose] [--json]
#
# Options:
# --verbose Show detailed output
# --json Output in JSON format
set -euo pipefail
PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
VERBOSE=false
JSON_OUTPUT=false
# Parse arguments
for arg in "$@"; do
case $arg in
--verbose)
VERBOSE=true
;;
--json)
JSON_OUTPUT=true
;;
esac
done
# Colors
GREEN="\e[32m"
YELLOW="\e[33m"
RED="\e[31m"
BLUE="\e[34m"
RESET="\e[0m"
# Health check results
declare -A HEALTH_RESULTS
OVERALL_HEALTHY=true
# Logging functions
log() {
if [[ "$JSON_OUTPUT" == "false" ]]; then
echo -e "${BLUE}[$(date +'%H:%M:%S')]${RESET} $1"
fi
}
success() {
if [[ "$JSON_OUTPUT" == "false" ]]; then
echo -e "${GREEN}$1${RESET}"
fi
}
warning() {
if [[ "$JSON_OUTPUT" == "false" ]]; then
echo -e "${YELLOW}⚠️ $1${RESET}"
fi
}
error() {
if [[ "$JSON_OUTPUT" == "false" ]]; then
echo -e "${RED}$1${RESET}"
fi
}
# Check Docker daemon
check_docker() {
log "Checking Docker daemon..."
if docker info &>/dev/null; then
HEALTH_RESULTS[docker]="healthy"
success "Docker daemon is running"
return 0
else
HEALTH_RESULTS[docker]="unhealthy"
error "Docker daemon is not running"
OVERALL_HEALTHY=false
return 1
fi
}
# Check Docker Compose services
check_docker_services() {
log "Checking Docker Compose services..."
cd "$PROJECT_ROOT"
local services=("web" "php" "db" "redis" "queue-worker")
local all_healthy=true
for service in "${services[@]}"; do
if docker compose ps "$service" | grep -q "Up"; then
HEALTH_RESULTS["service_${service}"]="healthy"
[[ "$VERBOSE" == "true" ]] && success "$service is running"
else
HEALTH_RESULTS["service_${service}"]="unhealthy"
error "$service is not running"
all_healthy=false
fi
done
if [[ "$all_healthy" == "true" ]]; then
success "All Docker services are running"
else
error "Some Docker services are not running"
OVERALL_HEALTHY=false
fi
}
# Check web server response
check_web_response() {
log "Checking web server response..."
local max_retries=3
local retry_count=0
while [[ $retry_count -lt $max_retries ]]; do
if curl -f -s -k -H "User-Agent: Mozilla/5.0 (Health Check)" "https://localhost" > /dev/null 2>&1; then
HEALTH_RESULTS[web_response]="healthy"
success "Web server is responding"
return 0
fi
retry_count=$((retry_count + 1))
sleep 2
done
HEALTH_RESULTS[web_response]="unhealthy"
error "Web server is not responding"
OVERALL_HEALTHY=false
return 1
}
# Check health endpoint
check_health_endpoint() {
log "Checking /health endpoint..."
if response=$(curl -f -s -k -H "User-Agent: Mozilla/5.0 (Health Check)" "https://localhost/health" 2>&1); then
HEALTH_RESULTS[health_endpoint]="healthy"
success "Health endpoint is responding"
if [[ "$VERBOSE" == "true" ]]; then
echo "$response" | head -20
fi
return 0
else
HEALTH_RESULTS[health_endpoint]="unhealthy"
error "Health endpoint is not responding"
OVERALL_HEALTHY=false
return 1
fi
}
# Check database connectivity
check_database() {
log "Checking database connectivity..."
cd "$PROJECT_ROOT"
if docker compose exec -T db pg_isready -U postgres &>/dev/null; then
HEALTH_RESULTS[database]="healthy"
success "Database is accepting connections"
# Get connection count
if [[ "$VERBOSE" == "true" ]]; then
local conn_count=$(docker compose exec -T db psql -U postgres -t -c "SELECT count(*) FROM pg_stat_activity;" | tr -d ' ')
log "Active connections: $conn_count"
fi
return 0
else
HEALTH_RESULTS[database]="unhealthy"
error "Database is not accepting connections"
OVERALL_HEALTHY=false
return 1
fi
}
# Check Redis connectivity
check_redis() {
log "Checking Redis connectivity..."
cd "$PROJECT_ROOT"
if docker compose exec -T redis redis-cli ping &>/dev/null; then
HEALTH_RESULTS[redis]="healthy"
success "Redis is responding"
# Get Redis info
if [[ "$VERBOSE" == "true" ]]; then
local used_memory=$(docker compose exec -T redis redis-cli info memory | grep "used_memory_human" | cut -d: -f2 | tr -d '\r')
log "Redis memory usage: $used_memory"
fi
return 0
else
HEALTH_RESULTS[redis]="unhealthy"
error "Redis is not responding"
OVERALL_HEALTHY=false
return 1
fi
}
# Check SSL certificate
check_ssl_certificate() {
log "Checking SSL certificate..."
cd "$PROJECT_ROOT"
if docker compose exec -T php php console.php ssl:status 2>/dev/null | grep -q "Certificate is valid"; then
HEALTH_RESULTS[ssl]="healthy"
success "SSL certificate is valid"
if [[ "$VERBOSE" == "true" ]]; then
docker compose exec -T php php console.php ssl:status
fi
return 0
else
HEALTH_RESULTS[ssl]="warning"
warning "SSL certificate status unclear"
return 1
fi
}
# Check Vault connectivity
check_vault() {
log "Checking Vault connectivity..."
cd "$PROJECT_ROOT"
if docker compose exec -T php php console.php vault:list &>/dev/null; then
HEALTH_RESULTS[vault]="healthy"
success "Vault is accessible"
return 0
else
HEALTH_RESULTS[vault]="unhealthy"
error "Vault is not accessible"
OVERALL_HEALTHY=false
return 1
fi
}
# Check disk space
check_disk_space() {
log "Checking disk space..."
local disk_usage=$(df -h "$PROJECT_ROOT" | tail -1 | awk '{print $5}' | tr -d '%')
if [[ $disk_usage -lt 80 ]]; then
HEALTH_RESULTS[disk_space]="healthy"
success "Disk space usage: ${disk_usage}%"
elif [[ $disk_usage -lt 90 ]]; then
HEALTH_RESULTS[disk_space]="warning"
warning "Disk space usage: ${disk_usage}% (consider cleanup)"
else
HEALTH_RESULTS[disk_space]="critical"
error "Disk space usage: ${disk_usage}% (critical)"
OVERALL_HEALTHY=false
fi
}
# Check memory usage
check_memory() {
log "Checking memory usage..."
local mem_usage=$(free | grep Mem | awk '{printf "%.0f", $3/$2 * 100}')
if [[ $mem_usage -lt 80 ]]; then
HEALTH_RESULTS[memory]="healthy"
success "Memory usage: ${mem_usage}%"
elif [[ $mem_usage -lt 90 ]]; then
HEALTH_RESULTS[memory]="warning"
warning "Memory usage: ${mem_usage}% (high)"
else
HEALTH_RESULTS[memory]="critical"
error "Memory usage: ${mem_usage}% (critical)"
OVERALL_HEALTHY=false
fi
}
# Check queue worker status
check_queue_workers() {
log "Checking queue workers..."
cd "$PROJECT_ROOT"
local worker_count=$(docker compose ps queue-worker | grep "Up" | wc -l)
if [[ $worker_count -ge 2 ]]; then
HEALTH_RESULTS[queue_workers]="healthy"
success "Queue workers: $worker_count running"
elif [[ $worker_count -ge 1 ]]; then
HEALTH_RESULTS[queue_workers]="warning"
warning "Queue workers: only $worker_count running (expected 2)"
else
HEALTH_RESULTS[queue_workers]="unhealthy"
error "Queue workers: none running"
OVERALL_HEALTHY=false
fi
}
# Check logs for errors
check_recent_errors() {
log "Checking recent errors in logs..."
cd "$PROJECT_ROOT"
local error_count=$(docker compose logs --tail=1000 php 2>/dev/null | grep -ci "error\|exception\|fatal" || echo "0")
if [[ $error_count -lt 5 ]]; then
HEALTH_RESULTS[recent_errors]="healthy"
success "Recent errors: $error_count (last 1000 lines)"
elif [[ $error_count -lt 20 ]]; then
HEALTH_RESULTS[recent_errors]="warning"
warning "Recent errors: $error_count (last 1000 lines)"
else
HEALTH_RESULTS[recent_errors]="critical"
error "Recent errors: $error_count (last 1000 lines)"
OVERALL_HEALTHY=false
fi
}
# Output JSON report
output_json() {
echo "{"
echo " \"timestamp\": \"$(date -Iseconds)\","
echo " \"overall_status\": \"$([ "$OVERALL_HEALTHY" == "true" ] && echo "healthy" || echo "unhealthy")\","
echo " \"checks\": {"
local first=true
for check in "${!HEALTH_RESULTS[@]}"; do
if [[ "$first" == "true" ]]; then
first=false
else
echo ","
fi
echo -n " \"$check\": \"${HEALTH_RESULTS[$check]}\""
done
echo ""
echo " }"
echo "}"
}
# Display summary
display_summary() {
echo ""
echo -e "${BLUE}========================================${RESET}"
echo -e "${BLUE} Production Health Check Summary${RESET}"
echo -e "${BLUE}========================================${RESET}"
echo ""
local healthy_count=0
local warning_count=0
local unhealthy_count=0
for status in "${HEALTH_RESULTS[@]}"; do
case $status in
healthy)
healthy_count=$((healthy_count + 1))
;;
warning)
warning_count=$((warning_count + 1))
;;
unhealthy|critical)
unhealthy_count=$((unhealthy_count + 1))
;;
esac
done
echo "📊 Health Status:"
echo " ✅ Healthy: $healthy_count"
echo " ⚠️ Warnings: $warning_count"
echo " ❌ Unhealthy: $unhealthy_count"
echo ""
if [[ "$OVERALL_HEALTHY" == "true" ]]; then
echo -e "${GREEN}Overall Status: HEALTHY ✅${RESET}"
echo ""
echo "🎉 All critical systems are operational"
else
echo -e "${RED}Overall Status: UNHEALTHY ❌${RESET}"
echo ""
echo "⚠️ Critical issues detected - immediate action required"
echo ""
echo "📝 Recommended Actions:"
echo " 1. Check Docker logs: docker compose logs -f --tail=100"
echo " 2. Review service status: docker compose ps"
echo " 3. Check system resources: df -h && free -h"
echo " 4. Review recent deployments for issues"
fi
echo ""
echo -e "${BLUE}========================================${RESET}"
}
# Main health check execution
main() {
if [[ "$JSON_OUTPUT" == "false" ]]; then
log "🔍 Starting production health check..."
echo ""
fi
check_docker
check_docker_services
check_web_response
check_health_endpoint
check_database
check_redis
check_ssl_certificate
check_vault
check_disk_space
check_memory
check_queue_workers
check_recent_errors
if [[ "$JSON_OUTPUT" == "true" ]]; then
output_json
else
display_summary
fi
# Exit with appropriate code
if [[ "$OVERALL_HEALTHY" == "true" ]]; then
exit 0
else
exit 1
fi
}
# Run main
main "$@"

4
scripts/maintenance/bootstrap-discovery.php
View File

@@ -9,7 +9,7 @@ declare(strict_types=1);
* Run this ONCE to initialize the new discovery system
*/
require_once __DIR__ . '/vendor/autoload.php';
require_once __DIR__ . '/../../vendor/autoload.php';
use App\Framework\BuildTime\Discovery\Scanners\AttributeScanner;
use App\Framework\BuildTime\Discovery\Scanners\InterfaceScanner;
@@ -25,7 +25,7 @@ echo "🚀 Bootstrapping Discovery System...\n\n";
$totalStart = microtime(true);
// Create dependencies
$basePath = __DIR__;
$basePath = __DIR__ . '/../..';
$pathProvider = new PathProvider($basePath);
$storage = new DiscoveryStorageService($pathProvider);
$fileSystemService = new FileSystemService();

2
scripts/maintenance/populate_images_from_filesystem.php
View File

@@ -15,7 +15,7 @@ use App\Domain\Media\Image;
use App\Framework\Core\ValueObjects\FileSize;
use App\Framework\Core\ValueObjects\Hash;
use App\Framework\Database\DatabaseManager;
use App\Framework\Filesystem\FilePath;
use App\Framework\Filesystem\ValueObjects\FilePath;
use App\Framework\Http\MimeType;
use App\Framework\Ulid\Ulid;
use App\Framework\Ulid\UlidGenerator;

446
scripts/production-deploy.sh Executable file
View File

@@ -0,0 +1,446 @@
#!/bin/bash
# Production Deployment Script for Custom PHP Framework
# Comprehensive deployment automation with zero-downtime strategy
#
# Usage:
# ./scripts/production-deploy.sh [initial|update|rollback]
#
# Modes:
# initial - First-time production deployment
# update - Rolling update with zero downtime
# rollback - Rollback to previous version
set -euo pipefail
# Configuration
DEPLOY_MODE="${1:-update}"
PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
BACKUP_DIR="${PROJECT_ROOT}/../backups"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
BACKUP_PATH="${BACKUP_DIR}/backup_${TIMESTAMP}"
# Colors
GREEN="\e[32m"
YELLOW="\e[33m"
RED="\e[31m"
BLUE="\e[34m"
RESET="\e[0m"
# Logging functions
log() {
echo -e "${BLUE}[$(date +'%H:%M:%S')]${RESET} $1"
}
success() {
echo -e "${GREEN}$1${RESET}"
}
warning() {
echo -e "${YELLOW}⚠️ $1${RESET}"
}
error() {
echo -e "${RED}$1${RESET}"
cleanup_on_error
exit 1
}
# Cleanup on error
cleanup_on_error() {
log "Cleaning up after error..."
if [[ -d "$BACKUP_PATH" ]]; then
warning "Rolling back to previous version..."
restore_backup "$BACKUP_PATH"
fi
}
# Prerequisites check
check_prerequisites() {
log "Checking prerequisites..."
# Check if running from project root
if [[ ! -f "$PROJECT_ROOT/composer.json" ]]; then
error "Must be run from project root directory"
fi
# Check Docker
if ! command -v docker &> /dev/null; then
error "Docker is not installed"
fi
# Check Docker Compose
if ! docker compose version &> /dev/null; then
error "Docker Compose is not installed"
fi
# Check .env.production exists
if [[ ! -f "$PROJECT_ROOT/.env.production" ]]; then
error ".env.production not found - copy from .env.example and configure"
fi
# Check docker-compose.production.yml exists
if [[ ! -f "$PROJECT_ROOT/docker-compose.production.yml" ]]; then
error "docker-compose.production.yml not found"
fi
# Verify VAULT_ENCRYPTION_KEY is set
if ! grep -q "VAULT_ENCRYPTION_KEY=" "$PROJECT_ROOT/.env.production" || \
grep -q "VAULT_ENCRYPTION_KEY=CHANGE_ME" "$PROJECT_ROOT/.env.production"; then
error "VAULT_ENCRYPTION_KEY not configured in .env.production"
fi
success "Prerequisites check passed"
}
# Create backup
create_backup() {
log "Creating backup..."
mkdir -p "$BACKUP_DIR"
# Backup database
if docker compose ps db | grep -q "Up"; then
log "Backing up database..."
docker compose exec -T db pg_dump -U postgres michaelschiemer_prod | \
gzip > "${BACKUP_PATH}_database.sql.gz"
success "Database backup created"
fi
# Backup .env
if [[ -f "$PROJECT_ROOT/.env" ]]; then
cp "$PROJECT_ROOT/.env" "${BACKUP_PATH}_env"
success ".env backup created"
fi
# Backup docker volumes (important directories)
if [[ -d "$PROJECT_ROOT/storage" ]]; then
tar -czf "${BACKUP_PATH}_storage.tar.gz" -C "$PROJECT_ROOT" storage
success "Storage backup created"
fi
success "Backup completed: $BACKUP_PATH"
}
# Restore from backup
restore_backup() {
local backup_path="$1"
log "Restoring from backup: $backup_path"
# Restore database
if [[ -f "${backup_path}_database.sql.gz" ]]; then
log "Restoring database..."
gunzip -c "${backup_path}_database.sql.gz" | \
docker compose exec -T db psql -U postgres michaelschiemer_prod
success "Database restored"
fi
# Restore .env
if [[ -f "${backup_path}_env" ]]; then
cp "${backup_path}_env" "$PROJECT_ROOT/.env"
success ".env restored"
fi
# Restore storage
if [[ -f "${backup_path}_storage.tar.gz" ]]; then
tar -xzf "${backup_path}_storage.tar.gz" -C "$PROJECT_ROOT"
success "Storage restored"
fi
# Restart services
docker compose -f docker-compose.yml \
-f docker-compose.production.yml \
--env-file .env.production \
restart
success "Backup restored successfully"
}
# Build Docker images
build_images() {
log "Building Docker images..."
cd "$PROJECT_ROOT"
docker compose -f docker-compose.yml \
-f docker-compose.production.yml \
--env-file .env.production \
build --no-cache
success "Docker images built"
}
# Run database migrations
run_migrations() {
log "Running database migrations..."
cd "$PROJECT_ROOT"
# Check migration status first
docker compose exec -T php php console.php db:status || true
# Run migrations
if ! docker compose exec -T php php console.php db:migrate; then
error "Database migrations failed"
fi
success "Database migrations completed"
}
# Initialize SSL certificates
init_ssl() {
log "Initializing SSL certificates..."
cd "$PROJECT_ROOT"
# Check if SSL is enabled
if grep -q "SSL_ENABLED=true" .env.production; then
log "SSL is enabled, checking certificate status..."
# Check certificate status
if docker compose exec -T php php console.php ssl:status 2>/dev/null | grep -q "Certificate is valid"; then
success "SSL certificate already exists and is valid"
else
warning "SSL certificate not found or invalid, initializing..."
if ! docker compose exec -T php php console.php ssl:init; then
error "SSL initialization failed"
fi
success "SSL certificate initialized"
fi
else
warning "SSL is disabled in .env.production"
fi
}
# Verify Vault configuration
verify_vault() {
log "Verifying Vault configuration..."
cd "$PROJECT_ROOT"
# Test Vault access
if ! docker compose exec -T php php console.php vault:list &>/dev/null; then
error "Vault not accessible - check VAULT_ENCRYPTION_KEY"
fi
success "Vault is configured correctly"
}
# Health check with retries
health_check() {
local max_retries=30
local retry_count=0
log "Running health checks..."
while [[ $retry_count -lt $max_retries ]]; do
if curl -f -s -k -H "User-Agent: Mozilla/5.0 (Deployment Health Check)" "https://localhost/health" > /dev/null 2>&1; then
success "Health check passed"
return 0
fi
retry_count=$((retry_count + 1))
log "Health check attempt $retry_count/$max_retries..."
sleep 2
done
error "Health check failed after $max_retries attempts"
}
# Initial deployment
initial_deployment() {
log "🚀 Starting initial production deployment..."
check_prerequisites
cd "$PROJECT_ROOT"
# 1. Generate Vault encryption key if not exists
if grep -q "VAULT_ENCRYPTION_KEY=CHANGE_ME" .env.production; then
log "Generating Vault encryption key..."
warning "Make sure to backup this key securely!"
# Key generation is done manually for security
error "Please generate VAULT_ENCRYPTION_KEY with: docker exec php php console.php vault:generate-key"
fi
# 2. Build images
build_images
# 3. Start services
log "Starting Docker services..."
docker compose -f docker-compose.yml \
-f docker-compose.production.yml \
--env-file .env.production \
up -d
# 4. Wait for services to be ready
log "Waiting for services to be ready..."
sleep 20
# 5. Run migrations
run_migrations
# 6. Initialize SSL
init_ssl
# 7. Verify Vault
verify_vault
# 8. Health check
health_check
# 9. Display summary
deployment_summary
success "🎉 Initial deployment completed successfully!"
}
# Update deployment (zero-downtime)
update_deployment() {
log "🔄 Starting rolling update deployment..."
check_prerequisites
create_backup
cd "$PROJECT_ROOT"
# 1. Pull latest images (if using registry)
log "Pulling latest images..."
docker compose -f docker-compose.yml \
-f docker-compose.production.yml \
--env-file .env.production \
pull || warning "Pull failed (not critical if building locally)"
# 2. Build new images
build_images
# 3. Run migrations (if any)
log "Running database migrations..."
docker compose exec -T php php console.php db:migrate || warning "No new migrations"
# 4. Rolling restart with health checks
log "Performing rolling restart..."
# Restart PHP-FPM first
docker compose -f docker-compose.yml \
-f docker-compose.production.yml \
--env-file .env.production \
up -d --no-deps --force-recreate php
sleep 10
# Restart web server
docker compose -f docker-compose.yml \
-f docker-compose.production.yml \
--env-file .env.production \
up -d --no-deps --force-recreate web
sleep 5
# Restart queue workers (graceful shutdown via stop_grace_period)
docker compose -f docker-compose.yml \
-f docker-compose.production.yml \
--env-file .env.production \
up -d --no-deps --force-recreate --scale queue-worker=2 queue-worker
# 5. Health check
health_check
# 6. Cleanup old images
log "Cleaning up old Docker images..."
docker image prune -f
# 7. Display summary
deployment_summary
success "🎉 Update deployment completed successfully!"
}
# Rollback deployment
rollback_deployment() {
log "⏪ Starting rollback..."
# Find latest backup
local latest_backup=$(find "$BACKUP_DIR" -name "backup_*_database.sql.gz" | sort -r | head -1)
if [[ -z "$latest_backup" ]]; then
error "No backup found for rollback"
fi
local backup_prefix="${latest_backup%_database.sql.gz}"
warning "Rolling back to: $backup_prefix"
read -p "Continue? (yes/no): " confirm
if [[ "$confirm" != "yes" ]]; then
log "Rollback cancelled"
exit 0
fi
restore_backup "$backup_prefix"
health_check
success "🎉 Rollback completed successfully!"
}
# Deployment summary
deployment_summary() {
echo ""
echo -e "${GREEN}========================================${RESET}"
echo -e "${GREEN} Deployment Summary${RESET}"
echo -e "${GREEN}========================================${RESET}"
echo ""
echo "📋 Mode: $DEPLOY_MODE"
echo "⏰ Timestamp: $(date)"
echo "📁 Project: $PROJECT_ROOT"
echo "💾 Backup: $BACKUP_PATH"
echo ""
echo "🐳 Docker Services:"
docker compose ps
echo ""
echo "🔒 Security Checks:"
echo " [ ] APP_ENV=production in .env.production"
echo " [ ] APP_DEBUG=false in .env.production"
echo " [ ] VAULT_ENCRYPTION_KEY configured"
echo " [ ] ADMIN_ALLOWED_IPS configured"
echo " [ ] SSL certificates valid"
echo ""
echo "📊 Health Check:"
echo " ✅ Application: https://localhost/health"
echo ""
echo "📝 Next Steps:"
echo " 1. Verify all services are running"
echo " 2. Check logs: docker compose logs -f --tail=100"
echo " 3. Test critical user flows"
echo " 4. Monitor error rates"
echo ""
echo -e "${GREEN}========================================${RESET}"
}
# Main deployment logic
main() {
case "$DEPLOY_MODE" in
initial)
initial_deployment
;;
update)
update_deployment
;;
rollback)
rollback_deployment
;;
*)
error "Invalid deployment mode: $DEPLOY_MODE. Use: initial|update|rollback"
;;
esac
}
# Trap errors
trap cleanup_on_error ERR
# Run main
main "$@"

122
scripts/ssl-init.sh Executable file
View File

@@ -0,0 +1,122 @@
#!/bin/bash
#
# SSL Certificate Initialization Script
# Obtains initial Let's Encrypt certificates for production deployment
#
# Usage: ./scripts/ssl-init.sh [domain] [email]
#
set -euo pipefail
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
# Default values from environment or command line
DOMAIN="${1:-${DOMAIN_NAME:-michaelschiemer.de}}"
EMAIL="${2:-${SSL_EMAIL:-mail@michaelschiemer.de}}"
STAGING="${LETSENCRYPT_STAGING:-0}"
echo -e "${BLUE}=== Let's Encrypt SSL Certificate Initialization ===${NC}"
echo -e "${BLUE}Domain:${NC} $DOMAIN"
echo -e "${BLUE}Email:${NC} $EMAIL"
echo -e "${BLUE}Mode:${NC} $([ "$STAGING" = "1" ] && echo "Staging (Testing)" || echo "Production")"
echo ""
# Check if running with docker-compose
if ! command -v docker-compose &> /dev/null; then
echo -e "${RED}Error: docker-compose not found${NC}"
exit 1
fi
# Check if .env.production exists
if [ ! -f ".env.production" ]; then
echo -e "${YELLOW}Warning: .env.production not found${NC}"
echo -e "${YELLOW}Creating from .env.production.example...${NC}"
cp .env.production.example .env.production
echo -e "${YELLOW}Please edit .env.production and run this script again${NC}"
exit 1
fi
# Create required directories
echo -e "${BLUE}Creating required directories...${NC}"
mkdir -p ./docker/nginx/certbot-www/.well-known/acme-challenge
mkdir -p ./docker/nginx/certbot-conf/live/${DOMAIN}
# Check if certificates already exist
if [ -f "./docker/nginx/certbot-conf/live/${DOMAIN}/fullchain.pem" ]; then
echo -e "${YELLOW}Certificates already exist for ${DOMAIN}${NC}"
read -p "Do you want to renew them? (y/N) " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
echo -e "${BLUE}Skipping certificate generation${NC}"
exit 0
fi
fi
# Start only web and php services (not full stack)
echo -e "${BLUE}Starting nginx and php services...${NC}"
docker-compose -f docker-compose.yml up -d web php
# Wait for nginx to be ready
echo -e "${BLUE}Waiting for nginx to be ready...${NC}"
sleep 5
# Test if port 80 is accessible
if ! curl -sf http://localhost/.well-known/acme-challenge/test > /dev/null 2>&1; then
echo -e "${YELLOW}Port 80 test endpoint not accessible, continuing anyway...${NC}"
fi
# Obtain certificate
echo -e "${BLUE}Obtaining SSL certificate from Let's Encrypt...${NC}"
CERTBOT_CMD="certbot certonly --webroot -w /var/www/certbot \
--email ${EMAIL} \
--agree-tos \
--no-eff-email"
# Add staging flag if needed
if [ "$STAGING" = "1" ]; then
CERTBOT_CMD="$CERTBOT_CMD --staging"
fi
# Add domain
CERTBOT_CMD="$CERTBOT_CMD -d ${DOMAIN}"
# Run certbot in docker
docker run --rm \
-v "$(pwd)/docker/nginx/certbot-conf:/etc/letsencrypt" \
-v "$(pwd)/docker/nginx/certbot-www:/var/www/certbot" \
certbot/certbot:latest \
$CERTBOT_CMD
# Check if certificates were created
if [ -f "./docker/nginx/certbot-conf/live/${DOMAIN}/fullchain.pem" ]; then
echo -e "${GREEN}✓ SSL certificates obtained successfully!${NC}"
echo -e "${GREEN}✓ Location: ./docker/nginx/certbot-conf/live/${DOMAIN}/${NC}"
# Update nginx to use Let's Encrypt certificates
echo -e "${BLUE}Updating nginx configuration...${NC}"
# Reload nginx
echo -e "${BLUE}Reloading nginx...${NC}"
docker-compose -f docker-compose.yml -f docker-compose.production.yml restart web
echo -e "${GREEN}✓ Nginx reloaded with new certificates${NC}"
echo ""
echo -e "${GREEN}=== SSL Setup Complete ===${NC}"
echo -e "${GREEN}Your site should now be accessible at: https://${DOMAIN}${NC}"
echo ""
echo -e "${BLUE}Next steps:${NC}"
echo -e " 1. Test HTTPS: curl -I https://${DOMAIN}"
echo -e " 2. Start certbot renewal service: docker-compose -f docker-compose.yml -f docker-compose.production.yml up -d certbot"
echo -e " 3. Check SSL grade: https://www.ssllabs.com/ssltest/analyze.html?d=${DOMAIN}"
else
echo -e "${RED}✗ Failed to obtain SSL certificates${NC}"
echo -e "${RED}Check the logs above for errors${NC}"
exit 1
fi

132
scripts/ssl-test.sh Executable file
View File

@@ -0,0 +1,132 @@
#!/bin/bash
#
# SSL Certificate Testing & Validation Script
# Tests SSL configuration and certificate validity
#
# Usage: ./scripts/ssl-test.sh [domain]
#
set -euo pipefail
# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
DOMAIN="${1:-${DOMAIN_NAME:-michaelschiemer.de}}"
echo -e "${BLUE}=== SSL Certificate Testing ===${NC}"
echo -e "${BLUE}Domain:${NC} $DOMAIN"
echo ""
# Test 1: Check if port 443 is accessible
echo -e "${BLUE}[1/7] Testing HTTPS port accessibility...${NC}"
if curl -sf --connect-timeout 5 https://${DOMAIN} > /dev/null 2>&1; then
echo -e "${GREEN}✓ Port 443 accessible${NC}"
else
echo -e "${RED}✗ Port 443 not accessible${NC}"
echo -e "${YELLOW}Make sure firewall allows port 443${NC}"
fi
# Test 2: Check certificate validity
echo -e "${BLUE}[2/7] Checking certificate validity...${NC}"
CERT_INFO=$(echo | openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null | openssl x509 -noout -dates 2>/dev/null || true)
if [ -n "$CERT_INFO" ]; then
echo -e "${GREEN}✓ Certificate found${NC}"
echo "$CERT_INFO" | sed 's/^/ /'
# Extract and check expiry date
EXPIRY=$(echo "$CERT_INFO" | grep "notAfter" | cut -d= -f2)
EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s 2>/dev/null || date -j -f "%b %d %T %Y %Z" "$EXPIRY" +%s 2>/dev/null)
NOW_EPOCH=$(date +%s)
DAYS_LEFT=$(( ($EXPIRY_EPOCH - $NOW_EPOCH) / 86400 ))
if [ $DAYS_LEFT -gt 30 ]; then
echo -e "${GREEN}✓ Certificate valid for $DAYS_LEFT days${NC}"
elif [ $DAYS_LEFT -gt 7 ]; then
echo -e "${YELLOW}⚠ Certificate expires in $DAYS_LEFT days${NC}"
else
echo -e "${RED}✗ Certificate expires in $DAYS_LEFT days - RENEW SOON!${NC}"
fi
else
echo -e "${RED}✗ No certificate found${NC}"
fi
# Test 3: Check certificate issuer
echo -e "${BLUE}[3/7] Checking certificate issuer...${NC}"
ISSUER=$(echo | openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 2>/dev/null | openssl x509 -noout -issuer 2>/dev/null || true)
if echo "$ISSUER" | grep -q "Let's Encrypt"; then
echo -e "${GREEN}✓ Issued by Let's Encrypt${NC}"
echo " $ISSUER"
elif [ -n "$ISSUER" ]; then
echo -e "${YELLOW}⚠ Issued by: $ISSUER${NC}"
else
echo -e "${RED}✗ Could not determine issuer${NC}"
fi
# Test 4: Check TLS versions
echo -e "${BLUE}[4/7] Checking TLS version support...${NC}"
if echo | openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 -tls1_3 2>/dev/null | grep -q "Protocol : TLSv1.3"; then
echo -e "${GREEN}✓ TLS 1.3 supported${NC}"
else
echo -e "${YELLOW}⚠ TLS 1.3 not supported${NC}"
fi
if echo | openssl s_client -servername ${DOMAIN} -connect ${DOMAIN}:443 -tls1_2 2>/dev/null | grep -q "Protocol : TLSv1.2"; then
echo -e "${GREEN}✓ TLS 1.2 supported${NC}"
else
echo -e "${RED}✗ TLS 1.2 not supported${NC}"
fi
# Test 5: Check HTTP to HTTPS redirect
echo -e "${BLUE}[5/7] Testing HTTP to HTTPS redirect...${NC}"
HTTP_REDIRECT=$(curl -sI -w "%{http_code}" -o /dev/null http://${DOMAIN} || true)
if [ "$HTTP_REDIRECT" = "301" ] || [ "$HTTP_REDIRECT" = "302" ]; then
echo -e "${GREEN}✓ HTTP redirects to HTTPS (${HTTP_REDIRECT})${NC}"
else
echo -e "${YELLOW}⚠ HTTP response code: ${HTTP_REDIRECT}${NC}"
fi
# Test 6: Check HSTS header
echo -e "${BLUE}[6/7] Checking HSTS header...${NC}"
HSTS=$(curl -sI https://${DOMAIN} | grep -i "strict-transport-security" || true)
if [ -n "$HSTS" ]; then
echo -e "${GREEN}✓ HSTS header present${NC}"
echo " $HSTS"
else
echo -e "${YELLOW}⚠ HSTS header not found${NC}"
fi
# Test 7: Check security headers
echo -e "${BLUE}[7/7] Checking security headers...${NC}"
HEADERS=$(curl -sI https://${DOMAIN})
check_header() {
local header=$1
local name=$2
if echo "$HEADERS" | grep -qi "$header"; then
echo -e "${GREEN}${name}${NC}"
else
echo -e "${YELLOW}${name} missing${NC}"
fi
}
check_header "X-Content-Type-Options" "X-Content-Type-Options"
check_header "X-Frame-Options" "X-Frame-Options"
check_header "X-XSS-Protection" "X-XSS-Protection"
check_header "Content-Security-Policy" "Content-Security-Policy"
echo ""
echo -e "${BLUE}=== SSL Test Summary ===${NC}"
echo -e "${GREEN}Testing complete!${NC}"
echo ""
echo -e "${BLUE}Additional checks:${NC}"
echo -e " • SSL Labs Test: ${YELLOW}https://www.ssllabs.com/ssltest/analyze.html?d=${DOMAIN}${NC}"
echo -e " • Mozilla Observatory: ${YELLOW}https://observatory.mozilla.org/analyze/${DOMAIN}${NC}"
echo -e " • Security Headers: ${YELLOW}https://securityheaders.com/?q=${DOMAIN}${NC}"