# Production Deployment Setup

Guide for deploying the Custom PHP Framework to production on a Netcup VPS.

## Server Details

- **IP Address**: 94.16.110.151
- **Domain**: michaelschiemer.de
- **Email**: kontakt@michaelschiemer.de
- **SSH Key**: /home/michael/.ssh/production
- **OS**: Fresh Ubuntu 22.04 or Debian 12

## Initial Server Setup

### 1. First-time Server Configuration

Run the initial server setup (only once, on a fresh server):

```bash
cd deployment/infrastructure

# Run initial setup as root user
ansible-playbook -i inventories/production/hosts.yml setup-fresh-server.yml
```

This will:

- Create the `deploy` user with sudo privileges
- Configure SSH key authentication
- Harden SSH security
- Set up the firewall (UFW)
- Configure fail2ban
- Install essential packages
- Create the directory structure

### 2. Update Inventory Configuration

After the initial setup, update `inventories/production/hosts.yml`:

```yaml
# Change from:
ansible_user: root
fresh_server_setup: true

# To:
ansible_user: deploy
fresh_server_setup: false
```

### 3. Full Infrastructure Deployment

Deploy the complete infrastructure:

```bash
# Deploy infrastructure only
ansible-playbook -i inventories/production/hosts.yml site.yml

# Or use the orchestration script
./deploy.sh production --infrastructure-only
```
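The "Harden SSH security" step above is what later lets root login and password authentication be disabled. The script below is an added example, not part of the project's playbooks, that audits a copy of `sshd_config` for exactly those three settings so the result of the playbook run can be confirmed before the inventory is switched to the `deploy` user. The file name `audit-sshd.sh` is hypothetical; the directive names are the real OpenSSH ones.

```bash
#!/bin/sh
# Added example (not part of the project's playbooks): audit a copy of
# sshd_config for the hardening this guide expects after the fresh-server
# playbook has run. Run it on the server, or on a copy fetched with scp.
set -u

# sshd takes the FIRST value it finds for a keyword, so the first
# uncommented match wins. Anything inside a "Match" block is ignored here,
# because Match blocks only apply conditionally.
sshd_directive() {
  # $1 = path to sshd_config, $2 = keyword (matched case-insensitively)
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == "match"   { exit }
    $1 ~ /^#/ || NF < 2      { next }
    tolower($1) == key       { print tolower($2); exit }
  ' "$1"
}

# expect_directive FILE KEYWORD WANTED: prints OK/FAIL, returns 1 on mismatch.
# An unset keyword counts as a failure: the check wants explicit values.
expect_directive() {
  local v
  v=$(sshd_directive "$1" "$2")
  if [ "$v" = "$3" ]; then
    echo "OK   $2 $v"
  else
    echo "FAIL $2 is '${v:-unset}', want '$3'"
    return 1
  fi
}

# audit_sshd_config FILE: returns 0 only if all three checks pass.
audit_sshd_config() {
  local rc=0
  expect_directive "$1" PermitRootLogin        no  || rc=1
  expect_directive "$1" PasswordAuthentication no  || rc=1
  expect_directive "$1" PubkeyAuthentication   yes || rc=1
  return "$rc"
}

# Usage: sh audit-sshd.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
  audit_sshd_config "$1"
fi
```

The script reads one file only and does not follow `Include` lines, which Ubuntu 22.04 places at the top of `sshd_config` (drop-ins under `sshd_config.d/` then take precedence because sshd keeps the first value it sees). On the server itself, `sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication|pubkeyauthentication'` shows the effective merged configuration and is the authoritative check; the file-based audit is useful for reviewing a copy offline.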
## Environment Configuration

### 1. Configure Production Environment

Edit the production environment file:

```bash
nano applications/environments/.env.production
```

Update these required values:

```env
# Database passwords (generate strong passwords)
DB_PASSWORD=*** SET_STRONG_PASSWORD ***
DB_ROOT_PASSWORD=*** SET_STRONG_ROOT_PASSWORD ***

# Redis password
REDIS_PASSWORD=*** SET_STRONG_PASSWORD ***

# Application security key (generate: openssl rand -base64 32)
APP_KEY=*** GENERATE_KEY ***

# Mail configuration (configure with your SMTP provider)
MAIL_HOST=*** YOUR_SMTP_HOST ***
MAIL_USERNAME=*** YOUR_SMTP_USERNAME ***
MAIL_PASSWORD=*** YOUR_SMTP_PASSWORD ***

# External API keys
SHOPIFY_WEBHOOK_SECRET=*** YOUR_WEBHOOK_SECRET ***
RAPIDMAIL_USERNAME=*** IF_USING_RAPIDMAIL ***
RAPIDMAIL_PASSWORD=*** IF_USING_RAPIDMAIL ***

# Monitoring
GRAFANA_ADMIN_PASSWORD=*** SET_STRONG_PASSWORD ***
```

### 2. Generate Required Keys

```bash
# Generate application key
openssl rand -base64 32

# Generate secure passwords
openssl rand -base64 24
```

## Deployment Process

### Full Deployment

Deploy both infrastructure and application:

```bash
./deploy.sh production
```

### Infrastructure Only

Deploy only the infrastructure (server setup, Nginx, Docker, etc.):

```bash
./deploy.sh production --infrastructure-only
```

### Application Only

Deploy only the application code:

```bash
./deploy.sh production --application-only
```

### Dry Run

Test the deployment without making changes:

```bash
./deploy.sh production --dry-run
```

## Security Considerations

### SSH Access

- Root login disabled after initial setup
- Only the `deploy` user has access
- SSH key authentication required
- Password authentication disabled

### Firewall Rules

- Only ports 22 (SSH), 80 (HTTP) and 443 (HTTPS) open
- UFW configured with default deny
- Fail2ban protecting SSH

### SSL/TLS

- Let's Encrypt SSL certificates
- HTTPS enforced
- Modern TLS configuration (TLS 1.2/1.3)
- HSTS headers
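The environment file in the Environment Configuration section ships with `*** ... ***` placeholders that must all be replaced before `./deploy.sh production` is run, and `APP_KEY` is expected to be the output of `openssl rand -base64 32`. The script below is an added example, not part of `deploy.sh`, that checks both conditions before a deployment. It prints key names and line numbers only, never values, so its output is safe to paste into a ticket. The file name `check-env.sh` is hypothetical; the key names are the ones listed in the guide.

```bash
#!/bin/sh
# Added example (not part of deploy.sh): refuse to deploy while
# applications/environments/.env.production still carries the
# "*** ... ***" placeholders from this guide, lacks a required key, or has
# an APP_KEY that is not the 32-byte base64 value "openssl rand -base64 32"
# produces. Only key names and line numbers are printed, never values.
set -u

# Keys this guide marks as required; MAIL_* and the API keys are
# provider-specific, so they are only checked for leftover placeholders.
REQUIRED_KEYS="DB_PASSWORD DB_ROOT_PASSWORD REDIS_PASSWORD APP_KEY GRAFANA_ADMIN_PASSWORD"

# env_value FILE KEY: prints the value of the last KEY= line (empty if none).
# Only the first "=" separates key from value, so base64 padding survives.
env_value() {
  awk -F= -v key="$2" '
    $1 == key { sub(/^[^=]*=/, ""); v = $0 }
    END       { print v }
  ' "$1"
}

# check_env_file FILE: returns 0 when the file is ready for deployment.
check_env_file() {
  local f="$1" rc=0 key v n
  [ -r "$f" ] || { echo "FAIL cannot read $f"; return 2; }

  # 1. Any leftover "***" placeholder, reported by line number and key.
  if grep -q '\*\*\*' "$f"; then
    echo "FAIL placeholders remain at:"
    grep -n '\*\*\*' "$f" | cut -d= -f1 | sed 's/^/     /'
    rc=1
  fi

  # 2. Every required key present with a non-empty value.
  for key in $REQUIRED_KEYS; do
    v=$(env_value "$f" "$key")
    [ -n "$v" ] || { echo "FAIL $key is missing or empty"; rc=1; }
  done

  # 3. APP_KEY must be valid base64 that decodes to exactly 32 bytes.
  v=$(env_value "$f" APP_KEY)
  n=$(printf '%s' "$v" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "${n:-0}" -eq 32 ] || { echo "FAIL APP_KEY decodes to ${n:-0} bytes, want 32"; rc=1; }

  [ "$rc" -eq 0 ] && echo "OK   $f has no placeholders and a valid APP_KEY"
  return "$rc"
}

# Usage: sh check-env.sh applications/environments/.env.production
if [ $# -gt 0 ]; then
  check_env_file "$1"
fi
```

Running it as the first line of a deployment wrapper (`sh check-env.sh applications/environments/.env.production || exit 1`) turns a forgotten placeholder into a failed deploy instead of a production instance with a known-default secret.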
## Post-Deployment

### 1. Verify Deployment

Check that the services are running:

```bash
# SSH into the server
ssh deploy@94.16.110.151

# Check Docker containers
docker ps

# Check Nginx
sudo systemctl status nginx

# Check firewall
sudo ufw status

# Check fail2ban
sudo fail2ban-client status
```

### 2. Test Application

- Visit https://michaelschiemer.de
- Check the health endpoint: https://michaelschiemer.de/health.php
- Verify the SSL certificate

### 3. DNS Configuration

Make sure your DNS points to the server:

```bash
# Check DNS resolution
dig michaelschiemer.de
nslookup michaelschiemer.de
```

## Monitoring and Maintenance

### Log Locations

- Application logs: `/var/log/custom-php-framework/`
- Nginx logs: `/var/log/nginx/`
- Docker logs: `docker logs <container>`

### Health Checks

- Health endpoint: `/health.php`
- Prometheus metrics: `:9090/metrics` (if enabled)

### Backups

- Database backups run daily at 2 AM
- Backups retained for 30 days
- Location: `/var/www/backups/`

## Troubleshooting

### Common Issues

1. **Permission denied**: Check SSH key permissions
2. **Connection refused**: Verify firewall rules
3. **SSL certificate issues**: Check the Let's Encrypt logs
4. **Docker issues**: Check the Docker service status

### Debug Mode

Run the deployment with verbose output:

```bash
./deploy.sh production --verbose
```

### Manual Commands

```bash
# SSH into the server
ssh -i /home/michael/.ssh/production deploy@94.16.110.151

# Check system status
sudo systemctl status nginx docker fail2ban

# View Docker containers
docker ps -a

# Check logs
sudo tail -f /var/log/nginx/error.log
docker logs php-container
```

## Security Updates

### Regular Maintenance

1. Update system packages monthly
2. Review fail2ban logs for suspicious activity
3. Monitor SSL certificate expiration
4. Check for security updates
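The Backups section states that database backups under `/var/www/backups/` are kept for 30 days, and the Recovery Procedures restore from `/var/www/backups/latest/`. The guide does not show how expired dumps are removed, so the script below is an added example, not the project's own rotation job, of a retention pass with the guard rails a maintainer would want: it touches only regular files directly in the backup directory (so `latest/` is left alone), supports a dry run, and refuses to run if it would leave fewer than a minimum number of backups behind. The file name `prune-backups.sh` is hypothetical.

```bash
#!/bin/sh
# Added example (the guide does not show the project's own rotation job):
# remove database backups older than the 30-day retention stated above.
# Guard rails: only regular files directly in the backup directory are
# touched (so backups/latest/, used by the rollback step, is left alone),
# a dry-run mode lists instead of deleting, and the pass refuses to run if
# it would leave fewer than MIN_KEEP backups behind.
set -u

# prune_backups DIR [RETENTION_DAYS=30] [MIN_KEEP=3] [DRY_RUN=0]
# "-mtime +N" matches files last modified more than N whole days ago,
# i.e. strictly older than the retention window.
prune_backups() {
  local dir="$1" days="${2:-30}" min_keep="${3:-3}" dry="${4:-0}"
  local total old remaining f
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

  total=$(find "$dir" -maxdepth 1 -type f | wc -l | tr -d ' ')
  old=$(find "$dir" -maxdepth 1 -type f -mtime +"$days" | wc -l | tr -d ' ')
  remaining=$((total - old))
  if [ "$remaining" -lt "$min_keep" ]; then
    echo "refusing: pass would leave $remaining of $total backups (minimum $min_keep)" >&2
    return 1
  fi

  find "$dir" -maxdepth 1 -type f -mtime +"$days" | while read -r f; do
    if [ "$dry" = 1 ]; then
      echo "would delete: $f"
    else
      rm -f -- "$f" && echo "deleted: $f"
    fi
  done
  return 0
}

# Usage: sh prune-backups.sh /var/www/backups 30 3 1   (last argument 1 = dry run)
if [ $# -gt 0 ]; then
  prune_backups "$@"
fi
```

The minimum-keep guard matters because a retention job that runs after the nightly dump has been failing for a month will otherwise delete the last good backup; run the dry-run form from the same cron schedule first and compare its output with `ls -lt /var/www/backups/` before enabling deletion.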
### Update Commands

```bash
# Update system packages
sudo apt update && sudo apt upgrade -y

# Update Docker containers
cd /var/www/html
docker-compose pull
docker-compose up -d

# Renew SSL certificates (automatic with certbot)
sudo certbot renew
```

## Recovery Procedures

### Rollback Deployment

If issues occur:

```bash
# Stop the application
docker-compose down

# Restore from backup
sudo rsync -av /var/www/backups/latest/ /var/www/html/

# Restart the application
docker-compose up -d
```

### Emergency Access

If SSH key issues occur:

1. Access the server via the Netcup VPS console
2. Re-enable password authentication temporarily
3. Fix the SSH key configuration
4. Disable password authentication again

## Support and Documentation

- Framework documentation: `/docs/`
- Deployment logs: check the Ansible output
- System logs: `journalctl -xe`
- Application logs: Docker container logs

For issues, check the troubleshooting guide in `deployment/docs/TROUBLESHOOTING.md`.