michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
093d3df92defad2cadedd29cd926803afae91da3
michaelschiemer/deployment/infrastructure/README.md
Michael Schiemer 9b74ade5b0 feat: Fix discovery system critical issues 
Resolved multiple critical discovery system issues:

## Discovery System Fixes
- Fixed console commands not being discovered on first run
- Implemented fallback discovery for empty caches
- Added context-aware caching with separate cache keys
- Fixed object serialization preventing __PHP_Incomplete_Class

## Cache System Improvements
- Smart caching that only caches meaningful results
- Separate caches for different execution contexts (console, web, test)
- Proper array serialization/deserialization for cache compatibility
- Cache hit logging for debugging and monitoring

## Object Serialization Fixes
- Fixed DiscoveredAttribute serialization with proper string conversion
- Sanitized additional data to prevent object reference issues
- Added fallback for corrupted cache entries

## Performance & Reliability
- All 69 console commands properly discovered and cached
- 534 total discovery items successfully cached and restored
- No more __PHP_Incomplete_Class cache corruption
- Improved error handling and graceful fallbacks

## Testing & Quality
- Fixed code style issues across discovery components
- Enhanced logging for better debugging capabilities
- Improved cache validation and error recovery

Ready for production deployment with stable discovery system.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-08-13 12:04:17 +02:00

319 lines
9.0 KiB
Markdown
Raw Blame History

# Custom PHP Framework - Infrastructure Automation
Modern, secure Ansible infrastructure automation for the Custom PHP Framework with PHP 8.4 optimization.
## 🏗️ Architecture Overview
### Security-First Design
- **SSH Hardening**: Secure SSH configuration with key-based authentication
- **Firewall Protection**: UFW firewall with fail2ban intrusion detection
- **SSL/TLS**: Let's Encrypt certificates with modern cipher suites
- **Security Headers**: Comprehensive HTTP security headers
- **System Hardening**: Kernel parameters, audit logging, and security monitoring
### Docker-Optimized Runtime
- **PHP 8.4**: Optimized Docker containers with custom PHP configuration
- **Security Profiles**: AppArmor and seccomp security profiles
- **Resource Limits**: Memory and CPU constraints for production workloads
- **Health Checks**: Automated container health monitoring
### Production-Ready Infrastructure
- **Environment Separation**: Development, staging, and production configurations
- **Monitoring**: System health checks and performance monitoring
- **Backup System**: Automated backup with encryption and retention policies
- **Log Management**: Centralized logging with rotation and monitoring
## 🚀 Quick Start
### Prerequisites
```bash
# Install Ansible
pip install ansible
# Install required collections
ansible-galaxy collection install community.general
ansible-galaxy collection install community.crypto
ansible-galaxy collection install community.docker
```
### Initial Setup
1. **Configure Ansible Vault**:
```bash
cd deployment/infrastructure
echo "your_vault_password" > .vault_pass
chmod 600 .vault_pass
# Encrypt sensitive variables
ansible-vault encrypt group_vars/all/vault.yml
```
2. **Update Inventory**:
- Edit `inventories/production/hosts.yml` with your server details
- Update domain and SSL email configuration
3. **Deploy Infrastructure**:
```bash
# Production deployment
ansible-playbook -i inventories/production site.yml
# Staging deployment
ansible-playbook -i inventories/staging site.yml
```
## 📁 Directory Structure
```
deployment/infrastructure/
├── ansible.cfg # Ansible configuration
├── site.yml # Main deployment playbook
├── inventories/ # Environment-specific inventory
│ ├── production/
│ ├── staging/
│ └── development/
├── group_vars/ # Global variables
│ └── all/
├── roles/ # Ansible roles
│ ├── base-security/ # Security hardening
│ ├── docker-runtime/ # Docker with PHP 8.4
│ ├── nginx-proxy/ # Nginx reverse proxy
│ └── monitoring/ # Health monitoring
└── playbooks/ # Additional playbooks
```
## 🔒 Security Features
### SSH Hardening
- Key-based authentication only
- Strong cipher suites and key exchange algorithms
- Connection rate limiting
- Security banners and access logging
### Firewall Configuration
- Default deny policy with specific allow rules
- Rate limiting for SSH connections
- Protection for Docker containers
- Environment-specific rule sets
### SSL/TLS Security
- Let's Encrypt certificates with auto-renewal
- Modern TLS protocols (1.2, 1.3)
- HSTS with preloading
- OCSP stapling enabled
### Application Security
- Security headers (CSP, HSTS, X-Frame-Options)
- Rate limiting for API endpoints
- Input validation and sanitization
- OWASP security compliance
## 🐳 Docker Configuration
### PHP 8.4 Optimization
- Custom PHP 8.4 container with security hardening
- OPcache configuration for production performance
- Memory and execution time limits
- Extension management for framework requirements
### Container Security
- Non-root user execution
- Read-only root filesystem where possible
- Security profiles (AppArmor, seccomp)
- Resource constraints and health checks
### Network Security
- Custom bridge networks with isolation
- No inter-container communication by default
- Encrypted internal communication
- External access controls
## 📊 Monitoring & Health Checks
### System Monitoring
- CPU, memory, and disk usage monitoring
- Load average and process monitoring
- Network and I/O performance tracking
- Automated alerting for threshold breaches
### Application Health Checks
- HTTP endpoint monitoring
- Database connectivity checks
- Framework-specific health validation
- Container health verification
### Log Management
- Centralized log collection and rotation
- Error pattern detection and alerting
- Security event logging and monitoring
- Performance metrics collection
## 🔧 Environment Configuration
### Production Environment
- High security settings with strict firewall
- Performance optimizations enabled
- Comprehensive monitoring and alerting
- Daily automated backups
### Staging Environment
- Relaxed security for testing
- Debug mode enabled
- Basic monitoring
- Weekly backups
### Development Environment
- Minimal security restrictions
- Full debugging capabilities
- No production optimizations
- No automated backups
## 📋 Deployment Playbooks
### Main Infrastructure (`site.yml`)
Deploys complete infrastructure stack:
- Base security hardening
- Docker runtime environment
- Nginx reverse proxy with SSL
- System monitoring and health checks
### Application Deployment (`playbooks/deploy-application.yml`)
Handles application-specific deployment:
- Code deployment from Git repository
- Dependency installation (Composer, NPM)
- Database migrations
- Asset compilation and optimization
- Service restarts and health verification
## 🛠️ Management Commands
### Infrastructure Management
```bash
# Deploy to production
ansible-playbook -i inventories/production site.yml
# Deploy specific role
ansible-playbook -i inventories/production site.yml --tags security
# Run health checks
ansible-playbook -i inventories/production site.yml --tags verification
# Update SSL certificates
ansible-playbook -i inventories/production site.yml --tags ssl
```
### Application Management
```bash
# Deploy application code
ansible-playbook -i inventories/production playbooks/deploy-application.yml
# Deploy specific branch
ansible-playbook -i inventories/production playbooks/deploy-application.yml -e deploy_branch=feature/new-feature
```
### Security Operations
```bash
# Security audit
ansible-playbook -i inventories/production site.yml --tags audit
# Update security configurations
ansible-playbook -i inventories/production site.yml --tags security
# Restart security services
ansible-playbook -i inventories/production site.yml --tags security,restart
```
## 🔐 Ansible Vault Usage
### Encrypting Secrets
```bash
# Encrypt vault file
ansible-vault encrypt group_vars/all/vault.yml
# Edit encrypted file
ansible-vault edit group_vars/all/vault.yml
# View encrypted file
ansible-vault view group_vars/all/vault.yml
```
### Running Playbooks with Vault
```bash
# Using vault password file (configured in ansible.cfg)
ansible-playbook site.yml
# Prompt for vault password
ansible-playbook site.yml --ask-vault-pass
# Using vault password file explicitly
ansible-playbook site.yml --vault-password-file .vault_pass
```
## 📝 Customization
### Adding Custom Roles
1. Create role directory structure
2. Define role metadata in `meta/main.yml`
3. Add role to main playbook
4. Test in development environment
### Environment-Specific Variables
- Update inventory files for environment-specific settings
- Modify group variables for global changes
- Use vault files for sensitive information
### SSL Certificate Management
- Let's Encrypt: Automatic certificate generation and renewal
- Self-signed: For development and testing environments
- Custom certificates: Place in appropriate directories
## 🚨 Troubleshooting
### Common Issues
**SSH Connection Failures**:
- Verify SSH key configuration
- Check firewall rules and fail2ban status
- Ensure user has proper sudo privileges
**SSL Certificate Problems**:
- Verify DNS resolution for domain
- Check Let's Encrypt rate limits
- Ensure port 80 is accessible for validation
**Docker Container Issues**:
- Check Docker daemon status and logs
- Verify image build and pull permissions
- Review container resource limits
**Performance Problems**:
- Monitor system resources and logs
- Check application and database performance
- Review caching and optimization settings
### Getting Help
For issues specific to the Custom PHP Framework infrastructure:
1. Check Ansible logs in `/var/log/ansible.log`
2. Review system logs for specific services
3. Use the monitoring dashboard for system health
4. Contact the development team at kontakt@michaelschiemer.de
## 📄 License
This infrastructure automation is part of the Custom PHP Framework project.
Licensed under MIT License - see LICENSE file for details.
## 🤝 Contributing
1. Fork the repository
2. Create a feature branch
3. Test changes in development environment
4. Submit a pull request with detailed description
---
**Domain**: michaelschiemer.de
**Environment**: Production-ready with PHP 8.4 optimization
**Security**: Enterprise-grade hardening and monitoring
**Maintainer**: kontakt@michaelschiemer.de
Reference in New Issue View Git Blame Copy Permalink