michaelschiemer/docs/deployment/production-prerequisites.md
Michael Schiemer fc3d7e6357 feat(Production): Complete production deployment infrastructure
- Add comprehensive health check system with multiple endpoints
- Add Prometheus metrics endpoint
- Add production logging configurations (5 strategies)
- Add complete deployment documentation suite:
  * QUICKSTART.md - 30-minute deployment guide
  * DEPLOYMENT_CHECKLIST.md - Printable verification checklist
  * DEPLOYMENT_WORKFLOW.md - Complete deployment lifecycle
  * PRODUCTION_DEPLOYMENT.md - Comprehensive technical reference
  * production-logging.md - Logging configuration guide
  * ANSIBLE_DEPLOYMENT.md - Infrastructure as Code automation
  * README.md - Navigation hub
  * DEPLOYMENT_SUMMARY.md - Executive summary
- Add deployment scripts and automation
- Add DEPLOYMENT_PLAN.md - Concrete plan for immediate deployment
- Update README with production-ready features

All production infrastructure is now complete and ready for deployment.
2025-10-25 19:18:37 +02:00


# Production Deployment Prerequisites Checklist
Complete checklist for production deployment of the custom PHP framework.
## ✅ Server Requirements
### Hardware Minimum
- [ ] **CPU**: 2 Cores minimum, 4+ recommended
- [ ] **RAM**: 4GB minimum, 8GB+ recommended
- [ ] **Storage**: 50GB SSD minimum, 100GB+ recommended
- [ ] **Network**: Static IP address
- [ ] **Bandwidth**: 100 Mbit/s minimum
### Operating System
- [ ] **OS**: Ubuntu 22.04 LTS or Debian 12
- [ ] **User**: Non-root user with sudo privileges
- [ ] **SSH**: Key-based authentication configured
- [ ] **Firewall**: UFW or iptables configured
### DNS Configuration
- [ ] Domain registered and DNS configured
- [ ] A record pointing to server IP
- [ ] AAAA record for IPv6 (optional)
- [ ] CAA record for SSL certificate authority
## ✅ Software Prerequisites
### Docker Installation
- [ ] Docker Engine 24.0+ installed
- [ ] Docker Compose V2 installed
- [ ] Docker user group configured
- [ ] Docker daemon running on boot
```bash
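# Install Docker: download the convenience script, review it, then run it
curl -fsSL https://get.docker.com -o get-docker.sh
less get-docker.sh
sh get-docker.sh
# Add the current user to the docker group (membership is root-equivalent on this host)
sudo usermod -aG docker "$USER"
# Start a shell with the new group active (or log out and back in)
newgrp docker
# Verify installation
docker --version
docker compose version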
```
### System Packages
- [ ] `git` installed
- [ ] `make` installed
- [ ] `curl` or `wget` installed
- [ ] `ufw` firewall installed
```bash
sudo apt update
sudo apt install -y git make curl ufw
```
## ✅ Security Prerequisites
### SSL/TLS Certificates
- [ ] Domain ownership verified
- [ ] Port 80 (HTTP) accessible for ACME challenge
- [ ] Port 443 (HTTPS) open in firewall
- [ ] Let's Encrypt rate limits understood
### Firewall Configuration
- [ ] Port 22 (SSH) - Restricted to known IPs
- [ ] Port 80 (HTTP) - Open for ACME challenge & redirect
- [ ] Port 443 (HTTPS) - Open for production traffic
- [ ] All other ports closed by default
```bash
# UFW Configuration
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow from 203.0.113.10 to any port 22 proto tcp # SSH from a known IP only (203.0.113.10 is a placeholder)
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw enable
```
### SSH Hardening
- [ ] Password authentication disabled
- [ ] Root login disabled
- [ ] SSH key authentication only
- [ ] Fail2ban or similar installed
```bash
# /etc/ssh/sshd_config
PasswordAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
```
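The directives above only take effect if nothing else overrides them: sshd keeps the first value it obtains for a keyword, so a file pulled in by an `Include` line near the top of `sshd_config` can win over the edit. The following added example (not part of the original checklist) audits the effective settings as printed by `sshd -T`. The sample output is constructed, and the `kbdinteractiveauthentication` check goes beyond the three directives listed here, because keyboard-interactive authentication through PAM can still prompt for a password.

```bash
#!/bin/sh
# Added example, not part of the original checklist.

# Constructed sample of `sudo sshd -T` output from a host where a drop-in file
# re-enabled passwords even though /etc/ssh/sshd_config says "no".
SAMPLE_SSHD_T='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Print the effective value of keyword $1 from `sshd -T` text on stdin.
sshd_effective() {
  awk -v k="$1" '$1 == k { print $2; exit }'
}

# Audit `sshd -T` text given as $1; print findings and return their count.
audit_sshd() {
  findings=0
  for pair in passwordauthentication=no permitrootlogin=no \
              pubkeyauthentication=yes kbdinteractiveauthentication=no; do
    keyword=${pair%%=*} want=${pair#*=}
    got=$(printf '%s\n' "$1" | sshd_effective "$keyword")
    if [ "$got" != "$want" ]; then
      echo "FAIL: $keyword is '${got:-unset}', want '$want'"
      findings=$((findings + 1))
    fi
  done
  return "$findings"
}

# Stand-alone run: audit the constructed sample. On a real server use
#   audit_sshd "$(sudo sshd -T)"
audit_sshd "$SAMPLE_SSHD_T" || echo "findings: $?"
```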
## ✅ Environment Configuration
### Environment Variables
- [ ] `.env.production` created (see template below)
- [ ] Database credentials configured
- [ ] Redis password set
- [ ] Vault encryption keys generated
- [ ] OAuth credentials configured (if needed)
- [ ] API keys configured (if needed)
### Secrets Management
- [ ] `VAULT_ENCRYPTION_KEY` generated (32 bytes, base64)
- [ ] `STATE_ENCRYPTION_KEY` generated (32 bytes, base64)
- [ ] Keys stored securely (not in git)
- [ ] Backup encryption key stored separately
```bash
# Generate encryption keys
php -r "echo base64_encode(random_bytes(32)) . PHP_EOL;"
```
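A pre-flight check for the secrets items above, as an added example that is not part of the project's own scripts. It assumes the keys sit in an env file as plain `KEY=value` lines, verifies that each key is base64 of exactly 32 bytes, that the two keys differ, and that the file is not readable by group or others. It never prints the key values.

```bash
#!/bin/sh
# Added example: pre-flight check of the encryption keys in an env file.
# Assumes plain KEY=value lines; the file name is passed as an argument.

# Print the value assigned to key $2 in file $1 (last assignment wins).
env_value() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "\"'\r"
}

# True only for standard base64 of exactly 32 bytes: 43 alphabet characters
# plus one '=' pad, the shape base64_encode(random_bytes(32)) produces.
is_32_byte_key() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$' &&
    [ "$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c)" -eq 32 ]
}

# Check file $1; print one line per finding and return the finding count.
check_env_keys() {
  file=$1 findings=0
  [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }

  # Group and other permission bits must all be '-' (mode 600 or stricter).
  if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
    echo "FAIL: $file is accessible to group or others (chmod 600)"
    findings=$((findings + 1))
  fi

  for key in VAULT_ENCRYPTION_KEY STATE_ENCRYPTION_KEY; do
    value=$(env_value "$file" "$key")
    if [ -z "$value" ]; then
      echo "FAIL: $key is missing or empty"
      findings=$((findings + 1))
    elif ! is_32_byte_key "$value"; then
      echo "FAIL: $key is not base64 of exactly 32 bytes"
      findings=$((findings + 1))
    fi
  done

  # The two keys protect different data and must not be the same value.
  vault=$(env_value "$file" VAULT_ENCRYPTION_KEY)
  if [ -n "$vault" ] && [ "$vault" = "$(env_value "$file" STATE_ENCRYPTION_KEY)" ]; then
    echo "FAIL: VAULT_ENCRYPTION_KEY and STATE_ENCRYPTION_KEY are identical"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Run against a file when one is given: sh check-keys.sh .env.production
if [ "$#" -gt 0 ]; then check_env_keys "$1" && echo "OK: $1"; fi
```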
## ✅ Database Prerequisites
### PostgreSQL Configuration
- [ ] Database user created with strong password
- [ ] Database created with UTF8 encoding
- [ ] Connection pool limits configured
- [ ] Backup strategy defined
- [ ] `postgresql.production.conf` configured
### Database Migrations
- [ ] All migrations tested in staging
- [ ] Migration rollback plan prepared
- [ ] Database backup before migration
- [ ] Migration execution script ready
## ✅ Application Prerequisites
### Code Repository
- [ ] Production branch created
- [ ] Latest stable code pushed
- [ ] Git hooks configured (if needed)
- [ ] `.gitignore` properly configured
### Composer Dependencies
- [ ] Production dependencies only (`--no-dev`)
- [ ] Autoloader optimized (`--optimize-autoloader`)
- [ ] Classmap authoritative (`--classmap-authoritative`)
- [ ] Composer version 2.x installed
### PHP Configuration
- [ ] OPcache enabled and configured
- [ ] Memory limits appropriate (512M+)
- [ ] Error reporting disabled in production
- [ ] Log rotation configured
## ✅ Docker Configuration
### Images & Builds
- [ ] `docker/nginx/Dockerfile.production` exists
- [ ] `docker/php/Dockerfile.production` exists
- [ ] `docker/worker/Dockerfile.production` exists
- [ ] Production PHP configuration files ready
- [ ] Nginx production configuration ready
### Volumes & Persistence
- [ ] Database volume strategy defined
- [ ] Redis persistence configured
- [ ] Log storage strategy defined
- [ ] Backup storage configured
- [ ] File upload storage configured
### Networks & Security
- [ ] Backend network set to internal-only
- [ ] Cache network set to internal-only
- [ ] Frontend network properly exposed
- [ ] Container security options configured
## ✅ Monitoring & Logging
### Logging Configuration
- [ ] Log aggregation strategy defined
- [ ] Log rotation configured
- [ ] Error notification configured
- [ ] Access logs configured
### Monitoring Setup
- [ ] Health check endpoints configured
- [ ] Uptime monitoring configured
- [ ] Performance metrics collection
- [ ] Alert thresholds defined
### Backup Strategy
- [ ] Database backup frequency defined (daily recommended)
- [ ] Backup retention policy defined (30 days recommended)
- [ ] Backup encryption configured
- [ ] Backup restoration tested
- [ ] Off-site backup storage configured
## ✅ Deployment Automation
### Deployment Scripts
- [ ] `deploy.sh` script created
- [ ] Zero-downtime deployment strategy
- [ ] Rollback script prepared
- [ ] Health check validation
- [ ] Post-deployment tests defined
### CI/CD Pipeline (Optional)
- [ ] GitHub Actions / GitLab CI configured
- [ ] Automated tests on push
- [ ] Automated deployment to staging
- [ ] Manual approval for production
- [ ] Deployment notifications
## ✅ Performance Optimization
### PHP Optimizations
- [ ] OPcache validate_timestamps=0
- [ ] OPcache preloading configured (optional)
- [ ] JIT enabled (PHP 8.4)
- [ ] Memory limits tuned
- [ ] Execution timeouts configured
### Database Optimizations
- [ ] Connection pooling configured
- [ ] Query optimization completed
- [ ] Indexes properly configured
- [ ] VACUUM strategy defined
- [ ] Statistics collection configured
### Caching Strategy
- [ ] Redis persistence configured (AOF + RDB)
- [ ] Cache warming strategy defined
- [ ] Cache invalidation strategy defined
- [ ] Cache monitoring configured
### CDN & Assets (Optional)
- [ ] Static assets minified
- [ ] Asset versioning configured
- [ ] CDN configured (if applicable)
- [ ] Image optimization configured
## ✅ Documentation
### Required Documentation
- [ ] Deployment procedure documented
- [ ] Rollback procedure documented
- [ ] Disaster recovery plan documented
- [ ] Architecture diagram created
- [ ] Runbook for common issues
### Team Knowledge
- [ ] Team trained on deployment process
- [ ] Access credentials shared securely
- [ ] On-call rotation defined
- [ ] Escalation procedures defined
## ✅ Testing & Validation
### Pre-Deployment Testing
- [ ] All unit tests passing
- [ ] Integration tests passing
- [ ] E2E tests passing (if applicable)
- [ ] Load testing completed
- [ ] Security scan completed
### Staging Environment
- [ ] Staging environment mirrors production
- [ ] Deployment tested on staging
- [ ] Performance tested on staging
- [ ] SSL certificates tested on staging
### Post-Deployment Validation
- [ ] Health check endpoints responding
- [ ] SSL certificate valid
- [ ] Database connections working
- [ ] Redis connections working
- [ ] Queue workers running
- [ ] Scheduled tasks running
- [ ] Monitoring alerts functional
## ✅ Final Checklist Before Go-Live
### Critical Path
1. [ ] **Backup current data** (if migrating)
2. [ ] **DNS TTL lowered** (24h before)
3. [ ] **Maintenance page ready**
4. [ ] **Team notified and available**
5. [ ] **Rollback plan reviewed**
### Go-Live Steps
1. [ ] Enable maintenance mode
2. [ ] Pull latest production code
3. [ ] Run database migrations
4. [ ] Build and start containers
5. [ ] Verify health checks
6. [ ] Update DNS records (if new server)
7. [ ] Monitor for 30 minutes
8. [ ] Disable maintenance mode
9. [ ] Announce deployment
### Post Go-Live Monitoring
- [ ] Monitor error logs (30 min)
- [ ] Check performance metrics (1 hour)
- [ ] Verify all services running (2 hours)
- [ ] Review user feedback (24 hours)
## ⚠️ Emergency Contacts
### Critical Issues
- [ ] Emergency contact list prepared
- [ ] Hosting provider support number
- [ ] Database administrator contact
- [ ] Senior developer on-call
## 📋 Environment-Specific Checklists
### Staging Environment
- [ ] All prerequisites met
- [ ] Deployment tested successfully
- [ ] Performance acceptable
- [ ] No critical bugs
### Production Environment
- [ ] All prerequisites met
- [ ] Staging tests passed
- [ ] Backup and rollback tested
- [ ] Team approval obtained
---
## Next Steps
After completing this checklist:
1. **Create `.env.production`** - See `docs/deployment/env-production-template.md`
2. **Configure SSL Certificates** - See `docs/deployment/ssl-setup.md`
3. **Run Deployment Script** - See `scripts/deploy-production.sh`
4. **Verify Health Checks** - See `docs/deployment/health-checks.md`
5. **Monitor Logs** - See `docs/deployment/monitoring.md`
## Additional Resources
- **Deployment Guide**: `docs/deployment/deployment-guide.md`
- **Troubleshooting**: `docs/deployment/troubleshooting.md`
- **Rollback Guide**: `docs/deployment/rollback-guide.md`
- **Security Hardening**: `docs/deployment/security-hardening.md`