From 853b92edc462aca9287e249d623caff85f67616e Mon Sep 17 00:00:00 2001 From: continuist Date: Sat, 28 Jun 2025 20:13:12 -0400 Subject: [PATCH] Add the Production Linode steps back --- CI_CD_PIPELINE_SETUP_GUIDE.md | 306 +++++++++++++++++++++++++++++++++- 1 file changed, 305 insertions(+), 1 deletion(-) diff --git a/CI_CD_PIPELINE_SETUP_GUIDE.md b/CI_CD_PIPELINE_SETUP_GUIDE.md index 963bc9e..db69cc7 100644 --- a/CI_CD_PIPELINE_SETUP_GUIDE.md +++ b/CI_CD_PIPELINE_SETUP_GUIDE.md @@ -1052,4 +1052,308 @@ curl http://localhost:5000/v2/_catalog ```bash cat ~/.ssh/id_ed25519.pub -``` \ No newline at end of file +``` + +**Important**: Copy this public key - you'll need it for the production server setup. + +--- + +## Part 2: Production Linode Setup + +### Step 11: Initial System Setup + +#### 11.1 Update the System + +```bash +sudo apt update && sudo apt upgrade -y +``` + +#### 11.2 Configure Timezone + +```bash +# Configure timezone interactively +sudo dpkg-reconfigure tzdata + +# Verify timezone setting +date +``` + +**What this does**: Opens an interactive dialog to select your timezone. Navigate through the menus to choose your preferred timezone (e.g., UTC, America/New_York, Europe/London, Asia/Tokyo). + +**Expected output**: After selecting your timezone, the `date` command should show the current date and time in your selected timezone. + +#### 11.3 Configure /etc/hosts + +```bash +# Add localhost entries for both IPv4 and IPv6 +echo "127.0.0.1 localhost" | sudo tee -a /etc/hosts +echo "::1 localhost ip6-localhost ip6-loopback" | sudo tee -a /etc/hosts +echo "YOUR_PRODUCTION_IPV4_ADDRESS localhost" | sudo tee -a /etc/hosts +echo "YOUR_PRODUCTION_IPV6_ADDRESS localhost" | sudo tee -a /etc/hosts + +# Verify the configuration +cat /etc/hosts +``` + +**What this does**: +- Adds localhost entries for both IPv4 and IPv6 addresses to `/etc/hosts` +- Ensures proper localhost resolution for both IPv4 and IPv6 + +**Important**: Replace `YOUR_PRODUCTION_IPV4_ADDRESS` and `YOUR_PRODUCTION_IPV6_ADDRESS` with the actual IPv4 and IPv6 addresses of your Production Linode obtained from your Linode dashboard. + +**Expected output**: The `/etc/hosts` file should show entries for `127.0.0.1`, `::1`, and your Linode's actual IP addresses all mapping to `localhost`. + +#### 11.4 Install Essential Packages + +```bash +sudo apt install -y \ + curl \ + wget \ + git \ + ca-certificates \ + apt-transport-https \ + software-properties-common \ + ufw \ + fail2ban \ + htop \ + nginx \ + certbot \ + python3-certbot-nginx +``` + +### Step 12: Create Users + +#### 12.1 Create the SERVICE_USER User + +```bash +# Create dedicated group for the service account +sudo groupadd -r SERVICE_USER + +# Create service account user with dedicated group +sudo useradd -r -g SERVICE_USER -s /bin/bash -m -d /home/SERVICE_USER SERVICE_USER +echo "SERVICE_USER:$(openssl rand -base64 32)" | sudo chpasswd +``` + +#### 12.2 Create the DEPLOY_USER User + +```bash +# Create deployment user +sudo useradd -m -s /bin/bash DEPLOY_USER +sudo usermod -aG sudo DEPLOY_USER +echo "DEPLOY_USER:$(openssl rand -base64 32)" | sudo chpasswd +``` + +#### 12.3 Verify Users + +```bash +sudo su - SERVICE_USER +whoami +pwd +exit + +sudo su - DEPLOY_USER +whoami +pwd +exit +``` + +### Step 13: Install Docker + +#### 13.1 Add Docker Repository + +```bash +curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg +echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null +sudo apt update +``` + +#### 13.2 Install Docker Packages + +```bash +sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin +``` + +#### 13.3 Configure Docker for Service Account + +```bash +sudo usermod -aG docker SERVICE_USER +``` + +### Step 14: Install Docker Compose + +```bash +sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose +sudo chmod +x /usr/local/bin/docker-compose +``` + +### Step 15: Configure Security + +#### 15.1 Configure Firewall + +```bash +sudo ufw --force enable +sudo ufw default deny incoming +sudo ufw default allow outgoing +sudo ufw allow ssh +sudo ufw allow 80/tcp +sudo ufw allow 443/tcp +sudo ufw allow 3000/tcp +sudo ufw allow 3001/tcp +``` + +#### 15.2 Configure Fail2ban + +```bash +sudo systemctl enable fail2ban +sudo systemctl start fail2ban +``` + +### Step 16: Create Application Directory + +#### 16.1 Create Directory Structure + +```bash +sudo mkdir -p /opt/APP_NAME +sudo chown SERVICE_USER:SERVICE_USER /opt/APP_NAME +``` + +**Note**: Replace `APP_NAME` with your actual application name. This directory name can be controlled via the `APP_NAME` secret in your Forgejo repository settings. If you set the `APP_NAME` secret to `myapp`, the deployment directory will be `/opt/myapp`. + +#### 16.2 Create SSL Directory (Optional - for domain users) + +```bash +sudo mkdir -p /opt/APP_NAME/nginx/ssl +sudo chown SERVICE_USER:SERVICE_USER /opt/APP_NAME/nginx/ssl +``` + +### Step 17: Clone Repository and Set Up Application Files + +#### 17.1 Switch to SERVICE_USER User + +```bash +sudo su - SERVICE_USER +``` + +#### 17.2 Clone Repository + +```bash +cd /opt/APP_NAME +git clone https://your-forgejo-instance/your-username/APP_NAME.git . +``` + +**Important**: The repository includes a pre-configured `nginx/nginx.conf` file that handles both SSL and non-SSL scenarios, with proper security headers, rate limiting, and CORS configuration. This file will be automatically used by the Docker Compose setup. + +**Important**: The repository also includes a pre-configured `.forgejo/workflows/ci.yml` file that handles the complete CI/CD pipeline including testing, building, and deployment. This workflow is already set up to work with the private registry and production deployment. + +**Note**: Replace `your-forgejo-instance` and `your-username/APP_NAME` with your actual Forgejo instance URL and repository path. + +#### 17.3 Create Environment File + +The repository doesn't include a `.env.example` file for security reasons. The CI/CD pipeline will create the `.env` file dynamically during deployment. However, for manual testing or initial setup, you can create a basic `.env` file: + +```bash +cat > /opt/APP_NAME/.env << 'EOF' +# Production Environment Variables +POSTGRES_PASSWORD=your_secure_password_here +REGISTRY=YOUR_CI_CD_IP:5000 +IMAGE_NAME=APP_NAME +IMAGE_TAG=latest + +# Database Configuration +POSTGRES_DB=sharenet +POSTGRES_USER=sharenet +DATABASE_URL=postgresql://sharenet:your_secure_password_here@postgres:5432/sharenet + +# Application Configuration +NODE_ENV=production +RUST_LOG=info +RUST_BACKTRACE=1 +EOF +``` + +**Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address and `your_secure_password_here` with a strong password. + +#### 17.4 Configure Docker for Registry Access + +```bash +# Add the CI/CD registry to Docker's insecure registries +sudo mkdir -p /etc/docker +sudo tee /etc/docker/daemon.json << EOF +{ + "insecure-registries": ["YOUR_CI_CD_IP:5000"] +} +EOF + +# Restart Docker to apply changes +sudo systemctl restart docker +``` + +**Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address. + +### Step 18: Set Up SSH Key Authentication + +#### 18.1 Add CI/CD Public Key + +```bash +# Create .ssh directory for SERVICE_USER +mkdir -p ~/.ssh +chmod 700 ~/.ssh + +# Add the CI/CD public key (copy from CI/CD Linode) +echo "YOUR_CI_CD_PUBLIC_KEY" >> ~/.ssh/authorized_keys +chmod 600 ~/.ssh/authorized_keys +``` + +**Important**: Replace `YOUR_CI_CD_PUBLIC_KEY` with the public key from the CI/CD Linode (the output from `cat ~/.ssh/id_ed25519.pub` on the CI/CD Linode). + +#### 18.2 Test SSH Connection + +From the CI/CD Linode, test the SSH connection: + +```bash +ssh production +``` + +**Expected output**: You should be able to SSH to the production server without a password prompt. + +### Step 19: Test Production Setup + +#### 19.1 Test Docker Installation + +```bash +docker --version +docker compose --version +``` + +#### 19.2 Test Registry Access + +```bash +# Test pulling an image from the CI/CD registry +docker pull YOUR_CI_CD_IP:5000/APP_NAME/backend:latest +``` + +**Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address. + +#### 19.3 Test Application Deployment + +```bash +cd /opt/APP_NAME +docker compose up -d +``` + +#### 19.4 Verify Application Status + +```bash +docker compose ps +curl http://localhost:3000 +curl http://localhost:3001/health +``` + +**Expected Output**: +- All containers should be running +- Frontend should be accessible on port 3000 +- Backend health check should return 200 OK + +--- + +## Part 3: Final Configuration and Testing \ No newline at end of file