Add the Production Linode steps back

2025-06-28 20:13:12 -04:00 · 2025-06-28 20:13:12 -04:00 · 853b92edc4
commit 853b92edc4
parent 718343a3d0
1 changed files with 305 additions and 1 deletions
--- a/CI_CD_PIPELINE_SETUP_GUIDE.md
+++ b/CI_CD_PIPELINE_SETUP_GUIDE.md
@ -1053,3 +1053,307 @@ curl http://localhost:5000/v2/_catalog
 ```bash
 cat ~/.ssh/id_ed25519.pub
 ```
 **Important**: Copy this public key - you'll need it for the production server setup.
 ---
 ## Part 2: Production Linode Setup
 ### Step 11: Initial System Setup
 #### 11.1 Update the System
 ```bash
 sudo apt update && sudo apt upgrade -y
 ```
 #### 11.2 Configure Timezone
 ```bash
 # Configure timezone interactively
 sudo dpkg-reconfigure tzdata
 # Verify timezone setting
 date
 ```
 **What this does**: Opens an interactive dialog to select your timezone. Navigate through the menus to choose your preferred timezone (e.g., UTC, America/New_York, Europe/London, Asia/Tokyo).
 **Expected output**: After selecting your timezone, the `date` command should show the current date and time in your selected timezone.
 #### 11.3 Configure /etc/hosts
 ```bash
 # Add localhost entries for both IPv4 and IPv6
 echo "127.0.0.1 localhost" | sudo tee -a /etc/hosts
 echo "::1 localhost ip6-localhost ip6-loopback" | sudo tee -a /etc/hosts
 echo "YOUR_PRODUCTION_IPV4_ADDRESS localhost" | sudo tee -a /etc/hosts
 echo "YOUR_PRODUCTION_IPV6_ADDRESS localhost" | sudo tee -a /etc/hosts
 # Verify the configuration
 cat /etc/hosts
 ```
 **What this does**: 
 - Adds localhost entries for both IPv4 and IPv6 addresses to `/etc/hosts`
 - Ensures proper localhost resolution for both IPv4 and IPv6
 **Important**: Replace `YOUR_PRODUCTION_IPV4_ADDRESS` and `YOUR_PRODUCTION_IPV6_ADDRESS` with the actual IPv4 and IPv6 addresses of your Production Linode obtained from your Linode dashboard.
 **Expected output**: The `/etc/hosts` file should show entries for `127.0.0.1`, `::1`, and your Linode's actual IP addresses all mapping to `localhost`.
 #### 11.4 Install Essential Packages
 ```bash
 sudo apt install -y \
    curl \
    wget \
    git \
    ca-certificates \
    apt-transport-https \
    software-properties-common \
    ufw \
    fail2ban \
    htop \
    nginx \
    certbot \
    python3-certbot-nginx
 ```
 ### Step 12: Create Users
 #### 12.1 Create the SERVICE_USER User
 ```bash
 # Create dedicated group for the service account
 sudo groupadd -r SERVICE_USER
 # Create service account user with dedicated group
 sudo useradd -r -g SERVICE_USER -s /bin/bash -m -d /home/SERVICE_USER SERVICE_USER
 echo "SERVICE_USER:$(openssl rand -base64 32)" | sudo chpasswd
 ```
 #### 12.2 Create the DEPLOY_USER User
 ```bash
 # Create deployment user
 sudo useradd -m -s /bin/bash DEPLOY_USER
 sudo usermod -aG sudo DEPLOY_USER
 echo "DEPLOY_USER:$(openssl rand -base64 32)" | sudo chpasswd
 ```
 #### 12.3 Verify Users
 ```bash
 sudo su - SERVICE_USER
 whoami
 pwd
 exit
 sudo su - DEPLOY_USER
 whoami
 pwd
 exit
 ```
 ### Step 13: Install Docker
 #### 13.1 Add Docker Repository
 ```bash
 curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
 echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
 sudo apt update
 ```
 #### 13.2 Install Docker Packages
 ```bash
 sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
 ```
 #### 13.3 Configure Docker for Service Account
 ```bash
 sudo usermod -aG docker SERVICE_USER
 ```
 ### Step 14: Install Docker Compose
 ```bash
 sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
 sudo chmod +x /usr/local/bin/docker-compose
 ```
 ### Step 15: Configure Security
 #### 15.1 Configure Firewall
 ```bash
 sudo ufw --force enable
 sudo ufw default deny incoming
 sudo ufw default allow outgoing
 sudo ufw allow ssh
 sudo ufw allow 80/tcp
 sudo ufw allow 443/tcp
 sudo ufw allow 3000/tcp
 sudo ufw allow 3001/tcp
 ```
 #### 15.2 Configure Fail2ban
 ```bash
 sudo systemctl enable fail2ban
 sudo systemctl start fail2ban
 ```
 ### Step 16: Create Application Directory
 #### 16.1 Create Directory Structure
 ```bash
 sudo mkdir -p /opt/APP_NAME
 sudo chown SERVICE_USER:SERVICE_USER /opt/APP_NAME
 ```
 **Note**: Replace `APP_NAME` with your actual application name. This directory name can be controlled via the `APP_NAME` secret in your Forgejo repository settings. If you set the `APP_NAME` secret to `myapp`, the deployment directory will be `/opt/myapp`.
 #### 16.2 Create SSL Directory (Optional - for domain users)
 ```bash
 sudo mkdir -p /opt/APP_NAME/nginx/ssl
 sudo chown SERVICE_USER:SERVICE_USER /opt/APP_NAME/nginx/ssl
 ```
 ### Step 17: Clone Repository and Set Up Application Files
 #### 17.1 Switch to SERVICE_USER User
 ```bash
 sudo su - SERVICE_USER
 ```
 #### 17.2 Clone Repository
 ```bash
 cd /opt/APP_NAME
 git clone https://your-forgejo-instance/your-username/APP_NAME.git .
 ```
 **Important**: The repository includes a pre-configured `nginx/nginx.conf` file that handles both SSL and non-SSL scenarios, with proper security headers, rate limiting, and CORS configuration. This file will be automatically used by the Docker Compose setup.
 **Important**: The repository also includes a pre-configured `.forgejo/workflows/ci.yml` file that handles the complete CI/CD pipeline including testing, building, and deployment. This workflow is already set up to work with the private registry and production deployment.
 **Note**: Replace `your-forgejo-instance` and `your-username/APP_NAME` with your actual Forgejo instance URL and repository path.
 #### 17.3 Create Environment File
 The repository doesn't include a `.env.example` file for security reasons. The CI/CD pipeline will create the `.env` file dynamically during deployment. However, for manual testing or initial setup, you can create a basic `.env` file:
 ```bash
 cat > /opt/APP_NAME/.env << 'EOF'
 # Production Environment Variables
 POSTGRES_PASSWORD=your_secure_password_here
 REGISTRY=YOUR_CI_CD_IP:5000
 IMAGE_NAME=APP_NAME
 IMAGE_TAG=latest
 # Database Configuration
 POSTGRES_DB=sharenet
 POSTGRES_USER=sharenet
 DATABASE_URL=postgresql://sharenet:your_secure_password_here@postgres:5432/sharenet
 # Application Configuration
 NODE_ENV=production
 RUST_LOG=info
 RUST_BACKTRACE=1
 EOF
 ```
 **Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address and `your_secure_password_here` with a strong password.
 #### 17.4 Configure Docker for Registry Access
 ```bash
 # Add the CI/CD registry to Docker's insecure registries
 sudo mkdir -p /etc/docker
 sudo tee /etc/docker/daemon.json << EOF
 {
  "insecure-registries": ["YOUR_CI_CD_IP:5000"]
 }
 EOF
 # Restart Docker to apply changes
 sudo systemctl restart docker
 ```
 **Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address.
 ### Step 18: Set Up SSH Key Authentication
 #### 18.1 Add CI/CD Public Key
 ```bash
 # Create .ssh directory for SERVICE_USER
 mkdir -p ~/.ssh
 chmod 700 ~/.ssh
 # Add the CI/CD public key (copy from CI/CD Linode)
 echo "YOUR_CI_CD_PUBLIC_KEY" >> ~/.ssh/authorized_keys
 chmod 600 ~/.ssh/authorized_keys
 ```
 **Important**: Replace `YOUR_CI_CD_PUBLIC_KEY` with the public key from the CI/CD Linode (the output from `cat ~/.ssh/id_ed25519.pub` on the CI/CD Linode).
 #### 18.2 Test SSH Connection
 From the CI/CD Linode, test the SSH connection:
 ```bash
 ssh production
 ```
 **Expected output**: You should be able to SSH to the production server without a password prompt.
 ### Step 19: Test Production Setup
 #### 19.1 Test Docker Installation
 ```bash
 docker --version
 docker compose --version
 ```
 #### 19.2 Test Registry Access
 ```bash
 # Test pulling an image from the CI/CD registry
 docker pull YOUR_CI_CD_IP:5000/APP_NAME/backend:latest
 ```
 **Important**: Replace `YOUR_CI_CD_IP` with your actual CI/CD Linode IP address.
 #### 19.3 Test Application Deployment
 ```bash
 cd /opt/APP_NAME
 docker compose up -d
 ```
 #### 19.4 Verify Application Status
 ```bash
 docker compose ps
 curl http://localhost:3000
 curl http://localhost:3001/health
 ```
 **Expected Output**:
 - All containers should be running
 - Frontend should be accessible on port 3000
 - Backend health check should return 200 OK
 ---
 ## Part 3: Final Configuration and Testing