# Complete Deployment Task List This document provides a detailed checklist of all tasks required to deploy the ChainID 138 Explorer Platform using LXC, Nginx, Cloudflare DNS, SSL, and Cloudflare Tunnel. --- ## 📋 Complete Task List (71 Tasks) ### PRE-DEPLOYMENT (5 tasks) #### Task 1: Verify Prerequisites - [ ] Access to Proxmox VE host with LXC support - [ ] Cloudflare account created and domain added - [ ] Domain DNS managed by Cloudflare - [ ] Cloudflare API token created (with DNS edit permissions) - [ ] SSH access to Proxmox host configured --- ### PHASE 1: LXC CONTAINER SETUP (8 tasks) #### Task 2: Create LXC Container - [ ] Log into Proxmox host - [ ] Download Ubuntu 22.04 template (if not exists) - [ ] Run container creation command - [ ] Verify container created successfully - [ ] Note container ID for future reference #### Task 3: Start and Access Container - [ ] Start container: `pct start ` - [ ] Access container: `pct enter ` - [ ] Verify network connectivity - [ ] Update system: `apt update && apt upgrade -y` #### Task 4: Install Base Packages - [ ] Install essential packages (curl, wget, git, vim, etc.) - [ ] Install firewall: `apt install -y ufw` - [ ] Install fail2ban: `apt install -y fail2ban` - [ ] Install security updates tool: `apt install -y unattended-upgrades` #### Task 5: Configure System Settings - [ ] Set timezone: `timedatectl set-timezone UTC` - [ ] Configure hostname: `hostnamectl set-hostname explorer-prod` - [ ] Configure locale settings #### Task 6: Create Deployment User - [ ] Create user: `adduser explorer` - [ ] Add to sudo group: `usermod -aG sudo explorer` - [ ] Configure SSH access for new user - [ ] Disable root SSH login in `/etc/ssh/sshd_config` - [ ] Restart SSH service --- ### PHASE 2: APPLICATION INSTALLATION (12 tasks) #### Task 7: Install Go 1.21+ - [ ] Download Go 1.21.6: `wget https://go.dev/dl/go1.21.6.linux-amd64.tar.gz` - [ ] Extract to `/usr/local/go` - [ ] Add Go to PATH in `/etc/profile` and `~/.bashrc` - [ ] Source profile or logout/login - [ ] Verify: `go version` (should show 1.21.6+) #### Task 8: Install Node.js 20+ - [ ] Add NodeSource repository - [ ] Install Node.js 20.x - [ ] Verify: `node --version` (should show v20.x.x+) - [ ] Verify: `npm --version` #### Task 9: Install Docker & Docker Compose - [ ] Add Docker GPG key - [ ] Add Docker repository - [ ] Install Docker CE - [ ] Install Docker Compose plugin - [ ] Start Docker service: `systemctl start docker` - [ ] Enable Docker on boot: `systemctl enable docker` - [ ] Add `explorer` user to docker group - [ ] Verify: `docker --version` and `docker compose version` #### Task 10: Clone Repository - [ ] Switch to deployment user: `su - explorer` - [ ] Navigate to home: `cd /home/explorer` - [ ] Clone repository: `git clone explorer-monorepo` - [ ] Verify repository cloned correctly #### Task 11: Install Dependencies - [ ] Navigate to backend: `cd explorer-monorepo/backend` - [ ] Download Go modules: `go mod download` - [ ] Navigate to frontend: `cd ../frontend` - [ ] Install npm packages: `npm ci --production` #### Task 12: Build Applications - [ ] Build indexer: `go build -o /usr/local/bin/explorer-indexer ./indexer/main.go` - [ ] Build API: `go build -o /usr/local/bin/explorer-api ./api/rest/main.go` - [ ] Build gateway: `go build -o /usr/local/bin/explorer-gateway ./api/gateway/main.go` - [ ] Build search service: `go build -o /usr/local/bin/explorer-search ./api/search/main.go` - [ ] Build frontend: `cd frontend && npm run build` - [ ] Verify all binaries exist and are executable --- ### PHASE 3: DATABASE SETUP (10 tasks) #### Task 13: Install PostgreSQL 16 - [ ] Add PostgreSQL APT repository - [ ] Add PostgreSQL GPG key - [ ] Update package list - [ ] Install PostgreSQL 16: `apt install -y postgresql-16 postgresql-contrib-16` #### Task 14: Install TimescaleDB - [ ] Add TimescaleDB repository - [ ] Add TimescaleDB GPG key - [ ] Update package list - [ ] Install TimescaleDB: `apt install -y timescaledb-2-postgresql-16` - [ ] Run TimescaleDB tuner: `timescaledb-tune --quiet --yes` - [ ] Restart PostgreSQL: `systemctl restart postgresql` #### Task 15: Create Database and User - [ ] Switch to postgres user: `su - postgres` - [ ] Create database user: `CREATE USER explorer WITH PASSWORD ''` - [ ] Create database: `CREATE DATABASE explorer OWNER explorer;` - [ ] Connect to database: `\c explorer` - [ ] Enable TimescaleDB extension: `CREATE EXTENSION IF NOT EXISTS timescaledb;` - [ ] Enable UUID extension: `CREATE EXTENSION IF NOT EXISTS "uuid-ossp";` - [ ] Grant privileges: `GRANT ALL PRIVILEGES ON DATABASE explorer TO explorer;` #### Task 16: Run Database Migrations - [ ] Return to deployment user - [ ] Navigate to backend: `cd /home/explorer/explorer-monorepo/backend` - [ ] Run migrations: `go run database/migrations/migrate.go` - [ ] Verify migrations completed successfully - [ ] Check database tables exist #### Task 17: Configure PostgreSQL - [ ] Edit `postgresql.conf`: `/etc/postgresql/16/main/postgresql.conf` - [ ] Set `max_connections = 100` - [ ] Set `shared_buffers = 4GB` - [ ] Set `effective_cache_size = 12GB` - [ ] Set other performance tuning parameters - [ ] Edit `pg_hba.conf` for local connections - [ ] Restart PostgreSQL: `systemctl restart postgresql` - [ ] Verify PostgreSQL is running: `systemctl status postgresql` --- ### PHASE 4: INFRASTRUCTURE SERVICES (6 tasks) #### Task 18: Deploy Elasticsearch/OpenSearch - [ ] Navigate to deployment directory: `cd /home/explorer/explorer-monorepo/deployment` - [ ] Start Elasticsearch: `docker compose -f docker-compose.yml up -d elasticsearch` - [ ] Wait for Elasticsearch to be ready - [ ] Verify Elasticsearch: `curl http://localhost:9200` #### Task 19: Deploy Redis - [ ] Start Redis: `docker compose -f docker-compose.yml up -d redis` - [ ] Verify Redis: `redis-cli ping` - [ ] Verify both services running: `docker ps` --- ### PHASE 5: APPLICATION SERVICES (10 tasks) #### Task 20: Create Environment Configuration - [ ] Copy `.env.example` to `.env`: `cp .env.example .env` - [ ] Edit `.env` file with production values - [ ] Set database credentials - [ ] Set RPC URLs and Chain ID - [ ] Set API URLs and ports - [ ] Verify all required variables are set - [ ] Set proper file permissions: `chmod 600 .env` #### Task 21: Create Systemd Service Files - [ ] Create `/etc/systemd/system/explorer-indexer.service` - [ ] Create `/etc/systemd/system/explorer-api.service` - [ ] Create `/etc/systemd/system/explorer-frontend.service` - [ ] Set proper ownership: `chown root:root /etc/systemd/system/explorer-*.service` - [ ] Set proper permissions: `chmod 644 /etc/systemd/system/explorer-*.service` #### Task 22: Enable and Start Services - [ ] Reload systemd: `systemctl daemon-reload` - [ ] Enable indexer: `systemctl enable explorer-indexer` - [ ] Enable API: `systemctl enable explorer-api` - [ ] Enable frontend: `systemctl enable explorer-frontend` - [ ] Start indexer: `systemctl start explorer-indexer` - [ ] Start API: `systemctl start explorer-api` - [ ] Start frontend: `systemctl start explorer-frontend` #### Task 23: Verify Services - [ ] Check indexer status: `systemctl status explorer-indexer` - [ ] Check API status: `systemctl status explorer-api` - [ ] Check frontend status: `systemctl status explorer-frontend` - [ ] Check indexer logs: `journalctl -u explorer-indexer -f` - [ ] Check API logs: `journalctl -u explorer-api -f` - [ ] Verify API responds: `curl http://localhost:8080/health` - [ ] Verify frontend responds: `curl http://localhost:3000` --- ### PHASE 6: NGINX REVERSE PROXY (9 tasks) #### Task 24: Install Nginx - [ ] Install Nginx: `apt install -y nginx` - [ ] Verify installation: `nginx -v` #### Task 25: Create Nginx Configuration - [ ] Copy config template: `cp deployment/nginx/explorer.conf /etc/nginx/sites-available/explorer` - [ ] Edit configuration file (update domain if needed) - [ ] Enable site: `ln -s /etc/nginx/sites-available/explorer /etc/nginx/sites-enabled/` - [ ] Remove default site: `rm /etc/nginx/sites-enabled/default` - [ ] Test configuration: `nginx -t` - [ ] If test passes, reload Nginx: `systemctl reload nginx` #### Task 26: Configure Rate Limiting - [ ] Verify rate limiting zones in config - [ ] Adjust rate limits as needed - [ ] Test rate limiting (optional) #### Task 27: Test Nginx Proxy - [ ] Verify Nginx is running: `systemctl status nginx` - [ ] Test HTTP endpoint: `curl -I http://localhost` - [ ] Test API proxy: `curl http://localhost/api/v1/blocks` - [ ] Check Nginx access logs: `tail -f /var/log/nginx/explorer-access.log` - [ ] Check Nginx error logs: `tail -f /var/log/nginx/explorer-error.log` --- ### PHASE 7: CLOUDFLARE CONFIGURATION (18 tasks) #### Task 28: Set Up Cloudflare DNS Records - [ ] Login to Cloudflare Dashboard - [ ] Select domain - [ ] Go to DNS → Records - [ ] Add A record for `explorer` (or `@`): - Type: A - Name: explorer - IPv4: [Your server IP] (if direct) or leave empty (if tunnel) - Proxy: Proxied (orange cloud) - TTL: Auto - [ ] Add CNAME for `www`: - Type: CNAME - Name: www - Target: explorer.d-bis.org - Proxy: Proxied - TTL: Auto - [ ] Save DNS records - [ ] Verify DNS propagation #### Task 29: Configure Cloudflare SSL/TLS - [ ] Go to SSL/TLS → Overview - [ ] Set encryption mode to: **Full (strict)** - [ ] Go to SSL/TLS → Edge Certificates - [ ] Enable: "Always Use HTTPS" - [ ] Enable: "Automatic HTTPS Rewrites" - [ ] Enable: "Opportunistic Encryption" - [ ] Enable: "TLS 1.3" - [ ] Save settings #### Task 30: Install Cloudflare Tunnel (cloudflared) - [ ] Download cloudflared: `wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb` - [ ] Install: `dpkg -i cloudflared-linux-amd64.deb` - [ ] Verify: `cloudflared --version` #### Task 31: Authenticate Cloudflare Tunnel - [ ] Run: `cloudflared tunnel login` - [ ] Follow browser authentication - [ ] Verify authentication successful #### Task 32: Create Cloudflare Tunnel - [ ] Create tunnel: `cloudflared tunnel create explorer-tunnel` - [ ] List tunnels: `cloudflared tunnel list` - [ ] Note tunnel ID #### Task 33: Configure Cloudflare Tunnel - [ ] Create config directory: `mkdir -p /etc/cloudflared` - [ ] Copy tunnel config template: `cp deployment/cloudflare/tunnel-config.yml /etc/cloudflared/config.yml` - [ ] Edit config file with tunnel ID - [ ] Update hostnames in config - [ ] Verify config: `cloudflared tunnel --config /etc/cloudflared/config.yml ingress validate` #### Task 34: Install Cloudflare Tunnel as Service - [ ] Install service: `cloudflared service install` - [ ] Enable service: `systemctl enable cloudflared` - [ ] Start service: `systemctl start cloudflared` - [ ] Check status: `systemctl status cloudflared` - [ ] View logs: `journalctl -u cloudflared -f` #### Task 35: Verify Cloudflare Tunnel - [ ] Check tunnel is running: `cloudflared tunnel info explorer-tunnel` - [ ] Verify DNS routes are configured in Cloudflare dashboard - [ ] Test domain access: `curl -I https://explorer.d-bis.org` - [ ] Verify SSL certificate is active #### Task 36: Configure Cloudflare WAF - [ ] Go to Security → WAF - [ ] Enable Cloudflare Managed Ruleset - [ ] Enable OWASP Core Ruleset - [ ] Create custom rate limiting rule (if needed) - [ ] Save rules #### Task 37: Configure Cloudflare Caching - [ ] Go to Caching → Configuration - [ ] Set Caching Level: Standard - [ ] Go to Caching → Cache Rules - [ ] Create rule for static assets (Cache everything, Edge TTL: 1 year) - [ ] Create rule for API endpoints (Bypass cache) - [ ] Create rule for frontend pages (Cache HTML for 5 minutes) #### Task 38: Configure DDoS Protection - [ ] Go to Security → DDoS - [ ] Enable DDoS protection - [ ] Configure protection level (Medium recommended) - [ ] Review and adjust as needed --- ### PHASE 8: SECURITY HARDENING (12 tasks) #### Task 39: Configure Firewall (UFW) - [ ] Enable UFW: `ufw --force enable` - [ ] Allow SSH: `ufw allow 22/tcp` - [ ] Allow HTTP: `ufw allow 80/tcp` (if direct connection) - [ ] Allow HTTPS: `ufw allow 443/tcp` (if direct connection) - [ ] Add Cloudflare IP ranges (if direct connection) - [ ] Check status: `ufw status verbose` #### Task 40: Configure Fail2ban - [ ] Create Nginx jail config: `/etc/fail2ban/jail.d/nginx.conf` - [ ] Configure nginx-limit-req jail - [ ] Configure nginx-botsearch jail - [ ] Restart fail2ban: `systemctl restart fail2ban` - [ ] Check status: `fail2ban-client status` #### Task 41: Configure Automatic Updates - [ ] Configure `/etc/apt/apt.conf.d/50unattended-upgrades` - [ ] Enable security updates only - [ ] Disable automatic reboot - [ ] Enable service: `systemctl enable unattended-upgrades` - [ ] Start service: `systemctl start unattended-upgrades` #### Task 42: Configure Log Rotation - [ ] Create logrotate config: `/etc/logrotate.d/explorer` - [ ] Set rotation schedule (daily) - [ ] Set retention (30 days) - [ ] Configure compression - [ ] Test: `logrotate -d /etc/logrotate.d/explorer` #### Task 43: Set Up Backup Script - [ ] Create backup script: `/usr/local/bin/explorer-backup.sh` - [ ] Configure database backup - [ ] Configure config file backup - [ ] Set cleanup of old backups - [ ] Make executable: `chmod +x /usr/local/bin/explorer-backup.sh` - [ ] Test backup script manually - [ ] Add to crontab: Daily at 2 AM #### Task 44: Secure Environment File - [ ] Set proper permissions: `chmod 600 /home/explorer/explorer-monorepo/.env` - [ ] Verify only owner can read: `ls -l .env` - [ ] Add .env to .gitignore (verify) #### Task 45: Configure SSH Hardening - [ ] Edit `/etc/ssh/sshd_config` - [ ] Disable root login: `PermitRootLogin no` - [ ] Disable password authentication (use keys only): `PasswordAuthentication no` - [ ] Set SSH port (optional, change from 22) - [ ] Restart SSH: `systemctl restart sshd` - [ ] Test SSH connection before closing session --- ### PHASE 9: MONITORING & MAINTENANCE (8 tasks) #### Task 46: Create Health Check Script - [ ] Create script: `/usr/local/bin/explorer-health-check.sh` - [ ] Configure API health check - [ ] Configure service restart on failure - [ ] Add alert mechanism (email/Slack) - [ ] Make executable: `chmod +x /usr/local/bin/explorer-health-check.sh` - [ ] Test script manually #### Task 47: Configure Health Check Cron Job - [ ] Add to crontab: Every 5 minutes - [ ] Verify cron job added: `crontab -l` #### Task 48: Set Up Log Monitoring - [ ] Install logwatch: `apt install -y logwatch` - [ ] Configure logwatch - [ ] Set up daily log summaries (optional) #### Task 49: Configure Cloudflare Analytics - [ ] Access Cloudflare Analytics dashboard - [ ] Set up custom dashboards - [ ] Configure alert thresholds #### Task 50: Set Up Alerts - [ ] Configure email alerts in Cloudflare - [ ] Set up high error rate alerts - [ ] Set up DDoS detection alerts - [ ] Set up certificate expiration alerts - [ ] Test alert mechanism --- ### POST-DEPLOYMENT VERIFICATION (13 tasks) #### Task 51: Verify All Services - [ ] Check all systemd services: `systemctl status explorer-*` - [ ] Verify no service errors - [ ] Check service logs for warnings #### Task 52: Verify Database - [ ] Test database connection: `psql -U explorer -d explorer -h localhost` - [ ] Check database tables exist - [ ] Verify migrations applied #### Task 53: Verify Infrastructure Services - [ ] Check Elasticsearch: `curl http://localhost:9200` - [ ] Check Redis: `redis-cli ping` - [ ] Check Docker containers: `docker ps` #### Task 54: Verify API - [ ] Test health endpoint: `curl https://explorer.d-bis.org/api/health` - [ ] Test blocks endpoint: `curl https://explorer.d-bis.org/api/v1/blocks` - [ ] Test transactions endpoint - [ ] Test search endpoint #### Task 55: Verify Frontend - [ ] Open browser: `https://explorer.d-bis.org` - [ ] Verify homepage loads - [ ] Test navigation - [ ] Verify static assets load #### Task 56: Verify DNS - [ ] Check DNS resolution: `dig explorer.d-bis.org` - [ ] Verify DNS points to Cloudflare IPs - [ ] Test from multiple locations #### Task 57: Verify SSL/TLS - [ ] Check SSL certificate: `openssl s_client -connect explorer.d-bis.org:443 -servername explorer.d-bis.org` - [ ] Verify certificate is valid - [ ] Verify TLS 1.3 is enabled - [ ] Check SSL Labs rating (optional): https://www.ssllabs.com/ssltest/ #### Task 58: Verify Cloudflare Tunnel - [ ] Check tunnel status: `systemctl status cloudflared` - [ ] View tunnel info: `cloudflared tunnel info explorer-tunnel` - [ ] Check tunnel logs for errors #### Task 59: Verify Nginx - [ ] Check Nginx status: `systemctl status nginx` - [ ] Test configuration: `nginx -t` - [ ] Check access logs - [ ] Check error logs #### Task 60: Verify Security - [ ] Test firewall: `ufw status` - [ ] Test fail2ban: `fail2ban-client status` - [ ] Verify security headers present - [ ] Test rate limiting (optional) #### Task 61: Verify Performance - [ ] Test response times - [ ] Verify caching working - [ ] Check Cloudflare cache hit ratio - [ ] Monitor resource usage #### Task 62: Verify Monitoring - [ ] Test health check script - [ ] Verify cron jobs running - [ ] Check log rotation working - [ ] Verify backups running #### Task 63: Documentation - [ ] Document deployed version - [ ] Document configuration changes - [ ] Document known issues - [ ] Update deployment checklist --- ### OPTIONAL ENHANCEMENTS (8 tasks) #### Task 64: Set Up Let's Encrypt Certificates (Optional) - [ ] Install certbot: `apt install -y certbot python3-certbot-nginx` - [ ] Obtain certificate: `certbot --nginx -d explorer.d-bis.org -d www.explorer.d-bis.org` - [ ] Test renewal: `certbot renew --dry-run` - [ ] Set up auto-renewal cron job #### Task 65: Configure CDN for Static Assets - [ ] Configure Cloudflare cache rules - [ ] Set up custom cache headers - [ ] Verify CDN serving static assets #### Task 66: Set Up Monitoring Dashboard (Optional) - [ ] Install Prometheus (optional) - [ ] Install Grafana (optional) - [ ] Configure dashboards - [ ] Set up alerts #### Task 67: Configure Database Replication (Optional) - [ ] Set up read replica - [ ] Configure connection pooling - [ ] Update application config #### Task 68: Set Up Load Balancing (Optional) - [ ] Configure multiple API instances - [ ] Set up load balancer - [ ] Configure health checks #### Task 69: Configure Auto-Scaling (Optional) - [ ] Set up monitoring metrics - [ ] Configure scaling rules - [ ] Test auto-scaling #### Task 70: Set Up Disaster Recovery - [ ] Configure automated backups - [ ] Set up backup verification - [ ] Document recovery procedures - [ ] Test recovery process #### Task 71: Performance Optimization - [ ] Optimize database queries - [ ] Configure Redis caching - [ ] Optimize Nginx config - [ ] Review and optimize Cloudflare settings --- ## 📊 Deployment Summary - **Total Tasks**: 71 - **Required Tasks**: 63 - **Optional Tasks**: 8 - **Estimated Time**: 6-8 hours (first deployment) ## 🚀 Quick Start Commands ```bash # 1. Run automated deployment script (Phase 1-2) ./deployment/scripts/deploy-lxc.sh # 2. Follow manual steps for remaining phases # See DEPLOYMENT_GUIDE.md for detailed instructions # 3. Use checklist to track progress # See DEPLOYMENT_CHECKLIST.md ``` ## 📝 Notes - Tasks marked with ⚠️ require careful attention - Tasks marked with ✅ can be automated - Always test in staging before production - Keep backups before major changes - Document any deviations from standard procedure --- **Last Updated**: 2024-12-23 **Version**: 1.0.0