# Complete Deployment Task List
This document provides a detailed checklist of all tasks required to deploy the ChainID 138 Explorer Platform using LXC, Nginx, Cloudflare DNS, SSL, and Cloudflare Tunnel.

---
## 📋 Complete Task List (71 Tasks)
### PRE-DEPLOYMENT (5 tasks)
#### Task 1: Verify Prerequisites
- [ ] Access to Proxmox VE host with LXC support
- [ ] Cloudflare account created and domain added
- [ ] Domain DNS managed by Cloudflare
- [ ] Cloudflare API token created (with DNS edit permissions)
- [ ] SSH access to Proxmox host configured
---
### PHASE 1: LXC CONTAINER SETUP (8 tasks)
#### Task 2: Create LXC Container
- [ ] Log into Proxmox host
- [ ] Download Ubuntu 22.04 template (if not exists)
- [ ] Run container creation command
- [ ] Verify container created successfully
- [ ] Note container ID for future reference
#### Task 3: Start and Access Container
- [ ] Start container: `pct start <CONTAINER_ID>`
- [ ] Access container: `pct enter <CONTAINER_ID>`
- [ ] Verify network connectivity
- [ ] Update system: `apt update && apt upgrade -y`
#### Task 4: Install Base Packages
- [ ] Install essential packages (curl, wget, git, vim, etc.)
- [ ] Install firewall: `apt install -y ufw`
- [ ] Install fail2ban: `apt install -y fail2ban`
- [ ] Install security updates tool: `apt install -y unattended-upgrades`
#### Task 5: Configure System Settings
- [ ] Set timezone: `timedatectl set-timezone UTC`
- [ ] Configure hostname: `hostnamectl set-hostname explorer-prod`
- [ ] Configure locale settings
#### Task 6: Create Deployment User
- [ ] Create user: `adduser explorer`
- [ ] Add to sudo group: `usermod -aG sudo explorer`
- [ ] Configure SSH access for new user
- [ ] Disable root SSH login in `/etc/ssh/sshd_config`
- [ ] Restart SSH service
---
### PHASE 2: APPLICATION INSTALLATION (12 tasks)
#### Task 7: Install Go 1.21+
- [ ] Download Go 1.21.6: `wget https://go.dev/dl/go1.21.6.linux-amd64.tar.gz`
- [ ] Extract to `/usr/local/go`
- [ ] Add Go to PATH in `/etc/profile` and `~/.bashrc`
- [ ] Source profile or logout/login
- [ ] Verify: `go version` (should show 1.21.6+)
#### Task 8: Install Node.js 20+
- [ ] Add NodeSource repository
- [ ] Install Node.js 20.x
- [ ] Verify: `node --version` (should show v20.x.x+)
- [ ] Verify: `npm --version`
#### Task 9: Install Docker & Docker Compose
- [ ] Add Docker GPG key
- [ ] Add Docker repository
- [ ] Install Docker CE
- [ ] Install Docker Compose plugin
- [ ] Start Docker service: `systemctl start docker`
- [ ] Enable Docker on boot: `systemctl enable docker`
- [ ] Add `explorer` user to docker group
- [ ] Verify: `docker --version` and `docker compose version`
#### Task 10: Clone Repository
- [ ] Switch to deployment user: `su - explorer`
- [ ] Navigate to home: `cd /home/explorer`
- [ ] Clone repository: `git clone <repo-url> explorer-monorepo`
- [ ] Verify repository cloned correctly
#### Task 11: Install Dependencies
- [ ] Navigate to backend: `cd explorer-monorepo/backend`
- [ ] Download Go modules: `go mod download`
- [ ] Navigate to frontend: `cd ../frontend`
- [ ] Install npm packages: `npm ci --production`
#### Task 12: Build Applications
- [ ] Build indexer: `go build -o /usr/local/bin/explorer-indexer ./indexer/main.go`
- [ ] Build API: `go build -o /usr/local/bin/explorer-api ./api/rest/main.go`
- [ ] Build gateway: `go build -o /usr/local/bin/explorer-gateway ./api/gateway/main.go`
- [ ] Build search service: `go build -o /usr/local/bin/explorer-search ./api/search/main.go`
- [ ] Build frontend: `cd frontend && npm run build`
- [ ] Verify all binaries exist and are executable
---
### PHASE 3: DATABASE SETUP (10 tasks)
#### Task 13: Install PostgreSQL 16
- [ ] Add PostgreSQL APT repository
- [ ] Add PostgreSQL GPG key
- [ ] Update package list
- [ ] Install PostgreSQL 16: `apt install -y postgresql-16 postgresql-contrib-16`
#### Task 14: Install TimescaleDB
- [ ] Add TimescaleDB repository
- [ ] Add TimescaleDB GPG key
- [ ] Update package list
- [ ] Install TimescaleDB: `apt install -y timescaledb-2-postgresql-16`
- [ ] Run TimescaleDB tuner: `timescaledb-tune --quiet --yes`
- [ ] Restart PostgreSQL: `systemctl restart postgresql`
#### Task 15: Create Database and User
- [ ] Switch to postgres user: `su - postgres`
- [ ] Create database user: `CREATE USER explorer WITH PASSWORD '<SECURE_PASSWORD>';`
- [ ] Create database: `CREATE DATABASE explorer OWNER explorer;`
- [ ] Connect to database: `\c explorer`
- [ ] Enable TimescaleDB extension: `CREATE EXTENSION IF NOT EXISTS timescaledb;`
- [ ] Enable UUID extension: `CREATE EXTENSION IF NOT EXISTS "uuid-ossp";`
- [ ] Grant privileges: `GRANT ALL PRIVILEGES ON DATABASE explorer TO explorer;`
#### Task 16: Run Database Migrations
- [ ] Return to deployment user
- [ ] Navigate to backend: `cd /home/explorer/explorer-monorepo/backend`
- [ ] Run migrations: `go run database/migrations/migrate.go`
- [ ] Verify migrations completed successfully
- [ ] Check database tables exist
#### Task 17: Configure PostgreSQL
- [ ] Edit `postgresql.conf`: `/etc/postgresql/16/main/postgresql.conf`
- [ ] Set `max_connections = 100`
- [ ] Set `shared_buffers = 4GB`
- [ ] Set `effective_cache_size = 12GB`
- [ ] Set other performance tuning parameters
- [ ] Edit `pg_hba.conf` for local connections
- [ ] Restart PostgreSQL: `systemctl restart postgresql`
- [ ] Verify PostgreSQL is running: `systemctl status postgresql`
---
### PHASE 4: INFRASTRUCTURE SERVICES (6 tasks)
#### Task 18: Deploy Elasticsearch/OpenSearch
- [ ] Navigate to deployment directory: `cd /home/explorer/explorer-monorepo/deployment`
- [ ] Start Elasticsearch: `docker compose -f docker-compose.yml up -d elasticsearch`
- [ ] Wait for Elasticsearch to be ready
- [ ] Verify Elasticsearch: `curl http://localhost:9200`
#### Task 19: Deploy Redis
- [ ] Start Redis: `docker compose -f docker-compose.yml up -d redis`
- [ ] Verify Redis: `redis-cli ping`
- [ ] Verify both services running: `docker ps`
---
### PHASE 5: APPLICATION SERVICES (10 tasks)
#### Task 20: Create Environment Configuration
- [ ] Copy `.env.example` to `.env`: `cp .env.example .env`
- [ ] Edit `.env` file with production values
- [ ] Set database credentials
- [ ] Set RPC URLs and Chain ID
- [ ] Set API URLs and ports
- [ ] Verify all required variables are set
- [ ] Set proper file permissions: `chmod 600 .env`
#### Task 21: Create Systemd Service Files
- [ ] Create `/etc/systemd/system/explorer-indexer.service`
- [ ] Create `/etc/systemd/system/explorer-api.service`
- [ ] Create `/etc/systemd/system/explorer-frontend.service`
- [ ] Set proper ownership: `chown root:root /etc/systemd/system/explorer-*.service`
- [ ] Set proper permissions: `chmod 644 /etc/systemd/system/explorer-*.service`
#### Task 22: Enable and Start Services
- [ ] Reload systemd: `systemctl daemon-reload`
- [ ] Enable indexer: `systemctl enable explorer-indexer`
- [ ] Enable API: `systemctl enable explorer-api`
- [ ] Enable frontend: `systemctl enable explorer-frontend`
- [ ] Start indexer: `systemctl start explorer-indexer`
- [ ] Start API: `systemctl start explorer-api`
- [ ] Start frontend: `systemctl start explorer-frontend`
#### Task 23: Verify Services
- [ ] Check indexer status: `systemctl status explorer-indexer`
- [ ] Check API status: `systemctl status explorer-api`
- [ ] Check frontend status: `systemctl status explorer-frontend`
- [ ] Check indexer logs: `journalctl -u explorer-indexer -f`
- [ ] Check API logs: `journalctl -u explorer-api -f`
- [ ] Verify API responds: `curl http://localhost:8080/health`
- [ ] Verify frontend responds: `curl http://localhost:3000`
---
### PHASE 6: NGINX REVERSE PROXY (9 tasks)
#### Task 24: Install Nginx
- [ ] Install Nginx: `apt install -y nginx`
- [ ] Verify installation: `nginx -v`
#### Task 25: Create Nginx Configuration
- [ ] Copy config template: `cp deployment/nginx/explorer.conf /etc/nginx/sites-available/explorer`
- [ ] Edit configuration file (update domain if needed)
- [ ] Enable site: `ln -s /etc/nginx/sites-available/explorer /etc/nginx/sites-enabled/`
- [ ] Remove default site: `rm /etc/nginx/sites-enabled/default`
- [ ] Test configuration: `nginx -t`
- [ ] If test passes, reload Nginx: `systemctl reload nginx`
#### Task 26: Configure Rate Limiting
- [ ] Verify rate limiting zones in config
- [ ] Adjust rate limits as needed
- [ ] Test rate limiting (optional)
#### Task 27: Test Nginx Proxy
- [ ] Verify Nginx is running: `systemctl status nginx`
- [ ] Test HTTP endpoint: `curl -I http://localhost`
- [ ] Test API proxy: `curl http://localhost/api/v1/blocks`
- [ ] Check Nginx access logs: `tail -f /var/log/nginx/explorer-access.log`
- [ ] Check Nginx error logs: `tail -f /var/log/nginx/explorer-error.log`
---
### PHASE 7: CLOUDFLARE CONFIGURATION (18 tasks)
#### Task 28: Set Up Cloudflare DNS Records
- [ ] Login to Cloudflare Dashboard
- [ ] Select domain
- [ ] Go to DNS → Records
- [ ] Add A record for `explorer` (or `@`):
  - Type: A
  - Name: explorer
  - IPv4: [Your server IP] (if direct) or leave empty (if tunnel)
  - Proxy: Proxied (orange cloud)
  - TTL: Auto
- [ ] Add CNAME for `www`:
  - Type: CNAME
  - Name: www
  - Target: explorer.d-bis.org
  - Proxy: Proxied
  - TTL: Auto
- [ ] Save DNS records
- [ ] Verify DNS propagation
#### Task 29: Configure Cloudflare SSL/TLS
- [ ] Go to SSL/TLS → Overview
- [ ] Set encryption mode to: **Full (strict)**
- [ ] Go to SSL/TLS → Edge Certificates
- [ ] Enable: "Always Use HTTPS"
- [ ] Enable: "Automatic HTTPS Rewrites"
- [ ] Enable: "Opportunistic Encryption"
- [ ] Enable: "TLS 1.3"
- [ ] Save settings
#### Task 30: Install Cloudflare Tunnel (cloudflared)
- [ ] Download cloudflared: `wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb`
- [ ] Install: `dpkg -i cloudflared-linux-amd64.deb`
- [ ] Verify: `cloudflared --version`
#### Task 31: Authenticate Cloudflare Tunnel
- [ ] Run: `cloudflared tunnel login`
- [ ] Follow browser authentication
- [ ] Verify authentication successful
#### Task 32: Create Cloudflare Tunnel
- [ ] Create tunnel: `cloudflared tunnel create explorer-tunnel`
- [ ] List tunnels: `cloudflared tunnel list`
- [ ] Note tunnel ID
#### Task 33: Configure Cloudflare Tunnel
- [ ] Create config directory: `mkdir -p /etc/cloudflared`
- [ ] Copy tunnel config template: `cp deployment/cloudflare/tunnel-config.yml /etc/cloudflared/config.yml`
- [ ] Edit config file with tunnel ID
- [ ] Update hostnames in config
- [ ] Verify config: `cloudflared tunnel --config /etc/cloudflared/config.yml ingress validate`
#### Task 34: Install Cloudflare Tunnel as Service
- [ ] Install service: `cloudflared service install`
- [ ] Enable service: `systemctl enable cloudflared`
- [ ] Start service: `systemctl start cloudflared`
- [ ] Check status: `systemctl status cloudflared`
- [ ] View logs: `journalctl -u cloudflared -f`
#### Task 35: Verify Cloudflare Tunnel
- [ ] Check tunnel is running: `cloudflared tunnel info explorer-tunnel`
- [ ] Verify DNS routes are configured in Cloudflare dashboard
- [ ] Test domain access: `curl -I https://explorer.d-bis.org`
- [ ] Verify SSL certificate is active
#### Task 36: Configure Cloudflare WAF
- [ ] Go to Security → WAF
- [ ] Enable Cloudflare Managed Ruleset
- [ ] Enable OWASP Core Ruleset
- [ ] Create custom rate limiting rule (if needed)
- [ ] Save rules
#### Task 37: Configure Cloudflare Caching
- [ ] Go to Caching → Configuration
- [ ] Set Caching Level: Standard
- [ ] Go to Caching → Cache Rules
- [ ] Create rule for static assets (Cache everything, Edge TTL: 1 year)
- [ ] Create rule for API endpoints (Bypass cache)
- [ ] Create rule for frontend pages (Cache HTML for 5 minutes)
#### Task 38: Configure DDoS Protection
- [ ] Go to Security → DDoS
- [ ] Enable DDoS protection
- [ ] Configure protection level (Medium recommended)
- [ ] Review and adjust as needed
---
### PHASE 8: SECURITY HARDENING (12 tasks)
#### Task 39: Configure Firewall (UFW)
- [ ] Enable UFW: `ufw --force enable`
- [ ] Allow SSH: `ufw allow 22/tcp`
- [ ] Allow HTTP: `ufw allow 80/tcp` (if direct connection)
- [ ] Allow HTTPS: `ufw allow 443/tcp` (if direct connection)
- [ ] Add Cloudflare IP ranges (if direct connection)
- [ ] Check status: `ufw status verbose`
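
Task 39 leaves "Add Cloudflare IP ranges" open. The following is an added example, not part of the repository: it turns a list of CIDR ranges into `ufw` rules and refuses the whole list if any line is malformed, so a corrupted or tampered download never becomes a root command. The function names `valid_cidr` and `cf_ufw_rules` are hypothetical, and the sample ranges are constructed documentation prefixes, not Cloudflare's.

```sh
#!/bin/sh
# Added example, not from the repository: build ufw allow rules from a list of
# CIDR ranges, refusing the whole list if any line is not a well-formed CIDR.

# Succeed only for a.b.c.d/len (octets 0-255, len 0-32) or an IPv6 prefix
# made of hex digits and colons with len 0-128 (a deliberately loose check
# whose job is to keep shell metacharacters out of the generated commands).
valid_cidr() {
  case $1 in
    *[!0-9a-fA-F:./]*|*/*/*) return 1 ;;   # stray characters or two slashes
    */*) ;;
    *) return 1 ;;                          # no prefix length
  esac
  addr=${1%/*}; len=${1##*/}
  case $len in ''|*[!0-9]*|????*) return 1 ;; esac
  case $addr in
    *.*:*|*:*.*) return 1 ;;                # mixed notation is not accepted
    *:*) [ "$len" -le 128 ] ;;
    *) [ "$len" -le 32 ] || return 1
       printf '%s\n' "$addr" | awk -F. 'NF != 4 { exit 1 }
         { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }' ;;
  esac
}

# Read one CIDR per line on stdin and print one ufw command per range for the
# port list in $1. Prints nothing and returns non-zero if any line is invalid.
cf_ufw_rules() {
  ports=$1; rules=
  while read -r cidr || [ -n "$cidr" ]; do   # tolerate a missing final newline
    [ -n "$cidr" ] || continue
    valid_cidr "$cidr" || { echo "rejected: $cidr" >&2; return 1; }
    rules="${rules}ufw allow proto tcp from $cidr to any port $ports
"
  done
  printf '%s' "$rules"
}

# Constructed sample input (documentation ranges, not Cloudflare's).
SAMPLE_RANGES='192.0.2.0/24
2001:db8::/32'
printf '%s\n' "$SAMPLE_RANGES" | cf_ufw_rules 80,443
```

For a real run, feed it the lists Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and review the printed commands before running them as root. The per-range rules only restrict the origin if the unrestricted `ufw allow 80/tcp` and `ufw allow 443/tcp` rules are not also present.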
#### Task 40: Configure Fail2ban
- [ ] Create Nginx jail config: `/etc/fail2ban/jail.d/nginx.conf`
- [ ] Configure nginx-limit-req jail
- [ ] Configure nginx-botsearch jail
- [ ] Restart fail2ban: `systemctl restart fail2ban`
- [ ] Check status: `fail2ban-client status`
#### Task 41: Configure Automatic Updates
- [ ] Configure `/etc/apt/apt.conf.d/50unattended-upgrades`
- [ ] Enable security updates only
- [ ] Disable automatic reboot
- [ ] Enable service: `systemctl enable unattended-upgrades`
- [ ] Start service: `systemctl start unattended-upgrades`
#### Task 42: Configure Log Rotation
- [ ] Create logrotate config: `/etc/logrotate.d/explorer`
- [ ] Set rotation schedule (daily)
- [ ] Set retention (30 days)
- [ ] Configure compression
- [ ] Test: `logrotate -d /etc/logrotate.d/explorer`
#### Task 43: Set Up Backup Script
- [ ] Create backup script: `/usr/local/bin/explorer-backup.sh`
- [ ] Configure database backup
- [ ] Configure config file backup
- [ ] Set cleanup of old backups
- [ ] Make executable: `chmod +x /usr/local/bin/explorer-backup.sh`
- [ ] Test backup script manually
- [ ] Add to crontab: Daily at 2 AM
#### Task 44: Secure Environment File
- [ ] Set proper permissions: `chmod 600 /home/explorer/explorer-monorepo/.env`
- [ ] Verify only owner can read: `ls -l .env`
- [ ] Add .env to .gitignore (verify)
#### Task 45: Configure SSH Hardening
- [ ] Edit `/etc/ssh/sshd_config`
- [ ] Disable root login: `PermitRootLogin no`
- [ ] Disable password authentication (use keys only): `PasswordAuthentication no`
- [ ] Set SSH port (optional, change from 22)
- [ ] Restart SSH: `systemctl restart sshd`
- [ ] Test SSH connection before closing session
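
A check for the Task 45 edits, as an added example that is not part of the repository: sshd uses the first value it reads for each keyword, and Ubuntu 22.04's stock `sshd_config` starts with an `Include` of `/etc/ssh/sshd_config.d/*.conf`, so a drop-in can shadow a `PasswordAuthentication no` written further down. The functions `sshd_flatten`, `sshd_effective` and `sshd_audit` are hypothetical names, and the sample files are constructed.

```sh
#!/bin/sh
# Added example, not from the repository. sshd keeps the FIRST value it reads
# for each keyword and expands Include lines in place, so a drop-in read
# before your edit wins over it.

# Emit "keyword args" lines in read order. The "( )" body runs in a subshell,
# which keeps variables local across the recursion into included files.
sshd_flatten() (
  base=$(dirname "$1")
  sed 's/#.*//; s/[[:space:]]*=[[:space:]]*/ /' "$1" |
  while read -r kw rest; do
    kw=$(printf '%s' "$kw" | tr '[:upper:]' '[:lower:]')
    case $kw in
      '') ;;
      match) break ;;   # conditional blocks are skipped; global scope only
      include)
        set -f; set -- $rest; set +f   # split patterns without globbing yet
        for pat in "$@"; do
          # Assumption: relative patterns resolve next to the including file
          # (sshd resolves them against /etc/ssh).
          case $pat in /*) ;; *) pat=$base/$pat ;; esac
          for f in $pat; do
            if [ -f "$f" ]; then sshd_flatten "$f"; fi
          done
        done ;;
      *) printf '%s %s\n' "$kw" "$rest" ;;
    esac
  done
)

# Print the effective value of keyword $1 in config file $2, lowercased.
sshd_effective() {
  sshd_flatten "$2" |
    awk -v k="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" \
      '$1 == k { print tolower($2); exit }'
}

# Check the two Task 45 settings; non-zero exit status on any mismatch.
sshd_audit() {
  rc=0
  for key in PermitRootLogin PasswordAuthentication; do
    got=$(sshd_effective "$key" "$1")
    if [ "$got" = no ]; then
      echo "ok   $key no"
    else
      echo "FAIL $key is '${got:-unset}', expected no"; rc=1
    fi
  done
  return "$rc"
}

# Constructed sample: the Include comes first, the checklist edits after it.
SAMPLE=$(mktemp -d)
mkdir "$SAMPLE/sshd_config.d"
printf 'PasswordAuthentication yes\n' >"$SAMPLE/sshd_config.d/50-sample.conf"
printf '%s\n' 'Include sshd_config.d/*.conf' 'PermitRootLogin no' \
  'PasswordAuthentication no' >"$SAMPLE/sshd_config"
sshd_audit "$SAMPLE/sshd_config" || echo "edits are shadowed by a drop-in"
```

On the container itself, `sshd -T` prints the effective configuration directly and also accounts for `Match` blocks.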
---
### PHASE 9: MONITORING & MAINTENANCE (8 tasks)
#### Task 46: Create Health Check Script
- [ ] Create script: `/usr/local/bin/explorer-health-check.sh`
- [ ] Configure API health check
- [ ] Configure service restart on failure
- [ ] Add alert mechanism (email/Slack)
- [ ] Make executable: `chmod +x /usr/local/bin/explorer-health-check.sh`
- [ ] Test script manually
#### Task 47: Configure Health Check Cron Job
- [ ] Add to crontab: Every 5 minutes
- [ ] Verify cron job added: `crontab -l`
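
One possible shape for the script from Tasks 46 and 47, as an added example that is not the repository's `explorer-health-check.sh`: it restarts the API only after several consecutive failed probes, so a single slow response during one cron run does not cause a restart. The state file path, the threshold of 3 and the `logger` alert are assumptions; the endpoint and service name come from Task 23.

```sh
#!/bin/sh
# Added example, not the repository's script. Run from root's crontab every
# 5 minutes; each run is one "tick".

HEALTH_URL=${HEALTH_URL:-http://localhost:8080/health}  # endpoint from Task 23
SERVICE=${SERVICE:-explorer-api}
STATE=${STATE:-/run/explorer-health.fails}              # assumed state path
THRESHOLD=${THRESHOLD:-3}                               # assumed threshold

# -f makes curl fail on HTTP 4xx/5xx; --max-time bounds a hung API.
probe()   { curl -fsS --max-time 5 -o /dev/null "$HEALTH_URL"; }
restart() { systemctl restart "$SERVICE"; }
alert()   { logger -t explorer-health "$1"; }  # replace with email/Slack delivery

# One tick. Prints the action taken: ok | fail N | restarted | restart-failed.
health_tick() {
  if probe; then
    rm -f "$STATE"; echo ok; return 0
  fi
  fails=$(cat "$STATE" 2>/dev/null || echo 0)
  case $fails in ''|*[!0-9]*) fails=0 ;; esac   # ignore a corrupted state file
  fails=$((fails + 1))
  if [ "$fails" -lt "$THRESHOLD" ]; then
    echo "$fails" >"$STATE"; echo "fail $fails"; return 0
  fi
  alert "$SERVICE failed $fails consecutive health checks, restarting"
  if restart; then
    rm -f "$STATE"; echo restarted
  else
    echo "$fails" >"$STATE"; echo restart-failed
  fi
}

# Run a tick only when installed under the name used in Task 46.
case ${0##*/} in explorer-health-check.sh) health_tick ;; esac
```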
#### Task 48: Set Up Log Monitoring
- [ ] Install logwatch: `apt install -y logwatch`
- [ ] Configure logwatch
- [ ] Set up daily log summaries (optional)
#### Task 49: Configure Cloudflare Analytics
- [ ] Access Cloudflare Analytics dashboard
- [ ] Set up custom dashboards
- [ ] Configure alert thresholds
#### Task 50: Set Up Alerts
- [ ] Configure email alerts in Cloudflare
- [ ] Set up high error rate alerts
- [ ] Set up DDoS detection alerts
- [ ] Set up certificate expiration alerts
- [ ] Test alert mechanism
---
### POST-DEPLOYMENT VERIFICATION (13 tasks)
#### Task 51: Verify All Services
- [ ] Check all systemd services: `systemctl status explorer-*`
- [ ] Verify no service errors
- [ ] Check service logs for warnings
#### Task 52: Verify Database
- [ ] Test database connection: `psql -U explorer -d explorer -h localhost`
- [ ] Check database tables exist
- [ ] Verify migrations applied
#### Task 53: Verify Infrastructure Services
- [ ] Check Elasticsearch: `curl http://localhost:9200`
- [ ] Check Redis: `redis-cli ping`
- [ ] Check Docker containers: `docker ps`
#### Task 54: Verify API
- [ ] Test health endpoint: `curl https://explorer.d-bis.org/api/health`
- [ ] Test blocks endpoint: `curl https://explorer.d-bis.org/api/v1/blocks`
- [ ] Test transactions endpoint
- [ ] Test search endpoint
#### Task 55: Verify Frontend
- [ ] Open browser: `https://explorer.d-bis.org`
- [ ] Verify homepage loads
- [ ] Test navigation
- [ ] Verify static assets load
#### Task 56: Verify DNS
- [ ] Check DNS resolution: `dig explorer.d-bis.org`
- [ ] Verify DNS points to Cloudflare IPs
- [ ] Test from multiple locations
#### Task 57: Verify SSL/TLS
- [ ] Check SSL certificate: `openssl s_client -connect explorer.d-bis.org:443 -servername explorer.d-bis.org`
- [ ] Verify certificate is valid
- [ ] Verify TLS 1.3 is enabled
- [ ] Check SSL Labs rating (optional): https://www.ssllabs.com/ssltest/
#### Task 58: Verify Cloudflare Tunnel
- [ ] Check tunnel status: `systemctl status cloudflared`
- [ ] View tunnel info: `cloudflared tunnel info explorer-tunnel`
- [ ] Check tunnel logs for errors
#### Task 59: Verify Nginx
- [ ] Check Nginx status: `systemctl status nginx`
- [ ] Test configuration: `nginx -t`
- [ ] Check access logs
- [ ] Check error logs
#### Task 60: Verify Security
- [ ] Test firewall: `ufw status`
- [ ] Test fail2ban: `fail2ban-client status`
- [ ] Verify security headers present
- [ ] Test rate limiting (optional)
#### Task 61: Verify Performance
- [ ] Test response times
- [ ] Verify caching working
- [ ] Check Cloudflare cache hit ratio
- [ ] Monitor resource usage
#### Task 62: Verify Monitoring
- [ ] Test health check script
- [ ] Verify cron jobs running
- [ ] Check log rotation working
- [ ] Verify backups running
#### Task 63: Documentation
- [ ] Document deployed version
- [ ] Document configuration changes
- [ ] Document known issues
- [ ] Update deployment checklist
---
### OPTIONAL ENHANCEMENTS (8 tasks)
#### Task 64: Set Up Let's Encrypt Certificates (Optional)
- [ ] Install certbot: `apt install -y certbot python3-certbot-nginx`
- [ ] Obtain certificate: `certbot --nginx -d explorer.d-bis.org -d www.explorer.d-bis.org`
- [ ] Test renewal: `certbot renew --dry-run`
- [ ] Set up auto-renewal cron job
#### Task 65: Configure CDN for Static Assets
- [ ] Configure Cloudflare cache rules
- [ ] Set up custom cache headers
- [ ] Verify CDN serving static assets
#### Task 66: Set Up Monitoring Dashboard (Optional)
- [ ] Install Prometheus (optional)
- [ ] Install Grafana (optional)
- [ ] Configure dashboards
- [ ] Set up alerts
#### Task 67: Configure Database Replication (Optional)
- [ ] Set up read replica
- [ ] Configure connection pooling
- [ ] Update application config
#### Task 68: Set Up Load Balancing (Optional)
- [ ] Configure multiple API instances
- [ ] Set up load balancer
- [ ] Configure health checks
#### Task 69: Configure Auto-Scaling (Optional)
- [ ] Set up monitoring metrics
- [ ] Configure scaling rules
- [ ] Test auto-scaling
#### Task 70: Set Up Disaster Recovery
- [ ] Configure automated backups
- [ ] Set up backup verification
- [ ] Document recovery procedures
- [ ] Test recovery process
#### Task 71: Performance Optimization
- [ ] Optimize database queries
- [ ] Configure Redis caching
- [ ] Optimize Nginx config
- [ ] Review and optimize Cloudflare settings
---
## 📊 Deployment Summary
- **Total Tasks**: 71
- **Required Tasks**: 63
- **Optional Tasks**: 8
- **Estimated Time**: 6-8 hours (first deployment)
## 🚀 Quick Start Commands
```bash
# 1. Run automated deployment script (Phase 1-2)
./deployment/scripts/deploy-lxc.sh
# 2. Follow manual steps for remaining phases
# See DEPLOYMENT_GUIDE.md for detailed instructions
# 3. Use checklist to track progress
# See DEPLOYMENT_CHECKLIST.md
```
## 📝 Notes
- Tasks marked with ⚠️ require careful attention
- Tasks marked with ✅ can be automated
- Always test in staging before production
- Keep backups before major changes
- Document any deviations from standard procedure
---
**Last Updated**: 2024-12-23

**Version**: 1.0.0