5d06ad791f
🐳 Docker Deployment Infrastructure Complete Portainer stacks with Traefik reverse proxy integration for zero-downtime deployments ## Stack Files Created ### 1. Staging Stack (docker/portainer-stack-staging.yml) **Services** (4 containers): - `postgres-staging`: PostgreSQL 15 (db.t3.medium equivalent) - `redis-staging`: Redis 7 with 512MB cache - `backend-staging`: NestJS API (1 instance) - `frontend-staging`: Next.js app (1 instance) **Domains**: - Frontend: `staging.xpeditis.com` - Backend API: `api-staging.xpeditis.com` **Features**: - HTTP → HTTPS redirect - Let's Encrypt SSL certificates - Health checks on all services - Security headers (HSTS, XSS protection, frame deny) - Rate limiting via Traefik - Sandbox carrier APIs - Sentry monitoring (10% sampling) ### 2. Production Stack (docker/portainer-stack-production.yml) **Services** (6 containers for High Availability): - `postgres-prod`: PostgreSQL 15 with automated backups - `redis-prod`: Redis 7 with persistence (1GB cache) - `backend-prod-1` & `backend-prod-2`: NestJS API (2 instances, load balanced) - `frontend-prod-1` & `frontend-prod-2`: Next.js app (2 instances, load balanced) **Domains**: - Frontend: `xpeditis.com` + `www.xpeditis.com` (auto-redirect to non-www) - Backend API: `api.xpeditis.com` **Features**: - **Zero-downtime deployments** (rolling updates with 2 instances) - **Load balancing** with sticky sessions - **Strict security headers** (HSTS 2 years, CSP, force TLS) - **Resource limits** (CPU, memory) - **Production carrier APIs** (Maersk, MSC, CMA CGM, Hapag-Lloyd, ONE) - **Enhanced monitoring** (Sentry + Google Analytics) - **WWW redirect** (www → non-www) - **Rate limiting** (stricter than staging) ### 3. Environment Files - `docker/.env.staging.example`: Template for staging environment variables - `docker/.env.production.example`: Template for production environment variables **Variables** (30+ required): - Database credentials (PostgreSQL, Redis) - JWT secrets (256-512 bits) - AWS configuration (S3, SES, region) - Carrier API keys (Maersk, MSC, CMA CGM, etc.) - Monitoring (Sentry DSN, Google Analytics) - Email service configuration ### 4. Deployment Guide (docker/PORTAINER_DEPLOYMENT_GUIDE.md) **Comprehensive 400+ line guide** covering: - Prerequisites (server, Traefik, DNS, Docker images) - Step-by-step Portainer deployment - Environment variables configuration - SSL/TLS certificate verification - Health check validation - Troubleshooting (5 common issues with solutions) - Rolling updates (zero-downtime) - Monitoring setup (Portainer, Sentry, logs) - Security best practices (12 recommendations) - Backup procedures ## 🏗️ Architecture Highlights ### High Availability (Production) ``` Traefik Load Balancer ├── frontend-prod-1 ──┐ └── frontend-prod-2 ──┼── Sticky Sessions │ ├── backend-prod-1 ───┤ └── backend-prod-2 ───┘ │ ├── postgres-prod (Single instance with backups) └── redis-prod (Persistence enabled) ``` ### Traefik Labels Integration - **HTTPS Routing**: Host-based routing with SSL termination - **HTTP Redirect**: Automatic HTTP → HTTPS (permanent 301) - **Security Middleware**: Custom headers, HSTS, XSS protection - **Compression**: Gzip compression for responses - **Rate Limiting**: Traefik-level + application-level - **Health Checks**: Automatic container removal if unhealthy - **Sticky Sessions**: Cookie-based session affinity ### Network Architecture - **Internal Network**: `xpeditis_internal_staging` / `xpeditis_internal_prod` (isolated) - **Traefik Network**: `traefik_network` (external, shared with Traefik) - **Database/Redis**: Only accessible from internal network - **Frontend/Backend**: Connected to both networks (internal + Traefik) ## 📊 Resource Allocation ### Staging (Single Instances) - PostgreSQL: 2 vCPU, 4GB RAM - Redis: 0.5 vCPU, 512MB cache - Backend: 1 vCPU, 1GB RAM - Frontend: 1 vCPU, 1GB RAM - **Total**: ~4 vCPU, ~6.5GB RAM ### Production (High Availability) - PostgreSQL: 2 vCPU, 4GB RAM (limits) - Redis: 1 vCPU, 1.5GB RAM (limits) - Backend x2: 2 vCPU, 2GB RAM each (4 vCPU, 4GB total) - Frontend x2: 2 vCPU, 2GB RAM each (4 vCPU, 4GB total) - **Total**: ~13 vCPU, ~17GB RAM ## 🔒 Security Features 1. **SSL/TLS**: Let's Encrypt certificates with auto-renewal 2. **HSTS**: Strict-Transport-Security (1 year staging, 2 years production) 3. **Security Headers**: XSS protection, frame deny, content-type nosniff 4. **Rate Limiting**: Traefik (50-100 req/min) + Application-level 5. **Secrets Management**: Environment variables, never hardcoded 6. **Network Isolation**: Services communicate only via internal network 7. **Health Checks**: Automatic restart on failure 8. **Resource Limits**: Prevent resource exhaustion attacks ## 🚀 Deployment Process 1. **Prerequisites**: Traefik + DNS configured 2. **Build Images**: Docker build + push to registry 3. **Configure Environment**: Copy .env.example, fill secrets 4. **Deploy Stack**: Portainer UI → Add Stack → Deploy 5. **Verify**: Health checks, SSL, DNS, logs 6. **Monitor**: Sentry + Portainer stats ## 📦 Files Summary ``` docker/ ├── portainer-stack-staging.yml (250 lines) - 4 services ├── portainer-stack-production.yml (450 lines) - 6 services ├── .env.staging.example (80 lines) ├── .env.production.example (100 lines) └── PORTAINER_DEPLOYMENT_GUIDE.md (400+ lines) ``` Total: 5 files, ~1,280 lines of infrastructure-as-code ## 🎯 Next Steps 1. Build Docker images (frontend + backend) 2. Push to Docker registry (Docker Hub / GHCR) 3. Configure DNS (staging + production domains) 4. Deploy Traefik (if not already done) 5. Copy .env files and fill secrets 6. Deploy staging stack via Portainer 7. Test staging thoroughly 8. Deploy production stack 9. Setup monitoring (Sentry, Uptime Robot) ## 🔗 Related Documentation - [DEPLOYMENT.md](../DEPLOYMENT.md) - General deployment guide - [ARCHITECTURE.md](../ARCHITECTURE.md) - System architecture - [PHASE4_SUMMARY.md](../PHASE4_SUMMARY.md) - Phase 4 completion status 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
98 lines
3.0 KiB
Plaintext
98 lines
3.0 KiB
Plaintext
# Xpeditis - Production Environment Variables
|
|
# Copy this file to .env.production and fill in the values
|
|
|
|
# ===================================
|
|
# DOCKER REGISTRY
|
|
# ===================================
|
|
DOCKER_REGISTRY=docker.io
|
|
BACKEND_IMAGE=xpeditis/backend
|
|
BACKEND_TAG=latest
|
|
FRONTEND_IMAGE=xpeditis/frontend
|
|
FRONTEND_TAG=latest
|
|
|
|
# ===================================
|
|
# DATABASE (PostgreSQL)
|
|
# ===================================
|
|
POSTGRES_DB=xpeditis_prod
|
|
POSTGRES_USER=xpeditis
|
|
POSTGRES_PASSWORD=CHANGE_ME_SECURE_PASSWORD_64_CHARS_MINIMUM
|
|
|
|
# ===================================
|
|
# REDIS CACHE
|
|
# ===================================
|
|
REDIS_PASSWORD=CHANGE_ME_REDIS_PASSWORD_64_CHARS_MINIMUM
|
|
|
|
# ===================================
|
|
# JWT AUTHENTICATION
|
|
# ===================================
|
|
JWT_SECRET=CHANGE_ME_JWT_SECRET_512_BITS_MINIMUM
|
|
|
|
# ===================================
|
|
# AWS CONFIGURATION
|
|
# ===================================
|
|
AWS_REGION=eu-west-3
|
|
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
|
|
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
|
|
AWS_SES_REGION=eu-west-1
|
|
|
|
# S3 Buckets
|
|
S3_BUCKET_DOCUMENTS=xpeditis-prod-documents
|
|
S3_BUCKET_UPLOADS=xpeditis-prod-uploads
|
|
|
|
# ===================================
|
|
# EMAIL CONFIGURATION
|
|
# ===================================
|
|
EMAIL_SERVICE=ses
|
|
EMAIL_FROM=noreply@xpeditis.com
|
|
EMAIL_FROM_NAME=Xpeditis
|
|
|
|
# ===================================
|
|
# MONITORING (Sentry) - REQUIRED
|
|
# ===================================
|
|
SENTRY_DSN=https://your-sentry-dsn@sentry.io/project-id
|
|
NEXT_PUBLIC_SENTRY_DSN=https://your-sentry-dsn@sentry.io/project-id
|
|
|
|
# ===================================
|
|
# ANALYTICS (Google Analytics) - REQUIRED
|
|
# ===================================
|
|
NEXT_PUBLIC_GA_MEASUREMENT_ID=G-XXXXXXXXXX
|
|
|
|
# ===================================
|
|
# CARRIER APIs (Production) - REQUIRED
|
|
# ===================================
|
|
# Maersk Production
|
|
MAERSK_API_URL=https://api.maersk.com
|
|
MAERSK_API_KEY=your-maersk-production-api-key
|
|
|
|
# MSC Production
|
|
MSC_API_URL=https://api.msc.com
|
|
MSC_API_KEY=your-msc-production-api-key
|
|
|
|
# CMA CGM Production
|
|
CMA_CGM_API_URL=https://api.cma-cgm.com
|
|
CMA_CGM_API_KEY=your-cma-cgm-production-api-key
|
|
|
|
# Hapag-Lloyd Production
|
|
HAPAG_LLOYD_API_URL=https://api.hapag-lloyd.com
|
|
HAPAG_LLOYD_API_KEY=your-hapag-lloyd-api-key
|
|
|
|
# ONE (Ocean Network Express)
|
|
ONE_API_URL=https://api.one-line.com
|
|
ONE_API_KEY=your-one-api-key
|
|
|
|
# ===================================
|
|
# SECURITY BEST PRACTICES
|
|
# ===================================
|
|
# ✅ Use AWS Secrets Manager for production secrets
|
|
# ✅ Rotate credentials every 90 days
|
|
# ✅ Enable AWS CloudTrail for audit logs
|
|
# ✅ Use IAM roles with least privilege
|
|
# ✅ Enable MFA on all AWS accounts
|
|
# ✅ Use strong passwords (min 64 characters, random)
|
|
# ✅ Never commit this file with real credentials
|
|
# ✅ Restrict database access to VPC only
|
|
# ✅ Enable SSL/TLS for all connections
|
|
# ✅ Monitor failed login attempts (Sentry)
|
|
# ✅ Setup automated backups (daily, 30-day retention)
|
|
# ✅ Test disaster recovery procedures monthly
|