Files

defiQUG 903c03c65b Add full monorepo: virtual-banker, backend, frontend, docs, scripts, deployment

Co-authored-by: Cursor <cursoragent@cursor.com>

2026-02-10 11:32:49 -08:00

19 KiB

Raw Permalink Blame History

Complete Deployment Task List

This document provides a detailed checklist of all tasks required to deploy the ChainID 138 Explorer Platform using LXC, Nginx, Cloudflare DNS, SSL, and Cloudflare Tunnel.

📋 Complete Task List (71 Tasks)

PRE-DEPLOYMENT (5 tasks)

Task 1: Verify Prerequisites

Access to Proxmox VE host with LXC support
Cloudflare account created and domain added
Domain DNS managed by Cloudflare
Cloudflare API token created (with DNS edit permissions)
SSH access to Proxmox host configured

PHASE 1: LXC CONTAINER SETUP (8 tasks)

Task 2: Create LXC Container

Log into Proxmox host
Download Ubuntu 22.04 template (if not exists)
Run container creation command
Verify container created successfully
Note container ID for future reference

Task 3: Start and Access Container

Start container: pct start <CONTAINER_ID>
Access container: pct enter <CONTAINER_ID>
Verify network connectivity
Update system: apt update && apt upgrade -y

Task 4: Install Base Packages

Install essential packages (curl, wget, git, vim, etc.)
Install firewall: apt install -y ufw
Install fail2ban: apt install -y fail2ban
Install security updates tool: apt install -y unattended-upgrades

Task 5: Configure System Settings

Set timezone: timedatectl set-timezone UTC
Configure hostname: hostnamectl set-hostname explorer-prod
Configure locale settings

Task 6: Create Deployment User

Create user: adduser explorer
Add to sudo group: usermod -aG sudo explorer
Configure SSH access for new user
Disable root SSH login in /etc/ssh/sshd_config
Restart SSH service

PHASE 2: APPLICATION INSTALLATION (12 tasks)

Task 7: Install Go 1.21+

Download Go 1.21.6: wget https://go.dev/dl/go1.21.6.linux-amd64.tar.gz
Extract to /usr/local/go
Add Go to PATH in /etc/profile and ~/.bashrc
Source profile or logout/login
Verify: go version (should show 1.21.6+)

Task 8: Install Node.js 20+

Add NodeSource repository
Install Node.js 20.x
Verify: node --version (should show v20.x.x+)
Verify: npm --version

Task 9: Install Docker & Docker Compose

Add Docker GPG key
Add Docker repository
Install Docker CE
Install Docker Compose plugin
Start Docker service: systemctl start docker
Enable Docker on boot: systemctl enable docker
Add explorer user to docker group
Verify: docker --version and docker compose version

Task 10: Clone Repository

Switch to deployment user: su - explorer
Navigate to home: cd /home/explorer
Clone repository: git clone <repo-url> explorer-monorepo
Verify repository cloned correctly

Task 11: Install Dependencies

Navigate to backend: cd explorer-monorepo/backend
Download Go modules: go mod download
Navigate to frontend: cd ../frontend
Install npm packages: npm ci --production

Task 12: Build Applications

Build indexer: go build -o /usr/local/bin/explorer-indexer ./indexer/main.go
Build API: go build -o /usr/local/bin/explorer-api ./api/rest/main.go
Build gateway: go build -o /usr/local/bin/explorer-gateway ./api/gateway/main.go
Build search service: go build -o /usr/local/bin/explorer-search ./api/search/main.go
Build frontend: cd frontend && npm run build
Verify all binaries exist and are executable

PHASE 3: DATABASE SETUP (10 tasks)

Task 13: Install PostgreSQL 16

Add PostgreSQL APT repository
Add PostgreSQL GPG key
Update package list
Install PostgreSQL 16: apt install -y postgresql-16 postgresql-contrib-16

Task 14: Install TimescaleDB

Add TimescaleDB repository
Add TimescaleDB GPG key
Update package list
Install TimescaleDB: apt install -y timescaledb-2-postgresql-16
Run TimescaleDB tuner: timescaledb-tune --quiet --yes
Restart PostgreSQL: systemctl restart postgresql

Task 15: Create Database and User

Switch to postgres user: su - postgres
Create database user: CREATE USER explorer WITH PASSWORD '<SECURE_PASSWORD>'
Create database: CREATE DATABASE explorer OWNER explorer;
Connect to database: \c explorer
Enable TimescaleDB extension: CREATE EXTENSION IF NOT EXISTS timescaledb;
Enable UUID extension: CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
Grant privileges: GRANT ALL PRIVILEGES ON DATABASE explorer TO explorer;

Task 16: Run Database Migrations

Return to deployment user
Navigate to backend: cd /home/explorer/explorer-monorepo/backend
Run migrations: go run database/migrations/migrate.go
Verify migrations completed successfully
Check database tables exist

Task 17: Configure PostgreSQL

Edit postgresql.conf: /etc/postgresql/16/main/postgresql.conf
Set max_connections = 100
Set shared_buffers = 4GB
Set effective_cache_size = 12GB
Set other performance tuning parameters
Edit pg_hba.conf for local connections
Restart PostgreSQL: systemctl restart postgresql
Verify PostgreSQL is running: systemctl status postgresql

PHASE 4: INFRASTRUCTURE SERVICES (6 tasks)

Task 18: Deploy Elasticsearch/OpenSearch

Navigate to deployment directory: cd /home/explorer/explorer-monorepo/deployment
Start Elasticsearch: docker compose -f docker-compose.yml up -d elasticsearch
Wait for Elasticsearch to be ready
Verify Elasticsearch: curl http://localhost:9200

Task 19: Deploy Redis

Start Redis: docker compose -f docker-compose.yml up -d redis
Verify Redis: redis-cli ping
Verify both services running: docker ps

PHASE 5: APPLICATION SERVICES (10 tasks)

Task 20: Create Environment Configuration

Copy .env.example to .env: cp .env.example .env
Edit .env file with production values
Set database credentials
Set RPC URLs and Chain ID
Set API URLs and ports
Verify all required variables are set
Set proper file permissions: chmod 600 .env

Task 21: Create Systemd Service Files

Create /etc/systemd/system/explorer-indexer.service
Create /etc/systemd/system/explorer-api.service
Create /etc/systemd/system/explorer-frontend.service
Set proper ownership: chown root:root /etc/systemd/system/explorer-*.service
Set proper permissions: chmod 644 /etc/systemd/system/explorer-*.service

Task 22: Enable and Start Services

Reload systemd: systemctl daemon-reload
Enable indexer: systemctl enable explorer-indexer
Enable API: systemctl enable explorer-api
Enable frontend: systemctl enable explorer-frontend
Start indexer: systemctl start explorer-indexer
Start API: systemctl start explorer-api
Start frontend: systemctl start explorer-frontend

Task 23: Verify Services

Check indexer status: systemctl status explorer-indexer
Check API status: systemctl status explorer-api
Check frontend status: systemctl status explorer-frontend
Check indexer logs: journalctl -u explorer-indexer -f
Check API logs: journalctl -u explorer-api -f
Verify API responds: curl http://localhost:8080/health
Verify frontend responds: curl http://localhost:3000

PHASE 6: NGINX REVERSE PROXY (9 tasks)

Task 24: Install Nginx

Install Nginx: apt install -y nginx
Verify installation: nginx -v

Task 25: Create Nginx Configuration

Copy config template: cp deployment/nginx/explorer.conf /etc/nginx/sites-available/explorer
Edit configuration file (update domain if needed)
Enable site: ln -s /etc/nginx/sites-available/explorer /etc/nginx/sites-enabled/
Remove default site: rm /etc/nginx/sites-enabled/default
Test configuration: nginx -t
If test passes, reload Nginx: systemctl reload nginx

Task 26: Configure Rate Limiting

Verify rate limiting zones in config
Adjust rate limits as needed
Test rate limiting (optional)

Task 27: Test Nginx Proxy

Verify Nginx is running: systemctl status nginx
Test HTTP endpoint: curl -I http://localhost
Test API proxy: curl http://localhost/api/v1/blocks
Check Nginx access logs: tail -f /var/log/nginx/explorer-access.log
Check Nginx error logs: tail -f /var/log/nginx/explorer-error.log

PHASE 7: CLOUDFLARE CONFIGURATION (18 tasks)

Task 28: Set Up Cloudflare DNS Records

Login to Cloudflare Dashboard
Select domain
Go to DNS → Records
Add A record for explorer (or @):
- Type: A
- Name: explorer
- IPv4: [Your server IP] (if direct) or leave empty (if tunnel)
- Proxy: Proxied (orange cloud)
- TTL: Auto
Add CNAME for www:
- Type: CNAME
- Name: www
- Target: explorer.d-bis.org
- Proxy: Proxied
- TTL: Auto
Save DNS records
Verify DNS propagation

Task 29: Configure Cloudflare SSL/TLS

Go to SSL/TLS → Overview
Set encryption mode to: Full (strict)
Go to SSL/TLS → Edge Certificates
Enable: "Always Use HTTPS"
Enable: "Automatic HTTPS Rewrites"
Enable: "Opportunistic Encryption"
Enable: "TLS 1.3"
Save settings

Task 30: Install Cloudflare Tunnel (cloudflared)

Download cloudflared: wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
Install: dpkg -i cloudflared-linux-amd64.deb
Verify: cloudflared --version

Task 31: Authenticate Cloudflare Tunnel

Run: cloudflared tunnel login
Follow browser authentication
Verify authentication successful

Task 32: Create Cloudflare Tunnel

Create tunnel: cloudflared tunnel create explorer-tunnel
List tunnels: cloudflared tunnel list
Note tunnel ID

Task 33: Configure Cloudflare Tunnel

Create config directory: mkdir -p /etc/cloudflared
Copy tunnel config template: cp deployment/cloudflare/tunnel-config.yml /etc/cloudflared/config.yml
Edit config file with tunnel ID
Update hostnames in config
Verify config: cloudflared tunnel --config /etc/cloudflared/config.yml ingress validate

Task 34: Install Cloudflare Tunnel as Service

Install service: cloudflared service install
Enable service: systemctl enable cloudflared
Start service: systemctl start cloudflared
Check status: systemctl status cloudflared
View logs: journalctl -u cloudflared -f

Task 35: Verify Cloudflare Tunnel

Check tunnel is running: cloudflared tunnel info explorer-tunnel
Verify DNS routes are configured in Cloudflare dashboard
Test domain access: curl -I https://explorer.d-bis.org
Verify SSL certificate is active

Task 36: Configure Cloudflare WAF

Go to Security → WAF
Enable Cloudflare Managed Ruleset
Enable OWASP Core Ruleset
Create custom rate limiting rule (if needed)
Save rules

Task 37: Configure Cloudflare Caching

Go to Caching → Configuration
Set Caching Level: Standard
Go to Caching → Cache Rules
Create rule for static assets (Cache everything, Edge TTL: 1 year)
Create rule for API endpoints (Bypass cache)
Create rule for frontend pages (Cache HTML for 5 minutes)

Task 38: Configure DDoS Protection

Go to Security → DDoS
Enable DDoS protection
Configure protection level (Medium recommended)
Review and adjust as needed

PHASE 8: SECURITY HARDENING (12 tasks)

Task 39: Configure Firewall (UFW)

Enable UFW: ufw --force enable
Allow SSH: ufw allow 22/tcp
Allow HTTP: ufw allow 80/tcp (if direct connection)
Allow HTTPS: ufw allow 443/tcp (if direct connection)
Add Cloudflare IP ranges (if direct connection)
Check status: ufw status verbose

Task 40: Configure Fail2ban

Create Nginx jail config: /etc/fail2ban/jail.d/nginx.conf
Configure nginx-limit-req jail
Configure nginx-botsearch jail
Restart fail2ban: systemctl restart fail2ban
Check status: fail2ban-client status

Task 41: Configure Automatic Updates

Configure /etc/apt/apt.conf.d/50unattended-upgrades
Enable security updates only
Disable automatic reboot
Enable service: systemctl enable unattended-upgrades
Start service: systemctl start unattended-upgrades

Task 42: Configure Log Rotation

Create logrotate config: /etc/logrotate.d/explorer
Set rotation schedule (daily)
Set retention (30 days)
Configure compression
Test: logrotate -d /etc/logrotate.d/explorer

Task 43: Set Up Backup Script

Create backup script: /usr/local/bin/explorer-backup.sh
Configure database backup
Configure config file backup
Set cleanup of old backups
Make executable: chmod +x /usr/local/bin/explorer-backup.sh
Test backup script manually
Add to crontab: Daily at 2 AM

Task 44: Secure Environment File

Set proper permissions: chmod 600 /home/explorer/explorer-monorepo/.env
Verify only owner can read: ls -l .env
Add .env to .gitignore (verify)

Task 45: Configure SSH Hardening

Edit /etc/ssh/sshd_config
Disable root login: PermitRootLogin no
Disable password authentication (use keys only): PasswordAuthentication no
Set SSH port (optional, change from 22)
Restart SSH: systemctl restart sshd
Test SSH connection before closing session

PHASE 9: MONITORING & MAINTENANCE (8 tasks)

Task 46: Create Health Check Script

Create script: /usr/local/bin/explorer-health-check.sh
Configure API health check
Configure service restart on failure
Add alert mechanism (email/Slack)
Make executable: chmod +x /usr/local/bin/explorer-health-check.sh
Test script manually

Task 47: Configure Health Check Cron Job

Add to crontab: Every 5 minutes
Verify cron job added: crontab -l

Task 48: Set Up Log Monitoring

Install logwatch: apt install -y logwatch
Configure logwatch
Set up daily log summaries (optional)

Task 49: Configure Cloudflare Analytics

Access Cloudflare Analytics dashboard
Set up custom dashboards
Configure alert thresholds

Task 50: Set Up Alerts

Configure email alerts in Cloudflare
Set up high error rate alerts
Set up DDoS detection alerts
Set up certificate expiration alerts
Test alert mechanism

POST-DEPLOYMENT VERIFICATION (13 tasks)

Task 51: Verify All Services

Check all systemd services: systemctl status explorer-*
Verify no service errors
Check service logs for warnings

Task 52: Verify Database

Test database connection: psql -U explorer -d explorer -h localhost
Check database tables exist
Verify migrations applied

Task 53: Verify Infrastructure Services

Check Elasticsearch: curl http://localhost:9200
Check Redis: redis-cli ping
Check Docker containers: docker ps

Task 54: Verify API

Test health endpoint: curl https://explorer.d-bis.org/api/health
Test blocks endpoint: curl https://explorer.d-bis.org/api/v1/blocks
Test transactions endpoint
Test search endpoint

Task 55: Verify Frontend

Open browser: https://explorer.d-bis.org
Verify homepage loads
Test navigation
Verify static assets load

Task 56: Verify DNS

Check DNS resolution: dig explorer.d-bis.org
Verify DNS points to Cloudflare IPs
Test from multiple locations

Task 57: Verify SSL/TLS

Check SSL certificate: openssl s_client -connect explorer.d-bis.org:443 -servername explorer.d-bis.org
Verify certificate is valid
Verify TLS 1.3 is enabled
Check SSL Labs rating (optional): https://www.ssllabs.com/ssltest/

Task 58: Verify Cloudflare Tunnel

Check tunnel status: systemctl status cloudflared
View tunnel info: cloudflared tunnel info explorer-tunnel
Check tunnel logs for errors

Task 59: Verify Nginx

Check Nginx status: systemctl status nginx
Test configuration: nginx -t
Check access logs
Check error logs

Task 60: Verify Security

Test firewall: ufw status
Test fail2ban: fail2ban-client status
Verify security headers present
Test rate limiting (optional)

Task 61: Verify Performance

Test response times
Verify caching working
Check Cloudflare cache hit ratio
Monitor resource usage

Task 62: Verify Monitoring

Test health check script
Verify cron jobs running
Check log rotation working
Verify backups running

Task 63: Documentation

Document deployed version
Document configuration changes
Document known issues
Update deployment checklist

OPTIONAL ENHANCEMENTS (8 tasks)

Task 64: Set Up Let's Encrypt Certificates (Optional)

Install certbot: apt install -y certbot python3-certbot-nginx
Obtain certificate: certbot --nginx -d explorer.d-bis.org -d www.explorer.d-bis.org
Test renewal: certbot renew --dry-run
Set up auto-renewal cron job

Task 65: Configure CDN for Static Assets

Configure Cloudflare cache rules
Set up custom cache headers
Verify CDN serving static assets

Task 66: Set Up Monitoring Dashboard (Optional)

Install Prometheus (optional)
Install Grafana (optional)
Configure dashboards
Set up alerts

Task 67: Configure Database Replication (Optional)

Set up read replica
Configure connection pooling
Update application config

Task 68: Set Up Load Balancing (Optional)

Configure multiple API instances
Set up load balancer
Configure health checks

Task 69: Configure Auto-Scaling (Optional)

Set up monitoring metrics
Configure scaling rules
Test auto-scaling

Task 70: Set Up Disaster Recovery

Configure automated backups
Set up backup verification
Document recovery procedures
Test recovery process

Task 71: Performance Optimization

Optimize database queries
Configure Redis caching
Optimize Nginx config
Review and optimize Cloudflare settings

📊 Deployment Summary

Total Tasks: 71
Required Tasks: 63
Optional Tasks: 8
Estimated Time: 6-8 hours (first deployment)

🚀 Quick Start Commands

# 1. Run automated deployment script (Phase 1-2)
./deployment/scripts/deploy-lxc.sh

# 2. Follow manual steps for remaining phases
# See DEPLOYMENT_GUIDE.md for detailed instructions

# 3. Use checklist to track progress
# See DEPLOYMENT_CHECKLIST.md

📝 Notes

Tasks marked with ⚠️ require careful attention
Tasks marked with ✅ can be automated
Always test in staging before production
Keep backups before major changes
Document any deviations from standard procedure

Last Updated: 2024-12-23 Version: 1.0.0

19 KiB Raw Permalink Blame History