admin/sides
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
226e142e3e648e089c58f91fb9470abb97d137d5
sides/docs/03-DEPLOYMENT.md
root c1b2a8d553 docs: rewrite deployment guide for Docker-only, add reverse proxy section 
- Remove adminer service (not used with PostgreSQL)
- Rewrite 03-DEPLOYMENT.md: Docker Compose is the only supported method
- Add reverse proxy examples (Nginx, Caddy, Cloudflare Tunnel)
- Document trusted proxy configuration for Laravel
- Add production checklist and autoscript env var documentation
- Remove all Makefile references (not recommended)
2026-05-21 02:46:41 +08:00

252 lines
7.5 KiB
Markdown
Raw Blame History

# Deployment & Infrastructure
## Architecture Overview
```
Internet → Reverse Proxy (443) → nginx container (80) → php-fpm container (9000) → postgres container (5432)
```
SIDES is deployed exclusively via **Docker Compose**. The stack consists of 4 services:
| Service | Image | Purpose |
|---------|-------|---------|
| `app` | Custom (php:8.2-fpm) | Laravel application (PHP-FPM) |
| `postgres` | postgres:16 | PostgreSQL database |
| `web` | nginx:stable-alpine | Reverse proxy to PHP-FPM, serves static assets |
| `pgadmin` | dpage/pgadmin4 | Database management UI (optional) |
## Prerequisites
- Docker Engine ^20.x
- Docker Compose v2+
- A reverse proxy in front (Nginx, Caddy, Traefik, Cloudflare Tunnel, etc.) for TLS termination
## Environment Configuration
Two `.env` files control the stack:
### Root `.env` — Docker Compose variables
Located at the project root. Controls container-level settings and credential defaults.
```env
POSTGRES_DB="sides_db"
POSTGRES_USER="tck"
POSTGRES_PASSWORD="<your_strong_password>"
PGADMIN_EMAIL="admin@example.com"
PGADMIN_PASSWORD="<your_pgadmin_password>"
FIREBASE_PROJECT_ID="sides-b4abb"
FIREBASE_CREDENTIALS="storage/app/firebase/sides-b4abb-3604a7cf7584.json"
FCM_TOPIC_RAINFALL_WARNING="rainfall_warning"
FCM_TOPIC_RAINFALL_DANGER="rainfall_danger"
FCM_TOPIC_WATERLEVEL_ALERT="waterlevel_alert"
FCM_TOPIC_WATERLEVEL_DANGER="waterlevel_danger"
ADMIN_EMAIL="admin@example.com"
ADMIN_PASSWORD="<set_a_strong_password>"
FTP_SERVER="myvscada.com"
FTP_USERNAME="tck"
FTP_PASSWORD="<your_ftp_password>"
```
### Application `.env` — Laravel variables
Located at `src/.env`. This file references Docker service names (e.g. `DB_HOST=postgres`) so Laravel connects to containers, not external hosts.
Key settings:
```env
APP_NAME=SIDES
APP_ENV=production
APP_DEBUG=false
APP_URL=https://sides.tck.com.my
DB_CONNECTION=pgsql
DB_HOST=postgres
DB_PORT=5432
DB_DATABASE=${POSTGRES_DB}
DB_USERNAME=${POSTGRES_USER}
DB_PASSWORD=${POSTGRES_PASSWORD}
SESSION_DRIVER=database
CACHE_STORE=database
QUEUE_CONNECTION=database
```
## Quick Start
```bash
# 1. Clone the repository
git clone <repo-url> && cd tckdev
# 2. Configure environment
cp .env.example .env
# Edit .env with your actual passwords and settings
# 3. Configure Laravel env
cp src/.env.example src/.env
# Edit src/.env — ensure DB_HOST=postgres (the Docker service name)
# 4. Build and start
docker compose up -d --build
```
The `app` container's entrypoint automatically runs on first start:
1. `composer install` (if `vendor/` missing)
2. `npm install && npm run build` (if `public/build/` missing)
3. `php artisan migrate --force` (if `RUN_MIGRATIONS=true`)
4. `php artisan db:seed --force` (if `RUN_SEEDER=true`)
5. Caches config, routes, and views
6. Starts PHP-FPM
## Common Operations
```bash
docker compose ps # Check container status
docker compose logs app # View Laravel logs
docker compose logs app --follow # Tail Laravel logs
docker compose logs postgres # View database logs
docker compose exec app bash # Shell into app container
docker compose exec app php artisan migrate # Run migrations
docker compose exec app php artisan migrate:fresh --seed # Reset DB
docker compose exec app php artisan db:seed # Run seeders
docker compose exec app php artisan tinker # Interactive REPL
docker compose exec app php artisan test # Run tests
docker compose down # Stop all containers
docker compose down --volumes # Stop and delete data volumes
docker compose up -d --build # Rebuild and restart
```
## Reverse Proxy Setup
The `web` container (nginx) listens on port **80 internally**. A reverse proxy in front handles TLS termination and forwards traffic to it.
The nginx container does **not** handle HTTPS itself — it expects plain HTTP from the reverse proxy. Configure your reverse proxy to:
1. Listen on port **443** with your TLS certificate
2. Forward to `localhost:80` (or the Docker host's port 80)
3. Set the `X-Forwarded-Proto` header so Laravel generates `https://` URLs
4. Set the `X-Forwarded-Host` header with the original hostname
### Example: Nginx Reverse Proxy
On the host machine running Docker, add a server block:
```nginx
server {
listen 443 ssl http2;
server_name sides.tck.com.my;
ssl_certificate /etc/ssl/certs/sides.tck.com.my.crt;
ssl_certificate_key /etc/ssl/private/sides.tck.com.my.key;
location / {
proxy_pass http://127.0.0.1:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
```
### Example: Caddy
```
sides.tck.com.my {
reverse_proxy localhost:80
}
```
Caddy handles TLS automatically via Let's Encrypt.
### Example: Cloudflare Tunnel
```bash
cloudflared tunnel --hostname sides.tck.com.my --url http://localhost:80
```
### Laravel Trusted Proxy
Laravel must trust the proxy headers to generate correct URLs. The app already has `URL::forceScheme('https')` enabled in `AppServiceProvider`. Ensure `APP_URL` in `src/.env` uses `https://`:
```env
APP_URL=https://sides.tck.com.my
```
If using a load balancer or multi-hop proxy, configure `TrustProxies` middleware:
```php
// src/app/Http/Middleware/TrustProxies.php
protected $proxies = '*';
protected $headers = Request::HEADER_X_FORWARDED_FOR |
Request::HEADER_X_FORWARDED_HOST |
Request::HEADER_X_FORWARDED_PORT |
Request::HEADER_X_FORWARDED_PROTO;
```
## Access Points
| Service | Internal | External (via reverse proxy) |
|---------|----------|------------------------------|
| Application | `web:80` | `https://sides.tck.com.my` |
| pgAdmin | `pgadmin:80` | `http://<host>:5050` |
| PostgreSQL | `postgres:5432` | `localhost:5432` (optional, for external tools) |
**Security note**: pgAdmin (port 5050) and PostgreSQL (port 5432) should not be exposed to the public internet. Restrict access via firewall rules or only publish to `127.0.0.1`:
```yaml
# docker-compose.yml — restrict to localhost only
ports:
- "127.0.0.1:5050:80" # pgAdmin
- "127.0.0.1:5432:5432" # PostgreSQL
```
## Data Persistence
Two named volumes store persistent data:
| Volume | Mount Point | Purpose |
|--------|------------|---------|
| `pgdata` | `/var/lib/postgresql/data` | PostgreSQL data |
| `pgadmin_data` | `/var/lib/pgadmin` | pgAdmin sessions and config |
The `src/` directory is bind-mounted into both `app` and `web` containers at `/var/www/html`.
## Autoscript Deployment
The Python data pipeline (`autoscript/sidesdecode.py`) connects to PostgreSQL via environment variables. When running it outside Docker (e.g. as a cron job on the host):
```bash
export PG_HOST=localhost
export PG_PORT=5432
export PG_DATABASE=sides_db
export PG_USER=tck
export PG_PASSWORD=<your_password>
export FTP_SERVER=myvscada.com
export FTP_USERNAME=tck
export FTP_PASSWORD=<your_ftp_password>
python3 autoscript/sidesdecode.py
```
When running inside Docker on the same network, use `PG_HOST=postgres` (the service name).
## Production Checklist
- [ ] `APP_ENV=production` and `APP_DEBUG=false` in `src/.env`
- [ ] `APP_URL` uses `https://`
- [ ] All passwords in `.env` changed from defaults
- [ ] `ADMIN_PASSWORD` set to a strong value in root `.env`
- [ ] TLS configured on reverse proxy
- [ ] pgAdmin and PostgreSQL ports restricted to localhost
- [ ] Firebase credentials JSON stored securely (not in git)
- [ ] Mail credentials configured for password reset
Reference in New Issue View Git Blame Copy Permalink