Add complete infrastructure automation and documentation

- infrastructure/setup.sh: Master provisioning script for fresh Ubuntu servers - infrastructure/docker-compose.yml: Production Docker Compose configuration - infrastructure/.env.template: Environment variables template - infrastructure/nginx/: Nginx configuration with security headers - infrastructure/postfix/: Postfix + OpenDKIM email configuration - infrastructure/README.md: Complete disaster recovery guide - scripts/docfast-backup.sh: SQLite backup script with rotation All services now fully reproducible with documented disaster recovery procedures.
2026-02-15 11:04:34 +00:00 · 2026-02-15 11:04:34 +00:00 · 3820d7ea4d
commit 3820d7ea4d
parent d99eea517c
9 changed files with 766 additions and 0 deletions
--- a/infrastructure/setup.sh
+++ b/infrastructure/setup.sh
@ -0,0 +1,193 @@
+#!/bin/bash
+# DocFast Infrastructure Setup Script
+# Provisions a fresh Ubuntu/Debian server with all required services
+# Run as root: ./setup.sh
+
+set -euo pipefail
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+log() {
+    echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+warn() {
+    echo -e "${YELLOW}[WARN]${NC} $1"
+}
+
+error() {
+    echo -e "${RED}[ERROR]${NC} $1"
+    exit 1
+}
+
+# Check if running as root
+if [[ $EUID -ne 0 ]]; then
+   error "This script must be run as root"
+fi
+
+# Domain and user configuration
+DOMAIN="${DOMAIN:-docfast.dev}"
+APP_USER="${APP_USER:-docfast}"
+BACKUP_DIR="/opt/docfast-backups"
+INSTALL_DIR="/opt/docfast"
+
+log "Setting up DocFast infrastructure for domain: $DOMAIN"
+
+# Update system
+log "Updating system packages..."
+apt update && apt upgrade -y
+
+# Install required packages
+log "Installing required packages..."
+apt install -y \
+    nginx \
+    postfix \
+    opendkim \
+    opendkim-tools \
+    certbot \
+    python3-certbot-nginx \
+    ufw \
+    docker.io \
+    docker-compose-plugin \
+    git \
+    sqlite3 \
+    curl \
+    wget \
+    unzip \
+    htop \
+    postgresql \
+    postgresql-contrib
+
+# Enable and start services
+log "Enabling services..."
+systemctl enable nginx postfix opendkim docker postgresql
+systemctl start nginx postfix opendkim docker postgresql
+
+# Create application user
+if ! id "$APP_USER" &>/dev/null; then
+    log "Creating application user: $APP_USER"
+    useradd -r -m -s /bin/bash "$APP_USER"
+fi
+
+# Add user to docker group
+usermod -aG docker "$APP_USER"
+
+# Setup UFW firewall
+log "Configuring firewall..."
+ufw --force enable
+ufw default deny incoming
+ufw default allow outgoing
+ufw allow ssh
+ufw allow 80/tcp
+ufw allow 443/tcp
+ufw allow from 172.16.0.0/12 to any port 25 comment "Docker SMTP relay"
+ufw allow from 172.16.0.0/12 to any port 5432 comment "Docker PostgreSQL"
+
+# Setup PostgreSQL
+log "Configuring PostgreSQL..."
+sudo -u postgres createuser -D -A -P docfast || true  # -P prompts for password
+sudo -u postgres createdb -O docfast docfast || true
+
+# Update PostgreSQL to allow Docker connections
+PG_VERSION=$(ls /etc/postgresql/)
+PG_CONF="/etc/postgresql/$PG_VERSION/main/postgresql.conf"
+PG_HBA="/etc/postgresql/$PG_VERSION/main/pg_hba.conf"
+
+# Backup original configs
+cp "$PG_CONF" "$PG_CONF.backup" || true
+cp "$PG_HBA" "$PG_HBA.backup" || true
+
+# Allow connections from Docker networks
+if ! grep -q "listen_addresses = '*'" "$PG_CONF"; then
+    sed -i "s/#listen_addresses = 'localhost'/listen_addresses = '*'/" "$PG_CONF"
+fi
+
+# Allow Docker networks to connect
+if ! grep -q "172.17.0.0/16" "$PG_HBA"; then
+    echo "host docfast docfast 172.17.0.0/16 md5" >> "$PG_HBA"
+    echo "host docfast docfast 172.18.0.0/16 md5" >> "$PG_HBA"
+fi
+
+systemctl restart postgresql
+
+# Setup OpenDKIM
+log "Configuring OpenDKIM..."
+mkdir -p /etc/opendkim/keys/"$DOMAIN"
+chown -R opendkim:opendkim /etc/opendkim/keys
+
+# Generate DKIM keys if they don't exist
+if [[ ! -f /etc/opendkim/keys/"$DOMAIN"/mail.private ]]; then
+    log "Generating DKIM keys..."
+    cd /etc/opendkim/keys/"$DOMAIN"
+    opendkim-genkey -s mail -d "$DOMAIN"
+    chown opendkim:opendkim mail.private mail.txt
+    chmod 600 mail.private
+fi
+
+# Copy configuration files
+log "Installing configuration files..."
+cp nginx/"$DOMAIN" /etc/nginx/sites-available/"$DOMAIN" || warn "Nginx config not found, you'll need to configure manually"
+cp postfix/main.cf /etc/postfix/main.cf || warn "Postfix config not found, you'll need to configure manually"
+cp postfix/opendkim.conf /etc/opendkim.conf || warn "OpenDKIM config not found, you'll need to configure manually"
+cp postfix/TrustedHosts /etc/opendkim/TrustedHosts || warn "TrustedHosts config not found, you'll need to configure manually"
+
+# Enable nginx site
+if [[ -f /etc/nginx/sites-available/"$DOMAIN" ]]; then
+    ln -sf /etc/nginx/sites-available/"$DOMAIN" /etc/nginx/sites-enabled/
+    rm -f /etc/nginx/sites-enabled/default
+    nginx -t && systemctl reload nginx
+fi
+
+# Update configurations with actual domain
+log "Updating configuration files..."
+sed -i "s/docfast\.dev/$DOMAIN/g" /etc/nginx/sites-available/"$DOMAIN" 2>/dev/null || true
+sed -i "s/docfast\.dev/$DOMAIN/g" /etc/postfix/main.cf 2>/dev/null || true
+sed -i "s/docfast\.dev/$DOMAIN/g" /etc/opendkim.conf 2>/dev/null || true
+
+# Restart services with new configs
+systemctl restart postfix opendkim
+
+# Setup backup directory and script
+log "Setting up backup system..."
+mkdir -p "$BACKUP_DIR"
+cp ../scripts/docfast-backup.sh /opt/docfast-backup.sh || warn "Backup script not found"
+chmod +x /opt/docfast-backup.sh
+
+# Add backup cron job
+if ! crontab -l 2>/dev/null | grep -q docfast-backup; then
+    (crontab -l 2>/dev/null; echo "0 */6 * * * /opt/docfast-backup.sh >> /var/log/docfast-backup.log 2>&1") | crontab -
+fi
+
+# Setup application directory
+log "Setting up application directory..."
+mkdir -p "$INSTALL_DIR"
+chown "$APP_USER":"$APP_USER" "$INSTALL_DIR"
+
+# Install Docker Compose
+if ! command -v docker-compose &> /dev/null; then
+    log "Installing docker-compose..."
+    COMPOSE_VERSION=$(curl -s https://api.github.com/repos/docker/compose/releases/latest | grep 'tag_name' | cut -d\" -f4)
+    curl -L "https://github.com/docker/compose/releases/download/${COMPOSE_VERSION}/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
+    chmod +x /usr/local/bin/docker-compose
+fi
+
+log "Base infrastructure setup complete!"
+echo
+log "Next steps:"
+echo "1. Configure DNS A record for $DOMAIN to point to this server"
+echo "2. Generate SSL certificates: certbot --nginx -d $DOMAIN"
+echo "3. Copy your .env file with secrets to $INSTALL_DIR/.env"
+echo "4. Copy your docker-compose.yml to $INSTALL_DIR/"
+echo "5. Build and start the application:"
+echo "   cd $INSTALL_DIR"
+echo "   docker-compose up -d"
+echo
+warn "Remember to:"
+echo "- Set up your DKIM DNS record (see /etc/opendkim/keys/$DOMAIN/mail.txt)"
+echo "- Configure Stripe webhooks"
+echo "- Set up monitoring/alerting"
+echo "- Test email delivery"