kenschae/gaussian-wellworks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

updated runbook

Browse Source
This commit is contained in:
Ken Schaefer
2026-04-30 14:53:51 -05:00
parent c8598f8985
commit 76680fbeb1
2 changed files with 250 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
Admin_Guide.md
View File

@@ -21,6 +21,7 @@
## SSH ## SSH
Keyname: gaussianwellworks_do_ed25519
Secure Passcode: L0neSt@r Secure Passcode: L0neSt@r
## DROPLET ## DROPLET

259
Runbook.md → Implementation Runbook.md
View File

@@ -3,6 +3,7 @@
## Gaussian Wellworks ## Gaussian Wellworks
## 1. Runbook Objective ## 1. Runbook Objective
This runbook provides a step-by-step procedure to deploy a secure, self-hosted pilot environment in DigitalOcean within five business days, including infrastructure provisioning, domain and DNS configuration, email platform integration, containerized Nextcloud deployment, and secure HTTPS access via reverse proxy. The objective is to deliver a fully functional, production-ready pilot system that supports internal collaboration and client file ingestion workflows, with validated end-to-end functionality (upload, access, delivery), clear administrative controls, and a scalable foundation for future expansion or migration.
## 2. Critical Dependencies ## 2. Critical Dependencies
@@ -10,12 +11,119 @@
### 2.2 Administrative Access ### 2.2 Administrative Access
### 2.3 Decision Checklist ### 2.3 Decision Checklist
## 3. Detailed Runbook ## 3. Detailed Implementation Runbook
### 3.1 Create Digital Ocean Account ### 3.1 Create Digital Ocean Account
**Objective**
Provision a cloud account capable of hosting the pilot environment:
- Account created and secured
- Billing configured
- Team/ownership clarified
- Ready to provision Droplet (Task 3.3)
**Architectural Context**
This account will own:
- Droplet (server)
- Backups/snapshots
- Networking (firewall, IP)
- Future scaling resources
**Step 1 - Register Account**
Go to:
```
https://cloud.digitalocean.com/registrations/new
```
1.1 Enter account details
```
Email address (prefer client-owned)
Password (strong, unique)
```
1.2 Verify email
```
Check inbox
Click verification link
```
**Step 2 - Secure the Account (Highly Recommended)**
2.1 Enable Two-Factor Authentication (2FA)
Navigate to:
```
Settings → Security → Two-Factor Authentication
```
Enable using:
Authenticator app (recommended)
2.2 Store recovery codes
✔ Save securely (password manager)
**Step 3 - Add Billing Method**
Navigate to:
```
Billing → Payment Methods
```
3.1 Add payment method
3.2 Confirm billing active
**Step 4 - Create/Confirm Team Context**
DigitalOcean uses teams/projects.
Navigate:
```
Projects → Default Project
```
4.1 Rename project (recommended)
GaussianWellworks-Pilot
4.2 Assign resources later
Droplets will be attached here.
**Step 5 - Configure Default Settings**
5.1 Enable backups (account-level awareness)
While backups are enabled per droplet, confirm understanding:
✔ Backups cost ~20% of droplet price
✔ Enable during droplet creation
5.2 (Optional) Enable monitoring
Settings → Monitoring → Enable
*Not required for pilot, but useful later.*
**Validation Checklist**
- [✔] Account created
- [✔] Email verified
- [✔] 2FA enabled
- [✔] Billing method added
- [✔] Project created/renamed
- [✔] Dashboard accessible
- [✔] Able to initiate droplet creation
### 3.2 Create SSH Key Pair (Windows 11) ### 3.2 Create SSH Key Pair (Windows 11)
**Objective**
Create an SSH key pair on a Windows 11 workstation and upload the public key to DigitalOcean so it can be attached when provisioning the Ubuntu droplet.
DigitalOcean recommends SSH keys over passwords for Droplet access, and uploaded team keys can be selected during Droplet creation.
**Generate key** **Generate key**
```Powershell ```Powershell
</> Powershell </> Powershell
@@ -40,18 +148,34 @@ Get-Content $env:USERPROFILE\.ssh\id_ed25519.pub | Set-Clipboard
- Settings → Security → SSH Keys → Add - Settings → Security → SSH Keys → Add
- Name: admin-windows11 - Name: admin-windows11
**Validation** **Validation Checklist**
[✔] Key visible in DigitalOcean - [✔] Key visible in DigitalOcean
### 3.3 Provision Droplet ### 3.3 Provision Droplet
**Configuration** **Objective**
Provision a production-ready virtual server (Droplet) in DigitalOcean that will host:
- Nextcloud (Docker-based)
- Reverse proxy (Nginx)
- Supporting services
This step establishes the core infrastructure node for the entire pilot.
**Create Dropet**
1. Login to DigitalOcean
2. Click Create
3. Select Droplets
**Droplet Configuration**
``` ```
Image: Ubuntu 22.04 LTS Image: Ubuntu 22.04 LTS
Plan: Premium Intel Plan: Premium Intel
Size: 4 vCPU / 8GB RAM Size: 2 vCPU / 8GB RAM
Region: closest to users Region: closest to users
Auth: SSH key Auth: SSH key
Backups: Enabled Backups: Enabled
@@ -63,13 +187,24 @@ Hostname: gw-drive-01
ssh root@<IP> ssh root@<IP>
``` ```
**Validation** **Validation Checklist**
[✔] SSH login works - [✔] SSH login works
[✔] IP recorded - [✔] IP recorded
### 3.4 Initial Server Configuration ### 3.4 Initial Server Configuration
**Objective**
Harden the freshly provisioned Ubuntu server and establish a secure administrative baseline before any application deployment.
At the end of this task, the system will:
- Allow SSH access only via key-based authentication
- Use a non-root administrative user
- Be fully patched and up to date
- Be ready for firewall and application installation
**Create admin user** **Create admin user**
```Bash ```Bash
@@ -129,6 +264,15 @@ sudo apt autoremove -y
### 3.5 Configure Firewall ### 3.5 Configure Firewall
**Objective**
Establish a baseline network security posture so that:
- Only required ports are exposed
- All other inbound traffic is blocked
- SSH access remains available
- The system is prepared for web access (Nextcloud + HTTPS)
**DigitalOcean Firewall** **DigitalOcean Firewall**
Allow: Allow:
@@ -165,6 +309,19 @@ sudo ufw status
### 3.6 Configure DNS ### 3.6 Configure DNS
**Objective**
Create a public DNS record so that:
```
drive.company.com → your Droplet public IP
```
This enables:
- Browser access to Nextcloud (Day 3)
- SSL certificate issuance (Lets Encrypt)
- A stable, user-friendly endpoint
**Create A record** **Create A record**
``` ```
Host: drive Host: drive
@@ -185,6 +342,15 @@ nslookup drive.company.com
### 3.7 Install Docker ### 3.7 Install Docker
**Objective**
Prepare the server to run containerized services by installing:
- Docker Engine (container runtime)
- Docker Compose (multi-container orchestration)
**Required Dependencies**
```Bash ```Bash
</> Bash </> Bash
sudo apt install ca-certificates curl gnupg -y sudo apt install ca-certificates curl gnupg -y
@@ -203,6 +369,8 @@ $(lsb_release -cs) stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
``` ```
**Install Docker**
```Bash ```Bash
</> Bash </> Bash
sudo apt update sudo apt update
@@ -230,6 +398,15 @@ docker run hello-world
### 3.10 Deploy Nextcloud ### 3.10 Deploy Nextcloud
**Objective**
Deploy a production-capable Nextcloud stack using Docker Compose, including:
- Nextcloud application container
- MariaDB database container
- Redis (for performance + file locking)
- Persistent storage volumes
**Create directory** **Create directory**
```Bash ```Bash
@@ -312,6 +489,17 @@ http://<IP>:8080
### 3.11 Validate Internal Access ### 3.11 Validate Internal Access
**Objective**
Confirm that the deployed Nextcloud instance is:
- Reachable over the network (via Droplet IP)
- Functionally operational (login, file operations)
- Persisting data correctly
- Stable prior to exposing externally
This is a hard validation gate—do not proceed until this passes.
**Test:** **Test:**
- [ ] Login - [ ] Login
@@ -322,6 +510,16 @@ http://<IP>:8080
### 3.12 Install Nginx ### 3.12 Install Nginx
**Objective**
Install and validate Nginx as the web server that will act as a reverse proxy in front of Nextcloud.
At the end of this step:
- Nginx is installed and running
- Port 80 (HTTP) is actively serving traffic
- Server is ready for reverse proxy configuration (Task 3.13)
```Bash ```Bash
</> Bash </> Bash
sudo apt install nginx -y sudo apt install nginx -y
@@ -336,6 +534,20 @@ http://<IP> → nginx welcome page
### 3.13 Configure HTTP Reverse Proxy (Staging Only) ### 3.13 Configure HTTP Reverse Proxy (Staging Only)
**Objective**
Bind your domain to the application by configuring Nginx to proxy:
```
drive.company.com → Nginx (port 80) → Nextcloud (port 8080)
```
At the end of this step:
- Nginx reverse proxy configuration staged
- HTTP server block created for drive.company.com
- Nginx config syntax validates
- Nginx reloads successfully
- ⚠ Browser access may redirect to HTTPS and show 404 until SSL/HTTPS configuration is completed
```Bash ```Bash
</> Bash </> Bash
@@ -372,6 +584,18 @@ sudo systemctl reload nginx
### 3.14 Install SSL (Certbot) ### 3.14 Install SSL (Certbot)
**Objective**
Obtain and install a valid SSL certificate so that:
https://drive.company.com
is:
- Trusted (no browser warnings)
- Encrypted (HTTPS)
- Routed through Nginx to Nextcloud
```Bash ```Bash
</> Bash </> Bash
@@ -386,6 +610,22 @@ sudo certbot --nginx -d drive.company.com
### 3.15 Finalize HTTPS Reverse Proxy ### 3.15 Finalize HTTPS Reverse Proxy
**Objective**
Complete the system by:
- Wiring HTTPS (port 443) to Nextcloud
- Enforcing HTTP → HTTPS redirect
- Applying required Nextcloud proxy settings
- Performing end-to-end validation
At completion:
- https://drive.company.com fully functional
- Secure (SSL)
- Reverse proxy working
- Upload/download validated
**Replace config** **Replace config**
```Bash ```Bash
@@ -796,5 +1036,4 @@ Up to 24 hours
- [✔] DNS resolves correctly - [✔] DNS resolves correctly
- [✔] Email received externally - [✔] Email received externally
- [✔] Email sent externally - [✔] Email sent externally
- [✔] Deliverability validated - [✔] Deliverability validated