updated runbook

2026-04-30 14:53:51 -05:00
parent c8598f8985
commit 76680fbeb1
2 changed files with 250 additions and 10 deletions
--- a/Admin_Guide.md
+++ b/Admin_Guide.md
@@ -21,6 +21,7 @@


 ## SSH
+Keyname: gaussianwellworks_do_ed25519
 Secure Passcode: L0neSt@r

 ## DROPLET
--- a/Runbook.md
+++ b/Runbook.md
@@ -3,6 +3,7 @@
 ## Gaussian Wellworks

 ## 1. Runbook Objective
+This runbook provides a step-by-step procedure to deploy a secure, self-hosted pilot environment in DigitalOcean within five business days, including infrastructure provisioning, domain and DNS configuration, email platform integration, containerized Nextcloud deployment, and secure HTTPS access via reverse proxy. The objective is to deliver a fully functional, production-ready pilot system that supports internal collaboration and client file ingestion workflows, with validated end-to-end functionality (upload, access, delivery), clear administrative controls, and a scalable foundation for future expansion or migration.

 ## 2. Critical Dependencies

@@ -10,12 +11,119 @@
 ### 2.2 Administrative Access
 ### 2.3 Decision Checklist

-## 3. Detailed Runbook
+## 3. Detailed Implementation Runbook

 ### 3.1 Create Digital Ocean Account

+**Objective**
+
+Provision a cloud account capable of hosting the pilot environment:
+
+- Account created and secured
+- Billing configured
+- Team/ownership clarified
+- Ready to provision Droplet (Task 3.3)
+
+**Architectural Context**
+
+This account will own:
+- Droplet (server)
+- Backups/snapshots
+- Networking (firewall, IP)
+- Future scaling resources
+
+**Step 1 - Register Account**
+
+Go to:
+```
+https://cloud.digitalocean.com/registrations/new
+```
+
+1.1 Enter account details
+```
+Email address (prefer client-owned)
+Password (strong, unique)
+```
+
+1.2 Verify email
+```
+Check inbox
+Click verification link
+```
+
+**Step 2 - Secure the Account (Highly Recommended)**
+
+2.1 Enable Two-Factor Authentication (2FA)
+
+Navigate to:
+```
+Settings → Security → Two-Factor Authentication
+```
+
+Enable using:
+Authenticator app (recommended)
+
+2.2 Store recovery codes
+
+✔ Save securely (password manager)
+
+**Step 3 - Add Billing Method**
+
+Navigate to:
+```
+Billing → Payment Methods
+```
+
+3.1 Add payment method
+
+3.2 Confirm billing active
+
+**Step 4 - Create/Confirm Team Context**
+
+DigitalOcean uses teams/projects.
+
+Navigate:
+```
+Projects → Default Project
+```
+
+4.1 Rename project (recommended)
+GaussianWellworks-Pilot
+
+4.2 Assign resources later
+Droplets will be attached here.
+
+**Step 5 - Configure Default Settings**
+
+5.1 Enable backups (account-level awareness)
+While backups are enabled per droplet, confirm understanding:
+
+✔ Backups cost ~20% of droplet price
+✔ Enable during droplet creation
+
+5.2 (Optional) Enable monitoring
+Settings → Monitoring → Enable
+
+*Not required for pilot, but useful later.*
+
+**Validation Checklist**
+
+- [✔] Account created
+- [✔] Email verified
+- [✔] 2FA enabled
+- [✔] Billing method added
+- [✔] Project created/renamed
+- [✔] Dashboard accessible
+- [✔] Able to initiate droplet creation
+
 ### 3.2 Create SSH Key Pair (Windows 11)

+**Objective**
+
+Create an SSH key pair on a Windows 11 workstation and upload the public key to DigitalOcean so it can be attached when provisioning the Ubuntu droplet.
+
+DigitalOcean recommends SSH keys over passwords for Droplet access, and uploaded team keys can be selected during Droplet creation.
+
 **Generate key**
 ```Powershell
 </> Powershell
@@ -40,18 +148,34 @@ Get-Content $env:USERPROFILE\.ssh\id_ed25519.pub | Set-Clipboard
 - Settings → Security → SSH Keys → Add
 - Name: admin-windows11

-**Validation**
+**Validation Checklist**

-[✔] Key visible in DigitalOcean
+- [✔] Key visible in DigitalOcean


 ### 3.3 Provision Droplet

-**Configuration**
+**Objective**
+
+Provision a production-ready virtual server (Droplet) in DigitalOcean that will host:
+
+- Nextcloud (Docker-based)
+- Reverse proxy (Nginx)
+- Supporting services
+
+This step establishes the core infrastructure node for the entire pilot.
+
+**Create Dropet**
+
+1. Login to DigitalOcean
+2. Click Create
+3. Select Droplets
+
+**Droplet Configuration**
 ```
 Image: Ubuntu 22.04 LTS
 Plan: Premium Intel
-Size: 4 vCPU / 8GB RAM
+Size: 2 vCPU / 8GB RAM
 Region: closest to users
 Auth: SSH key
 Backups: Enabled
@@ -63,13 +187,24 @@ Hostname: gw-drive-01
 ssh root@<IP>
 ```

-**Validation**
+**Validation Checklist**

-[✔] SSH login works
-[✔] IP recorded
+- [✔] SSH login works
+- [✔] IP recorded

 ### 3.4 Initial Server Configuration

+**Objective**
+
+Harden the freshly provisioned Ubuntu server and establish a secure administrative baseline before any application deployment.
+
+At the end of this task, the system will:
+
+- Allow SSH access only via key-based authentication
+- Use a non-root administrative user
+- Be fully patched and up to date
+- Be ready for firewall and application installation
+
 **Create admin user**

 ```Bash
@@ -129,6 +264,15 @@ sudo apt autoremove -y

 ### 3.5 Configure Firewall

+**Objective**
+
+Establish a baseline network security posture so that:
+
+- Only required ports are exposed
+- All other inbound traffic is blocked
+- SSH access remains available
+- The system is prepared for web access (Nextcloud + HTTPS)
+
 **DigitalOcean Firewall**

 Allow:
@@ -165,6 +309,19 @@ sudo ufw status

 ### 3.6 Configure DNS

+**Objective**
+
+Create a public DNS record so that:
+```
+drive.company.com → your Droplet public IP
+```
+
+This enables:
+
+- Browser access to Nextcloud (Day 3)
+- SSL certificate issuance (Let’s Encrypt)
+- A stable, user-friendly endpoint
+
 **Create A record**
 ```
 Host: drive
@@ -185,6 +342,15 @@ nslookup drive.company.com

 ### 3.7 Install Docker

+**Objective**
+
+Prepare the server to run containerized services by installing:
+
+- Docker Engine (container runtime)
+- Docker Compose (multi-container orchestration)
+
+**Required Dependencies**
+
 ```Bash
 </> Bash
 sudo apt install ca-certificates curl gnupg -y
@@ -203,6 +369,8 @@ $(lsb_release -cs) stable" | \
 sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
 ```

+**Install Docker**
+
 ```Bash
 </> Bash
 sudo apt update
@@ -230,6 +398,15 @@ docker run hello-world

 ### 3.10 Deploy Nextcloud

+**Objective**
+
+Deploy a production-capable Nextcloud stack using Docker Compose, including:
+
+- Nextcloud application container
+- MariaDB database container
+- Redis (for performance + file locking)
+- Persistent storage volumes
+
 **Create directory**

 ```Bash
@@ -312,6 +489,17 @@ http://<IP>:8080

 ### 3.11 Validate Internal Access

+**Objective**
+
+Confirm that the deployed Nextcloud instance is:
+
+- Reachable over the network (via Droplet IP)
+- Functionally operational (login, file operations)
+- Persisting data correctly
+- Stable prior to exposing externally
+
+This is a hard validation gate—do not proceed until this passes.
+
 **Test:**

 - [ ] Login
@@ -322,6 +510,16 @@ http://<IP>:8080

 ### 3.12 Install Nginx

+**Objective**
+
+Install and validate Nginx as the web server that will act as a reverse proxy in front of Nextcloud.
+
+At the end of this step:
+
+- Nginx is installed and running
+- Port 80 (HTTP) is actively serving traffic
+- Server is ready for reverse proxy configuration (Task 3.13)
+
 ```Bash
 </> Bash
 sudo apt install nginx -y
@@ -336,6 +534,20 @@ http://<IP> → nginx welcome page

 ### 3.13 Configure HTTP Reverse Proxy (Staging Only)

+**Objective**
+
+Bind your domain to the application by configuring Nginx to proxy:
+```
+drive.company.com → Nginx (port 80) → Nextcloud (port 8080)
+```
+
+At the end of this step:
+- Nginx reverse proxy configuration staged
+- HTTP server block created for drive.company.com
+- Nginx config syntax validates
+- Nginx reloads successfully
+- ⚠ Browser access may redirect to HTTPS and show 404 until SSL/HTTPS configuration is completed
+
 ```Bash
 </> Bash

@@ -372,6 +584,18 @@ sudo systemctl reload nginx

 ### 3.14 Install SSL (Certbot)

+**Objective**
+
+Obtain and install a valid SSL certificate so that:
+
+https://drive.company.com
+
+is:
+
+- Trusted (no browser warnings)
+- Encrypted (HTTPS)
+- Routed through Nginx to Nextcloud
+
 ```Bash
 </> Bash

@@ -386,6 +610,22 @@ sudo certbot --nginx -d drive.company.com

 ### 3.15 Finalize HTTPS Reverse Proxy

+**Objective**
+
+Complete the system by:
+
+- Wiring HTTPS (port 443) to Nextcloud
+- Enforcing HTTP → HTTPS redirect
+- Applying required Nextcloud proxy settings
+- Performing end-to-end validation
+
+At completion:
+
+- https://drive.company.com fully functional
+- Secure (SSL)
+- Reverse proxy working
+- Upload/download validated
+
 **Replace config**

 ```Bash
@@ -796,5 +1036,4 @@ Up to 24 hours
 - [✔] DNS resolves correctly
 - [✔] Email received externally
 - [✔] Email sent externally
- [✔] Deliverability validated
-
+- [✔] Deliverability validated