# Production Deployment Guide - Post-ERG

This guide covers deploying the production nginx configuration with proper security and permissions.

## 🎯 Overview

- **Server**: xamxam.erg.be (internal IP: 192.168.6.125)
- **PHP Version**: 8.4
- **SSL/TLS**: Handled by upstream reverse proxy
- **Document Root**: `/var/www/xamxam/public/`

## 🚀 Quick Deployment

From your local machine:

```bash
# Deploy nginx config and upload deployment script
just deploy-nginx

# Then on the server:
ssh xamxam
sudo bash /tmp/deploy-server.sh
sudo systemctl reload nginx
```

This uploads:

- `nginx/xamxam.conf` → `/tmp/xamxam.conf`
- `scripts/deploy-server.sh` → `/tmp/deploy-server.sh`

## 📋 Step-by-Step Deployment

### 1. Set Up Admin Password (First Time Only)

```bash
ssh xamxam
# -c creates the file and overwrites any existing one, so use it only the first time
sudo htpasswd -c /etc/nginx/.htpasswd-xamxam admin
# Enter a strong password when prompted
```

**💡 Tip**: Generate a strong password:

```bash
openssl rand -base64 32
```

### 2. Deploy Configuration

```bash
# From your local machine
just deploy-nginx

# On the server
sudo bash /tmp/deploy-server.sh
sudo systemctl reload nginx
```

The script will:

- ✅ Fix file permissions (set to www-data:xamxam)
- ✅ Install nginx configuration
- ✅ Test nginx configuration
- ✅ Check PHP-FPM status

## 🔧 Manual Deployment (Alternative)

### Step 1: Fix Permissions

```bash
ssh xamxam

# Set correct ownership
sudo chown -R www-data:xamxam /var/www/xamxam/

# Set directory permissions
sudo find /var/www/xamxam -type d -exec chmod 755 {} \;

# Set file permissions
sudo find /var/www/xamxam -type f -exec chmod 644 {} \;

# Make storage writable
sudo chmod 775 /var/www/xamxam/storage

# Protect database (no access for "other")
sudo chmod 660 /var/www/xamxam/storage/test.db
sudo chown www-data:xamxam /var/www/xamxam/storage/test.db
```

### Step 2: Deploy Nginx Config

```bash
# Copy config
sudo cp /tmp/xamxam.conf /etc/nginx/sites-available/xamxam

# Enable site and disable default
sudo ln -sf /etc/nginx/sites-available/xamxam /etc/nginx/sites-enabled/xamxam
sudo rm -f /etc/nginx/sites-enabled/default

# Test and reload
sudo nginx -t
sudo systemctl reload nginx
```

## 🧪 Testing

### Test Public Site

```bash
# Should return 200 OK
curl -I https://xamxam.erg.be/
```

### Test Admin Protection

```bash
# Should return 401 Unauthorized
curl -I https://xamxam.erg.be/admin/

# With credentials
curl -u admin:your_password https://xamxam.erg.be/admin/
```

### Test File Protection

```bash
# Should return 403 Forbidden
curl -I https://xamxam.erg.be/storage/test.db
curl -I https://xamxam.erg.be/src/Database.php
curl -I https://xamxam.erg.be/config/bootstrap.php
```

### Test Security Headers

```bash
# -s hides the progress meter; -i matches the lowercase header names sent over HTTP/2
curl -sI https://xamxam.erg.be/ | grep -iE "X-Frame|X-Content|Strict-Transport"
```

## 🔍 Troubleshooting

### Still Getting 403 Forbidden

**Check file permissions:**

```bash
ls -la /var/www/xamxam/public/index.php
groups www-data  # Should include xamxam
```

### 502 Bad Gateway

**Check PHP-FPM:**

```bash
sudo systemctl status php8.4-fpm
sudo systemctl restart php8.4-fpm
```

### Admin Password Not Working

```bash
# Without -c, htpasswd updates the existing entry for admin
sudo htpasswd /etc/nginx/.htpasswd-xamxam admin
```

## 📊 Monitoring

```bash
# Watch logs
sudo tail -f /var/log/nginx/xamxam_access.log
sudo tail -f /var/log/nginx/xamxam_error.log

# Check status
sudo systemctl status nginx
```

## 🔒 Security Checklist

After deployment, verify:

- [ ] Public site accessible at https://xamxam.erg.be/
- [ ] Admin panel requires password
- [ ] Database files return 403 Forbidden
- [ ] Source files return 403 Forbidden
- [ ] Security headers present
- [ ] PHP-FPM running

## 🔄 Updating the Site

```bash
# Deploy code changes
just deploy

# Reload nginx if config changed
ssh xamxam "sudo systemctl reload nginx"
```

## 🆘 Emergency Recovery

```bash
# Restore default nginx config
ssh xamxam
sudo rm /etc/nginx/sites-enabled/xamxam
sudo systemctl reload nginx

# Reset permissions
sudo chown -R www-data:xamxam /var/www/xamxam/
sudo find /var/www/xamxam -type d -exec chmod 755 {} \;
sudo find /var/www/xamxam -type f -exec chmod 644 {} \;
```

---

**See also:**

- [QUICK_REFERENCE.md](QUICK_REFERENCE.md) - Command reference
- [ADMIN_USERS.md](ADMIN_USERS.md) - User management
- [SECURITY_HEADERS.md](SECURITY_HEADERS.md) - Security headers
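
The Testing and Security Checklist sections above can be run as one scripted check that fails loudly when a protected path is served. This is an added example, not part of the project's scripts; the function names, the `BASE` variable and the `--run` switch are assumptions, and the full header names are the standard ones matching the guide's grep pattern.

```bash
#!/usr/bin/env bash
# Added example: automates this guide's checklist with its URLs and expected codes.
BASE="${BASE:-https://xamxam.erg.be}"

# Print the HTTP status code for a URL (HEAD request, like `curl -I`).
fetch_status() { curl -s -o /dev/null -I -w '%{http_code}' --max-time 10 "$1"; }

# Print the raw response headers for a URL.
fetch_headers() { curl -sI --max-time 10 "$1"; }

# check_status PATH EXPECTED: returns 0 on match, 1 otherwise.
check_status() {
  local got
  got="$(fetch_status "$BASE$1")"
  if [ "$got" = "$2" ]; then echo "PASS $1 -> $got"; return 0; fi
  echo "FAIL $1 -> got ${got:-none}, expected $2"; return 1
}

# Reads response headers on stdin and prints each required header that is absent.
# Matching is case-insensitive because HTTP/2 responses use lowercase names.
missing_headers() {
  local headers name
  headers="$(tr -d '\r')"
  for name in X-Frame-Options X-Content-Type-Options Strict-Transport-Security; do
    printf '%s\n' "$headers" | grep -qi "^$name:" || echo "$name"
  done
}

# Runs every check; returns 1 if any of them failed.
run_checklist() {
  local failed=0 missing
  check_status /                     200 || failed=1
  check_status /admin/               401 || failed=1
  check_status /storage/test.db      403 || failed=1
  check_status /src/Database.php     403 || failed=1
  check_status /config/bootstrap.php 403 || failed=1
  missing="$(fetch_headers "$BASE/" | missing_headers)"
  if [ -n "$missing" ]; then echo "FAIL missing headers:" $missing; failed=1; fi
  return "$failed"
}

# Only contacts the server when invoked with --run.
if [ "${1:-}" = "--run" ]; then run_checklist; fi
```

A non-zero exit status means at least one checklist item failed, so the script can gate the final `systemctl reload` step or run from cron after each deploy.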