FirmFlow Production Deployment Guide¶
This guide is for IT Operations and DevOps teams responsible for deploying firmflow. into high-security production environments. It expands upon the basic installation guide with security hardening, reliability, and maintenance best practices.
1. Host System Hardening¶
Before installing Docker, ensure the host OS (Ubuntu 22.04 LTS recommended) is hardened.
1.1 Secure the Host¶
- Disabled Root Login: Ensure SSH root login is disabled in
/etc/ssh/sshd_config. - UFW Firewall: Enable the firewall and only allow required ports:
- Fail2Ban: Install and configure Fail2Ban to prevent brute-force attacks on SSH.
1.2 Dedicated Storage Partition¶
Mount the FirmFlow data directory on a dedicated, encrypted partition (LVM with LUKS recommended) to protect data at rest:
# Recommended structure
/opt/firmflow/ # Base directory
/opt/firmflow/pgdata # Database persistence
/opt/firmflow/uploads # Vault persistence
2. Environment Configuration¶
The .env file contains critical encryption secrets. Leakage or loss of the AUTH_SECRET results in permanent data loss.
2.1 Generate Production Secrets¶
Do not use simple strings. Use openssl to generate high-entropy keys:
2.2 Permissions¶
Restrict access to the environment file:
3. Reverse Proxy & SSL (Nginx)¶
Never expose the Next.js container (port 3000) directly to the internet/network. Always use a reverse proxy.
3.1 Recommended Nginx Configuration¶
server {
listen 443 ssl http2;
server_name portal.yourfirm.com;
# SSL hardening
ssl_certificate /etc/letsencrypt/live/yourfirm.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourfirm.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Security Headers
add_header X-Frame-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' https://generativelanguage.googleapis.com;";
location / {
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# Buffering for large document uploads
client_max_body_size 50M;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
4. Deployment Workflow¶
4.1 Initial Launch¶
- Pull production images:
docker compose pull - Start the stack:
docker compose up -d - Execute migrations:
docker compose exec web npx prisma migrate deploy - Verify license connectivity: Check logs for
[License] Validated successfully.
4.2 Handling Updates¶
FirmFlow updates follow a "blue-green" lite approach via Docker:
1. Backup the database (See Backup Guide).
2. Pull new images: docker compose pull
3. Restart services: docker compose up -d
4. The application will automatically perform schema checks on startup.
5. Maintenance & Monitoring¶
5.1 Log Management¶
Logs are directed to stdout within Docker. Use journald or a log rotation policy in /etc/docker/daemon.json to prevent disk exhaustion:
5.2 Health Checks¶
The web container includes a built-in healthcheck at /api/health. Monitoring tools should alert if this endpoint returns non-200.
6. Post-Deployment Checklist¶
- [ ] SSL Labs rating of "A" or higher for the portal URL.
- [ ] Outbound firewall rules verified (See Network Requirements).
- [ ] Daily backup
cronjob active and verified. - [ ] Initial
SUPER_ADMINuser created and password changed. - [ ] MFA enabled for all administrative accounts.