Enter the Django container and run the migrations:
docker exec -it id123 bash
python manage.py makemigrations authentication
python manage.py makemigrations main
python manage.py migrate
Create a superuser:
python manage.py createsuperuser
The admin site is now available at lycaste.eu/admin.
The project is dockerized using docker-compose.
- The PostgreSQL database runs as a service.
- The Django app runs as a service.
Two important paths are not tracked by git:
- .env contains all secrets (database and Django app credentials) and the environment info (prod/dev). It looks like:
ENVIRONMENT=prod
POSTGRES_DB=db_prod
POSTGRES_USER=admin
POSTGRES_PASSWORD=123
DJANGO_SECRET_KEY=abc
SERVER_IP=111.222.333.444
A symlink to the right docker-compose file is also created, for instance:
ln -s docker-compose.prod.yml docker-compose.yml
- data, which is created as follows:
In the prod environment:
mkdir data
mkdir data/db
mkdir data/img
mkdir data/migrations
mkdir data/migrations/main
mkdir data/migrations/authentication
mkdir data/mailserver
mkdir data/mailserver/mail-data
mkdir data/mailserver/mail-state
mkdir data/mailserver/mail-logs
mkdir data/mailserver/config
mkdir data/certbot
mkdir data/certbot/www
mkdir data/certbot/conf
In the dev environment:
mkdir data
mkdir data/db
mkdir data/img
mkdir data/migrations
mkdir data/migrations/main
mkdir data/migrations/authentication
mkdir data/wordpress
mkdir data/wordpress/db
mkdir data/wordpress/content
These files need to be manually added to the VPS environment.
The app is built and launched using:
docker compose build
docker compose up
To manage the Django app, enter the webapp container. First identify its container id:
docker ps
Say it is "id123", then:
docker exec -it id123 bash
to enter the container, from which python manage.py commands may be launched.
Mailboxes on the SMTP (mailserver) container are managed with:
docker compose exec mailserver setup email add user@lycaste.eu
docker compose exec mailserver setup email list
It is important to configure SPF correctly so that outgoing mail is not flagged as spam (see the OVH documentation), and to make sure the domain's DNS records point to the server IP with no competing records, for instance from OVH mail hosting services.
UFW should then be configured as follows. UFW and Docker both write iptables rules and can conflict (see this blog): ports published by Docker may stay reachable even when UFW denies them. To keep control over IP access, stop Docker from managing iptables:
echo '{
"iptables": false
}' | sudo tee /etc/docker/daemon.json
sudo systemctl restart docker
sudo ufw reload
The certbot service needs access to iptables. Therefore, re-enable Docker's iptables management. Before restarting Docker, all services should be gracefully shut down.
echo '{
"iptables": true
}' | sudo tee /etc/docker/daemon.json
sudo systemctl restart docker
After restarting Docker, relaunch the services and renew the certificates:
docker compose run --rm certbot certonly --webroot --webroot-path /var/www/certbot/ -d lycaste.eu -d www.lycaste.eu -d mail.lycaste.eu
After renewing the certificates, restore the restrictive UFW setup:
echo '{
"iptables": false
}' | sudo tee /etc/docker/daemon.json
sudo systemctl restart docker
sudo ufw reload
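A pre-deploy check added here as an example (not part of the project) for the .env file described above and for the Docker iptables setting used in the UFW steps: it parses the .env, reports missing keys, an invalid ENVIRONMENT or SERVER_IP and weak secrets, verifies that .gitignore covers .env and data, and reads daemon.json the way Docker does (iptables management is on unless the file sets it to false). The 50-character / 5-unique-character SECRET_KEY limits are Django's own deployment-check thresholds; the 16-character PostgreSQL password minimum is an assumption, and the sample .env is constructed from the placeholder shown above.

```python
import ipaddress
import json

# Keys the .env file described above must define.
REQUIRED = ("ENVIRONMENT", "POSTGRES_DB", "POSTGRES_USER",
            "POSTGRES_PASSWORD", "DJANGO_SECRET_KEY", "SERVER_IP")

def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and # comments are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def check_env(text):
    """Return a list of findings for a .env file; an empty list means OK."""
    env = parse_env(text)
    findings = [f"missing {k}" for k in REQUIRED if k not in env]
    if env.get("ENVIRONMENT") not in ("prod", "dev"):
        findings.append("ENVIRONMENT must be prod or dev")
    if len(env.get("POSTGRES_PASSWORD", "")) < 16:  # 16 is an assumed minimum
        findings.append("POSTGRES_PASSWORD shorter than 16 characters")
    key = env.get("DJANGO_SECRET_KEY", "")
    if len(key) < 50 or len(set(key)) < 5:  # Django's deployment-check limits
        findings.append("DJANGO_SECRET_KEY too short or too few unique characters")
    try:
        ipaddress.ip_address(env.get("SERVER_IP", ""))
    except ValueError:
        findings.append("SERVER_IP is not a valid IP address")
    return findings

def check_gitignore(text):
    """.env and data must be ignored so secrets and data never reach the repo."""
    ignored = {ln.strip().strip("/") for ln in text.splitlines()}
    return [f"{p} is not in .gitignore" for p in (".env", "data") if p not in ignored]

def docker_manages_iptables(daemon_json_text):
    """Docker manages iptables (and so bypasses UFW) unless daemon.json sets it false."""
    text = daemon_json_text.strip()
    return bool(json.loads(text).get("iptables", True)) if text else True

# Constructed sample mirroring the placeholder .env shown above.
SAMPLE_ENV = ("ENVIRONMENT=prod\nPOSTGRES_DB=db_prod\nPOSTGRES_USER=admin\n"
              "POSTGRES_PASSWORD=123\nDJANGO_SECRET_KEY=abc\nSERVER_IP=111.222.333.444\n")
SAMPLE_FINDINGS = check_env(SAMPLE_ENV)  # flags password, secret key and IP
```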
New mailbox on Thunderbird:
Dump the database from the source container:
docker exec -t id123 pg_dump -U admin db_prod > ./backup/$(date +\%Y\%m\%d).sql
Restore it into the target container:
docker cp ./backup/20250125.sql id456:/backup.sql
docker exec -t id456 psql -U admin -d db_dev -f /backup.sql
A WordPress image is also used to support the website design. It is behind UFW and only a few IPs have access to it.
The database may be accessed from lycaste.eu/admin with the right credentials, or from DBeaver from one of the few IPs that are allowed to reach port 5432 in the UFW configuration.
This project and embedded resources are copyrighted and the property of their author.