HR ERP — Complete Project Journey

📐 Complete Architecture — Developer PC → GitHub → Docker Hub → AWS EC2 → User

Development & Source

Developer PC

React + Node.js code

→ git push →

GitHub Repo

hr-admin-payroll-erp

→ triggers →

GitHub Actions

CI/CD Workflows

Build & Deploy

Lint + Test

ESLint, Jest, Trivy

→

Docker Build

Backend + Frontend images

→

Docker Hub

your-dockerhub/hr-erp-*

→ SSH pull →

AWS EC2

t3.medium Ubuntu 22.04

Production Stack on EC2

Nginx

Port 80/443 · Reverse Proxy

→

React Frontend

hr_erp_ui · Port 3000

Node.js API

hr_erp_api · Port 5000

PostgreSQL 15

hr_erp_db · Port 5432

Redis 7

hr_erp_redis · Port 6379

User Access

User Browser

Chrome / Mobile

→ HTTPS →

hrerp.infikuber.com

SSL via Let's Encrypt

→

Hostinger DNS

A record → YOUR_EC2_IP

📅 Development Timeline — 9 Steps from Code to Production

1

Code Preparation — Local PC

React 18 + Tailwind CSS frontend. Node.js + Express backend. PostgreSQL schema designed. Docker + docker-compose configured. All routes, middleware, services written.

2

GitHub Repository Setup

Created private repo hr-admin-payroll-erp. 5 GitHub Actions workflows added: ci-cd.yml, pr-checks.yml, security-scan.yml, rollback.yml, backup.yml. Dependabot configured for auto dependency updates.

3

AWS EC2 Instance Launch

AWS Console → EC2 → t3.medium (2 vCPU, 4GB RAM) · Ubuntu 22.04 LTS · 25GB gp3 storage. Security group: SSH port 22 (my IP only), HTTP 80 + HTTPS 443 (anywhere). Ports 3000/5000 NOT public — Docker binds to 127.0.0.1 only.

4

EC2 Server Configuration

Installed: Docker Engine, Nginx (reverse proxy), Certbot (SSL), UFW firewall. Generated SSH key for GitHub access. Created .env file with all secrets. Created systemd service for auto-start on reboot.

5

GitHub Actions CI/CD Setup

8 GitHub Secrets configured: DOCKERHUB_USERNAME, DOCKERHUB_TOKEN, EC2_HOST, EC2_SSH_KEY, DB_PASSWORD, REDIS_PASSWORD, JWT_SECRET, REFRESH_TOKEN_SECRET. Full pipeline: Lint → Security → Test → Docker Build → Deploy → Smoke Test (~3 min total).

6

Docker Containers Setup

4 containers in hr_net network: PostgreSQL 15, Redis 7-alpine, Node.js backend, React frontend (served via Nginx). All ports bound to 127.0.0.1. Healthchecks on all services. depends_on chaining: postgres+redis → backend → frontend.

7

Domain DNS Configuration

Domain: infikuber.com (Hostinger). Added A record: hrerp → YOUR_EC2_IP. Deleted old Hostinger A and AAAA records that were pointing to wrong IPs. Waited 5-10 min for DNS propagation.

8

SSL Certificate — HTTPS

Certbot auto-issued Let's Encrypt certificate. Auto-configured Nginx for HTTP→HTTPS redirect. Certificate saved at /etc/letsencrypt/live/hrerp.infikuber.com/. Expires 2026-06-09, auto-renewal scheduled.

9

🎉 LIVE — https://hrerp.infikuber.com

All 4 containers healthy. GitHub Actions all green. Every git push auto-deploys in ~3 minutes. Health check at /health endpoint confirmed working.

Frontend Stack

⚛️

React

v18.2.0

UI framework. JSX components. react-router-dom v6 for routing. react-hot-toast for notifications.

Frontend

🎨

Tailwind CSS

v3.4.0

Utility-first CSS. All UI styling. Responsive design. Custom config.

Styling

📊

Recharts

v2.10.1

Analytics charts. Payroll trend, headcount bar charts, attendance gauge.

Charts

🔗

Axios

v1.6.2

HTTP client. All API calls to backend. Interceptors for JWT headers.

HTTP

Backend Stack

🟢

Node.js

v20 LTS

JavaScript runtime. Non-blocking I/O. Required ≥18.0.0 per package.json engines field.

Runtime

🚂

Express

v4.18.2

Web framework. 25 route files. Middleware chain: helmet → cors → rate-limit → auth → handler.

Framework

🔐

JWT + bcryptjs

jwt 9.0.2

Authentication. JWT 8h access + 7d refresh tokens. bcrypt for password hashing. Role-based middleware.

Auth

📧

Nodemailer + PDFKit

nodemailer 6.9.7

SMTP email dispatch. PDFKit generates payslip PDFs. Multer for file uploads (receipts, photos).

Services

Database & Infrastructure

🐘

PostgreSQL

v15-alpine

Primary database. UUID primary keys. Multi-tenant with tenant_id on every table. 13 migration phases.

Database

🔴

Redis

v7-alpine

Caching layer. Session management. 256MB max memory. LRU eviction policy. Persistent with AOF.

Cache

🐳

Docker + Compose

Docker v24+

4 containers in hr_net network. Multi-stage frontend build. Non-root user for security. Health checks on all.

Container

🌐

Nginx

1.25-alpine

Reverse proxy. Serves React build. Proxies /api → Node.js. SSL termination. HTTP→HTTPS redirect.

Proxy

Backend Dependencies — Full List

Package	Version	Purpose	Used In
express	^4.18.2	Web framework, routing	server.js, all routes
pg + pg-pool	^8.11.3	PostgreSQL client + connection pool	database.js
redis	^4.6.11	Redis client for caching	rateLimiter, sessions
jsonwebtoken	^9.0.2	JWT sign/verify for auth	auth.js middleware
bcryptjs	^2.4.3	Password hashing	auth routes
helmet	^7.1.0	Security HTTP headers	server.js
cors	^2.8.5	Cross-origin resource sharing	server.js
express-rate-limit	^7.1.5	API + auth rate limiting	server.js
express-validator	^7.0.1	Request input validation	routes
multer	^1.4.5-lts.1	File upload handling (receipts, photos)	expenses.js, gps.js
nodemailer	^6.9.7	SMTP email sending	emailService.js
pdfkit	^0.14.0	PDF payslip generation	payslipPDF.js
razorpay	^2.9.2	Payment gateway for SaaS billing	billing.js
winston	^3.11.0	Structured logging	logger.js
sanitize-html	^2.11.0	XSS prevention, input sanitization	sanitize.js
compression	^1.7.4	Gzip response compression	server.js
uuid	^9.0.1	UUID generation	various routes
morgan	^1.10.0	HTTP request logging	server.js
dotenv	^16.3.1	Environment variable loading	server.js

Complete Project File Structure

Backend — 25 Route Files

backend/src/ ├── server.js Express app, middleware, 25+ routes ├── config/ │ ├── database.js PostgreSQL pool connection │ └── logger.js Winston structured logging ├── middleware/ │ ├── auth.js JWT verify + tenant_id from DB │ ├── rbac.js Role-based access control │ ├── rateLimiter.js 500/15min API, 20/15min auth │ ├── sanitize.js XSS input sanitization │ └── tenantMiddleware.js Plan limit check ├── routes/ │ ├── auth.js Login, OTP, refresh token │ ├── employees.js Employee CRUD + salary structure │ ├── attendance.js Daily attendance + GPS │ ├── payroll.js calcPayroll engine + PDF │ ├── leaves.js Apply, approve, balance │ ├── expenses.js Claims + receipt upload │ ├── compliance.js PF/ESI/TDS/PT reports │ ├── analytics.js 6 parallel DB queries KPIs │ ├── ats.js 7-stage recruitment Kanban │ ├── billing.js Razorpay + webhook HMAC │ ├── gpsAttendance.js Haversine geofence check │ ├── admin.js Users + per-user permissions │ ├── superAdmin.js All tenants — no tenant filter │ ├── shifts.js Shift master + bulk assign │ ├── advances.js Salary advance + EMI │ └── ... 10 more routes ├── services/ │ ├── payslipPDF.js PDFKit payslip generator │ ├── emailService.jsNodemailer SMTP dispatch │ └── emailTemplates.js HTML email templates └── utils/ └── geoUtils.js Haversine formula GPS

Frontend — 33 Page Components

frontend/src/ ├── App.jsx Router + auth guard + role routing ├── pages/ │ ├── Login.jsx JWT login + tenant check │ ├── Dashboard.jsx Role-based dashboard switch │ ├── Employees.jsx List + search + filter │ ├── EmployeeForm.jsx 5-step create/edit form │ ├── Attendance.jsx Table + GPS status │ ├── Payroll.jsx Run + preview + PDF │ ├── Leaves.jsx Apply + approve + balance │ ├── Expenses.jsx Claims + receipt upload │ ├── ATSKanban.jsx 7-stage Kanban board │ ├── ComplianceReports.jsx PF/ESI/TDS │ ├── AnalyticsDashboard.jsx Charts + KPIs │ ├── AuditLogs.jsx Activity trail │ ├── AdminUsers.jsx RBAC + permissions │ ├── BillingPortal.jsx Razorpay plans │ ├── Settings.jsx Company + GPS + SMTP │ └── ... 18 more pages ├── dashboards/ │ ├── AdminDashboard.jsx │ ├── HRDashboard.jsx │ ├── ManagerDashboard.jsx │ ├── EmployeeDashboard.jsx │ └── SuperAdminDashboard.jsx ├── components/ │ ├── GPSCheckin.jsx Live map + geofence UI │ └── layout/Layout.jsx Sidebar + topbar ├── services/ authService, employeeService... ├── context/ │ └── AuthContext.jsJWT + user state global └── utils/ ├── api.js Axios instance + interceptors └── useGPS.js Browser geolocation hook

Database — 13 Migration Phases

database/ ├── init.sql Base schema: employees, users, departments... ├── migration_phase7.sql ATS + recruitment pipeline ├── migration_phase8.sql GPS + geofence tables ├── migration_phase9.sql Tenant isolation + user_permissions ├── migration_phase9b.sql tenant_features JSON column ├── migration_phase10.sql Billing + subscription plans ├── migration_phase11.sql White label config ├── migration_phase12.sql Audit logs old_data/new_data ├── migration_phase13.sql Analytics snapshots ├── Master migration.sql Combined all phases └── run_migrations.sh Smart — skips already applied

5 GitHub Actions Workflow Files

🚀

ci-cd.yml

Trigger: push to main (~3 min)

Lint — ESLint backend code

Security — Trivy + Gitleaks + npm audit

Tests — Jest + PostgreSQL + Redis services

Docker Build + Push to Hub

SSH Deploy to EC2 + migrations

Smoke Test — curl /health

🔍

pr-checks.yml

Trigger: Pull Request to main

Validate PR title (skip Dependabot)

Build test — npm install check

Docker build test (no push)

🔒

security-scan.yml

Trigger: Every Monday 2AM

npm audit — critical vulnerabilities

Trivy — filesystem scan

Gitleaks — secret detection

↩️

rollback.yml

Trigger: Manual only

Input: specific image tag to rollback to

SSH to EC2 → docker compose pull tag

Restart containers with old image

💾

backup.yml

Trigger: Every day 1AM

SSH to EC2

pg_dump → compressed backup file

Store on EC2 with date stamp

Complete CI/CD Pipeline Flow

git push main

→

GitHub Actions trigger

→

Lint (38s)

+

Security (62s)

→

Tests (60s)

→

Docker Build + Push (26s)

→

Deploy EC2 (40s)

→

Smoke Test ✅

8 GitHub Secrets Required

🔑

DOCKERHUB_USERNAME

Docker Hub login

🔑

DOCKERHUB_TOKEN

Hub access token

🔑

EC2_HOST

YOUR_EC2_IP

🔑

EC2_SSH_KEY

your-server-key.pem content

🔒

DB_PASSWORD

PostgreSQL password

🔒

REDIS_PASSWORD

Redis password

🔒

JWT_SECRET

128-char random string

🔒

REFRESH_TOKEN_SECRET

128-char random string

Deploy Script — EC2 SSH Commands

# Runs on EC2 via appleboy/ssh-action set -e cd ~/hr-admin-payroll-erp # 1. Pull latest code git fetch origin main git reset --hard origin/main # 2. Pull new Docker images from Hub docker compose pull # 3. Restart containers (zero-downtime) docker compose up -d --remove-orphans --no-build # 4. Run DB migrations (smart — skips done) bash database/run_migrations.sh # 5. Health check loop (60s max) for i in $(seq 1 12); do if curl -sf http://localhost:5000/health; then echo "Backend healthy!" break fi # Rollback if all 12 checks fail if [ $i -eq 12 ]; then docker compose down git reset --hard HEAD~1 docker compose up -d exit 1 fi sleep 5 done # 6. Cleanup old images docker image prune -f

Docker Images — Built and Pushed to Hub

Backend Dockerfile — node:20-alpine

FROM node:20-alpine WORKDIR /app # Install deps (cache layer) COPY package*.json ./ RUN npm install --only=production --silent COPY . . RUN mkdir -p uploads logs # Non-root user for security RUN addgroup -g 1001 -S nodejs RUN adduser -S nodejs -u 1001 RUN chown -R nodejs:nodejs /app USER nodejs EXPOSE 5000 CMD ["node", "src/server.js"] # Tags pushed: your-dockerhub/hr-erp-backend:latest your-dockerhub/hr-erp-backend:abc12345

Frontend Dockerfile — Multi-stage Build

# Stage 1: Build React app FROM node:20-alpine AS builder WORKDIR /app COPY package*.json ./ RUN npm install --silent COPY . . ARG REACT_APP_API_URL=/api ENV REACT_APP_API_URL=$REACT_APP_API_URL # Fix Node 20 + OpenSSL issue ENV NODE_OPTIONS=--openssl-legacy-provider RUN npm run build # Stage 2: Serve with Nginx FROM nginx:1.25-alpine COPY --from=builder /app/build /usr/share/nginx/html COPY nginx.conf /etc/nginx/conf.d/default.conf EXPOSE 80 CMD ["nginx", "-g", "daemon off;"] # Tags pushed: your-dockerhub/hr-erp-frontend:latest

EC2 Instance Configuration

Instance Specs

Name	hr-erp-server
AMI	Ubuntu Server 22.04 LTS
Instance Type	t3.medium
vCPU	2
RAM	4 GB
Storage	25 GB gp3
Public IP	YOUR_EC2_IP
Key Pair	your-server-key.pem

Security Group — Firewall Rules

Type	Port	Source
SSH	22	My IP only
HTTP	80	Anywhere
HTTPS	443	Anywhere
3000 (React)	3000	127.0.0.1 only
5000 (API)	5000	127.0.0.1 only
5432 (PG)	5432	127.0.0.1 only
6379 (Redis)	6379	127.0.0.1 only

Software Installed on EC2

Docker Engine	Installed
Nginx	Installed
Certbot	Installed
python3-certbot-nginx	Installed
UFW Firewall	Enabled
systemd service	hr-erp.service
Docker group	ubuntu user added

Nginx Config — Reverse Proxy + SSL

# /etc/nginx/sites-available/hrerp.infikuber.com # HTTP → HTTPS redirect (added by Certbot) server { listen 80; server_name hrerp.infikuber.com; return 301 https://$host$request_uri; } server { listen 443 ssl; server_name hrerp.infikuber.com; # SSL — Let's Encrypt via Certbot ssl_certificate /etc/letsencrypt/live/hrerp.../fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/hrerp.../privkey.pem; # Frontend (React) — port 3000 location / { proxy_pass http://localhost:3000; } # Backend API — port 5000 location /api/ { proxy_pass http://localhost:5000/api/; } }

# systemd auto-start service # /etc/systemd/system/hr-erp.service [Unit] Description=HR ERP Docker Compose After=docker.service Requires=docker.service [Service] Type=oneshot RemainAfterExit=yes WorkingDirectory=/home/ubuntu/hr-admin-payroll-erp ExecStart=/usr/bin/docker compose up -d ExecStop=/usr/bin/docker compose down User=ubuntu [Install] WantedBy=multi-user.target # Commands: sudo systemctl daemon-reload sudo systemctl enable hr-erp sudo systemctl start hr-erp # DNS — Hostinger A Record Type: A Name: hrerp Points to: YOUR_EC2_IP TTL: 14400 # SSL Certbot command sudo certbot --nginx -d hrerp.infikuber.com

4 Docker Containers — hr_net Network

healthy

hr_erp_db

postgres:15-alpine

127.0.0.1:5432

Database: hr_erp · User: hr_admin · Data volume: postgres_data · Init: init.sql

healthy

hr_erp_redis

redis:7-alpine

127.0.0.1:6379

256MB max · LRU eviction · Persistence: save 60 1 · Password protected

healthy

hr_erp_api

hr-erp-backend:latest

127.0.0.1:5000

Node.js 20 · Depends on: postgres + redis healthy · Volumes: uploads, logs

running

hr_erp_ui

hr-erp-frontend:latest

127.0.0.1:3000

Nginx serving React build · Depends on: backend healthy · Port 80 internal

docker-compose.yml — Key Configuration

# docker-compose.yml — All 4 containers services: postgres: image: postgres:15-alpine container_name: hr_erp_db environment: POSTGRES_DB: hr_erp POSTGRES_PASSWORD: ${DB_PASSWORD:-Hr@Secret123} volumes: - postgres_data:/var/lib/postgresql/data - ./database/init.sql:/docker-entrypoint-initdb.d/init.sql:ro ports: ["127.0.0.1:5432:5432"] ← localhost only, not public healthcheck: { test: pg_isready, interval: 10s, retries: 5 } redis: image: redis:7-alpine command: redis-server --requirepass ${REDIS_PASSWORD} --maxmemory 256mb backend: image: ${DOCKERHUB_USERNAME}/hr-erp-backend:latest environment: DATABASE_URL: postgresql://hr_admin:${DB_PASSWORD}@postgres:5432/hr_erp REDIS_URL: redis://:${REDIS_PASSWORD}@redis:6379 JWT_SECRET: ${JWT_SECRET} depends_on: postgres: { condition: service_healthy } redis: { condition: service_healthy } healthcheck: ← Uses node http module, NOT wget (Alpine has no wget) test: node -e "require('http').get('http://localhost:5000/health',...)" frontend: image: ${DOCKERHUB_USERNAME}/hr-erp-frontend:latest ports: ["127.0.0.1:3000:80"] depends_on: backend: { condition: service_healthy } networks: hr_net: driver: bridge ipam: { config: [{ subnet: 172.20.0.0/16 }] }

ERROR 1

Resource not accessible by integration

pr-checks.yml → Validate PR job

Dependabot auto-creates PRs to update npm packages. PR Checks workflow tried to write a comment → bot PRs don't have write permission.

✅ Fix

jobs: validate: if: github.actor != 'dependabot[bot]'

ERROR 2

Unable to cache dependencies

CI/CD → Lint job

GitHub Actions tried to cache npm packages. Cache requires package-lock.json which was in .gitignore — didn't exist.

✅ Fix

Removed cache config from setup-node step completely. Changed npm ci → npm install in Dockerfiles.

ERROR 3

YAML syntax error on line 44

ci-cd.yml — GitHub showed red X

Used Unicode box-drawing characters ╔══╗ as visual separators in YAML comments. YAML parser rejected the file entirely.

✅ Fix

Replaced entire ci-cd.yml with clean version using only plain ASCII characters in comments.

ERROR 4

limit_req_zone not allowed here

EC2 → sudo nginx -t

Rate limit zone defined INSIDE server{} block. Nginx rule: limit_req_zone must be in http{} block only.

✅ Fix

Removed limit_req_zone completely. Used Express's own rate limiter (express-rate-limit) instead.

ERROR 5

No ssl_certificate defined

EC2 → sudo nginx -t

Nginx config had SSL certificate paths but Certbot hadn't run yet — certificate files didn't exist on disk.

✅ Fix

Commented out SSL lines temporarily. Got HTTP working first, then ran Certbot which auto-added SSL config.

ERROR 6

hr-erp.service does not exist

EC2 → sudo systemctl enable hr-erp

Tried to enable auto-start service without creating the .service file first. systemctl needs the file in /etc/systemd/system/.

✅ Fix

sudo tee /etc/systemd/system/hr-erp.service sudo systemctl daemon-reload sudo systemctl enable hr-erp

ERROR 7

Username and password required (Docker Hub)

GitHub Actions → Docker Build & Push

Workflow tried to push Docker images to Docker Hub but DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets were not added to GitHub yet.

✅ Fix

hub.docker.com → Security → New Access Token. Added DOCKERHUB_USERNAME + DOCKERHUB_TOKEN to GitHub Secrets.

ERROR 8

npm ci failed, exit code 1

GitHub Actions → Docker Build

Both Dockerfiles used npm ci which REQUIRES package-lock.json. Repo didn't have it.

✅ Fix

# Before RUN npm ci --only=production --silent # After RUN npm install --only=production --silent

ERROR 9

Could not read Username for github.com

GitHub Actions → Deploy via SSH

Deploy script runs git fetch on EC2. EC2 had cloned repo via HTTPS which needs username/password. No credentials stored.

✅ Fix

ssh-keygen -t ed25519 -C "ec2-deploy" # Added public key to GitHub SSH keys rm -rf ~/hr-admin-payroll-erp git clone [email protected]:your-github/hr-admin-payroll-erp

ERROR 10

.env key cannot contain a space

EC2 → docker compose up -d

Accidentally typed "chmod 600 .env" as text inside the .env file. Docker read it as a key=value pair — spaces invalid.

✅ Fix

Opened nano .env, deleted the wrong first line. Correct format: KEY=value with NO spaces in key names.

ERROR 11

Port 5432 already in use

EC2 → docker compose up -d

Ubuntu had system PostgreSQL installed and running on port 5432. Docker also tried to use 5432. Two processes can't share one port.

✅ Fix

sudo systemctl stop postgresql sudo systemctl disable postgresql docker compose up -d

ERROR 12

init.sql: Is a directory

EC2 → docker logs hr_erp_db

When creating database/init.sql on GitHub, GitHub created a FOLDER instead of a FILE. Docker tried to mount directory as file → PostgreSQL couldn't initialize schema.

✅ Fix

sudo rm -rf database/init.sql git pull # Get correct file

ERROR 13

Backend container unhealthy

EC2 → docker compose ps

Healthcheck used wget but node:20-alpine doesn't include wget. Container marked unhealthy → frontend wouldn't start.

✅ Fix — Use Node.js built-in http module

test: node -e "require('http').get( 'http://localhost:5000/health', r=>process.exit(r.statusCode===200?0:1) )"

ERROR 14

Certbot: Invalid response 404

EC2 → sudo certbot --nginx

nslookup showed 3 IPs: EC2 (correct) + Hostinger old A record + IPv6 record. Let's Encrypt hit wrong IP → 404 → SSL verification failed.

✅ Fix

Hostinger DNS → Deleted old A record (OLD_HOSTINGER_IP) and AAAA record. Kept only EC2 A record. Waited 10 min, re-ran certbot.

GitHub Actions — All Jobs Green ✅

Job	Time	Status	What it does
Lint	38s	Passed	ESLint on all backend JS files
Security Scan	1m 2s	Passed	Trivy + Gitleaks + npm audit
Tests	1m 0s	Passed	Jest unit tests with live PostgreSQL + Redis
Docker Build & Push	26s	Passed	Backend + Frontend images pushed to Docker Hub
Deploy to Production	40s	Passed	SSH → git pull → docker compose up → migrations
Total Pipeline	~3 min	All Green	From git push to live production

Live Docker Containers Status

healthy

hr_erp_db

postgres:15-alpine

127.0.0.1:5432

healthy

hr_erp_redis

redis:7-alpine

127.0.0.1:6379

healthy

hr_erp_api

hr-erp-backend:latest

127.0.0.1:5000

running

hr_erp_ui

hr-erp-frontend:latest

127.0.0.1:3000

10 Key Lessons Learned

Lesson 1 — npm

Use npm install, not npm ci

npm ci requires package-lock.json. If you don't commit it, use npm install everywhere — Dockerfiles, GitHub Actions, local.

Lesson 2 — Docker Alpine

Alpine has no wget or curl

node:20-alpine is minimal. Ne skip Dependabot bot PRs

Add if: github.actor != 'dependabot[bot]' to any job that needs write permission. Dependabot PRs have limited permissions.

Lesson 4 — YAML

Never use Unicode in YAML files

Box-drawing characters ╔══╗ break the YAML parser. Use only plain ASCII in .yml files. GitHub Actions will reject the file silently.

Lesson 5 — DNS

Check ALL DNS records (A + AAAA)

Multiple DNS records cause SSL verification to fail. Delete old Hostinger A and AAAA records. Keep only EC2 A record. Wait 10 min before certbot.

Lesson 6 — Git on Server

Always SSH clone, never HTTPS

HTTPS git needs credentials. SSH uses key pair. Generate ed25519 key on EC2, add public key to GitHub SSH Keys, then clone via SSH.

Lesson 7 — Docker Ports

Bind to 127.0.0.1, not 0.0.0.0

All container ports should bind to 127.0.0.1 (localhost only). Let Nginx be the only public entry point on 80/443.

Lesson 8 — .env Files

No spaces in .env key names

chmod 600 .env to protect it. Never commit .env to git. No spaces in key names. Format is always KEY=value.

Lesson 9 — PostgreSQL

Disable system PostgreSQL on Ubuntu

Ubuntu has PostgreSQL in apt that starts on port 5432. Disable it before Docker uses the same port: systemctl stop + disable postgresql.

Lesson 10 — Nginx

HTTP first, then SSL

Always get HTTP working first with sudo nginx -t. Then run Certbot — it auto-adds SSL config. Never add SSL config before certs exist.