Skip to main content

Inventory Management System Setup auf Debian Trixie

Datum: November 2025
OS: Debian 13 (Trixie)
Zweck: Production-ready Server für ItemP Inventory System

📋 Inhaltsverzeichnis

  1. Initial Server Setup
  2. Hostname & RDNS Konfiguration
  3. Docker CE Installation
  4. Docker Compose Installation
  5. Nginx Installation & 3-Phase Setup
    • Phase 1: Basis-Config (HTTP für Let's Encrypt)
    • Phase 2: Let's Encrypt Certificate
    • Phase 3: Production-Config (SSL + Optimierungen)
  6. SSL/TLS mit Certbot
  7. Firewall Konfiguration
  8. Docker Compose Production Setup
  9. Monitoring & Maintenance
  10. Troubleshooting
  11. Production Deployment Checklist

Initial Server Setup

1. System Update & Upgrade


# Update package lists
sudo apt update

# Upgrade packages
sudo apt upgrade -y

# Install essential tools
sudo apt install -y \
    curl \
    wget \
    git \
    vim \
    htop \
    net-tools \
    ufw \
    sudo \
    apt-transport-https \
    ca-certificates \
    gnupg \
    lsb-release \
    certbot \
    python3-certbot-nginx

2. Zeitzonen Konfiguration


# Set timezone to Europe/Berlin (oder nach Bedarf)
sudo timedatectl set-timezone Europe/Berlin

# Verify timezone
timedatectl

3. Create Non-Root User (Optional aber empfohlen)


# Create user 'deploy'
sudo useradd -m -s /bin/bash deploy

# Add to sudoers
sudo usermod -aG sudo deploy

# Setup SSH key (auf Client-Seite)
ssh-copy-id -i ~/.ssh/id_rsa.pub deploy@<server-ip>

# Test
ssh deploy@<server-ip>

Hostname & RDNS Konfiguration

1. Hostname Setzen


# Check current hostname
hostnamectl status

# Set new hostname (z.B. "itemp-production")
sudo hostnamectl set-hostname itemp-production

# Verify
hostnamectl status

# Also update /etc/hosts
sudo nano /etc/hosts

Inhalt von `/etc/hosts`:


127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
<your-public-ip> itemp-production

# Example:
# 192.168.1.100 itemp-production

2. RDNS (Reverse DNS) Konfiguration

WICHTIG: RDNS wird auf Seite des DNS-Providers konfiguriert, nicht auf dem Server!

Schritte beim Provider:

  1. Gehe zu deiner DNS-Verwaltung (z.B. Hoster-Panel)
  2. Finde "Reverse DNS" oder "PTR Records"
  3. Setze PTR-Record für deine IP:
    • IP: <deine-public-ip>
    • Hostname: itemp-production.yourdomain.com

Verify RDNS (nach 24h):


# Check reverse DNS
nslookup <your-public-ip>
# oder
dig -x <your-public-ip>

# Expected output:
# <your-public-ip>.in-addr.arpa. <ttl> IN PTR itemp-production.yourdomain.com.

Docker CE Installation

1. Refresh Package Base


# Update package lists
sudo apt update

2. Install Prerequisites


# Install required packages for HTTPS repository support
sudo apt install -y apt-transport-https ca-certificates curl gpg

3. Add Docker's GPG Repo Key


# Download and add Docker's GPG key
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker.gpg

4. Add Docker Repository


# Add official Docker repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/debian trixie stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Refresh package lists again
sudo apt update

5. Install Docker on Debian 13 (Trixie)


# Install Docker and related components
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

6. Verify Docker Installation


# Check if Docker service is active
sudo systemctl is-active docker

Docker Compose Installation

1. Install Docker Compose (Latest)


# Download latest version
sudo curl -L "https://github.com/docker/compose/releases/latest/download/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

# Make executable
sudo chmod +x /usr/local/bin/docker-compose

# Verify installation
docker-compose --version

2. Shell Completion (Optional)


# Bash completion
sudo curl \
  -L https://raw.githubusercontent.com/docker/compose/1.29.2/contrib/completion/bash/docker-compose \
  -o /etc/bash_completion.d/docker-compose

# Reload bash
source ~/.bashrc

Nginx Installation & Konfiguration

1. Nginx Installieren


# Install Nginx
sudo apt install -y nginx

# Start Nginx
sudo systemctl start nginx

# Enable on boot
sudo systemctl enable nginx

# Verify
sudo systemctl status nginx

# Check version
nginx -v

2. Phase 1: Basis-Nginx-Config (für Let's Encrypt)

⚠️ WICHTIG: Erst mit einfacher HTTP-Config starten, damit Let's Encrypt Zertifikat erstellen kann!

Schritt 1: Nginx Config erstellen


sudo nano /etc/nginx/sites-available/inventar

Inhalt einfügen (Basis-Config für Let's Encrypt):


server {
    listen 80;
    server_name Ihre.Domain.hier;

    # Notwendig für Certbot
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # Alle anderen Anfragen direkt auf HTTPS umleiten
    location / {
        return 301 https://$host$request_uri;
    }
}

Schritt 2: Config aktivieren & testen


# Enable site
sudo ln -s /etc/nginx/sites-available/inventar /etc/nginx/sites-enabled/

# Test nginx config
sudo nginx -t

# Restart Nginx
sudo systemctl restart nginx

# Verify running
sudo systemctl status nginx

SSL/TLS mit Certbot - Phase 2 & Phase 3

1. Phase 2: SSL Certificate mit Certbot erstellen

⚠️ WICHTIG: Die Basis-Nginx-Config (Phase 1) muss laufen!


# Certbot mit Nginx Plugin (wird automatisch Nginx aktualisieren)
sudo certbot --nginx -d Ihre.Domain.hier

# Certbot führt dann automatisch:
# 1. Certificate-Validierung durch (HTTP Challenge via Port 80)
# 2. Let's Encrypt Certificate Download
# 3. Nginx-Config automatisch anpassen (HTTP → HTTPS Redirect)

# Follow prompts:
# - Enter email for renewals
# - Accept Let's Encrypt Terms (Y)
# - Optional: Share email with EFF (Y/N)

# Verify certificate was created
sudo certbot certificates

3. Phase 3: Production Nginx-Config anpassen

Nach Certbot sind die Zertifikate da - jetzt anpassen & optimieren:


sudo nano /etc/nginx/sites-available/inventar

Production-Config (optimiert für ItemP):


# HTTP: ACME Challenge + Redirect to HTTPS
server {
    listen 80;
    server_name Ihre.Domain.hier;

    # ACME Challenge (Certbot)
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # Redirect everything else to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS: Main Application
server {
    listen 443 ssl;
    http2 on;
    server_name Ihre.Domain.hier;

    # SSL/TLS (Certbot-managed files)
    ssl_certificate /etc/letsencrypt/live/Ihre.Domain.hier/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/Ihre.Domain.hier/privkey.pem;

    # Security: HSTS (1 year)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Performance: gzip compression
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_min_length 1024;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;

    # Serve media files directly from host (user uploads)
    location /media/ {
        alias /opt/inventar/media/;
        try_files $uri =404;
        expires 1d;
        add_header Cache-Control "public";
        access_log off;
    }

    # Serve static files directly from host (MAXIMUM PERFORMANCE)
    location /static/ {
        alias /opt/inventar/static/;
        try_files $uri =404;
        expires 1y;
        add_header Cache-Control "public, immutable";
        access_log off;
    }

    # Reverse proxy for the app (frontend container at 127.0.0.1:8080)
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Keepalive and limits
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        client_max_body_size 70m;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
    }
}

Config testen & Nginx neustarten:


# Test the configuration
sudo nginx -t

# Reload Nginx with new config
sudo systemctl reload nginx

# Verify it's working
sudo systemctl status nginx

    # API Backend
    location /api/ {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        client_max_body_size 70m;
    }

    # Admin Panel
    location /admin/ {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        client_max_body_size 70m;
    }
}

4. Production-Config aktivieren & testen


# Test new nginx config
sudo nginx -t

# If OK, reload
sudo systemctl reload nginx

# Verify SSL certificate
echo | openssl s_client -servername Ihre.Domain.hier -connect Ihre.Domain.hier:443 2>/dev/null | openssl x509 -noout -dates

# Test HTTP Redirect to HTTPS
curl -I http://Ihre.Domain.hier
# Should show: HTTP/1.1 301 Moved Permanently
# Location: https://Ihre.Domain.hier/

# Test HTTPS
curl -I https://Ihre.Domain.hier
# Should show: HTTP/2 200

5. Certbot Auto-Renewal konfigurieren


# Enable auto-renewal timer
sudo systemctl enable certbot.timer

# Start timer
sudo systemctl start certbot.timer

# Check status
sudo systemctl status certbot.timer

# Test renewal (dry-run - kein echtes Renewal!)
sudo certbot renew --dry-run

# View renewal logs
sudo journalctl -u certbot.timer -f

Firewall Konfiguration

1. UFW (Uncomplicated Firewall) Setup


# Enable UFW
sudo ufw enable

# Allow SSH (IMPORTANT before enabling firewall!)
sudo ufw allow 22/tcp

# Allow HTTP
sudo ufw allow 80/tcp

# Allow HTTPS
sudo ufw allow 443/tcp

# Check status
sudo ufw status verbose

# List rules
sudo ufw show added

2. UFW Rules für Docker (Optional)


# If using Docker with custom ports:
sudo ufw allow 8000/tcp  # Backend API
sudo ufw allow 5432/tcp  # PostgreSQL (nur lokal!)

Docker Compose Production Setup

1. Docker Compose Datei erstellen

Datei: `/opt/itemp/docker-compose.prod.yml`


services:
  db:
    image: inventory-system-db-postgres:1.1
    container_name: inventory_db
    restart: unless-stopped
    env_file:
      - .env.production
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - inventory_network
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U inventory_user -d inventory_db"]
      interval: 10s
      timeout: 5s
      retries: 5
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
    command: >
      postgres
      -c shared_buffers=256MB
      -c max_connections=200
      -c effective_cache_size=1GB
      -c maintenance_work_mem=64MB

  backend:
    image: inventory-system-backend:1.1
    container_name: inventory_backend
    restart: unless-stopped
    env_file: 
      - .env.production
    depends_on:
      db:
        condition: service_healthy
    volumes:
      - ./media:/app/media
      - ./static:/app/static
    networks:
      - inventory_network
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"

  frontend:
    image: inventory-system-frontend:1.1
    container_name: inventory_frontend
    restart: unless-stopped
    depends_on:
      - backend
    ports:
      - "127.0.0.1:8080:80"
    networks:
      - inventory_network
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"

volumes:
  postgres_data:
    name: inventory_postgres_data

networks:
  inventory_network:
    driver: bridge

2. Environment Datei erstellen

Datei: `/opt/itemp/.env.production`


# Production environment variables - PostgreSQL Version
ENVIRONMENT=production
DEBUG=False

# Django Security & Configuration
SECRET_KEY=<GENERATE_STRONG_64_CHAR_KEY>
ALLOWED_HOSTS=Ihre.Domain.hier,<YOUR_IP>,localhost,127.0.0.1
DOMAIN=Ihre.Domain.hier
FRONTEND_URL=https://Ihre.Domain.hier

# Admin User
ADMIN_USERNAME=admin
ADMIN_EMAIL=admin@yourdomain.com
ADMIN_PASSWORD=<STRONG_PASSWORD>

# PostgreSQL 18 Database
POSTGRES_DB=inventory_db
POSTGRES_USER=inventory_user
POSTGRES_PASSWORD=<STRONG_DATABASE_PASSWORD>
POSTGRES_HOST=db
POSTGRES_PORT=5432

# Connection String
DATABASE_URL=postgresql://inventory_user:<STRONG_DATABASE_PASSWORD>@db:5432/inventory_db

# Django Security
CSRF_TRUSTED_ORIGINS=https://Ihre.Domain.hier
SESSION_COOKIE_SECURE=True
CSRF_COOKIE_SECURE=True

# SMTP Configuration
EMAIL_BACKEND=django.core.mail.backends.smtp.EmailBackend
EMAIL_HOST=smtp.yourdomain.com
EMAIL_PORT=587
EMAIL_USE_TLS=True
EMAIL_HOST_USER=noreply@yourdomain.com
EMAIL_HOST_PASSWORD=<SMTP_PASSWORD>
DEFAULT_FROM_EMAIL=noreply@yourdomain.com

3. Docker Compose starten


cd /opt/itemp

# Pull images
docker compose pull

# Start services
docker compose up -d

# Check status
docker compose ps

# View logs
docker compose logs -f

# Run migrations
docker compose exec backend python manage.py migrate

# Collect static files
docker compose exec backend python manage.py collectstatic --noinput

Monitoring & Maintenance

1. Log Monitoring


# Nginx access logs
sudo tail -f /var/log/nginx/itemp_access.log

# Nginx error logs
sudo tail -f /var/log/nginx/itemp_error.log

# Docker logs
docker compose logs -f

# Docker logs per service
docker compose logs -f backend
docker compose logs -f db

2. Disk Space Monitoring


# Check disk usage
df -h

# Check Docker usage
docker system df

# Clean up unused resources
docker system prune -a

3. Regular Maintenance


# Update system packages
sudo apt update && sudo apt upgrade -y

# Check for security updates
sudo apt list --upgradable

# Clean package cache
sudo apt autoclean
sudo apt autoremove

4. Certificate Expiry Monitoring


# Check certificate expiry
echo | openssl s_client -servername Ihre.Domain.hier -connect Ihre.Domain.hier:443 2>/dev/null | openssl x509 -noout -dates

# Certbot will send email alerts 30 days before expiry

📝 Troubleshooting

Problem: Nginx zeigt 502 Bad Gateway


# Check backend
curl http://localhost:8000

# Test Nginx config
sudo nginx -t

# Check Nginx logs
sudo tail -f /var/log/nginx/itemp_error.log

Problem: PostgreSQL startet nicht (Healthcheck failing)


# Check PostgreSQL logs
docker compose logs db

# Verify environment variables
docker compose config | grep POSTGRES

# Try restarting
docker compose down
docker compose up -d

Problem: Static/Media Files sind 404


# Verify Host Directories exist
ls -la /opt/itemp/static/
ls -la /opt/itemp/media/

# Check permissions
sudo chown -R 1000:1000 /opt/itemp/static/
sudo chown -R 1000:1000 /opt/itemp/media/

# Verify docker volume mounts
docker compose exec backend ls -la /app/static/

Letztes Update: 2. November 2025
Status: ✅ Production-Ready

🚀 Production Deployment Checklist

🔧 Nginx 3-Phase Setup (CRITICAL)

  • PHASE 1: Basis-Nginx mit HTTP (Port 80)
    • ☐ Nginx installiert
    • ☐ Basis-Config mit Domain erstellt (/etc/nginx/sites-available/inventar)
    • ☐ Config aktiviert: sudo ln -s sites-available/inventar sites-enabled/
    • ☐ Nginx lädt: sudo systemctl reload nginx
    • ☐ HTTP funktioniert: curl -I http://Ihre.Domain.hier
    • ☐ Firewall Port 80 & 443: sudo ufw allow 80/tcp; sudo ufw allow 443/tcp
  • PHASE 2: Let's Encrypt Certificate
    • ☐ Certbot installiert
    • ☐ Certificate erstellt: sudo certbot --nginx -d Ihre.Domain.hier
    • ☐ Certificate überprüft: sudo certbot certificates
    • ☐ Paths vorhanden: /etc/letsencrypt/live/Ihre.Domain.hier/
  • PHASE 3: Production Nginx Config
    • ☐ Alte Config gebackuped: sudo cp sites-available/inventar sites-available/inventar.bak
    • ☐ Production-Config eingefügt (mit SSL, Gzip, Security Headers)
    • ☐ Config testet: sudo nginx -t
    • ☐ Nginx reloaded: sudo systemctl reload nginx
    • ☐ HTTPS funktioniert: curl -I https://Ihre.Domain.hier
    • ☐ HTTP Redirect funktioniert: curl -I http://Ihre.Domain.hier
    • ☐ SSL Grade prüfen: https://www.ssllabs.com/ssltest/

Pre-Deployment (Host Setup)

  • ☐ Debian Trixi installed & fully updated
  • ☐ Hostname gesetzt (hostnamectl)
  • ☐ RDNS beim Provider konfiguriert
  • ☐ SSH-Zugang als non-root user konfiguriert
  • ☐ UFW Firewall aktiviert (Port 22, 80, 443)
  • ☐ Docker CE installiert (docker --version)
  • ☐ Docker Compose installiert (docker-compose --version)

Docker Setup

  • /opt/itemp/ Verzeichnis erstellt
  • docker-compose.prod.yml placiert
  • .env.production mit Secrets erstellt
  • .gitignore aktualisiert
  • ☐ Static/Media Verzeichnisse erstellt
  • ☐ Docker Permissions konfiguriert

Initial Deployment

  • ☐ Docker Images gepullt: docker compose pull
  • ☐ Docker Compose gestartet: docker compose up -d
  • ☐ Services laufen: docker compose ps
  • ☐ Django Migrations: docker compose exec backend python manage.py migrate
  • ☐ Static Files: docker compose exec backend python manage.py collectstatic --noinput
  • ☐ Superuser erstellt: docker compose exec backend python manage.py createsuperuser
  • ☐ Backend Health: curl http://127.0.0.1:8000/api/health/

Final Verification

  • ☐ Alle Services laufen stabil: docker compose ps
  • ☐ Logs zeigen keine Fehler: docker compose logs
  • ☐ Website erreichbar (HTTPS): https://Ihre.Domain.hier
  • ☐ HTTP redirected zu HTTPS
  • ☐ SSL Certificate valid: curl -I https://Ihre.Domain.hier
  • ☐ API funktioniert: curl https://Ihre.Domain.hier/api/books
  • ☐ Frontend responsive
  • ☐ Admin Login funktioniert
Back to top