Inventory Management System Setup auf Debian Trixie
Datum: November 2025
OS: Debian 13 (Trixie)
Zweck: Production-ready Server für ItemP Inventory System
📋 Inhaltsverzeichnis
- Initial Server Setup
- Hostname & RDNS Konfiguration
- Docker CE Installation
- Nginx Installation & 3-Phase Setup
- Phase 1: Basis-Config (HTTP für Let's Encrypt)
- Phase 2: Let's Encrypt Certificate
- Phase 3: Production-Config (SSL + Optimierungen)
- SSL/TLS mit Certbot
- Firewall Konfiguration
- Docker Compose Production Setup
- Monitoring & Maintenance
- Troubleshooting
- Production Deployment Checklist
Initial Server Setup
1. System Update & Upgrade
# Update package lists
sudo apt update
# Upgrade packages
sudo apt upgrade -y
# Install essential tools
sudo apt install -y \
curl \
wget \
git \
vim \
htop \
net-tools \
ufw \
sudo \
apt-transport-https \
ca-certificates \
gnupg \
lsb-release \
certbot \
python3-certbot-nginx
2. Zeitzonen Konfiguration
# Set timezone to Europe/Berlin (oder nach Bedarf)
sudo timedatectl set-timezone Europe/Berlin
# Verify timezone
timedatectl
Problem: Backend zeigt Errors
cd /opt/inventar
# Check logs
docker compose -f docker-compose.prod.yml logs -f backend
# Execute bash in backend for debugging
docker compose -f docker-compose.prod.yml exec backend bash
# Within container - check:
ls -la /app/
python manage.py shell
python manage.py check
Hostname & RDNS Konfiguration
1. Hostname Setzen
# Check current hostname
hostnamectl status
# Set new hostname (z.B. "itemp-production")
sudo hostnamectl set-hostname itemp-production
# Verify
hostnamectl status
# Also update /etc/hosts
sudo nano /etc/hosts
Inhalt von `/etc/hosts`:
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
<your-public-ip> itemp-production
# Example:
# 192.168.1.100 itemp-production
2. RDNS (Reverse DNS) Konfiguration
WICHTIG: RDNS wird auf Seite des DNS-Providers konfiguriert, nicht auf dem Server!
Schritte beim Provider:
- Gehe zu deiner DNS-Verwaltung (z.B. Hoster-Panel)
- Finde "Reverse DNS" oder "PTR Records"
- Setze PTR-Record für deine IP:
- IP:
<deine-public-ip> - Hostname:
itemp-production.yourdomain.com
- IP:
Verify RDNS (nach 24h):
# Check reverse DNS
nslookup <your-public-ip>
# oder
dig -x <your-public-ip>
# Expected output:
# <your-public-ip>.in-addr.arpa. <ttl> IN PTR itemp-production.yourdomain.com.
Docker CE Installation
1. Add Docker's GPG Repo Key
# Download and add Docker's GPG key
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker.gpg
2. Add Docker Repository
# Add official Docker repository
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/debian trixie stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Refresh package lists again
sudo apt update
3. Install Docker on Debian 13 (Trixie)
# Install Docker and related components
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
4. Verify Docker Installation
# Check if Docker service is active
sudo systemctl is-active docker
Nginx Installation & Konfiguration
1. Nginx Installieren
# Install Nginx
sudo apt install -y nginx
# Start Nginx
sudo systemctl start nginx
# Enable on boot
sudo systemctl enable nginx
# Verify
sudo systemctl status nginx
# Check version
nginx -v
2. Phase 1: Basis-Nginx-Config (für Let's Encrypt)
⚠️ WICHTIG: Erst mit einfacher HTTP-Config starten, damit Let's Encrypt Zertifikat erstellen kann!
Schritt 1: Nginx Config erstellen
sudo nano /etc/nginx/sites-available/inventar
Inhalt einfügen (Basis-Config für Let's Encrypt):
server {
listen 80;
server_name Ihre.Domain.hier;
# Notwendig für Certbot
location /.well-known/acme-challenge/ {
root /var/www/html;
}
# Alle anderen Anfragen direkt auf HTTPS umleiten
location / {
return 301 https://$host$request_uri;
}
}
Schritt 2: Config aktivieren & testen
# Enable site
sudo ln -s /etc/nginx/sites-available/inventar /etc/nginx/sites-enabled/
# Test nginx config
sudo nginx -t
# Restart Nginx
sudo systemctl restart nginx
# Verify running
sudo systemctl status nginx
SSL/TLS mit Certbot - Phase 2 & Phase 3
1. Phase 2: SSL Certificate mit Certbot erstellen
⚠️ WICHTIG: Die Basis-Nginx-Config (Phase 1) muss laufen!
# Certbot mit Nginx Plugin (wird automatisch Nginx aktualisieren)
sudo certbot --nginx -d Ihre.Domain.hier
# Certbot führt dann automatisch:
# 1. Certificate-Validierung durch (HTTP Challenge via Port 80)
# 2. Let's Encrypt Certificate Download
# 3. Nginx-Config automatisch anpassen (HTTP → HTTPS Redirect)
# Follow prompts:
# - Enter email for renewals
# - Accept Let's Encrypt Terms (Y)
# - Optional: Share email with EFF (Y/N)
# Verify certificate was created
sudo certbot certificates
3. Phase 3: Production Nginx-Config anpassen
Nach Certbot sind die Zertifikate da - jetzt anpassen & optimieren:
sudo nano /etc/nginx/sites-available/inventar
Production-Config (optimiert für ItemP):
# HTTP: ACME Challenge + Redirect to HTTPS
server {
listen 80;
server_name Ihre.Domain.hier;
# ACME Challenge (Certbot)
location /.well-known/acme-challenge/ {
root /var/www/html;
}
# Redirect everything else to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# HTTPS: Main Application
server {
listen 443 ssl;
http2 on;
server_name Ihre.Domain.hier;
# SSL/TLS (Certbot-managed files)
ssl_certificate /etc/letsencrypt/live/Ihre.Domain.hier/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/Ihre.Domain.hier/privkey.pem;
# Security: HSTS (1 year)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Performance: gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_min_length 1024;
gzip_comp_level 6;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
# Serve media files directly from host (user uploads)
location /media/ {
alias /opt/inventar/media/;
try_files $uri =404;
expires 1d;
add_header Cache-Control "public";
access_log off;
}
# Serve static files directly from host (MAXIMUM PERFORMANCE)
location /static/ {
alias /opt/inventar/static/;
try_files $uri =404;
expires 1y;
add_header Cache-Control "public, immutable";
access_log off;
}
# Reverse proxy for the app (frontend container at 127.0.0.1:8080)
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# Keepalive and limits
proxy_http_version 1.1;
proxy_set_header Connection "";
client_max_body_size 70m;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
}
}
Config testen & Nginx neustarten:
# Test the configuration
sudo nginx -t
# Reload Nginx with new config
sudo systemctl reload nginx
# Verify it's working
sudo systemctl status nginx
# API Backend
location /api/ {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Connection "";
client_max_body_size 70m;
}
# Admin Panel
location /admin/ {
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Connection "";
client_max_body_size 70m;
}
}
4. Production-Config aktivieren & testen
# Test new nginx config
sudo nginx -t
# If OK, reload
sudo systemctl reload nginx
# Verify SSL certificate
echo | openssl s_client -servername Ihre.Domain.hier -connect Ihre.Domain.hier:443 2>/dev/null | openssl x509 -noout -dates
# Test HTTP Redirect to HTTPS
curl -I http://Ihre.Domain.hier
# Should show: HTTP/1.1 301 Moved Permanently
# Location: https://Ihre.Domain.hier/
# Test HTTPS
curl -I https://Ihre.Domain.hier
# Should show: HTTP/2 200
5. Certbot Auto-Renewal konfigurieren
# Enable auto-renewal timer
sudo systemctl enable certbot.timer
# Start timer
sudo systemctl start certbot.timer
# Check status
sudo systemctl status certbot.timer
# Test renewal (dry-run - kein echtes Renewal!)
sudo certbot renew --dry-run
# View renewal logs
sudo journalctl -u certbot.timer -f
Firewall Konfiguration
1. UFW (Uncomplicated Firewall) Setup
Nur diese 4 Ports öffnen - alles andere bleibt blockiert:
# Enable UFW
sudo ufw enable
# Allow SSH (WICHTIG: VOR dem Firewall Enable!)
sudo ufw allow 22/tcp
# Allow HTTP (für Let's Encrypt)
sudo ufw allow 80/tcp
# Allow HTTPS
sudo ufw allow 443/tcp
# Allow SMTP (E-Mail nach außen)
sudo ufw allow 587/tcp
# Verify all rules
sudo ufw status verbose
# Show added rules only
sudo ufw show added
⚠️ WICHTIG: Nur diese 4 Ports sind erlaubt. Alle anderen (5432, 8000, etc.) sind blocked!
Docker Compose Production Setup
0. Verzeichnis-Struktur erstellen
Erstelle die erforderliche Verzeichnisstruktur mit den korrekten Rechten:
# Create main application directory
sudo mkdir -p /opt/inventar
# Create subdirectories for static and media files
sudo mkdir -p /opt/inventar/static
sudo mkdir -p /opt/inventar/media
# Set permissions (www-data for web content, docker user for app files)
sudo chmod 777 /opt/inventar
sudo chown root:www-data /opt/inventar/static
sudo chown root:www-data /opt/inventar/media
sudo chmod 755 /opt/inventar/static
sudo chmod 755 /opt/inventar/media
# Verify structure
ls -la /opt/inventar/
Erwartetes Ergebnis:
root@inv:/opt/inventar# ls -l
total 0
drwxr-xr-x 2 root www-data 4096 Nov 2 12:00 static
drwxr-xr-x 2 root www-data 4096 Nov 2 12:00 media
1. Docker Compose Datei erstellen
Datei: `/opt/inventar/docker-compose.prod.yml`
services:
db:
image: inventory-system-db-postgres:1.1
container_name: inventory_db
restart: unless-stopped
env_file:
- .env.production
volumes:
- postgres_data:/var/lib/postgresql/data
networks:
- inventory_network
healthcheck:
test: ["CMD-SHELL", "pg_isready -U inventory_user -d inventory_db"]
interval: 10s
timeout: 5s
retries: 5
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "3"
command: >
postgres
-c shared_buffers=256MB
-c max_connections=200
-c effective_cache_size=1GB
-c maintenance_work_mem=64MB
backend:
image: inventory-system-backend:1.1
container_name: inventory_backend
restart: unless-stopped
env_file:
- .env.production
depends_on:
db:
condition: service_healthy
volumes:
- ./media:/app/media
- ./static:/app/static
networks:
- inventory_network
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "3"
frontend:
image: inventory-system-frontend:1.1
container_name: inventory_frontend
restart: unless-stopped
depends_on:
- backend
ports:
- "127.0.0.1:8080:80"
networks:
- inventory_network
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "3"
volumes:
postgres_data:
name: inventory_postgres_data
networks:
inventory_network:
driver: bridge
2. Load Docker Images
Die Docker Images müssen erst in Docker geladen werden, bevor Docker Compose gestartet wird:
⚠️ WICHTIG: Docker Images Download auf Anfrage!
Die Docker Images (backend.tar, db-postgres.tar, redis.tar, frontend.tar) werden auf Anfrage bereitgestellt. Diese müssen Sie in das Verzeichnis `/opt/inventar/` hochladen, bevor Sie die folgenden Befehle ausführen.
cd /opt/inventar
# Load Docker images from tar files
docker load < backend.tar
docker load < db-postgres.tar
docker load < redis.tar
docker load < frontend.tar
# Verify images were loaded
docker images | grep inventory-system
3. Environment Datei erstellen
Datei: `/opt/inventar/.env.production`
# Production environment variables - PostgreSQL Version
ENVIRONMENT=production
DEBUG=False
# Django Security & Configuration
SECRET_KEY=<GENERATE_STRONG_64_CHAR_KEY>
ALLOWED_HOSTS=Ihre.Domain.hier,<YOUR_IP>,localhost,127.0.0.1
DOMAIN=Ihre.Domain.hier
FRONTEND_URL=https://Ihre.Domain.hier
# Admin User
ADMIN_USERNAME=admin
ADMIN_EMAIL=admin@yourdomain.com
ADMIN_PASSWORD=<STRONG_PASSWORD>
# PostgreSQL 18 Database
POSTGRES_DB=inventory_db
POSTGRES_USER=inventory_user
POSTGRES_PASSWORD=<STRONG_DATABASE_PASSWORD>
POSTGRES_HOST=db
POSTGRES_PORT=5432
# Connection String
DATABASE_URL=postgresql://inventory_user:<STRONG_DATABASE_PASSWORD>@db:5432/inventory_db
# SMTP Configuration
EMAIL_BACKEND=django.core.mail.backends.smtp.EmailBackend
EMAIL_HOST=smtp.yourdomain.com
EMAIL_PORT=587
EMAIL_USE_TLS=True
EMAIL_HOST_USER=noreply@yourdomain.com
EMAIL_HOST_PASSWORD=<SMTP_PASSWORD>
DEFAULT_FROM_EMAIL=noreply@yourdomain.com
4. Docker Compose starten
cd /opt/inventar
# Start services (images already loaded via docker load)
docker compose -f docker-compose.prod.yml up -d
# Check status
docker compose -f docker-compose.prod.yml ps
# View logs (all services)
docker compose -f docker-compose.prod.yml logs -f
# View logs per service
docker compose -f docker-compose.prod.yml logs -f frontend
docker compose -f docker-compose.prod.yml logs -f backend
docker compose -f docker-compose.prod.yml logs -f db
# Execute bash in backend container (for debugging)
docker compose -f docker-compose.prod.yml exec backend bash
# Collect static files (nur falls nicht automatisch gemacht)
docker compose -f docker-compose.prod.yml exec backend python manage.py collectstatic --noinput
Monitoring & Maintenance
1. Log Monitoring
# Nginx access logs
sudo tail -f /var/log/nginx/itemp_access.log
# Nginx error logs
sudo tail -f /var/log/nginx/itemp_error.log
# Docker logs (all services)
cd /opt/inventar
docker compose -f docker-compose.prod.yml logs -f
# Docker logs per service
docker compose -f docker-compose.prod.yml logs -f backend
docker compose -f docker-compose.prod.yml logs -f frontend
docker compose -f docker-compose.prod.yml logs -f db
2. Disk Space Monitoring
# Check disk usage
df -h
# Check Docker usage
docker system df
# Clean up unused resources
docker system prune -a
3. Regular Maintenance
# Update system packages
sudo apt update && sudo apt upgrade -y
# Check for security updates
sudo apt list --upgradable
# Clean package cache
sudo apt autoclean
sudo apt autoremove
4. Certificate Expiry Monitoring
# Check certificate expiry
echo | openssl s_client -servername Ihre.Domain.hier -connect Ihre.Domain.hier:443 2>/dev/null | openssl x509 -noout -dates
# Certbot will send email alerts 30 days before expiry
📝 Troubleshooting
Problem: Nginx zeigt 502 Bad Gateway
# Check backend
curl http://localhost:8000
# Test Nginx config
sudo nginx -t
# Check Nginx logs
sudo tail -f /var/log/nginx/itemp_error.log
Problem: PostgreSQL startet nicht (Healthcheck failing)
# Check PostgreSQL logs
cd /opt/inventar
docker compose -f docker-compose.prod.yml logs db
# Verify environment variables
docker compose -f docker-compose.prod.yml config | grep POSTGRES
# Try restarting
docker compose -f docker-compose.prod.yml down
docker compose -f docker-compose.prod.yml up -d
Problem: Static/Media Files sind 404
# Verify Host Directories exist
ls -la /opt/inventar/static/
ls -la /opt/inventar/media/
# Check permissions
sudo chown -R 1000:1000 /opt/inventar/static/
sudo chown -R 1000:1000 /opt/inventar/media/
# Verify docker volume mounts
cd /opt/inventar
docker compose -f docker-compose.prod.yml exec backend ls -la /app/static/
Letztes Update: 2. November 2025
Status: ✅ Production-Ready
🚀 Production Deployment Checklist
🔧 Nginx 3-Phase Setup (CRITICAL)
- ☐ PHASE 1: Basis-Nginx mit HTTP (Port 80)
- ☐ Nginx installiert
- ☐ Basis-Config mit Domain erstellt (
/etc/nginx/sites-available/inventar) - ☐ Config aktiviert:
sudo ln -s sites-available/inventar sites-enabled/ - ☐ Nginx lädt:
sudo systemctl reload nginx - ☐ HTTP funktioniert:
curl -I http://Ihre.Domain.hier - ☐ Firewall Port 80 & 443:
sudo ufw allow 80/tcp; sudo ufw allow 443/tcp
- ☐ PHASE 2: Let's Encrypt Certificate
- ☐ Certbot installiert
- ☐ Certificate erstellt:
sudo certbot --nginx -d Ihre.Domain.hier - ☐ Certificate überprüft:
sudo certbot certificates - ☐ Paths vorhanden:
/etc/letsencrypt/live/Ihre.Domain.hier/
- ☐ PHASE 3: Production Nginx Config
- ☐ Alte Config gebackuped:
sudo cp sites-available/inventar sites-available/inventar.bak - ☐ Production-Config eingefügt (mit SSL, Gzip, Security Headers)
- ☐ Config testet:
sudo nginx -t - ☐ Nginx reloaded:
sudo systemctl reload nginx - ☐ HTTPS funktioniert:
curl -I https://Ihre.Domain.hier - ☐ HTTP Redirect funktioniert:
curl -I http://Ihre.Domain.hier - ☐ SSL Grade prüfen: https://www.ssllabs.com/ssltest/
- ☐ Alte Config gebackuped:
Pre-Deployment (Host Setup)
- ☐ Debian Trixi installed & fully updated
- ☐ Hostname gesetzt (
hostnamectl) - ☐ RDNS beim Provider konfiguriert
- ☐ SSH-Zugang als non-root user konfiguriert
- ☐ UFW Firewall aktiviert (Port 22, 80, 443)
- ☐ Docker CE installiert (
docker --version) - ☐ Docker Compose installiert (
docker-compose --version)
Docker Setup
- ☐
/opt/inventar/Verzeichnis erstellt - ☐
docker-compose.prod.ymlplaciert - ☐
.env.productionmit Secrets erstellt - ☐
.gitignoreaktualisiert - ☐ Static/Media Verzeichnisse erstellt
- ☐ Docker Permissions konfiguriert
Initial Deployment
- ☐ Docker Images gepullt:
docker compose pull - ☐ Docker Compose gestartet:
docker compose up -d - ☐ Services laufen:
docker compose ps - ☐ Django Migrations:
docker compose exec backend python manage.py migrate - ☐ Static Files:
docker compose exec backend python manage.py collectstatic --noinput - ☐ Superuser erstellt:
docker compose exec backend python manage.py createsuperuser - ☐ Backend Health:
curl http://127.0.0.1:8000/api/health/
Final Verification
- ☐ Alle Services laufen stabil:
docker compose ps - ☐ Logs zeigen keine Fehler:
docker compose logs - ☐ Website erreichbar (HTTPS):
https://Ihre.Domain.hier - ☐ HTTP redirected zu HTTPS
- ☐ SSL Certificate valid:
curl -I https://Ihre.Domain.hier - ☐ API funktioniert:
curl https://Ihre.Domain.hier/api/books - ☐ Frontend responsive
- ☐ Admin Login funktioniert
📌 Wichtiger Hinweis
Docker Images Download auf Anfrage:
Die Docker Container Images (backend.tar, db-postgres.tar, redis.tar, frontend.tar) sind notwendig für die Inbetriebnahme des Inventory Management Systems. Diese Images werden auf Anfrage bereitgestellt und müssen vor dem Start des Systems in das Verzeichnis `/opt/inventar/` hochgeladen werden.
Bitte kontaktieren Sie den Support oder den Administrator, um die notwendigen Images zu erhalten.