Skip to main content

Inventory Management System Setup on Debian Trixie

Inventory Management System Setup on Debian Trixie

Date: November 2025
OS: Debian 13 (Trixie)
Purpose: Production-ready Server for Inventory Management System

📋 Table of Contents

  1. Initial Server Setup
  2. Hostname & RDNS Configuration
  3. Docker CE Installation
  4. Nginx Installation & 3-Phase Setup
    • Phase 1: Basic Config (HTTP for Let's Encrypt)
    • Phase 2: Let's Encrypt Certificate
    • Phase 3: Production Config (SSL + Optimizations)
  5. SSL/TLS with Certbot
  6. Firewall Configuration
  7. Docker Compose Production Setup
  8. Monitoring & Maintenance
  9. Troubleshooting
  10. Production Deployment Checklist

Initial Server Setup

1. System Update & Upgrade


# Update package lists
sudo apt update

# Upgrade packages
sudo apt upgrade -y

# Install essential tools
sudo apt install -y \
    curl \
    wget \
    git \
    vim \
    htop \
    net-tools \
    ufw \
    sudo \
    apt-transport-https \
    ca-certificates \
    gnupg \
    lsb-release \
    certbot \
    python3-certbot-nginx

2. Timezone Configuration


# Set timezone to Europe/Berlin (or as needed)
sudo timedatectl set-timezone Europe/Berlin

# Verify timezone
timedatectl

Problem: Backend Shows Errors


cd /opt/inventar

# Check logs
docker compose -f docker-compose.prod.yml logs -f backend

# Execute bash in backend for debugging
docker compose -f docker-compose.prod.yml exec backend bash

# Within container - check:
ls -la /app/
python manage.py shell
python manage.py check

Hostname & RDNS Configuration

1. Set Hostname


# Check current hostname
hostnamectl status

# Set new hostname (e.g. "inventory-production")
sudo hostnamectl set-hostname inventory-production

# Verify
hostnamectl status

# Also update /etc/hosts
sudo nano /etc/hosts

Content of `/etc/hosts`:


127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
<your-public-ip> inventory-production

# Example:
# 192.168.1.100 inventory-production

2. RDNS (Reverse DNS) Configuration

IMPORTANT: RDNS is configured on the DNS provider side, not on the server!

Steps at your provider:

  1. Go to your DNS management (e.g. hoster panel)
  2. Find "Reverse DNS" or "PTR Records"
  3. Set PTR record for your IP:
    • IP: <your-public-ip>
    • Hostname: inventory-production.yourdomain.com

Verify RDNS (after 24h):


# Check reverse DNS
nslookup <your-public-ip>
# or
dig -x <your-public-ip>

# Expected output:
# <your-public-ip>.in-addr.arpa. <ttl> IN PTR inventory-production.yourdomain.com.

Docker CE Installation

1. Add Docker's GPG Repo Key


# Download and add Docker's GPG key
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker.gpg

2. Add Docker Repository


# Add official Docker repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/debian trixie stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Refresh package lists again
sudo apt update

3. Install Docker on Debian 13 (Trixie)


# Install Docker and related components
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

4. Verify Docker Installation


# Check if Docker service is active
sudo systemctl is-active docker

Nginx Installation & Configuration

1. Install Nginx


# Install Nginx
sudo apt install -y nginx

# Start Nginx
sudo systemctl start nginx

# Enable on boot
sudo systemctl enable nginx

# Verify
sudo systemctl status nginx

# Check version
nginx -v

2. Phase 1: Basic Nginx Config (for Let's Encrypt)

⚠️ IMPORTANT: Start with a simple HTTP config first so Let's Encrypt can create the certificate!

Step 1: Create Nginx config


sudo nano /etc/nginx/sites-available/inventar

Insert content (Basic config for Let's Encrypt):


server {
    listen 80;
    server_name Your.Domain.here;

    # Required for Certbot
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # Redirect all other requests to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

Step 2: Enable config & test


# Enable site
sudo ln -s /etc/nginx/sites-available/inventar /etc/nginx/sites-enabled/

# Test nginx config
sudo nginx -t

# Restart Nginx
sudo systemctl restart nginx

# Verify running
sudo systemctl status nginx

SSL/TLS with Certbot - Phase 2 & Phase 3

1. Phase 2: Create SSL Certificate with Certbot

⚠️ IMPORTANT: The basic Nginx config (Phase 1) must be running!


# Certbot with Nginx plugin (will automatically update Nginx)
sudo certbot --nginx -d Your.Domain.here

# Certbot will then automatically:
# 1. Validate the certificate (HTTP Challenge via Port 80)
# 2. Download Let's Encrypt Certificate
# 3. Automatically update Nginx config (HTTP → HTTPS Redirect)

# Follow prompts:
# - Enter email for renewals
# - Accept Let's Encrypt Terms (Y)
# - Optional: Share email with EFF (Y/N)

# Verify certificate was created
sudo certbot certificates

3. Phase 3: Adjust Production Nginx Config

After Certbot, the certificates are in place - now adjust & optimize:


sudo nano /etc/nginx/sites-available/inventar

Production Config (optimized for Inventory System):


# HTTP: ACME Challenge + Redirect to HTTPS
server {
    listen 80;
    server_name Your.Domain.here;

    # ACME Challenge (Certbot)
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # Redirect everything else to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS: Main Application
server {
    listen 443 ssl;
    http2 on;
    server_name Your.Domain.here;

    # SSL/TLS (Certbot-managed files)
    ssl_certificate /etc/letsencrypt/live/Your.Domain.here/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/Your.Domain.here/privkey.pem;

    # Security: HSTS (1 year)
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Performance: gzip compression
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_min_length 1024;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;

    # Serve media files directly from host (user uploads)
    location /media/ {
        alias /opt/inventar/media/;
        try_files $uri =404;
        expires 1d;
        add_header Cache-Control "public";
        access_log off;
    }

    # Serve static files directly from host (MAXIMUM PERFORMANCE)
    location /static/ {
        alias /opt/inventar/static/;
        try_files $uri =404;
        expires 1y;
        add_header Cache-Control "public, immutable";
        access_log off;
    }

    # Reverse proxy for the app (frontend container at 127.0.0.1:8080)
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Keepalive and limits
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        client_max_body_size 70m;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
    }

    # API Backend
    location /api/ {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        client_max_body_size 70m;
    }

    # Admin Panel
    location /admin/ {
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        client_max_body_size 70m;
    }
}

Test config & restart Nginx:


# Test the configuration
sudo nginx -t

# Reload Nginx with new config
sudo systemctl reload nginx

# Verify it's working
sudo systemctl status nginx

4. Enable Production Config & Test


# Test new nginx config
sudo nginx -t

# If OK, reload
sudo systemctl reload nginx

# Verify SSL certificate
echo | openssl s_client -servername Your.Domain.here -connect Your.Domain.here:443 2>/dev/null | openssl x509 -noout -dates

# Test HTTP Redirect to HTTPS
curl -I http://Your.Domain.here
# Should show: HTTP/1.1 301 Moved Permanently
# Location: https://Your.Domain.here/

# Test HTTPS
curl -I https://Your.Domain.here
# Should show: HTTP/2 200

5. Configure Certbot Auto-Renewal


# Enable auto-renewal timer
sudo systemctl enable certbot.timer

# Start timer
sudo systemctl start certbot.timer

# Check status
sudo systemctl status certbot.timer

# Test renewal (dry-run - no actual renewal!)
sudo certbot renew --dry-run

# View renewal logs
sudo journalctl -u certbot.timer -f

Firewall Configuration

1. UFW (Uncomplicated Firewall) Setup

Only open these 4 ports - everything else remains blocked:


# Enable UFW
sudo ufw enable

# Allow SSH (IMPORTANT: BEFORE enabling firewall!)
sudo ufw allow 22/tcp

# Allow HTTP (for Let's Encrypt)
sudo ufw allow 80/tcp

# Allow HTTPS
sudo ufw allow 443/tcp

# Allow SMTP (outbound email)
sudo ufw allow 587/tcp

# Verify all rules
sudo ufw status verbose

# Show added rules only
sudo ufw show added

⚠️ IMPORTANT: Only these 4 ports are allowed. All others (5432, 8000, etc.) remain blocked!

Docker Compose Production Setup

0. Create Directory Structure

Create the required directory structure with correct permissions:


# Create main application directory
sudo mkdir -p /opt/inventar

# Create subdirectories for static and media files
sudo mkdir -p /opt/inventar/static
sudo mkdir -p /opt/inventar/media

# Set permissions (www-data for web content, docker user for app files)
sudo chmod 777 /opt/inventar
sudo chown root:www-data /opt/inventar/static
sudo chown root:www-data /opt/inventar/media
sudo chmod 755 /opt/inventar/static
sudo chmod 755 /opt/inventar/media

# Verify structure
ls -la /opt/inventar/

Expected result:


root@inv:/opt/inventar# ls -l
total 0
drwxr-xr-x  2 root www-data  4096 Nov  2 12:00 static
drwxr-xr-x  2 root www-data  4096 Nov  2 12:00 media

1. Create Docker Compose File

File: `/opt/inventar/docker-compose.prod.yml`


services:
  db:
    image: inventory-system-db-postgres:1.1
    container_name: inventory_db
    restart: unless-stopped
    env_file:
      - .env.production
    volumes:
      - postgres_data:/var/lib/postgresql/data
    networks:
      - inventory_network
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U inventory_user -d inventory_db"]
      interval: 10s
      timeout: 5s
      retries: 5
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
    command: >
      postgres
      -c shared_buffers=256MB
      -c max_connections=200
      -c effective_cache_size=1GB
      -c maintenance_work_mem=64MB

  backend:
    image: inventory-system-backend:1.1
    container_name: inventory_backend
    restart: unless-stopped
    env_file: 
      - .env.production
    depends_on:
      db:
        condition: service_healthy
    volumes:
      - ./media:/app/media
      - ./static:/app/static
    networks:
      - inventory_network
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"

  frontend:
    image: inventory-system-frontend:1.1
    container_name: inventory_frontend
    restart: unless-stopped
    depends_on:
      - backend
    ports:
      - "127.0.0.1:8080:80"
    networks:
      - inventory_network
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"

volumes:
  postgres_data:
    name: inventory_postgres_data

networks:
  inventory_network:
    driver: bridge

2. Load Docker Images

The Docker images must be loaded into Docker before Docker Compose is started:

⚠️ IMPORTANT: Docker Images Download on Request!
The Docker images (backend.tar, db-postgres.tar, redis.tar, frontend.tar) are provided on request. You must upload them to the `/opt/inventar/` directory before executing the following commands.


cd /opt/inventar

# Load Docker images from tar files
docker load < backend.tar
docker load < db-postgres.tar
docker load < redis.tar
docker load < frontend.tar

# Verify images were loaded
docker images | grep inventory-system

3. Create Environment File

File: `/opt/inventar/.env.production`

⚠️ IMPORTANT - Email Configuration:
The system supports two email modes:

  • SMTP (Production): Real emails via SMTP server (if valid credentials are provided)
  • Console (Fallback): Emails are logged to console output (if credentials are empty/invalid)

If you DON'T need email configuration:
Simply omit the SMTP lines or leave them empty. The frontend will show a warning and password reset will be disabled. You can configure email later anytime in the Admin Interface!


# Production environment variables - PostgreSQL Version
ENVIRONMENT=production
DEBUG=False

# Django Security & Configuration
SECRET_KEY=<GENERATE_STRONG_64_CHAR_KEY>
ALLOWED_HOSTS=Your.Domain.here,<YOUR_IP>,localhost,127.0.0.1
DOMAIN=Your.Domain.here
FRONTEND_URL=https://Your.Domain.here

# Admin User
ADMIN_USERNAME=admin
ADMIN_EMAIL=admin@yourdomain.com
ADMIN_PASSWORD=<STRONG_PASSWORD>

# PostgreSQL 18 Database
POSTGRES_DB=inventory_db
POSTGRES_USER=inventory_user
POSTGRES_PASSWORD=<STRONG_DATABASE_PASSWORD>
POSTGRES_HOST=db
POSTGRES_PORT=5432

# Connection String
DATABASE_URL=postgresql://inventory_user:<STRONG_DATABASE_PASSWORD>@db:5432/inventory_db

# SMTP Configuration (OPTIONAL - leave empty if not needed)
# System automatically falls back to console backend if empty
EMAIL_BACKEND=django.core.mail.backends.smtp.EmailBackend
EMAIL_HOST=smtp.yourdomain.com
EMAIL_PORT=587
EMAIL_USE_TLS=True
EMAIL_HOST_USER=noreply@yourdomain.com
EMAIL_HOST_PASSWORD=<SMTP_PASSWORD>
DEFAULT_FROM_EMAIL=noreply@yourdomain.com

4. Start Docker Compose


cd /opt/inventar

# Start services (images already loaded via docker load)
docker compose -f docker-compose.prod.yml up -d

# Check status
docker compose -f docker-compose.prod.yml ps

# View logs (all services)
docker compose -f docker-compose.prod.yml logs -f

# View logs per service
docker compose -f docker-compose.prod.yml logs -f frontend
docker compose -f docker-compose.prod.yml logs -f backend
docker compose -f docker-compose.prod.yml logs -f db

# Execute bash in backend container (for debugging)
docker compose -f docker-compose.prod.yml exec backend bash

# Collect static files (only if not done automatically)
docker compose -f docker-compose.prod.yml exec backend python manage.py collectstatic --noinput

Monitoring & Maintenance

1. Log Monitoring


# Nginx access logs
sudo tail -f /var/log/nginx/itemp_access.log

# Nginx error logs
sudo tail -f /var/log/nginx/itemp_error.log

# Docker logs (all services)
cd /opt/inventar
docker compose -f docker-compose.prod.yml logs -f

# Docker logs per service
docker compose -f docker-compose.prod.yml logs -f backend
docker compose -f docker-compose.prod.yml logs -f frontend
docker compose -f docker-compose.prod.yml logs -f db

2. Disk Space Monitoring


# Check disk usage
df -h

# Check Docker usage
docker system df

# Clean up unused resources
docker system prune -a

3. Regular Maintenance


# Update system packages
sudo apt update && sudo apt upgrade -y

# Check for security updates
sudo apt list --upgradable

# Clean package cache
sudo apt autoclean
sudo apt autoremove

4. Certificate Expiry Monitoring


# Check certificate expiry
echo | openssl s_client -servername Your.Domain.here -connect Your.Domain.here:443 2>/dev/null | openssl x509 -noout -dates

# Certbot will send email alerts 30 days before expiry

📝 Troubleshooting

Problem: Nginx shows 502 Bad Gateway


# Check backend
curl http://localhost:8000

# Test Nginx config
sudo nginx -t

# Check Nginx logs
sudo tail -f /var/log/nginx/itemp_error.log

Problem: PostgreSQL does not start (Healthcheck failing)


# Check PostgreSQL logs
cd /opt/inventar
docker compose -f docker-compose.prod.yml logs db

# Verify environment variables
docker compose -f docker-compose.prod.yml config | grep POSTGRES

# Try restarting
docker compose -f docker-compose.prod.yml down
docker compose -f docker-compose.prod.yml up -d

Problem: Static/Media Files return 404


# Verify Host Directories exist
ls -la /opt/inventar/static/
ls -la /opt/inventar/media/

# Check permissions
sudo chown -R 1000:1000 /opt/inventar/static/
sudo chown -R 1000:1000 /opt/inventar/media/

# Verify docker volume mounts
cd /opt/inventar
docker compose -f docker-compose.prod.yml exec backend ls -la /app/static/

Last Update: November 2, 2025
Status: ✅ Production-Ready

🚀 Production Deployment Checklist

🔧 Nginx 3-Phase Setup (CRITICAL)

  • PHASE 1: Basic Nginx with HTTP (Port 80)
    • ☐ Nginx installed
    • ☐ Basic config with domain created (/etc/nginx/sites-available/inventar)
    • ☐ Config enabled: sudo ln -s sites-available/inventar sites-enabled/
    • ☐ Nginx reloaded: sudo systemctl reload nginx
    • ☐ HTTP working: curl -I http://Your.Domain.here
    • ☐ Firewall ports 80 & 443: sudo ufw allow 80/tcp; sudo ufw allow 443/tcp
  • PHASE 2: Let's Encrypt Certificate
    • ☐ Certbot installed
    • ☐ Certificate created: sudo certbot --nginx -d Your.Domain.here
    • ☐ Certificate verified: sudo certbot certificates
    • ☐ Paths present: /etc/letsencrypt/live/Your.Domain.here/
  • PHASE 3: Production Nginx Config
    • ☐ Old config backed up: sudo cp sites-available/inventar sites-available/inventar.bak
    • ☐ Production config inserted (with SSL, Gzip, Security Headers)
    • ☐ Config tested: sudo nginx -t
    • ☐ Nginx reloaded: sudo systemctl reload nginx
    • ☐ HTTPS working: curl -I https://Your.Domain.here
    • ☐ HTTP redirect working: curl -I http://Your.Domain.here
    • ☐ SSL grade check: https://www.ssllabs.com/ssltest/

Pre-Deployment (Host Setup)

  • ☐ Debian Trixie installed & fully updated
  • ☐ Hostname set (hostnamectl)
  • ☐ RDNS configured at provider
  • ☐ SSH access configured for non-root user
  • ☐ UFW Firewall enabled (Ports 22, 80, 443)
  • ☐ Docker CE installed (docker --version)
  • ☐ Docker Compose installed (docker-compose --version)

Docker Setup

  • /opt/inventar/ directory created
  • docker-compose.prod.yml placed
  • .env.production created with secrets
  • .gitignore updated
  • ☐ Static/Media directories created
  • ☐ Docker permissions configured

Initial Deployment

  • ☐ Docker images loaded: docker load < *.tar
  • ☐ Docker Compose started: docker compose -f docker-compose.prod.yml up -d
  • ☐ Services running: docker compose -f docker-compose.prod.yml ps
  • ☐ Static files collected: docker compose -f docker-compose.prod.yml exec backend python manage.py collectstatic --noinput
  • ☐ Backend health check: curl http://127.0.0.1:8000/api/health/

Final Verification

  • ☐ All services running stably: docker compose -f docker-compose.prod.yml ps
  • ☐ Logs show no errors: docker compose -f docker-compose.prod.yml logs
  • ☐ Website accessible (HTTPS): https://Your.Domain.here
  • ☐ HTTP redirects to HTTPS
  • ☐ SSL Certificate valid: curl -I https://Your.Domain.here
  • ☐ API working: curl https://Your.Domain.here/api/books
  • ☐ Frontend responsive
  • ☐ Admin login working

📌 Important Notice

Docker Images Download on Request:

The Docker container images (backend.tar, db-postgres.tar, redis.tar, frontend.tar) are required for operating the Inventory Management System. These images are provided on request and must be uploaded to the `/opt/inventar/` directory before starting the system.

Please contact support or your administrator to obtain the necessary images.

Back to top