Inventory Management System Setup on Debian Trixie
Inventory Management System Setup on Debian Trixie
Date: November 2025
OS: Debian 13 (Trixie)
Purpose: Production-ready Server for Inventory Management System
π Table of Contents
- Initial Server Setup
- Hostname & RDNS Configuration
- Docker CE Installation
- Nginx Installation & 3-Phase Setup
- Phase 1: Basic Config (HTTP for Let's Encrypt)
- Phase 2: Let's Encrypt Certificate
- Phase 3: Production Config (SSL + Optimizations)
- SSL/TLS with Certbot
- Firewall Configuration
- Docker Compose Production Setup
- Monitoring & Maintenance
- Django Management Commands
- Troubleshooting
- Production Deployment Checklist
Initial Server Setup
1. System Update & Upgrade
# Update package lists
sudo apt update
# Upgrade packages
sudo apt upgrade -y
# Install essential tools
sudo apt install -y \
curl \
wget \
git \
vim \
htop \
net-tools \
ufw \
sudo \
apt-transport-https \
ca-certificates \
gnupg \
lsb-release \
certbot \
python3-certbot-nginx
2. Timezone Configuration
# Set timezone to Europe/Berlin (or as needed)
sudo timedatectl set-timezone Europe/Berlin
# Verify timezone
timedatectl
Hostname & RDNS Configuration
1. Set Hostname
# Check current hostname
hostnamectl status
# Set new hostname (e.g. "inventory-production")
sudo hostnamectl set-hostname inventory-production
# Verify
hostnamectl status
# Also update /etc/hosts
sudo nano /etc/hosts
Content of `/etc/hosts`:
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
<your-public-ip> inventory-production
# Example:
# 192.168.1.100 inventory-production
2. RDNS (Reverse DNS) Configuration
IMPORTANT: RDNS is configured on the DNS provider side, not on the server!
Steps at your provider:
- Go to your DNS management (e.g. hoster panel)
- Find "Reverse DNS" or "PTR Records"
- Set PTR record for your IP:
- IP:
<your-public-ip> - Hostname:
inventory-production.yourdomain.com
- IP:
Verify RDNS (after 24h):
# Check reverse DNS
nslookup <your-public-ip>
# or
dig -x <your-public-ip>
# Expected output:
# <your-public-ip>.in-addr.arpa. <ttl> IN PTR inventory-production.yourdomain.com.
Docker CE Installation
1. Add Docker's GPG Repo Key
# Download and add Docker's GPG key
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker.gpg
2. Add Docker Repository
# Add official Docker repository
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/debian trixie stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Refresh package lists again
sudo apt update
3. Install Docker on Debian 13 (Trixie)
# Install Docker and related components
sudo apt install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
4. Verify Docker Installation
# Check if Docker service is active
sudo systemctl is-active docker
Nginx Installation & Configuration
1. Install Nginx
# Install Nginx
sudo apt install -y nginx
# Start Nginx
sudo systemctl start nginx
# Enable on boot
sudo systemctl enable nginx
# Verify
sudo systemctl status nginx
# Check version
nginx -v
2. Phase 1: Basic Nginx Config (for Let's Encrypt)
β οΈ IMPORTANT: Start with a simple HTTP config first so Let's Encrypt can create the certificate!
Step 1: Create Nginx config
sudo nano /etc/nginx/sites-available/inventar
Insert content (Basic config for Let's Encrypt):
server {
listen 80;
server_name Your.Domain.here;
# Required for Certbot
location /.well-known/acme-challenge/ {
root /var/www/html;
}
# Redirect all other requests to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
Step 2: Enable config & test
# Enable site
sudo ln -s /etc/nginx/sites-available/inventar /etc/nginx/sites-enabled/
# Test nginx config
sudo nginx -t
# Restart Nginx
sudo systemctl restart nginx
# Verify running
sudo systemctl status nginx
SSL/TLS with Certbot - Phase 2 & Phase 3
1. Phase 2: Create SSL Certificate with Certbot
β οΈ IMPORTANT: The basic Nginx config (Phase 1) must be running!
# Certbot with Nginx plugin (will automatically update Nginx)
sudo certbot --nginx -d Your.Domain.here
# Certbot will then automatically:
# 1. Validate the certificate (HTTP Challenge via Port 80)
# 2. Download Let's Encrypt Certificate
# 3. Automatically update Nginx config (HTTP β HTTPS Redirect)
# Follow prompts:
# - Enter email for renewals
# - Accept Let's Encrypt Terms (Y)
# - Optional: Share email with EFF (Y/N)
# Verify certificate was created
sudo certbot certificates
3. Phase 3: Adjust Production Nginx Config
After Certbot, the certificates are in place - now adjust & optimize:
sudo nano /etc/nginx/sites-available/inventar
Production Config (optimized for Inventory System):
# HTTP: ACME Challenge + Redirect to HTTPS
server {
listen 80;
server_name Your.Domain.here;
# ACME Challenge (Certbot)
location /.well-known/acme-challenge/ {
root /var/www/html;
}
# Redirect everything else to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# HTTPS: Main Application
server {
listen 443 ssl;
http2 on;
server_name Your.Domain.here;
# SSL/TLS (Certbot-managed files)
ssl_certificate /etc/letsencrypt/live/Your.Domain.here/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/Your.Domain.here/privkey.pem;
# Security: HSTS (1 year)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Performance: gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_min_length 1024;
gzip_comp_level 6;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
# Serve media files directly from host (user uploads)
location /media/ {
alias /opt/inventar/media/;
try_files $uri =404;
expires 1d;
add_header Cache-Control "public";
access_log off;
}
# Serve static files directly from host (MAXIMUM PERFORMANCE)
location /static/ {
alias /opt/inventar/static/;
try_files $uri =404;
expires 1y;
add_header Cache-Control "public, immutable";
access_log off;
}
# Reverse proxy for the app (frontend container at 127.0.0.1:8080)
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
# Keepalive and limits
proxy_http_version 1.1;
proxy_set_header Connection "";
client_max_body_size 70m;
proxy_read_timeout 60s;
proxy_send_timeout 60s;
}
}
Test config & restart Nginx:
# Test the configuration
sudo nginx -t
# Reload Nginx with new config
sudo systemctl reload nginx
# Verify it's working
sudo systemctl status nginx
4. Enable Production Config & Test
# Test new nginx config
sudo nginx -t
# If OK, reload
sudo systemctl reload nginx
# Verify SSL certificate
echo | openssl s_client -servername Your.Domain.here -connect Your.Domain.here:443 2>/dev/null | openssl x509 -noout -dates
# Test HTTP Redirect to HTTPS
curl -I http://Your.Domain.here
# Should show: HTTP/1.1 301 Moved Permanently
# Location: https://Your.Domain.here/
# Test HTTPS
curl -I https://Your.Domain.here
# Should show: HTTP/2 200
5. Configure Certbot Auto-Renewal
# Enable auto-renewal timer
sudo systemctl enable certbot.timer
# Start timer
sudo systemctl start certbot.timer
# Check status
sudo systemctl status certbot.timer
# Test renewal (dry-run - no actual renewal!)
sudo certbot renew --dry-run
# View renewal logs
sudo journalctl -u certbot.timer -f
Firewall Configuration
1. UFW (Uncomplicated Firewall) Setup
Only open these 4 ports - everything else remains blocked:
# Enable UFW
sudo ufw enable
# Allow SSH (IMPORTANT: BEFORE enabling firewall!)
sudo ufw allow 22/tcp
# Allow HTTP (for Let's Encrypt)
sudo ufw allow 80/tcp
# Allow HTTPS
sudo ufw allow 443/tcp
# Allow SMTP (outbound email)
sudo ufw allow 587/tcp
# Verify all rules
sudo ufw status verbose
# Show added rules only
sudo ufw show added
β οΈ IMPORTANT: Only these 4 ports are allowed. All others (5432, 8000, etc.) remain blocked!
Docker Compose Production Setup
0. Create Directory Structure
Create the required directory structure with correct permissions:
# Create main application directory
sudo mkdir -p /opt/inventar
# Create subdirectories for static and media files
sudo mkdir -p /opt/inventar/static
sudo mkdir -p /opt/inventar/media
# Set permissions (www-data for web content, docker user for app files)
sudo chmod 777 /opt/inventar
sudo chown root:www-data /opt/inventar/static
sudo chown root:www-data /opt/inventar/media
sudo chmod 755 /opt/inventar/static
sudo chmod 755 /opt/inventar/media
# Verify structure
ls -la /opt/inventar/
Expected result:
root@inv:/opt/inventar# ls -l
total 0
drwxr-xr-x 2 root www-data 4096 Nov 2 12:00 static
drwxr-xr-x 2 root www-data 4096 Nov 2 12:00 media
1. Create Docker Compose File
File: `/opt/inventar/docker-compose.prod.yml`
# Production Docker Compose - PostgreSQL + Host Nginx + Redis
# Version 1.2 - Redis Caching Added
# Verwendung: docker compose up -d
services:
db:
image: inventory-system-db-postgres:1.2
container_name: inventory_db
restart: unless-stopped
env_file:
- .env.production
# Keine Ports nach auΓen, nur Compose-Netz
volumes:
- postgres_data:/var/lib/postgresql/data
networks:
- inventory_network
healthcheck:
test: ["CMD-SHELL", "pg_isready -U inventory_user -d inventory_db"]
interval: 10s
timeout: 5s
retries: 5
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "3"
# PostgreSQL 18 Performance Optimization
command: >
postgres
-c shared_buffers=256MB
-c max_connections=200
-c effective_cache_size=1GB
-c maintenance_work_mem=64MB
-c checkpoint_completion_target=0.9
-c wal_buffers=16MB
-c default_statistics_target=100
-c random_page_cost=1.1
-c effective_io_concurrency=200
-c work_mem=2MB
-c min_wal_size=1GB
-c max_wal_size=4GB
-c max_worker_processes=4
-c max_parallel_workers_per_gather=2
-c max_parallel_workers=4
-c shared_preload_libraries='pg_stat_statements'
redis:
image: inventory-system-redis:1.2
container_name: inventory_redis
restart: unless-stopped
volumes:
- redis_data:/data
networks:
- inventory_network
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "3"
backend:
image: inventory-system-backend:1.2.6
container_name: inventory_backend
restart: unless-stopped
env_file:
- .env.production
depends_on:
db:
condition: service_healthy
redis:
condition: service_started
volumes:
- ./media:/app/media
- ./static:/app/static
networks:
- inventory_network
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "3"
frontend:
image: inventory-system-frontend:1.2
container_name: inventory_frontend
restart: unless-stopped
depends_on:
- backend
# Frontend nur lokal am Host erreichbar (fΓΌr Host-Nginx Reverse Proxy)
ports:
- "127.0.0.1:8080:80"
networks:
- inventory_network
logging:
driver: "json-file"
options:
max-size: "10m"
max-file: "3"
volumes:
postgres_data:
name: inventory_postgres_data
redis_data:
name: inventory_redis_data
# Optional: Falls du spΓ€ter zu Docker Volumes wechseln willst
# media_data:
# name: inventory_media_data
# static_data:
# name: inventory_static_data
networks:
inventory_network:
driver: bridge
2. Load Docker Images
The Docker images must be loaded into Docker before Docker Compose is started:
β οΈ IMPORTANT: Docker Images Download on Request!
The Docker images (backend.tar, db-postgres.tar, redis.tar, frontend.tar) are provided on request. You must upload them to the `/opt/inventar/` directory before executing the following commands.
cd /opt/inventar
# Load Docker images from tar files
docker load < backend.tar
docker load < db-postgres.tar
docker load < redis.tar
docker load < frontend.tar
# Verify images were loaded
docker images | grep inventory-system
3. Create Environment File
File: `/opt/inventar/.env.production`
β οΈ IMPORTANT - Email Configuration:
The system supports two email modes:
- SMTP (Production): Real emails via SMTP server (if valid credentials are provided)
- Console (Fallback): Emails are logged to console output (if credentials are empty/invalid)
If you DON'T need email configuration:
Simply omit the SMTP lines or leave them empty. The frontend will show a warning and password reset will be disabled. You can configure email later anytime in the Admin Interface!
# Production environment variables - PostgreSQL Version
ENVIRONMENT=production
DEBUG=False
# Django Security & Configuration
SECRET_KEY=<GENERATE_STRONG_64_CHAR_KEY>
ALLOWED_HOSTS=Your.Domain.here,<YOUR_IP>,localhost,127.0.0.1
DOMAIN=Your.Domain.here
FRONTEND_URL=https://Your.Domain.here
# Admin User
ADMIN_USERNAME=admin
ADMIN_EMAIL=admin@yourdomain.com
ADMIN_PASSWORD=<STRONG_PASSWORD>
# PostgreSQL 18 Database
POSTGRES_DB=inventory_db
POSTGRES_USER=inventory_user
POSTGRES_PASSWORD=<STRONG_DATABASE_PASSWORD>
POSTGRES_HOST=db
POSTGRES_PORT=5432
# Connection String
DATABASE_URL=postgresql://inventory_user:<STRONG_DATABASE_PASSWORD>@db:5432/inventory_db
# SMTP Configuration (OPTIONAL - leave empty if not needed)
# System automatically falls back to console backend if empty
EMAIL_BACKEND=django.core.mail.backends.smtp.EmailBackend
EMAIL_HOST=smtp.yourdomain.com
EMAIL_PORT=587
EMAIL_USE_TLS=True
EMAIL_HOST_USER=noreply@yourdomain.com
EMAIL_HOST_PASSWORD=<SMTP_PASSWORD>
DEFAULT_FROM_EMAIL=noreply@yourdomain.com
4. Start Docker Compose
cd /opt/inventar
# Start services (images already loaded via docker load)
docker compose -f docker-compose.prod.yml up -d
# Check status
docker compose -f docker-compose.prod.yml ps
# View logs (all services)
docker compose -f docker-compose.prod.yml logs -f
# View logs per service
docker compose -f docker-compose.prod.yml logs -f frontend
docker compose -f docker-compose.prod.yml logs -f backend
docker compose -f docker-compose.prod.yml logs -f db
# Execute bash in backend container (for debugging)
docker compose -f docker-compose.prod.yml exec backend bash
# Collect static files (only if not done automatically)
docker compose -f docker-compose.prod.yml exec backend python manage.py collectstatic --noinput
Cleanup Docker Resources (if needed)
# Stop all services and remove volumes
docker compose -f docker-compose.prod.yml down -v
# Remove all dangling/unused images
docker image prune -a -f
# Full system cleanup (all containers, images, volumes, networks)
docker system prune -a -f --volumes
Monitoring & Maintenance
1. Log Monitoring
# Nginx access logs
sudo tail -f /var/log/nginx/itemp_access.log
# Nginx error logs
sudo tail -f /var/log/nginx/itemp_error.log
# Docker logs (all services)
cd /opt/inventar
docker compose -f docker-compose.prod.yml logs -f
# Docker logs per service
docker compose -f docker-compose.prod.yml logs -f backend
docker compose -f docker-compose.prod.yml logs -f frontend
docker compose -f docker-compose.prod.yml logs -f db
2. Disk Space Monitoring
# Check disk usage
df -h
# Check Docker usage
docker system df
# Clean up unused resources
docker system prune -a
3. Regular Maintenance
# Update system packages
sudo apt update && sudo apt upgrade -y
# Check for security updates
sudo apt list --upgradable
# Clean package cache
sudo apt autoclean
sudo apt autoremove
4. Certificate Expiry Monitoring
# Check certificate expiry
echo | openssl s_client -servername Your.Domain.here -connect Your.Domain.here:443 2>/dev/null | openssl x509 -noout -dates
# Certbot will send email alerts 30 days before expiry
π§ Django Management Commands
All available management commands for system administration and maintenance:
π Database & Monitoring
# Check database health and detect Decimal anomalies
docker compose -f docker-compose.prod.yml exec backend python manage.py check_database_health
# Optimize database tables (OPTIMIZE/VACUUM)
docker compose -f docker-compose.prod.yml exec backend python manage.py optimize_database
# Rebuild database indexes
docker compose -f docker-compose.prod.yml exec backend python manage.py rebuild_indexes
# Create database backup
docker compose -f docker-compose.prod.yml exec backend python manage.py backup_database
π§Ή Cleanup & Maintenance
# Delete unused entries (categories, locations without items)
docker compose -f docker-compose.prod.yml exec backend python manage.py cleanup_database --dry-run
# Clean old django-simple-history records (keep only 4 per item)
docker compose -f docker-compose.prod.yml exec backend python manage.py cleanup_django_history
# Clean history entries (keep only last 4 per item)
docker compose -f docker-compose.prod.yml exec backend python manage.py cleanup_history
# Delete old log files
docker compose -f docker-compose.prod.yml exec backend python manage.py cleanup_logs
# Find and delete orphaned image and QR code files
docker compose -f docker-compose.prod.yml exec backend python manage.py cleanup_orphaned_files
# Clean expired user sessions
docker compose -f docker-compose.prod.yml exec backend python manage.py cleanup_sessions
# Clean expired JWT tokens
docker compose -f docker-compose.prod.yml exec backend python manage.py cleanup_tokens
# Delete all cache entries
docker compose -f docker-compose.prod.yml exec backend python manage.py clear_cache
π¦ Data & Import/Export
# Fast CSV bulk import (without per-item overhead)
docker compose -f docker-compose.prod.yml exec backend python manage.py bulk_import_items --csv /path/to/file.csv
# Generate dummy CSV for bulk import testing
docker compose -f docker-compose.prod.yml exec backend python manage.py generate_dummy_items_csv
# Export all data as CSV or JSON
docker compose -f docker-compose.prod.yml exec backend python manage.py export_data --format json
π§ͺ Test Data
# Create realistic test data
docker compose -f docker-compose.prod.yml exec backend python manage.py create_test_data
# Create 50 test items
docker compose -f docker-compose.prod.yml exec backend python manage.py create_test_items
# Delete test data
docker compose -f docker-compose.prod.yml exec backend python manage.py clear_test_data
# Create initial history entries for all items
docker compose -f docker-compose.prod.yml exec backend python manage.py populate_history
π· QR Codes
# Generate missing QR codes
docker compose -f docker-compose.prod.yml exec backend python manage.py generate_qr_codes
# Parallel QR code generation (faster)
docker compose -f docker-compose.prod.yml exec backend python manage.py generate_qr_parallel
# Regenerate all QR codes
docker compose -f docker-compose.prod.yml exec backend python manage.py regenerate_qrcodes
πΈ Media & Performance
# Optimize all item images (400x400px, WebP, square)
docker compose -f docker-compose.prod.yml exec backend python manage.py optimize_images
π View Logs
# View last error/warning logs with options
docker compose -f docker-compose.prod.yml exec backend python manage.py view_logs --lines 50 --level error
# Options:
# --lines N : Number of lines (default: 100)
# --level all|error|warning : Filter level (default: all)
π Troubleshooting
Problem: Backend Shows Errors
cd /opt/inventar
# Check logs
docker compose -f docker-compose.prod.yml logs -f backend
# Execute bash in backend for debugging
docker compose -f docker-compose.prod.yml exec backend bash
# Within container - check:
ls -la /app/
python manage.py shell
python manage.py check
Problem: Nginx shows 502 Bad Gateway
# Check backend
curl http://localhost:8000
# Test Nginx config
sudo nginx -t
# Check Nginx logs
sudo tail -f /var/log/nginx/itemp_error.log
Problem: PostgreSQL does not start (Healthcheck failing)
# Check PostgreSQL logs
cd /opt/inventar
docker compose -f docker-compose.prod.yml logs db
# Verify environment variables
docker compose -f docker-compose.prod.yml config | grep POSTGRES
# Try restarting
docker compose -f docker-compose.prod.yml down
docker compose -f docker-compose.prod.yml up -d
Problem: Static/Media Files return 404
# Verify Host Directories exist
ls -la /opt/inventar/static/
ls -la /opt/inventar/media/
# Check permissions
sudo chown -R 1000:1000 /opt/inventar/static/
sudo chown -R 1000:1000 /opt/inventar/media/
# Verify docker volume mounts
cd /opt/inventar
docker compose -f docker-compose.prod.yml exec backend ls -la /app/static/
Last Update: November 2, 2025
Status: β
Production-Ready
π Production Deployment Checklist
π§ Nginx 3-Phase Setup (CRITICAL)
- β PHASE 1: Basic Nginx with HTTP (Port 80)
- β Nginx installed
- β Basic config with domain created (
/etc/nginx/sites-available/inventar) - β Config enabled:
sudo ln -s sites-available/inventar sites-enabled/ - β Nginx reloaded:
sudo systemctl reload nginx - β HTTP working:
curl -I http://Your.Domain.here - β Firewall ports 80 & 443:
sudo ufw allow 80/tcp; sudo ufw allow 443/tcp
- β PHASE 2: Let's Encrypt Certificate
- β Certbot installed
- β Certificate created:
sudo certbot --nginx -d Your.Domain.here - β Certificate verified:
sudo certbot certificates - β Paths present:
/etc/letsencrypt/live/Your.Domain.here/
- β PHASE 3: Production Nginx Config
- β Old config backed up:
sudo cp sites-available/inventar sites-available/inventar.bak - β Production config inserted (with SSL, Gzip, Security Headers)
- β Config tested:
sudo nginx -t - β Nginx reloaded:
sudo systemctl reload nginx - β HTTPS working:
curl -I https://Your.Domain.here - β HTTP redirect working:
curl -I http://Your.Domain.here - β SSL grade check: https://www.ssllabs.com/ssltest/
- β Old config backed up:
Pre-Deployment (Host Setup)
- β Debian Trixie installed & fully updated
- β Hostname set (
hostnamectl) - β RDNS configured at provider
- β SSH access configured for non-root user
- β UFW Firewall enabled (Ports 22, 80, 443)
- β Docker CE installed (
docker --version) - β Docker Compose installed (
docker-compose --version)
Docker Setup
- β
/opt/inventar/directory created - β
docker-compose.prod.ymlplaced - β
.env.productioncreated with secrets - β
.gitignoreupdated - β Static/Media directories created
- β Docker permissions configured
Initial Deployment
- β Docker images loaded:
docker load < *.tar - β Docker Compose started:
docker compose -f docker-compose.prod.yml up -d - β Services running:
docker compose -f docker-compose.prod.yml ps - β Static files collected:
docker compose -f docker-compose.prod.yml exec backend python manage.py collectstatic --noinput - β Backend health check:
curl http://127.0.0.1:8000/api/health/
Final Verification
- β All services running stably:
docker compose -f docker-compose.prod.yml ps - β Logs show no errors:
docker compose -f docker-compose.prod.yml logs - β Website accessible (HTTPS):
https://Your.Domain.here - β HTTP redirects to HTTPS
- β SSL Certificate valid:
curl -I https://Your.Domain.here - β API working:
curl https://Your.Domain.here/api/books - β Frontend responsive
- β Admin login working
π Important Notice
Docker Images Download on Request:
The Docker container images (backend.tar, db-postgres.tar, redis.tar, frontend.tar) are required for operating the Inventory Management System. These images are provided on request and must be uploaded to the `/opt/inventar/` directory before starting the system.
Please contact support or your administrator to obtain the necessary images.