# Droplet Setup Guide — warehouse.soldered.com

One-time setup on `aux-server-soldered`. Run all commands as `root` unless noted.
This guide is safe to follow alongside other existing Nginx sites.

---

## 1. Install system dependencies

```bash
apt-get update
apt-get install -y git python3-pip python3-venv
```

Check what Python is installed:
```bash
python3 --version
ls /usr/bin/python*
```

If you need Python 3.14 specifically (deadsnakes PPA for Ubuntu 24.04):
```bash
add-apt-repository ppa:deadsnakes/ppa
apt-get update
apt-get install -y python3.14 python3.14-venv python3.14-dev
```

---

## 2. Clone the repo

```bash
mkdir -p /var/www/warehouse.soldered.com
cd /var/www/warehouse.soldered.com
git clone git@github.com:YOUR_ORG/YOUR_REPO.git .
```

> **SSH key:** If the repo is private, add the droplet's SSH public key
> (`cat ~/.ssh/id_rsa.pub`) as a Deploy Key on GitHub → Settings → Deploy keys.

---

## 3. Create the virtualenv and install packages

```bash
cd /var/www/warehouse.soldered.com
python3.14 -m venv .venv          # or python3 if 3.14 isn't installed separately
.venv/bin/pip install --upgrade pip
.venv/bin/pip install -r requirements.txt
```

---

## 4. Database — store it OUTSIDE the app folder

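The database must NOT live inside the cloned repo directory, because `git reset --hard`
during deploys would risk overwriting it. Step 2 clones the repo directly into
`/var/www/warehouse.soldered.com`, so the `data/` directory created below still sits under
the clone path. `git reset --hard` rewrites tracked files and leaves untracked ones in place,
so the database is protected only while `data/` stays untracked (add it to `.gitignore`).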

```bash
mkdir -p /var/www/warehouse.soldered.com/data
# On first run the app auto-creates the schema, so no manual init needed.
```

---

## 5. Create the .env file

```bash
cp /var/www/warehouse.soldered.com/.env.example /var/www/warehouse.soldered.com/.env
chmod 600 /var/www/warehouse.soldered.com/.env
nano /var/www/warehouse.soldered.com/.env
```

Critical values to set in `.env`:
```
DATABASE_PATH=/var/www/warehouse.soldered.com/data/warehouse.db
FLASK_SECRET_KEY=<generate with: python3 -c "import secrets; print(secrets.token_hex(32))">

ERACUNI_URL=...
ERACUNI_USERNAME=...
ERACUNI_PASSWORD=...
ERACUNI_TOKEN=...

SHOPIFY_DOMAIN=...
SHOPIFY_ACCESS_TOKEN=...
# ... etc — copy from your local .env
```
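
A pre-start audit of the `.env` file from this step, as an added example (not part of the project's own code). It assumes the key list shown above and treats `...` and `<...>` values as unfilled placeholders; the function and variable names are illustrative.

```bash
# Keys named in step 5 of this guide; extend the list to match your .env.example.
REQUIRED_KEYS="DATABASE_PATH FLASK_SECRET_KEY ERACUNI_URL ERACUNI_USERNAME
ERACUNI_PASSWORD ERACUNI_TOKEN SHOPIFY_DOMAIN SHOPIFY_ACCESS_TOKEN"

# audit_env FILE: print one finding per line; return 0 only when there are none.
audit_env() {
    env_file=$1
    rc=0
    [ -f "$env_file" ] || { echo "missing: $env_file"; return 1; }

    # Step 5 sets chmod 600; group/other bits would expose the API credentials.
    mode=$(stat -c '%a' "$env_file" 2>/dev/null || stat -f '%Lp' "$env_file")
    case $mode in
        600|400) ;;
        *) echo "mode is $mode, expected 600"; rc=1 ;;
    esac

    for key in $REQUIRED_KEYS; do
        # If a key is assigned more than once, inspect the last assignment.
        value=$(sed -n "s/^$key=//p" "$env_file" | tail -n 1)
        case $value in
            '')         echo "$key is not set"; rc=1 ;;
            '...'|'<'*) echo "$key is still a placeholder"; rc=1 ;;
            *)
                # secrets.token_hex(32) prints 64 hex characters.
                if [ "$key" = FLASK_SECRET_KEY ] && [ "${#value}" -lt 64 ]; then
                    echo "$key is shorter than 64 characters"; rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed demo: an unedited template with loose permissions fails the audit.
demo_env=$(mktemp)
printf '%s\n' 'DATABASE_PATH=/var/www/warehouse.soldered.com/data/warehouse.db' \
    'FLASK_SECRET_KEY=<generate>' 'ERACUNI_URL=...' > "$demo_env"
chmod 644 "$demo_env"
audit_env "$demo_env" || echo "fix the findings above before starting the service"
rm -f "$demo_env"
```

On the droplet, run `audit_env /var/www/warehouse.soldered.com/.env` before step 6.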

---

## 6. Install the systemd service

```bash
cp /var/www/warehouse.soldered.com/deploy/warehouse.service /etc/systemd/system/warehouse.service
systemctl daemon-reload
systemctl enable warehouse
systemctl start warehouse
```

Check it started:
```bash
systemctl status warehouse
journalctl -u warehouse -f    # live logs
```

Test that Gunicorn is listening:
```bash
curl -s http://127.0.0.1:8080 | head -5
```
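
A check that the app port is bound to loopback only, so requests cannot reach Gunicorn without passing through Nginx and the basic auth from step 7. This is an added example, not part of the project; it assumes the service is meant to listen on `127.0.0.1:8080` as the `curl` test above suggests, and the function name is illustrative.

```bash
# port_exposure PORT: read `ss -tln` output on stdin.
#   returns 0  something listens on PORT, loopback only
#   returns 1  a non-loopback listener exists (each address is printed)
#   returns 2  nothing listens on PORT
port_exposure() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                              # Local Address:Port column
            n = split(addr, parts, ":")            # port follows the last colon
            if (parts[n] != port) next
            seen = 1
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (host ~ /^127\./ || host == "[::1]") next
            print addr
            exposed = 1
        }
        END { exit (exposed ? 1 : (seen ? 0 : 2)) }'
}

# Constructed sample of `ss -tln` output (not captured from a real host).
sample_ss='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      2048   0.0.0.0:8080       0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

if exposed=$(printf '%s\n' "$sample_ss" | port_exposure 8080); then
    echo "8080 is loopback-only"
else
    echo "8080 is not safely bound: ${exposed:-no listener}"
fi
# On the droplet: ss -tln | port_exposure 8080
```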

---

## 7. Create an HTTP basic auth password file

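```bash
apt-get install -y apache2-utils    # provides htpasswd
# -c creates the file and overwrites an existing one. If another site already
# uses /etc/nginx/.htpasswd, drop -c so its users are kept.
htpasswd -c /etc/nginx/.htpasswd warehouse
# Enter the password when prompted; this is the browser login password
```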

---

## 8. Add the Nginx site (safe — won't touch existing sites)

Copy the config:
```bash
cp /var/www/warehouse.soldered.com/deploy/nginx.conf /etc/nginx/sites-available/warehouse
```

Enable it (does NOT touch your other sites):
```bash
ln -s /etc/nginx/sites-available/warehouse /etc/nginx/sites-enabled/warehouse
```

Test the config before reloading:
```bash
nginx -t
```

If the test passes:
```bash
systemctl reload nginx
```

---

## 9. Point the domain in Cloudflare

Before running Certbot, `warehouse.soldered.com` must resolve to your droplet's IP.

1. Log in to [dash.cloudflare.com](https://dash.cloudflare.com) and select the **soldered.com** zone.
2. Go to **DNS → Records → Add record**.
3. Fill in:

   | Field   | Value                          |
   |---------|--------------------------------|
   | Type    | `A`                            |
   | Name    | `warehouse`                    |
   | IPv4    | your droplet's public IP       |
   | TTL     | Auto                           |
   | Proxy   | **DNS only** (grey cloud)      |

   > **Important:** keep the Cloudflare proxy **off** (grey cloud, "DNS only").
   > Certbot needs to reach the server directly over HTTP to complete its domain validation challenge. If the orange proxy is on, the challenge will fail.

4. Click **Save**. Propagation is usually under a minute with Cloudflare.

Verify it resolves before continuing:
```bash
dig +short warehouse.soldered.com      # should return your droplet IP
# or
curl -I http://warehouse.soldered.com  # should get a response from Nginx
```

---

## 10. SSL certificate (Certbot)

DNS must be resolving to this server (step 9) before running this.

```bash
apt-get install -y certbot python3-certbot-nginx
certbot --nginx -d warehouse.soldered.com
```

Certbot will modify `/etc/nginx/sites-available/warehouse` to add SSL config.
It does NOT touch your other sites.

Auto-renewal is set up automatically. Test it with:
```bash
certbot renew --dry-run
```

---

## 11. GitHub Actions secrets (for automated deploys)

In your private GitHub repo → Settings → Secrets and variables → Actions, add:

| Secret name      | Value                                      |
|------------------|--------------------------------------------|
| `DROPLET_HOST`   | The server's IP address or hostname        |
| `DROPLET_USER`   | `root`                                     |
| `DROPLET_SSH_KEY`| Contents of a private SSH key whose public key is in `/root/.ssh/authorized_keys` on the server |

To generate a dedicated deploy key pair (recommended):
```bash
# On your local machine:
ssh-keygen -t ed25519 -f ~/.ssh/warehouse_deploy -N "" -C "warehouse-deploy"
cat ~/.ssh/warehouse_deploy.pub    # add this to /root/.ssh/authorized_keys on the droplet
cat ~/.ssh/warehouse_deploy        # paste this as the DROPLET_SSH_KEY secret on GitHub
```

Add the public key to the droplet:
```bash
# On the droplet:
echo "ssh-ed25519 AAAA... warehouse-deploy" >> /root/.ssh/authorized_keys
```
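
Because `DROPLET_USER` is `root`, the deploy key can be limited to one command with OpenSSH's `restrict` and `command=` key options. The following is an added example, not part of the project: `/usr/local/sbin/warehouse-deploy` is a hypothetical deploy script, the key shown is a placeholder, and the function names are illustrative.

```bash
# Hypothetical path: a script on the droplet that performs the deploy.
DEPLOY_CMD=/usr/local/sbin/warehouse-deploy

# restricted_entry PUBKEY COMMAND: print an authorized_keys line that can only
# run COMMAND (no shell, PTY or forwarding). Rejects anything that is not a public key.
restricted_entry() {
    case $1 in
        ssh-ed25519\ ?*|ssh-rsa\ ?*|ecdsa-sha2-*\ ?*) ;;
        *) echo "not a public key line (private key pasted?)" >&2; return 1 ;;
    esac
    case $2 in
        *\"*) echo "command must not contain double quotes" >&2; return 1 ;;
    esac
    printf 'restrict,command="%s" %s\n' "$2" "$1"
}

# install_deploy_key AUTH_FILE PUBKEY COMMAND: append the restricted entry once.
install_deploy_key() {
    auth_file=$1
    entry=$(restricted_entry "$2" "$3") || return 1
    blob=$(printf '%s\n' "$2" | awk '{ print $2 }')
    mkdir -p "$(dirname "$auth_file")" && chmod 700 "$(dirname "$auth_file")"
    touch "$auth_file" && chmod 600 "$auth_file"
    # Key already listed (with or without options): do not add a second line.
    if grep -qF -- "$blob" "$auth_file"; then
        echo "key already present in $auth_file" >&2
        return 0
    fi
    printf '%s\n' "$entry" >> "$auth_file"
}

# Constructed demo in a scratch directory; the key below is a placeholder, not a real key.
scratch=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDER warehouse-deploy'
install_deploy_key "$scratch/.ssh/authorized_keys" "$demo_key" "$DEPLOY_CMD"
cat "$scratch/.ssh/authorized_keys"
# On the droplet: install_deploy_key /root/.ssh/authorized_keys "$(cat warehouse_deploy.pub)" "$DEPLOY_CMD"
```

With a forced command, whatever command the workflow sends over SSH is ignored and only exposed to the script as `$SSH_ORIGINAL_COMMAND`, so the deploy logic has to live in that script.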

---

## Useful commands

```bash
# Check app status
systemctl status warehouse

# Live app logs
journalctl -u warehouse -f

# Restart app (e.g. after editing .env)
systemctl restart warehouse

# Check RAM usage
free -h

# Check CPU / RAM live
htop

# Check what's listening on port 8080
ss -tlnp | grep 8080

# Check Python versions installed
ls /usr/bin/python*
python3 --version
```
