Production Deployment
Production deployment creates a secure, scalable TractStack installation with SSL certificates, reverse proxy, and automatic service management.
Production Installation Types
Single-Tenant Production
One website per server installation.
curl -fsSL https://get.tractstack.com | bash -s -- --prod --domain=yourdomain.com
Multi-Tenant Production
Multiple websites from one installation with subdomain support.
curl -fsSL https://get.tractstack.com | bash -s -- --multi --domain=yourdomain.com
Dedicated Instance
Completely isolated installation for maximum customization.
curl -fsSL https://get.tractstack.com | bash -s -- --dedicated SITE_ID --domain=yourdomain.com
Prerequisites for Production
System Requirements
- Linux server (Ubuntu 20.04+ recommended)
- Root or sudo access
- Domain name pointed to your server
- Ports 80 and 443 open for web traffic
DNS Configuration
Before installation, configure DNS:
# A record
yourdomain.com → YOUR_SERVER_IP
# For multi-tenant (wildcard)
*.yourdomain.com → YOUR_SERVER_IP
SSL Certificate Setup
Option 1: Cloudflare DNS (Automated)
Create API credentials file:
sudo mkdir -p /root/.secrets/certbot
sudo nano /root/.secrets/certbot/cloudflare.ini
Add your Cloudflare API token:
dns_cloudflare_api_token = YOUR_API_TOKEN_HERE
Set secure permissions:
sudo chmod 600 /root/.secrets/certbot/cloudflare.ini
The installer will automatically obtain SSL certificates.
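The steps above create the file with default permissions and tighten it afterwards. The following added example (not part of the TractStack installer or its documentation) sets mode 600 before the token is written and then audits the result; the function names and the directory argument are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: hypothetical helpers, not part of the TractStack installer.

# write_cf_credentials DIR
# Reads the API token from stdin (so it never appears in argv or shell
# history) and gives DIR/cloudflare.ini mode 600 before the token lands.
write_cf_credentials() {
  local dir="$1" file="$1/cloudflare.ini" token
  IFS= read -r token || [ -n "$token" ] || return 1
  (
    umask 077                          # new dirs 0700, new files 0600
    mkdir -p "$dir" && chmod 700 "$dir" || exit 1
    # Tighten a pre-existing file before any secret is written to it.
    touch "$file" && chmod 600 "$file" || exit 1
    printf 'dns_cloudflare_api_token = %s\n' "$token" > "$file"
  )
}

# audit_cf_credentials DIR
# Succeeds only if the file is a regular file (not a symlink) with mode 600.
audit_cf_credentials() {
  local file="$1/cloudflare.ini" perms
  if [ -L "$file" ] || [ ! -f "$file" ]; then
    echo "FAIL: $file missing or not a regular file"; return 1
  fi
  perms=$(ls -ld "$file" | cut -c1-10)
  if [ "$perms" != "-rw-------" ]; then
    echo "FAIL: $file has permissions $perms, expected -rw-------"; return 1
  fi
  echo "OK: $file"
}
```

Run as root with `/root/.secrets/certbot` as the directory argument, feeding the token on stdin.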
Option 2: Manual DNS Verification
Without Cloudflare credentials, the installer will:
- Display TXT records to add to your DNS
- Wait for verification - add the records and press Enter
- Issue certificates once DNS propagates
Production Installation Process
The installer will:
- Create system user t8k for security isolation
- Install dependencies (nginx, PM2, certbot)
- Clone and build TractStack source code
- Configure services:
  - systemd service for Go backend
  - PM2 process for Astro frontend
  - nginx reverse proxy
- Obtain SSL certificates via Let’s Encrypt
- Start services and verify operation
Production Directory Structure
/home/t8k/
├── src/                    # Source code
│   ├── tractstack-go/      # Go backend
│   └── my-tractstack/      # Astro frontend
├── bin/                    # Production binaries
│   └── tractstack-go       # Compiled Go binary
├── t8k-go-server/          # Data directory
│   ├── config/default/     # Site configuration
│   ├── db/default/         # Database files
│   └── log/                # Application logs
├── etc/                    # Configuration
│   ├── letsencrypt/        # SSL certificates
│   ├── pm2/                # PM2 configs
│   └── t8k-ports.conf      # Port allocations
└── scripts/                # Maintenance scripts
    └── t8k-concierge.sh    # Build automation
Service Management
systemd Services
Main installation:
# Status
sudo systemctl status tractstack-go
# Start/Stop/Restart
sudo systemctl start tractstack-go
sudo systemctl stop tractstack-go
sudo systemctl restart tractstack-go
# Enable/Disable auto-start
sudo systemctl enable tractstack-go
sudo systemctl disable tractstack-go
# View logs
sudo journalctl -u tractstack-go -f
Dedicated instances:
# Replace SITE_ID with your site identifier
sudo systemctl status tractstack-go@SITE_ID
sudo systemctl restart tractstack-go@SITE_ID
sudo journalctl -u tractstack-go@SITE_ID -f
PM2 Process Management
# Switch to t8k user
sudo -u t8k bash
# View processes
pm2 status
# Restart processes
pm2 restart astro-main      # Main installation
pm2 restart astro-SITE_ID   # Dedicated instance
# View logs
pm2 logs astro-main
pm2 logs astro-SITE_ID
# Monitor in real-time
pm2 monit
nginx Configuration
# Test configuration
sudo nginx -t
# Reload configuration
sudo systemctl reload nginx
# View error logs
sudo tail -f /var/log/nginx/error.log
# View access logs
sudo tail -f /var/log/nginx/access.log
Port Allocation
TractStack automatically manages ports via /home/t8k/etc/t8k-ports.conf:
Main Installation
- Go backend: Port 10000
- Astro frontend: Port 20000
Dedicated Instances
- Go backend: Ports 10001, 10002, 10003…
- Astro frontend: Ports 20001, 20002, 20003…
nginx handles public traffic on ports 80/443 and proxies to these internal ports.
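Since nginx is the only component meant to face the network, one useful check is that nothing in the backend and frontend port ranges listens on a non-loopback address. This is an added example, not TractStack code: the function names, the 10000-29999 range (extrapolated from the port numbers listed above), and the sample `ss` lines are assumptions or constructed data.

```shell
#!/usr/bin/env bash
# Added example: hypothetical check, not part of TractStack.

# Constructed sample in the column layout of `ss -tlnH`
# (State Recv-Q Send-Q Local-Address:Port Peer-Address:Port).
SAMPLE_SS='LISTEN 0 511  0.0.0.0:443     0.0.0.0:*
LISTEN 0 4096 127.0.0.1:10000 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:10001   0.0.0.0:*
LISTEN 0 511  [::1]:20000     [::]:*
LISTEN 0 511  *:20001         *:*'

# exposed_internal_ports: reads ss-style lines on stdin and prints every
# listener in 10000-29999 (assumed range) that is not bound to loopback.
exposed_internal_ports() {
  awk '{
    addr = $4
    n = split(addr, parts, ":")
    port = parts[n] + 0
    host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
    sub(/%.*$/, "", host)               # drop interface scope, e.g. %lo
    internal = (port >= 10000 && port <= 29999)
    loopback = (host ~ /^127\./ || host == "[::1]")
    if (internal && !loopback) print addr
  }'
}

# audit_listeners: runs the check against the live socket table.
audit_listeners() {
  local exposed
  exposed=$(ss -tlnH | exposed_internal_ports)
  [ -z "$exposed" ] && { echo "OK: internal ports are loopback-only"; return 0; }
  echo "Reachable beyond loopback:"; echo "$exposed"; return 1
}
```

A non-empty result means those ports are protected only by the host firewall, so the ufw rules further down become the sole barrier.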
Multi-Tenant Features
Tenant Registration
Visit https://yourdomain.com/sandbox/register to create new tenants.
Subdomain Routing
Each tenant gets a subdomain:
tenant1.yourdomain.com
tenant2.yourdomain.com
admin.yourdomain.com
Tenant Isolation
- Separate databases per tenant
- Isolated media storage
- Independent configurations
- Usage monitoring and limits
Build Automation
The build concierge processes automated deployments:
Triggering Builds
Create CSV files in /home/t8k/state/:
type=main,tenant=default,command=build
For dedicated instances:
type=dedicated,site=SITE_ID,command=build
Build Process
- Pull latest code from Git repositories
- Build Go backend and Astro frontend
- Extract Tailwind whitelist for optimization
- Restart services automatically
- Clean up processed files
Manual Build
sudo -u t8k /home/t8k/scripts/t8k-concierge.sh
SSL Certificate Management
Certificate Renewal
Certificates auto-renew via cron job:
# Check renewal status
sudo -u t8k /home/t8k/certbot_venv/bin/certbot certificates
# Test renewal
sudo -u t8k /home/t8k/certbot_venv/bin/certbot renew --dry-run
# Force renewal (if needed)
sudo -u t8k /home/t8k/certbot_venv/bin/certbot renew --force-renewal
Manual Certificate Request
sudo -u t8k bash -c "source /home/t8k/certbot_venv/bin/activate && \
  certbot certonly --manual --preferred-challenges dns \
  --config-dir /home/t8k/etc/letsencrypt \
  --work-dir /home/t8k/lib/letsencrypt \
  --logs-dir /home/t8k/log/letsencrypt \
  --agree-tos --email admin@yourdomain.com \
  -d yourdomain.com -d '*.yourdomain.com'"
Monitoring & Maintenance
Log Files
- Application logs: /home/t8k/t8k-go-server/log/
- nginx logs: /var/log/nginx/
- systemd logs: journalctl -u tractstack-go
- PM2 logs: pm2 logs
Health Checks
# Check all services
sudo systemctl status tractstack-go nginx
sudo -u t8k pm2 status
# Test HTTP response
curl -I https://yourdomain.com
# Check SSL certificate
echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
Database Backup
# Backup SQLite database
sudo -u t8k cp /home/t8k/t8k-go-server/db/default/tractstack.db \
  /home/t8k/backups/tractstack-$(date +%Y%m%d).db
# Automated backup script
sudo -u t8k crontab -e
# Add: 0 2 * * * cp /home/t8k/t8k-go-server/db/default/tractstack.db /home/t8k/backups/tractstack-$(date +\%Y\%m\%d).db
Security Considerations
Firewall Configuration
# Allow web traffic
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Allow SSH (adjust port as needed)
sudo ufw allow 22/tcp
# Enable firewall
sudo ufw enable
User Security
- Dedicated user: Services run as t8k user, not root
- File permissions: Restrictive permissions on configuration files
- Process isolation: Each service runs in its own context
SSL Security
- A+ SSL rating: Modern TLS configuration
- HSTS headers: Force HTTPS connections
- Certificate transparency: Automatic CT log submission
Troubleshooting Production
Common Issues
Services won’t start:
# Check logs for errors
sudo journalctl -u tractstack-go --no-pager
sudo -u t8k pm2 logs astro-main
# Verify ports aren't in use
sudo netstat -tlnp | grep :10000
sudo netstat -tlnp | grep :20000
SSL certificate issues:
# Check certificate status
sudo -u t8k /home/t8k/certbot_venv/bin/certbot certificates
# Verify DNS propagation
dig yourdomain.com
dig _acme-challenge.yourdomain.com TXT
nginx configuration errors:
# Test configuration
sudo nginx -t
# Check configuration files
sudo ls -la /etc/nginx/sites-enabled/
sudo cat /etc/nginx/sites-enabled/t8k-main.conf
Performance Optimization
nginx Tuning
Edit /etc/nginx/sites-enabled/t8k-main.conf:
# Add caching headers
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
    expires 1y;
    add_header Cache-Control "public, immutable";
}
# Enable gzip compression
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
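nginx inherits `add_header` directives from the enclosing level only when the current level defines none of its own, so a location block that adds `Cache-Control` stops emitting headers set at server level. The added example below (not TractStack code) lists such location blocks; it assumes HSTS is set with `add_header` at server level, which this page does not show, and the function name and sample config are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: hypothetical check, not part of TractStack.

# Constructed sample config (not the real t8k-main.conf).
SAMPLE_NGINX_CONF='server {
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://127.0.0.1:20000;
    }
    location ~* \.(js|css|png)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
    location /media/ {
        add_header Cache-Control "public";
        add_header Strict-Transport-Security "max-age=31536000" always;
    }
}'

# locations_dropping_hsts: reads an nginx config on stdin and prints the
# opening line of each location block that has its own add_header
# directives but does not repeat Strict-Transport-Security.
# Limitation: braces inside location regexes (e.g. \d{3}) are not handled.
locations_dropping_hsts() {
  awk '
    /^[ \t]*#/ { next }                          # skip comment lines
    /^[ \t]*location[ \t]/ && !in_loc {
      in_loc = 1; depth = 0; header = $0; has_add = 0; has_hsts = 0
    }
    in_loc {
      if ($0 ~ /add_header[ \t]/) has_add = 1
      if ($0 ~ /add_header[ \t]+Strict-Transport-Security/) has_hsts = 1
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (depth <= 0 && $0 ~ /[}]/) {          # block closed
        if (has_add && !has_hsts) { sub(/^[ \t]+/, "", header); print header }
        in_loc = 0
      }
    }'
}
```

Run it as `locations_dropping_hsts < /etc/nginx/sites-enabled/t8k-main.conf`; any block it prints needs the security headers repeated inside it.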
Database Optimization
- Regular VACUUM: Run VACUUM; on the SQLite database
- Consider Turso: For high-traffic sites
- Monitor size: Keep track of database growth
Production deployment provides a secure, scalable foundation for your TractStack site. For ongoing maintenance, see the Operations guide.