Skip to content

Self-hosted install script & production Docker setup#52

Merged
synio-wesley merged 11 commits intomainfrom
feature/self-hosted-install
Mar 22, 2026
Merged

Self-hosted install script & production Docker setup#52
synio-wesley merged 11 commits intomainfrom
feature/self-hosted-install

Conversation

@fblaser
Copy link
Copy Markdown
Collaborator

@fblaser fblaser commented Mar 22, 2026

Summary

  • Production Dockerfile (multi-stage: Node asset build → Ubuntu 24.04 + PHP 8.5-FPM + Nginx + Supervisor)
  • install.sh one-liner that provisions a fresh Ubuntu 24.04 VPS end-to-end: Docker, Traefik, MySQL, Redis, SWORD app, firewall
  • sword:init Artisan command to bootstrap admin user + localhost server record with SSH keys
  • Nginx, PHP-FPM, Supervisor, and Docker Compose configs for production

Test plan

  • Spin up a fresh Ubuntu 24.04 VPS (Hetzner/DO)
  • Point a domain A record to the VPS IP
  • Run curl -sL <raw-url> | bash and complete the prompts
  • Verify SWORD is accessible at https://<domain>
  • Verify the localhost server shows as "provisioned" and "online"
  • Create a WordPress site on the localhost server
  • Verify the WordPress site is accessible via its domain

fblaser added 10 commits March 22, 2026 12:53
@fblaser
✨ Add self-hosted install script and production Docker setup
02af1b8 
Single curl|bash installer that provisions SWORD on a fresh Ubuntu 24.04
VPS with Traefik, MySQL, Redis, and auto-registers the host as a
localhost server for immediate WordPress site creation.
@fblaser
🔧 Add BRANCH variable to install script for easier testing
0cf4954
@fblaser
🔧 Allow SWORD_BRANCH env var override for install script
9f2cefb
@fblaser
🐛 Fix YAML parsing in shared infra compose heredoc
8edc59f
@fblaser
🐛 Read prompts from /dev/tty for curl|bash compatibility
c38a491
@fblaser
🐛 Use container env var for MySQL auth instead of host shell var
7442129
@fblaser
🐛 Add PHP to asset build stage for Wayfinder plugin
1020641
@fblaser
🐛 Use PHP 8.5 from php-deps stage for asset build (Wayfinder needs >=…
1586a0f 
… 8.4)
@fblaser
🐛 Fix HTTPS detection behind Traefik reverse proxy
d2b8e24
@fblaser
🐛 Pass SSH keys as arguments to sword:init instead of reading from co…
dbcd4a9 
…ntainer filesystem
@fblaser
Copy link
Copy Markdown
Collaborator Author

fblaser commented Mar 22, 2026

To test it without merging :

curl -sL https://raw.githubusercontent.com/SynioBE/SWORD/feature/self-hosted-install/install.sh | SWORD_BRANCH=feature/self-hosted-install bash

@fblaser
🔒 Harden deployment process security
ad34000 
- Pass secrets to sword:init via temp JSON file instead of CLI args
  (prevents exposure in process listings)
- Set chmod 600 on all .env files immediately after creation
- Add Redis password authentication
- Validate domain format, email format, and password length on input
- Validate public IP is not a private address
- Pin Ofelia to v3.3.3 instead of :latest
- Explicitly disable Traefik dashboard
- Add cleanup trap for temp directories on script exit
- Display sudo password at end of install (not stored elsewhere)
- Use --env-file for Docker Compose variable interpolation
@synio-wesley synio-wesley merged commit 7a7456f into main Mar 22, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@synio-wesley synio-wesley synio-wesley approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fblaser @synio-wesley