Production CLI Commands

Updated for nself v0.4.8

Essential CLI commands for deploying and managing nself in production environments, covering the v0.4.8 environment management, security hardening, and deployment capabilities.

New in v0.4.8: Production Commands

  • nself prod init: Initialize production configuration
  • nself prod check/audit: Run security audit
  • nself prod secrets: Manage production secrets
  • nself prod ssl: SSL certificate management
  • nself prod firewall: Firewall configuration
  • nself prod harden: Apply all security measures
  • nself deploy: SSH-based deployment

Production Environment Management

nself prod status

Show production environment status (default subcommand):

# Show production status
nself prod status
nself prod

# Displays:
# - Environment settings (ENV, domain, debug mode)
# - Secrets file status
# - SSL certificate status and expiry
# - Docker Compose file status

nself prod init

Initialize production configuration:

# Initialize production for your domain
nself prod init yourdomain.com --email admin@yourdomain.com

# What it does:
# - Sets ENV=production
# - Disables debug mode
# - Enables SSL with Let's Encrypt
# - Disables Hasura dev mode and console
# - Creates docker-compose.prod.yml

nself prod check / audit

Run comprehensive security audit:

# Run security audit
nself prod check
nself prod audit --verbose

# Checks performed:
# - Environment settings (DEBUG, LOG_LEVEL, etc.)
# - Secrets strength and configuration
# - SSL certificate validity and expiry
# - Docker security settings
# - Network security (HSTS, XSS protection, etc.)
# - File permissions

# Exit codes:
# 0 - All checks passed
# 1 - Critical failures detected
# 2 - Warnings only (no critical failures)
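
The three exit codes above can gate a pipeline so that warnings and critical failures are handled differently. The following is an added example, not part of nself or its documentation; AUDIT_CMD and STRICT are assumed variable names introduced here, and any exit code other than 0, 1 or 2 is treated as a failure.

```shell
#!/bin/sh
# Added example: deployment gate built on the documented audit exit codes.
# AUDIT_CMD and STRICT are assumptions of this sketch, not nself settings.

# classify_audit RC: map an audit exit code to pass | warn | fail | error
classify_audit() {
  case "$1" in
    0) echo pass ;;    # all checks passed
    1) echo fail ;;    # critical failures detected
    2) echo warn ;;    # warnings only
    *) echo error ;;   # undocumented code: tool missing, crash, signal
  esac
}

# audit_gate: run the audit and return 0 only when deployment may proceed.
# Set STRICT=1 to make warnings blocking as well.
audit_gate() {
  _gate_rc=0
  # Capture the status explicitly: under `set -e` a bare call would abort
  # on exit code 2 before it could be told apart from exit code 1.
  ${AUDIT_CMD:-nself prod check} >&2 || _gate_rc=$?
  _gate_verdict=$(classify_audit "$_gate_rc")
  echo "audit verdict: $_gate_verdict (exit $_gate_rc)" >&2
  case "$_gate_verdict" in
    pass)
      return 0 ;;
    warn)
      if [ "${STRICT:-0}" = "1" ]; then
        return 1
      fi
      return 0 ;;
    *)
      # Fail closed on critical findings and on any unknown exit code.
      return 1 ;;
  esac
}
```

In a deploy script this is used as `audit_gate && nself deploy prod`, so a missing or crashing audit blocks the deployment instead of being mistaken for a pass.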

nself prod secrets

Manage production secrets:

# Generate all production secrets
nself prod secrets generate
nself prod secrets generate --force  # Overwrite existing

# Validate secrets file
nself prod secrets validate

# Rotate a specific secret
nself prod secrets rotate POSTGRES_PASSWORD

# Show secrets (masked by default)
nself prod secrets show
nself prod secrets show --unmask

# Generated secrets:
# - POSTGRES_PASSWORD
# - HASURA_GRAPHQL_ADMIN_SECRET
# - JWT_SECRET
# - COOKIE_SECRET
# - MINIO_ROOT_PASSWORD
# - REDIS_PASSWORD
# - GRAFANA_ADMIN_PASSWORD

nself prod ssl

Manage SSL/TLS certificates:

# Check SSL certificate status
nself prod ssl status

# Request Let's Encrypt certificate
nself prod ssl request yourdomain.com --email admin@yourdomain.com
nself prod ssl request yourdomain.com --staging  # For testing

# Renew SSL certificates
nself prod ssl renew
nself prod ssl renew --force

# Generate self-signed certificate
nself prod ssl self-signed yourdomain.com

# Verify certificate chain
nself prod ssl verify

nself prod firewall

Configure and manage firewall rules:

# Check firewall status
nself prod firewall status

# Configure recommended rules
nself prod firewall configure --dry-run
nself prod firewall configure

# Allow/block specific ports
nself prod firewall allow 8080
nself prod firewall allow 53 udp
nself prod firewall block 3306

# Show security recommendations
nself prod firewall recommendations

nself prod harden

Apply all security hardening measures:

# Apply all hardening
nself prod harden

# Preview changes without applying
nself prod harden --dry-run

# Skip firewall configuration
nself prod harden --skip-firewall

# Hardening steps:
# 1. Generate secrets (if missing)
# 2. Apply production environment settings
# 3. Fix SSL key permissions
# 4. Check firewall status
# 5. Fix sensitive file permissions

Deployment Commands

nself deploy

Deploy your nself project to remote servers via SSH:

# Deploy to staging (full stack including frontends)
nself deploy staging

# Deploy to production (backend only by default)
nself deploy prod

# Preview deployment without executing
nself deploy staging --dry-run
nself deploy prod --dry-run

# Force deployment without confirmation
nself deploy staging --force

# Skip health checks after deployment
nself deploy prod --skip-health

# Include/exclude frontends
nself deploy prod --include-frontends
nself deploy staging --exclude-frontends

# Rolling deployment (zero-downtime)
nself deploy prod --rolling

nself deploy check-access

Verify SSH access to environments:

# Check access to all environments
nself deploy check-access

# Check before deploying
nself deploy staging --check-access

nself deploy health

Check deployment health:

# Check staging health
nself deploy health staging

# Check production health
nself deploy health prod

nself deploy rollback

Roll back to the previous deployment:

# Rollback if something goes wrong
nself deploy rollback

nself deploy logs

View deployment logs:

# View deployment logs
nself deploy logs

Environment Management

nself env

Manage deployment environments:

# List all environments
nself env list

# Create new environment
nself env create staging staging
nself env create production prod

# Switch environment
nself env switch dev
nself env switch staging
nself env switch prod

# Show current environment status
nself env status

# Compare environments
nself env diff staging prod
nself env diff dev staging --values

# Validate environment configuration
nself env validate staging

# Delete environment
nself env delete qa

# Export/import environments
nself env export staging --output staging-env.tar.gz
nself env import staging-env.tar.gz

System Management

nself update

Update nself to the latest version:

# Update to latest version
nself update

# Check current version
nself version

nself status

Check comprehensive system status:

# Basic status check
nself status

# Show all service URLs
nself urls

Health Monitoring

nself logs

Access and monitor service logs:

# View all service logs
nself logs

# Follow logs in real-time
nself logs -f

# View specific service logs
nself logs postgres
nself logs hasura

nself exec

Execute commands in service containers:

# Shell into a container
nself exec postgres

# Run specific command
nself exec postgres psql -U postgres

Monitoring Commands

nself monitor

Open monitoring dashboards:

# Open Grafana (default)
nself monitor
nself monitor grafana

# Open Prometheus
nself monitor prometheus

# Open Alertmanager
nself monitor alerts

# Open Loki in Grafana
nself monitor loki

# CLI service status view
nself monitor services

# CLI resource usage view
nself monitor resources

# Tail service logs
nself monitor logs
nself monitor logs postgres

nself metrics

Configure monitoring profiles:

# Enable monitoring profiles
nself metrics enable minimal   # 4 services (~500MB)
nself metrics enable standard  # 7 services (~1GB)
nself metrics enable full      # 10 services (~2GB)
nself metrics enable auto      # Auto-detect based on ENV

# Show current profile
nself metrics status

Backup and Recovery

nself backup

Create system backups:

# Create full system backup
nself backup

# Database only backup
nself db backup

# Include configuration files
nself backup --include-config

# Compressed backup
nself backup --compress

# Remote backup to S3
nself backup --remote s3://my-backups/nself/

nself restore

Restore from backups:

# Restore from latest backup
nself restore

# Restore from specific backup
nself restore --from backup-20250806-140000

# Restore database only
nself db restore backup.sql

# Restore with verification
nself restore --verify

Security Commands

nself security

Security auditing and hardening:

# Run security audit
nself security audit

# Check for vulnerabilities
nself security scan

# Update security configurations
nself security harden

# Generate new secrets
nself security rotate-secrets

# SSL certificate management
nself security ssl-renew
nself security ssl-status

nself encrypt

Data encryption utilities:

# Encrypt sensitive files
nself encrypt .env.prod

# Decrypt files
nself decrypt .env.prod.enc

# Rotate encryption keys
nself encrypt rotate-keys

Maintenance Commands

nself cleanup

System cleanup and optimization:

# Clean up unused resources
nself cleanup

# Deep clean (removes old images, volumes)
nself cleanup --deep

# Clean specific components
nself cleanup docker
nself cleanup logs
nself cleanup backups

# Dry run (show what would be cleaned)
nself cleanup --dry-run

nself optimize

Performance optimization:

# Optimize database performance
nself optimize database

# Optimize Docker images
nself optimize images

# Full system optimization
nself optimize --all

# Generate optimization report
nself optimize --report

Configuration Management

nself config

Production configuration management:

# Validate configuration
nself config validate

# Show configuration (sanitized)
nself config show

# Update configuration value
nself config set POSTGRES_MAX_CONNECTIONS 200

# Generate new configuration template
nself config generate --environment production

# Import configuration from file
nself config import production.env

# Export configuration
nself config export --sanitize > config-backup.env

Service Management

nself scale

Scale services for production load:

# Scale specific service
nself scale hasura 3

# Auto-scale based on load
nself scale --auto

# Scale all services
nself scale --replicas 2

# Scale with resource limits
nself scale hasura 3 --memory 512MB --cpu 0.5

nself reload

Reload services without downtime:

# Reload specific service
nself reload hasura

# Reload configuration
nself reload --config

# Rolling reload (zero downtime)
nself reload --rolling

Network and Connectivity

nself network

Network diagnostics and configuration:

# Test network connectivity
nself network test

# Show network configuration
nself network show

# Test external connectivity
nself network test-external

# Diagnose network issues
nself network diagnose

Automated Scripts

Production Deployment Script

#!/bin/bash
# production-deploy.sh

set -e

echo "🚀 Starting production deployment..."

# Backup current state
echo "Creating backup..."
nself backup --name "pre-deploy-$(date +%Y%m%d-%H%M%S)"

# Update system
echo "Updating nself..."
nself update

# Deploy new version
echo "Deploying services..."
nself prod
cp .env.prod-template .env
nself build
nself up --no-deps

# Run health checks
echo "Running health checks..."
sleep 30
nself doctor

# Verify deployment
if nself status --check; then
    echo "✅ Deployment successful!"
else
    echo "❌ Deployment failed, rolling back..."
    nself restore
    exit 1
fi

Monitoring Script

#!/bin/bash
# monitor.sh - Add to cron for continuous monitoring

# Check system health
if ! nself doctor --quick; then
    echo "Health check failed" | mail -s "nself Alert" admin@example.com
fi

# Check resource usage
CPU_USAGE=$(nself resources --format json | jq '.total.cpu')
if (( $(echo "$CPU_USAGE > 80" | bc -l) )); then
    echo "High CPU usage: $CPU_USAGE%" | mail -s "nself Resource Alert" admin@example.com
fi

# Check disk space
DISK_USAGE=$(df / | tail -1 | awk '{print $5}' | sed 's/%//')
if [ "$DISK_USAGE" -gt 85 ]; then
    nself cleanup --auto
fi

# Rotate logs
find logs/ -name "*.log" -mtime +7 -delete

Integration with CI/CD

GitHub Actions Example

# .github/workflows/deploy.yml
name: Deploy to Production
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Install nself
        run: |
          curl -sSL https://install.nself.org | bash
          
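      - name: Deploy to production
        env:
          ENV_PROD: ${{ secrets.ENV_PROD }}
        run: |
          # Pass the secret through the environment so its contents are never parsed as shell
          umask 077
          printf '%s\n' "$ENV_PROD" > .env
          nself build
          nself up --detach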
          
      - name: Health check
        run: |
          sleep 30
          nself doctor

Best Practices

Next Steps