Go-Live Checklist

Everything to verify before opening the doors to real traffic.

v1.1.0

Run the automated check first

nself prod check --full

# Runs all items below automatically.
# Fix any FAIL before proceeding.

1. Infrastructure

Server meets minimum specs (2 vCPU / 4 GB RAM / 40 GB SSD).
Ubuntu 22.04 LTS or Debian 12. Docker 24+ installed.
Firewall: only ports 22 (SSH), 80 (HTTP), 443 (HTTPS) open. All others blocked.
SSH key auth only — password login disabled (PasswordAuthentication no in sshd_config).
Non-root deploy user created with sudo access to Docker only.
Automatic security updates enabled (unattended-upgrades).

# Verify firewall
nself prod check --item firewall

# Verify SSH config
nself prod check --item ssh

2. DNS

A record for root domain points to VPS IP.
Wildcard or explicit records for api., auth., storage., search. subdomains.
TTL set to 300 for initial launch (faster rollback if needed).
DNS propagation verified from at least two locations.

# Check DNS resolution
nself prod check --item dns --domain yourdomain.com

# Or manually
dig A yourdomain.com +short
dig A api.yourdomain.com +short

3. SSL / TLS

Let's Encrypt certificate issued for all public domains.
Auto-renewal cron active (nself ssl auto-renew --enable).
TLS 1.2 minimum enforced in Nginx config.
HTTP → HTTPS redirect active (301, not 302).
HSTS header present: max-age=63072000; includeSubDomains.

nself ssl verify --domain yourdomain.com
# Expected: Grade A or A+

nself ssl status
# Expected: All certificates VALID, expiry > 30 days

4. Secrets and Configuration

.env.secrets not committed to git.
HASURA_GRAPHQL_ADMIN_SECRET is at least 32 characters, randomly generated.
JWT_SECRET is at least 32 characters, randomly generated.
HASURA_GRAPHQL_ENABLE_CONSOLE=false in prod env.
NODE_ENV=production set.
All plugin license keys set if pro plugins are installed.

nself prod check --item secrets
nself prod check --item hasura-console

5. Database

All migrations applied and Hasura metadata consistent.
Postgres not exposed on a public port (only via Nginx/Hasura).
Row Level Security (RLS) enabled on all user-data tables.
Database password matches POSTGRES_PASSWORD in env.
Initial backup created before go-live.

nself db status --env prod
nself backup create --label pre-launch
nself prod check --item rls

6. Backups

Automated backup schedule configured (daily minimum).
Remote backup destination configured (S3, R2, GCS, or Azure).
Retention policy set (30 days recommended).
Test restore completed successfully in staging.

nself backup status
nself backup verify   # verifies most recent backup

7. Security Hardening

nself prod harden completed without errors.
Rate limiting active on auth endpoints.
SSRF guard enabled.
File upload limits configured.
Content Security Policy set.
Audit log enabled and writing to persistent storage.

nself prod check --full
# All items must show PASS.
# Fix any FAIL before proceeding.

8. Monitoring

Grafana dashboards loading at internal URL.
Prometheus scraping all services.
Loki receiving logs from all containers.
At least one alert channel configured (email or Slack).
Test alert fired and received.

nself monitor status
nself monitor test-alert   # sends test alert to configured channel

9. Health Checks

All services show healthy in nself health.
External uptime monitor pointed at https://yourdomain.com/health.
Status page URL shared with users (if applicable).

nself health
# All services: ✓ healthy

curl https://yourdomain.com/health
# {"status":"ok"}

10. Application

User registration flow works end-to-end.
Email delivery working (send a test email).
File uploads working (if storage plugin installed).
Pro plugins responding (if applicable).
Frontend apps loading without console errors.
404 and error pages are branded, not default Docker/Nginx pages.

# End-to-end smoke test
nself smoke-test --env prod --domain yourdomain.com

11. Final Steps

Increase DNS TTL to 3600 (after confirming everything works).
Document server IP, deploy user, and admin contacts in your runbook.
Store all secrets in your team password manager / vault.
Schedule a restore drill for 30 days post-launch.
Subscribe to nself security advisories: nself.org/security.

All items checked? You are ready to go live.

Go-Live Checklist

Everything to verify before opening the doors to real traffic.

v1.1.0

Run the automated check first

nself prod check --full

# Runs all items below automatically.
# Fix any FAIL before proceeding.

1. Infrastructure

Server meets minimum specs (2 vCPU / 4 GB RAM / 40 GB SSD).
Ubuntu 22.04 LTS or Debian 12. Docker 24+ installed.
Firewall: only ports 22 (SSH), 80 (HTTP), 443 (HTTPS) open. All others blocked.
SSH key auth only — password login disabled (PasswordAuthentication no in sshd_config).
Non-root deploy user created with sudo access to Docker only.
Automatic security updates enabled (unattended-upgrades).

# Verify firewall
nself prod check --item firewall

# Verify SSH config
nself prod check --item ssh

2. DNS

A record for root domain points to VPS IP.
Wildcard or explicit records for api., auth., storage., search. subdomains.
TTL set to 300 for initial launch (faster rollback if needed).
DNS propagation verified from at least two locations.

# Check DNS resolution
nself prod check --item dns --domain yourdomain.com

# Or manually
dig A yourdomain.com +short
dig A api.yourdomain.com +short

3. SSL / TLS

Let's Encrypt certificate issued for all public domains.
Auto-renewal cron active (nself ssl auto-renew --enable).
TLS 1.2 minimum enforced in Nginx config.
HTTP → HTTPS redirect active (301, not 302).
HSTS header present: max-age=63072000; includeSubDomains.

nself ssl verify --domain yourdomain.com
# Expected: Grade A or A+

nself ssl status
# Expected: All certificates VALID, expiry > 30 days

4. Secrets and Configuration

.env.secrets not committed to git.
HASURA_GRAPHQL_ADMIN_SECRET is at least 32 characters, randomly generated.
JWT_SECRET is at least 32 characters, randomly generated.
HASURA_GRAPHQL_ENABLE_CONSOLE=false in prod env.
NODE_ENV=production set.
All plugin license keys set if pro plugins are installed.

nself prod check --item secrets
nself prod check --item hasura-console

5. Database

All migrations applied and Hasura metadata consistent.
Postgres not exposed on a public port (only via Nginx/Hasura).
Row Level Security (RLS) enabled on all user-data tables.
Database password matches POSTGRES_PASSWORD in env.
Initial backup created before go-live.

nself db status --env prod
nself backup create --label pre-launch
nself prod check --item rls

6. Backups

Automated backup schedule configured (daily minimum).
Remote backup destination configured (S3, R2, GCS, or Azure).
Retention policy set (30 days recommended).
Test restore completed successfully in staging.

nself backup status
nself backup verify   # verifies most recent backup

7. Security Hardening

nself prod harden completed without errors.
Rate limiting active on auth endpoints.
SSRF guard enabled.
File upload limits configured.
Content Security Policy set.
Audit log enabled and writing to persistent storage.

nself prod check --full
# All items must show PASS.
# Fix any FAIL before proceeding.

8. Monitoring

Grafana dashboards loading at internal URL.
Prometheus scraping all services.
Loki receiving logs from all containers.
At least one alert channel configured (email or Slack).
Test alert fired and received.

nself monitor status
nself monitor test-alert   # sends test alert to configured channel

9. Health Checks

All services show healthy in nself health.
External uptime monitor pointed at https://yourdomain.com/health.
Status page URL shared with users (if applicable).

nself health
# All services: ✓ healthy

curl https://yourdomain.com/health
# {"status":"ok"}

10. Application

User registration flow works end-to-end.
Email delivery working (send a test email).
File uploads working (if storage plugin installed).
Pro plugins responding (if applicable).
Frontend apps loading without console errors.
404 and error pages are branded, not default Docker/Nginx pages.

# End-to-end smoke test
nself smoke-test --env prod --domain yourdomain.com

11. Final Steps

Increase DNS TTL to 3600 (after confirming everything works).
Document server IP, deploy user, and admin contacts in your runbook.
Store all secrets in your team password manager / vault.
Schedule a restore drill for 30 days post-launch.
Subscribe to nself security advisories: nself.org/security.

All items checked? You are ready to go live.

Go-Live Checklist

1. Infrastructure

2. DNS

3. SSL / TLS

4. Secrets and Configuration

5. Database

6. Backups

7. Security Hardening

8. Monitoring

9. Health Checks

10. Application

11. Final Steps

Related

Go-Live Checklist

1. Infrastructure

2. DNS

3. SSL / TLS

4. Secrets and Configuration

5. Database

6. Backups

7. Security Hardening

8. Monitoring

9. Health Checks

10. Application

11. Final Steps

Related