
Overview of Deploying BrainyCP on Server

Prerequisites and Basic Requirements

  • Operating System – The installation is designed for Debian‑based distributions (Ubuntu 20.04 or newer).
  • Root Access – All commands run as the root user or a user with sudo privileges.
  • Internet Connectivity – Required to download the installer script, Docker images, and Let's Encrypt certificates.
  • Docker Engine – Required on the host; the installer installs it automatically if it is missing.
  • System Resources – A minimum of 2 GB RAM and 2 CPU cores is recommended for a production instance.

File and Directory Structure

After the installation completes, the following key directories and files will exist on the server:

/root/nginx
├── compose.yml            # Docker‑Compose configuration for Nginx‑Certbot
├── <other generated files>
/data/nginx
├── nginx-certbot.env      # Environment file with CERTBOT_EMAIL and domain settings
├── user_conf.d
│   └── <prefix><server_id>.hostkey.in.conf   # Custom Nginx configuration for the application
└── ... (other data directories used by BrainyCP)
/etc/letsencrypt          # Mounted as external volume nginx_secrets

  • The /root/nginx directory holds the Docker‑Compose file and is owned by root with 0755 permissions.
  • The compose.yml file is owned by root, has 0644 permissions, and defines a single service: nginx.

Access Rights and Security

  • Root Ownership – All configuration files created by the deployment are owned by root.
  • Permission Settings:
      • compose.yml: 0644 – readable by all users, writable only by root.
      • /root/nginx: 0755 – executable and readable for all, writable by root.
      • Installation script: 0700 – executable only by root.
  • Docker Security – The Nginx container runs with network_mode: host, so it shares the host’s network stack. No port mappings are published; Nginx binds its listeners directly on the host’s interfaces.
  • Certificate Storage – Let’s Encrypt secrets are stored in an external Docker volume named nginx_secrets, mounted at /etc/letsencrypt inside the container. This keeps TLS keys and certificates in Docker-managed storage rather than in a bind-mounted host directory.

Databases

No database components are installed or configured by this deployment process. If BrainyCP requires a database, it must be set up separately by the user.

Docker Containers and Their Deployment

The deployment relies on a single Docker container:

| Container | Image | Restart Policy | Environment | Volumes | Network |
|---|---|---|---|---|---|
| nginx | jonasal/nginx-certbot:latest | unless-stopped | CERTBOT_EMAIL (and others from nginx-certbot.env) | nginx_secrets:/etc/letsencrypt and /data/nginx/user_conf.d:/etc/nginx/user_conf.d | host |

Running the Container

cd /root/nginx
docker compose up -d

The command starts the container in detached mode. If the container is already running, Compose leaves it running unless compose.yml or the image has changed, in which case it recreates the container to apply the new configuration.

Stopping the Container

cd /root/nginx
docker compose down

This stops and removes the container but preserves the Docker volumes.

Proxy Servers

  • Nginx‑Certbot – The deployed Nginx container handles HTTPS termination using Let’s Encrypt.
  • Proxy Pass – The Nginx configuration file located in /data/nginx/user_conf.d/ has a proxy_pass line that routes incoming requests to the application service listening on 127.0.0.1:8002.
  • Custom Domains – Domain names and SSL settings can be specified in the nginx-certbot.env file, which is sourced by the container at startup.

Permission Settings

  • Files under /root/nginx are readable and executable by all users but writable only by root.
  • The Nginx container runs as the default user defined in the Docker image; it does not run as root inside the container.
  • The external volume nginx_secrets is owned by the Docker daemon user (root) on the host, providing secure storage for TLS artifacts.
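
The ownership, mode, and proxy_pass values listed above can be verified after installation. The script below is an added example, not part of the deployment's own scripts; the function names, the optional PREFIX and OWNER arguments, and the sample tree are assumptions made so the audit can also run against a constructed layout.

```shell
#!/usr/bin/env bash
# Added example: audits the owner/mode values and proxy target stated on this page.
# PREFIX and OWNER are assumed parameters so the audit can run on a test tree.

check_path() {            # check_path PATH MODE OWNER
    local path=$1 want="$2 $3" have
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    have=$(stat -c '%a %U' "$path")          # GNU stat, as shipped on Debian/Ubuntu
    [ "$have" = "$want" ] || { echo "DRIFT   $path: have $have, want $want"; return 1; }
    echo "OK      $path ($have)"
}

check_proxy_pass() {      # check_proxy_pass CONF_DIR
    local dir=$1 all bad
    all=$(grep -rhE '^[[:space:]]*proxy_pass[[:space:]]' "$dir" 2>/dev/null || true)
    [ -n "$all" ] || { echo "MISSING proxy_pass in $dir"; return 1; }
    # Any directive not aimed at the loopback upstream named on the page is drift.
    bad=$(printf '%s\n' "$all" | grep -vE '[[:space:]]https?://127\.0\.0\.1:8002[/;]' || true)
    [ -z "$bad" ] || { echo "DRIFT   proxy_pass: $bad"; return 1; }
    echo "OK      proxy_pass -> 127.0.0.1:8002"
}

audit_deploy() {          # audit_deploy [PREFIX] [OWNER]
    local prefix=${1:-} owner=${2:-root} rc=0
    check_path "$prefix/root/nginx" 755 "$owner"             || rc=1
    check_path "$prefix/root/nginx/compose.yml" 644 "$owner" || rc=1
    check_proxy_pass "$prefix/data/nginx/user_conf.d"        || rc=1
    return "$rc"
}

make_sample_tree() {      # builds a constructed sample layout; prints its prefix
    local t; t=$(mktemp -d)
    mkdir -p "$t/root/nginx" "$t/data/nginx/user_conf.d"
    chmod 755 "$t/root/nginx"
    echo 'services: {nginx: {network_mode: host}}' > "$t/root/nginx/compose.yml"
    chmod 644 "$t/root/nginx/compose.yml"
    # Constructed file name; the real one follows <prefix><server_id>.hostkey.in.conf
    printf 'location / {\n    proxy_pass http://127.0.0.1:8002;\n}\n' \
        > "$t/data/nginx/user_conf.d/sample.conf"
    echo "$t"
}
```

On a deployed server, source the file and run audit_deploy with no arguments as root; any MISSING or DRIFT line marks a path that no longer matches the values documented here.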

Starting, Stopping, and Updating

| Action | Command | Notes |
|---|---|---|
| Start | docker compose up -d (in /root/nginx) | Starts the Nginx‑Certbot container in detached mode. |
| Stop | docker compose down (in /root/nginx) | Stops and removes the container but keeps the volume data. |
| Restart | docker compose restart | Restarts the container without pulling a new image. |
| Update | 1. Pull new image: docker pull jonasal/nginx-certbot:latest 2. Restart: docker compose up -d | Ensures the latest container image is used. |
| Reload Configuration | docker compose exec nginx nginx -s reload | Applies any changes to the Nginx configuration files without restarting the container. |

These commands are intended to be executed from the /root/nginx directory where the compose.yml file resides.
