Skip to main content

Overview

Before deploying PhotoFlow to production, review this checklist to ensure a secure, reliable, and performant installation. This guide covers critical areas that differ from development setups.
Skipping items on this checklist can lead to security vulnerabilities, data loss, or poor performance.

Security

Authentication and Access

1

Change Default Passwords

CRITICAL: Never use default passwords in production!
Update all credentials:
.env
# Before (INSECURE)
DATABASE_URL="postgresql://photoflow:photoflow_password@..."

# After (SECURE)
DATABASE_URL="postgresql://photoflow:9mK$7nP@2xL#vQ5r@..."
Generate strong passwords:
# Linux/macOS
openssl rand -base64 32

# Or use a password manager
2

Secure Database Access

Restrict PostgreSQL access:Edit pg_hba.conf:
# Allow only localhost and specific IPs
host    photoflow    photoflow    127.0.0.1/32    md5
host    photoflow    photoflow    192.168.1.0/24  md5
Disable remote access if not needed:
# In postgresql.conf
listen_addresses = 'localhost'
3

Firewall Configuration

Only expose necessary ports:
# Allow only PhotoFlow port
sudo ufw allow 4173/tcp

# Block PostgreSQL from external access
sudo ufw deny 5432/tcp

# Enable firewall
sudo ufw enable
If using Docker, ensure container ports are bound to 127.0.0.1 for localhost-only access, or configure firewall rules for the Docker network.
4

HTTPS Setup (Recommended)

For internet-facing deployments, use HTTPS:Option 1: Reverse Proxy (nginx)
server {
    listen 443 ssl http2;
    server_name photoflow.yourdomain.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    location / {
        proxy_pass http://localhost:4173;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
    }
}
Option 2: Coolify Automatic HTTPS with Let’s Encrypt (see Coolify Deployment)
5

File Permissions

Restrict access to sensitive files:
# .env file - owner read/write only
chmod 600 .env

# Config files - owner and group read
chmod 640 *.config.js

# Verify
ls -la .env
# Output: -rw------- 1 user user ... .env

Network Security

For offline/internal networks:
  • Isolate PhotoFlow network from guest WiFi
  • Use VLANs to separate business networks
  • Disable WPS on routers
  • Use WPA3 or WPA2 encryption
For internet-facing deployments:
  • Use a VPN for remote access
  • Implement rate limiting
  • Add authentication middleware
  • Use Web Application Firewall (WAF)

Data Protection

Backup Strategy

1

Automated Database Backups

Create a backup script:
backup.sh
#!/bin/bash
BACKUP_DIR="/backups/photoflow"
DATE=$(date +%Y%m%d_%H%M%S)
FILENAME="photoflow_backup_${DATE}.sql.gz"

# Create backup
pg_dump -U photoflow photoflow | gzip > "${BACKUP_DIR}/${FILENAME}"

# Keep only last 30 days
find ${BACKUP_DIR} -name "*.sql.gz" -mtime +30 -delete

echo "Backup completed: ${FILENAME}"
Schedule with cron:
# Daily at 2 AM
crontab -e
0 2 * * * /path/to/backup.sh
2

Docker Backup

For Docker deployments:
# Backup script
docker compose exec postgres pg_dump -U photoflow photoflow | \
  gzip > "backup_$(date +%Y%m%d).sql.gz"

# Backup volumes
docker run --rm -v photoflow_postgres_data:/data \
  -v $(pwd):/backup alpine \
  tar czf /backup/volume_backup.tar.gz /data
3

Off-Site Backups

Store backups in multiple locations:
  • Local server - Fast recovery
  • Network storage - NAS or file server
  • Cloud storage - S3, Backblaze, etc. (encrypted)
  • External drive - Physical backup
# Example: Sync to S3
aws s3 sync /backups/photoflow s3://my-bucket/photoflow-backups/
4

Test Restoration

Regularly verify backups work:
# Create test database
createdb photoflow_test

# Restore from backup
gunzip -c backup_20260301.sql.gz | psql -U photoflow photoflow_test

# Verify data
psql -U photoflow photoflow_test -c "SELECT COUNT(*) FROM \"Tasks\";"

# Cleanup
dropdb photoflow_test
Schedule quarterly restore tests to ensure backups are valid.

Data Retention

  • Active tasks: Keep indefinitely
  • Finished tasks: Archive after 1 year or per business needs
  • Comments: Keep with associated tasks
  • Logs: Rotate and keep 90 days
-- Archive old finished tasks
DELETE FROM "Tasks" 
WHERE is_finished = true 
AND created_at < NOW() - INTERVAL '1 year';
Export data before deleting for compliance/records.

Performance

Server Configuration

1

Resource Allocation

Minimum requirements by team size:
Team SizeCPURAMDisk
1-5 users2 cores2 GB20 GB
5-10 users4 cores4 GB50 GB
10-20 users8 cores8 GB100 GB
Monitor usage:
# CPU and memory
htop

# Disk space
df -h

# Docker resources
docker stats
2

Database Optimization

PostgreSQL tuning:
postgresql.conf
# For 4GB RAM server
shared_buffers = 1GB
effective_cache_size = 3GB
maintenance_work_mem = 256MB
work_mem = 16MB
max_connections = 50
Add indexes:
CREATE INDEX idx_tasks_column ON "Tasks"("taskColumn");
CREATE INDEX idx_tasks_finished ON "Tasks"("is_finished");
CREATE INDEX idx_tasks_dueat ON "Tasks"("dueAt");
CREATE INDEX idx_comments_task ON "task_comments"("task_id");
3

Regular Maintenance

Schedule maintenance tasks:
maintenance.sh
#!/bin/bash
# Run weekly

echo "Starting database maintenance..."

# Vacuum and analyze
psql -U photoflow photoflow -c "VACUUM ANALYZE;"

# Reindex
psql -U photoflow photoflow -c "REINDEX DATABASE photoflow;"

echo "Maintenance complete"

# Schedule weekly (Sunday 3 AM)
0 3 * * 0 /path/to/maintenance.sh

Application Performance

  • Enable production mode: NODE_ENV=production
  • Use built version: npm run build && npm run preview
  • Enable compression: Add gzip to reverse proxy
  • CDN for static assets: If internet-facing

Monitoring and Logging

Log Management

1

Application Logs

Configure log rotation:
/etc/logrotate.d/photoflow
/var/log/photoflow/*.log {
    daily
    rotate 90
    compress
    delaycompress
    notifempty
    create 0640 photoflow photoflow
    sharedscripts
}
2

Docker Logs

Limit log size:
docker-compose.yml
services:
  app:
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"
3

PostgreSQL Logs

Enable query logging for slow queries:
postgresql.conf
log_min_duration_statement = 1000  # Log queries > 1 second
log_line_prefix = '%t [%p]: [%l-1] user=%u,db=%d '

Health Monitoring

Set up monitoring for:

Uptime

  • Service availability
  • Response times
  • Error rates
Tools: Uptime Kuma, Pingdom

Resources

  • CPU usage
  • Memory usage
  • Disk space
Tools: Prometheus, Grafana, Netdata

Database

  • Connection count
  • Query performance
  • Replication lag
Tools: pg_stat_statements

Application

  • Error logs
  • Socket.io connections
  • Active users
Tools: Sentry, LogRocket

Reliability

High Availability

1

Automatic Restart

Ensure services restart on failure:Docker:
services:
  app:
    restart: unless-stopped
Systemd:
[Service]
Restart=always
RestartSec=10
2

Start on Boot

Enable services at startup:
# Docker
sudo systemctl enable docker

# Custom service
sudo systemctl enable photoflow
3

Graceful Shutdown

Handle shutdown properly:
# In scripts
trap 'docker compose down' EXIT

# Allow time for connections to close
docker compose down --timeout 30

Disaster Recovery Plan

Document and test:
  1. Backup locations - Where backups are stored
  2. Restoration steps - Step-by-step recovery process
  3. Contact information - Who to call for help
  4. RTO/RPO targets - Recovery time/point objectives
Example recovery procedure: 
# 1. Install PhotoFlow on new server
git clone https://github.com/DomenicWalther/PhotoFlow.git
cd PhotoFlow

# 2. Install dependencies
npm install

# 3. Configure environment
cp .env.example .env
# Edit .env with production values

# 4. Restore database
createdb photoflow
gunzip -c /path/to/backup.sql.gz | psql photoflow

# 5. Start application
npm run build
npm run preview -- --host

Compliance and Documentation

Document Your Setup

Maintain documentation for:
  • Architecture diagram - Network topology
  • Configurations - All .env values (sanitized)
  • Procedures - Deployment, backup, recovery
  • Contacts - Admin, support, vendor info
  • Credentials - Securely store (password manager)
  • Change log - Track configuration changes

Regular Reviews

1

Monthly

  • Review logs for errors
  • Check disk space usage
  • Verify backups are running
  • Update dependencies
2

Quarterly

  • Test backup restoration
  • Review access permissions
  • Update documentation
  • Security audit
3

Annually

  • Disaster recovery drill
  • Performance review
  • Capacity planning
  • Full security assessment

Pre-Launch Checklist

Before going live, verify:

Security

  • Changed all default passwords
  • Configured firewall rules
  • Set proper file permissions
  • HTTPS enabled (if internet-facing)
  • Database access restricted

Backups

  • Automated backups configured
  • Off-site backup location set up
  • Tested restoration process
  • Backup monitoring in place

Performance

  • Adequate server resources
  • Database optimized and indexed
  • Production mode enabled
  • Caching configured (if applicable)

Monitoring

  • Log rotation configured
  • Health checks set up
  • Alerting configured
  • Monitoring dashboard accessible

Reliability

  • Services restart automatically
  • Start on boot enabled
  • Disaster recovery plan documented
  • Tested failover procedures

Documentation

  • Architecture documented
  • Procedures written
  • Contacts and credentials secured
  • Training completed for team

Maintenance Schedule

Recommended ongoing maintenance:
TaskFrequencyEstimated Time
Review logsDaily5 min
Check backupsDaily2 min
Monitor resourcesWeekly10 min
Update dependenciesMonthly30 min
Test restorationQuarterly1 hour
Security auditQuarterly2 hours
Full DR drillAnnually4 hours

Getting Help

If you need assistance:

GitHub Issues

Report bugs or request features: PhotoFlow Issues

Email Support

Contact the maintainer: [email protected]

Community

Discuss with other users (if forum exists)

Professional Support

Consider hiring consultants for:
  • Custom modifications
  • Enterprise deployment
  • Training

Next Steps

Network Setup

Configure multi-PC access securely

Database Setup

Advanced database configuration and maintenance

Docker Deployment

Containerized production deployment

Coolify Deployment

Managed deployment platform

Build docs developers (and LLMs) love

Get started for freeTalk to us