Refactor deployment workflows and add SSL setup documentation for production

DIGICERT_SSL_SETUP.md

@@ -0,0 +1,125 @@
+# DigiCert SSL Certificate Setup for Production
+
+## Certificate Files Required
+
+From DigiCert, you'll receive these files:
+- `merchbay_com.crt` - Your domain certificate
+- `merchbay_com.key` - Private key (generated during CSR creation)
+- `DigiCertCA.crt` - Intermediate certificate
+- `TrustedRoot.crt` - Root certificate (optional)
+
+## Step 1: Combine Certificate Chain (on your local machine)
+
+```bash
+# Create full chain certificate
+cat merchbay_com.crt DigiCertCA.crt > merchbay.com.crt
+
+# Copy private key
+cp merchbay_com.key merchbay.com.key
+```
+
+## Step 2: Upload to Production Server
+
+```bash
+# SSH to production server
+ssh PROD_DEPLOY_USER@PROD_DEPLOY_HOST
+
+# Create certificates directory
+sudo mkdir -p /srv/certs
+sudo chmod 700 /srv/certs
+
+# Exit SSH, then upload from local machine
+scp merchbay.com.crt PROD_DEPLOY_USER@PROD_DEPLOY_HOST:/tmp/
+scp merchbay.com.key PROD_DEPLOY_USER@PROD_DEPLOY_HOST:/tmp/
+
+# SSH back to server and move files
+ssh PROD_DEPLOY_USER@PROD_DEPLOY_HOST
+sudo mv /tmp/merchbay.com.crt /srv/certs/
+sudo mv /tmp/merchbay.com.key /srv/certs/
+sudo chmod 600 /srv/certs/*
+sudo chown root:root /srv/certs/*
+```
+
+## Step 3: Upload Traefik Configuration
+
+```bash
+# From local machine
+scp traefik-certs.yml PROD_DEPLOY_USER@PROD_DEPLOY_HOST:/tmp/
+
+# SSH to server
+ssh PROD_DEPLOY_USER@PROD_DEPLOY_HOST
+sudo mkdir -p /srv/traefik
+sudo mv /tmp/traefik-certs.yml /srv/traefik/dynamic-certs.yml
+sudo chmod 644 /srv/traefik/dynamic-certs.yml
+```
+
+## Step 4: Update Traefik Container
+
+Ensure your Traefik docker-compose.yml includes:
+
+```yaml
+services:
+  traefik:
+    image: traefik:v2.10
+    command:
+      - --providers.docker=true
+      - --providers.docker.exposedbydefault=false
+      - --providers.file.filename=/dynamic-certs.yml
+      - --entrypoints.web.address=:80
+      - --entrypoints.websecure.address=:443
+      - --entrypoints.web.http.redirections.entrypoint.to=websecure
+      - --entrypoints.web.http.redirections.entrypoint.scheme=https
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /srv/certs:/srv/certs:ro
+      - /srv/traefik/dynamic-certs.yml:/dynamic-certs.yml:ro
+    networks:
+      - traefik-public
+    restart: unless-stopped
+```
+
+## Step 5: Restart Traefik
+
+```bash
+cd /opt/traefik  # or wherever your traefik docker-compose.yml is
+docker compose restart traefik
+
+# Verify certificate is loaded
+docker compose logs traefik | grep -i certificate
+```
+
+## Step 6: Deploy merchbay Application
+
+Once Traefik is configured, deploy merchbay:
+
+```bash
+cd /var/www/merchbay
+docker compose up -d
+```
+
+## Verification
+
+```bash
+# Check certificate
+openssl s_client -connect merchbay.com:443 -servername merchbay.com < /dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
+
+# Should show:
+# subject=CN = merchbay.com
+# issuer=O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
+# notBefore=...
+# notAfter=...
+```
+
+## Certificate Renewal
+
+DigiCert certificates typically last 1-2 years. Set a reminder to renew 30 days before expiration and repeat Steps 1-3 and 5.
+
+## Security Notes
+
+- Never commit `.key` files to git
+- Keep private keys secure (600 permissions)
+- Use strong encryption for private key storage
+- Consider using a certificate management system for automatic renewal