generated from bisco/codex-bootstrap
3.1 KiB
3.1 KiB
Runbook
Site shows fallback content
- Check
docker compose psand the backend health status. - Request
http://azionelab.org:8080/api/site/home/through NGINX. - Inspect
docker compose logs backend db. - Verify
PUBLIC_CMS_API_URLresolves from the frontend container. - Restart the frontend after recovery so its static page is rebuilt from CMS data.
Wagtail does not start
- Confirm PostgreSQL is healthy.
- Check
DATABASE_URLand allowed hosts without printing secret values in shared logs. - Run
docker compose exec backend python manage.py migrate. - Review backend logs for a specific migration or configuration error.
Images are missing
- Verify the
media_datavolume is mounted at/app/media. - Check
WAGTAILADMIN_BASE_URLuses a URL reachable by the browser. - Confirm the image still exists in Wagtail and has not been removed from the volume.
A service is unhealthy
- Run
docker compose psand inspectdocker compose logs --tail=200 SERVICE. - For PostgreSQL, check volume capacity and database/user configuration.
- For the backend, check
/health/, migrations, and database connectivity. - For the frontend, request port
4321, then check the API separately because fallback content can mask a CMS outage.
NGINX returns 404 or 502
- Confirm the request host is exactly
azionelab.org; unknown hosts intentionally receive 404. - Run
docker compose exec proxy nginx -t. - Check
docker compose psand verify both backend and frontend are healthy. - Inspect
docker compose logs --tail=200 proxy backend frontend. - Verify local DNS or
/etc/hostsmapsazionelab.orgto the proxy address.
Let's Encrypt does not issue a certificate
- Confirm
LETSENCRYPT_ENABLED=1and thatdocker compose ps -a certbot proxyshows both containers running and the proxy healthy. - Check that the domain's public A/AAAA records point to this host. Remove an AAAA record if IPv6 does not actually reach it.
- Verify inbound TCP port 80 reaches NGINX; HTTP-01 cannot use only port 443.
- Request
http://azionelab.org/.well-known/acme-challenge/missing: a 404 from NGINX confirms the challenge route is reachable, while a timeout or another server does not. - Inspect
docker compose logs --tail=200 certbot proxyfor ACME validation or rate limit errors. Do not repeatedly retry the production CA; use staging while fixing connectivity.
HTTPS is not activated after issuance
- Run
docker compose run --rm --no-deps --entrypoint certbot certbot certificates. - Confirm
LETSENCRYPT_DOMAINexactly matches the certificate name used by both services. - Wait for
TLS_RELOAD_INTERVAL_SECONDS, then inspect proxy logs fornginx -tor reload errors. - Run
docker compose exec proxy nginx -tand check HTTPS locally with an explicit DNS override.
Rollback
Disable Certbot with LETSENCRYPT_ENABLED=0 if TLS is moving to a load balancer, then
recreate the affected services. Revert the application commit and rebuild containers
for a full rollback. Preserve database, media, and certificate volumes. Before
reversing migrations or deleting volumes, make and validate coordinated backups.