# Pre-Deployment Checklist

Complete this checklist before deploying to production servers.

## Infrastructure Verification

### RU VDS (176.124.216.197)

- [ ] Can SSH into server: `ssh root@176.124.216.197`
- [ ] Have root access: `sudo -i` or logged in as root
- [ ] Server is Debian 12 (or compatible): `cat /etc/debian_version`
- [ ] Adequate resources:
  - [ ] At least 1GB RAM: `free -h`
  - [ ] At least 5GB free disk: `df -h`
  - [ ] CPU is reasonable: `lscpu`
- [ ] Internet connectivity: `ping -c 4 8.8.8.8`
- [ ] Can resolve DNS: `nslookup google.com`
- [ ] Port 51820/udp not in use: `ss -ulnp | grep 51820` (should be empty)
- [ ] Port 53 not in use by another service: `ss -ulnp | grep :53` (or just systemd-resolved)

### DE VDS (194.31.173.178)

- [ ] Can SSH into server: `ssh root@194.31.173.178`
- [ ] Have root access: `sudo -i` or logged in as root
- [ ] Server is Debian 13 (or compatible): `cat /etc/debian_version`
- [ ] Adequate resources:
  - [ ] At least 512MB RAM: `free -h`
  - [ ] At least 5GB free disk: `df -h`
  - [ ] CPU is reasonable: `lscpu`
- [ ] Internet connectivity: `ping -c 4 8.8.8.8`
- [ ] Can resolve DNS: `nslookup google.com`
- [ ] Port 51821/udp not in use: `ss -ulnp | grep 51821` (should be empty)

### Network Connectivity

- [ ] RU VDS can reach DE VDS: `ping -c 4 194.31.173.178` (from RU VDS)
- [ ] DE VDS can reach RU VDS: `ping -c 4 176.124.216.197` (from DE VDS)
- [ ] No firewall blocking UDP between servers (if any external firewall exists)

## Security Preparation

### SSH Access

- [ ] Have backup SSH access method (console access, VNC, etc.)
- [ ] Know how to access server if SSH breaks
- [ ] Current SSH session is stable
- [ ] Consider opening second SSH session before making changes

### Firewall Considerations

- [ ] Understand current firewall setup (if any): `iptables -L -n` or `nft list ruleset`
- [ ] Have documented how to disable firewall if something goes wrong
- [ ] Won't lock yourself out when applying new firewall rules

### Backup Current State

- [ ] Backup current network config: `cp /etc/network/interfaces /root/interfaces.backup` (if applicable)
- [ ] Backup current SSH config: `cp /etc/ssh/sshd_config /root/sshd_config.backup`
- [ ] Know how to rollback changes if needed

## Client Device Preparation

- [ ] Have at least one device to test VPN client
- [ ] WireGuard app installed on test device:
  - iOS/Android: WireGuard app from App Store/Play Store
  - Windows: WireGuard from wireguard.com
  - macOS: WireGuard from App Store or wireguard.com
  - Linux: `apt install wireguard-tools`
- [ ] Device can scan QR codes (for mobile) or can copy/paste config text

## Tools and Access

### Local Machine

- [ ] Have SSH access from local machine to both servers
- [ ] Can copy files via SCP: `scp test.txt root@176.124.216.197:/tmp/` works
- [ ] Have text editor ready for editing configs
- [ ] Have terminal with multiple tabs/windows open

### Required Information

- [ ] DE VDS IP: 194.31.173.178 (confirmed)
- [ ] RU VDS IP: 176.124.216.197 (confirmed)
- [ ] Root password or SSH keys for both servers
- [ ] Know which local device will be first test client

## Time and Planning

- [ ] Have allocated 1-2 hours for deployment
- [ ] Not during critical business hours (in case of issues)
- [ ] Have time for troubleshooting if needed
- [ ] Not in a rush

## Documentation Review

- [ ] Read QUICKSTART.md overview
- [ ] Reviewed DEPLOYMENT.md deployment steps
- [ ] Know where to find troubleshooting info (DEPLOYMENT.md)
- [ ] Have TESTING.md ready for post-deployment tests

## Script Verification

### Check scripts are ready

```bash
cd /home/mish/vpn.git
ls -la scripts/
```

Should see:

- [ ] setup-de-vds.sh (executable)
- [ ] setup-ru-vds.sh (executable)
- [ ] add-client.sh (executable)
- [ ] disable-client.sh (executable)
- [ ] enable-client.sh (executable)
- [ ] remove-client.sh (executable)
- [ ] list-clients.sh (executable)

## Configuration Files Check

```bash
cd /home/mish/vpn.git
ls -la configs/de-vds/
ls -la configs/ru-vds/
```

Should see all required config files.

## Risk Assessment

### Understand the risks

- [ ] Understand that changes will be made to network configuration
- [ ] Understand that firewall rules will be modified
- [ ] Understand that new services will be installed
- [ ] Have rollback plan if things go wrong
- [ ] Won't lose access to servers (have console/recovery access)

### Rollback Plan

If something goes wrong:

**DE VDS:**

```bash
# Stop services
systemctl stop wg-quick@wg0
systemctl stop nftables

# Flush firewall
nft flush ruleset
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Default accept
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
```

**RU VDS:**

```bash
# Stop services
systemctl stop wg-quick@wg0
systemctl stop wg-quick@wg1
systemctl stop dnsmasq

# Start systemd-resolved if it was stopped
systemctl start systemd-resolved

# Flush firewall
nft flush ruleset

# Remove policy routing
ip rule del from 10.10.0.0/24 fwmark 0x1 table proxy 2>/dev/null || true
ip route flush table proxy 2>/dev/null || true
```

## Post-Deployment Preparation

- [ ] Have notepad ready to save:
  - DE VDS public key
  - RU VDS server public key
  - RU VDS DE tunnel public key
- [ ] Ready to run tests from TESTING.md
- [ ] Have client device ready for connection test

## Final Verification

- [ ] All above items checked
- [ ] Confident to proceed
- [ ] Have time allocated
- [ ] No critical dependencies on servers right now
- [ ] Ready to start deployment

---

## Ready to Deploy?

If all items are checked, proceed to:

1. **QUICKSTART.md** - For rapid deployment
2. **DEPLOYMENT.md** - For detailed deployment guide

## Need More Info?

- Architecture details → README.md
- Implementation steps → IMPLEMENTATION.md
- Testing procedures → TESTING.md

---

## Deployment Day Checklist

### Morning of deployment

- [ ] Verify servers are accessible
- [ ] Verify servers are up-to-date: `apt update && apt list --upgradable`
- [ ] Create snapshot/backup if available from hosting provider
- [ ] Notify anyone who might be affected

### During deployment

- [ ] Follow DEPLOYMENT.md step by step
- [ ] Don't skip verification steps
- [ ] Test after each major phase
- [ ] Document any issues or deviations

### After deployment

- [ ] Complete all tests from TESTING.md
- [ ] Verify client can connect
- [ ] Verify routing is correct
- [ ] Document any configuration changes made
- [ ] Save all keys securely

---

## Emergency Contacts

Document here:

- VDS provider support: _______________________
- Backup admin contact: _______________________
- Your remote access method: _______________________

---

**Date completed:** _______________

**Completed by:** _______________

**Ready to proceed:** ☐ Yes ☐ No

**If No, blockers:**

_________________________________

_________________________________

_________________________________
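
---

The UDP port checks under Infrastructure Verification can be scripted with an exact match on the port field, so that 5353 is not mistaken for 53 and a PID containing 51820 is not mistaken for the port. This is an added example, not one of the project's scripts; `port_status` and `sample_ss` are hypothetical names, the `ss -ulnp` sample is constructed, and the allowed name is `systemd-resolve` because `ss` prints the 15-character process name.

```shell
#!/bin/sh
# Added example (not from the project): exact-match UDP port pre-flight check.
# On a host, as root: ss -ulnp | port_status 53 systemd-resolve
# Prints free | allowed:<proc> | busy:<procs>; returns 1 only for busy.
port_status() {
    awk -v port="$1" -v allowed="${2:-}" '
        {
            # Column 4 is the local endpoint: addr:port, [v6]:port, addr%if:port
            n = split($4, parts, ":")
            if (parts[n] != port) next
            # users:(("name",pid=..)) is absent when ss lacks privileges
            # or when no userspace process owns the socket.
            proc = "unknown"
            if (match($0, /users:\(\("[^"]+"/)) {
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            }
            seen[proc] = 1
        }
        END {
            for (p in seen) {
                if (p == allowed) { ok = p }
                else { bad = bad (bad == "" ? "" : ",") p }
            }
            if (bad != "") { print "busy:" bad; exit 1 }
            if (ok != "")  { print "allowed:" ok; exit 0 }
            print "free"
        }'
}

# Constructed sample of `ss -ulnp` output (not captured from the real servers).
sample_ss() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=13))
UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("avahi-daemon",pid=640,fd=12))
UNCONN 0      0      0.0.0.0:51821      0.0.0.0:*
UNCONN 0      0      [::]:51821         [::]:*
EOF
}

# Demo on the sample: 51820 is free, 51821 is held by a socket with no
# visible owner, and 53 is acceptable only when systemd-resolve holds it.
for spec in "51820" "51821" "53 systemd-resolve" "53"; do
    # $spec is deliberately unquoted so "53 systemd-resolve" becomes two args
    printf '%-20s %s\n' "$spec" "$(sample_ss | port_status $spec)"
done
```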