
Production Checklist

Use this checklist before launch. For field definitions, see Configuration Index. For deployment steps, see Docker Compose or Helm.

| Check | Acceptance criteria |
| --- | --- |
| Config validation | `synctv config validate --strict` passes. |
| JWT secret | `jwt.secret` comes from a secret or environment variable and is not an example value. |
| OPAQUE setup secret | `security.opaque_server_setup_secret` is generated, backed up, and stable across restarts. |
| Credential encryption key | `security.credential_encryption_key` is 64 hex characters and backed up. |
| Root password | `bootstrap.root_password` or `SYNCTV_BOOTSTRAP_ROOT_PASSWORD` is not committed to Git. |
| PostgreSQL | Uses persistent storage. |
| Database backup | At least one restorable backup exists. |
| Migration | Startup logs or `synctv db status` show a healthy migration state. |
| Readiness | `/health/ready` succeeds. |
| TLS | Public entrypoints use HTTPS. |
| Management | Management gRPC is not exposed to normal public clients. |
| Check | Acceptance criteria |
| --- | --- |
| HTTP entrypoint | Reverse proxy or Ingress supports WebSocket upgrade. |
| CORS | When the frontend and API use different origins, `server.cors_allowed_origins` contains only real origins. |
| Trusted proxies | `server.trusted_proxies` contains only proxy networks you control. |
| gRPC | Public gRPC uses separate Service/Ingress resources from HTTP. |
| Metrics | The metrics listener has authentication and is not exposed directly to the public internet. |
| STUN/RTMP | Required UDP/TCP ports are open when built-in STUN or livestreaming is enabled. |
| Check | Acceptance criteria |
| --- | --- |
| Redis | Redis is configured for production; multi-replica mode requires Redis. |
| Redis key prefix | `redis.key_prefix` is not shared with test, staging, or another production environment. |
| Logs | Logs are collected and searchable in the existing logging system. |
| Metrics | A Prometheus-compatible scraper is configured, with alerts based on the Metrics Catalog. |
| Capacity | WebSocket connections, database connections, Redis, proxy bandwidth, and livestream traffic are estimated. |
| Feature | Acceptance criteria |
| --- | --- |
| WebAuthn/passkeys | `webauthn.rp_id` and `webauthn.rp_origin` match the real HTTPS entrypoint. |
| Email | SMTP is configured and verified with `synctv settings test-email`. |
| OAuth2 | `redirectUrl` matches the provider registration. |
| Provider credentials | Credentials are stored through secrets or controlled admin flows, not in the repository. |
| File-backed slice cache | The cache directory has capacity planning and a cleanup policy. |
| Livestream HLS | Single-node storage is confirmed; multi-replica mode uses publisher-node proxy, `shared_file`, or OSS. |
| Cluster mode | All replicas share PostgreSQL, Redis, `redis.key_prefix`, and `cluster.secret`. |
| OpenAPI | Production exposure of `/swagger-ui/` and `/api-docs/openapi.json` has been decided. |
```sh
synctv config validate --strict
synctv db status
curl -fsS http://localhost:8080/health/ready
```

```sh
docker compose config
docker compose up -d
docker compose ps
docker compose logs --tail=100 synctv
```

```sh
helm lint ./helm/synctv
helm template synctv ./helm/synctv --values values.yaml
kubectl -n synctv rollout status deploy/synctv
kubectl -n synctv get pods
```
| Check | Acceptance criteria |
| --- | --- |
| Database backup | The PostgreSQL backup is complete before the upgrade. |
| Secret continuity | The target version uses the same production secrets. |
| Test environment | The target version has started in a test environment with migrations, login, room reads/writes, and Provider access verified. |
| Rolling update | `server.shutdown_drain_timeout_seconds` is lower than the Kubernetes termination grace period. |
| Rollback | The rollback version, database state, and config source are known. |
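Several rows above (the secret and key format rows, the CORS and trusted-proxy rows, the WebAuthn row, and the rolling-update row) can be checked mechanically before `synctv config validate` is even run. The script below is an added example, not part of SyncTV or its tooling: it assumes the config is a nested mapping whose dotted paths match the checklist (`jwt.secret`, `security.credential_encryption_key`, `server.trusted_proxies`, and so on); the real file layout, the placeholder-secret list, the 32-character minimum for `jwt.secret`, and the grace-period value are all assumptions. The sample config is constructed and deliberately mixes passing and failing values.

```python
"""Mechanical pre-launch checks against a SyncTV-style config mapping.
Added example; dotted paths mirror the checklist, file layout is assumed."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample config mixing passing and failing values.
SAMPLE_CONFIG = {
    "jwt": {"secret": "change-me"},                        # placeholder: fail
    "security": {
        "opaque_server_setup_secret": "",                  # not set: fail
        "credential_encryption_key": "ab" * 32,            # 64 hex chars: pass
    },
    "server": {
        "cors_allowed_origins": ["https://app.example.com", "*"],  # wildcard: fail
        "trusted_proxies": ["10.0.0.0/8", "not-a-cidr"],           # bad CIDR: fail
        "shutdown_drain_timeout_seconds": 45,                      # > grace: fail
    },
    "webauthn": {"rp_id": "app.example.com",
                 "rp_origin": "https://app.example.com"},  # consistent: pass
}
SAMPLE_GRACE_SECONDS = 30  # assumed terminationGracePeriodSeconds of the Deployment

PLACEHOLDERS = {"", "change-me", "changeme", "secret", "example", "password"}  # assumed list
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def get(cfg, dotted, default=None):
    """Walk a nested mapping by dotted path, e.g. 'server.trusted_proxies'."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def is_origin(value):
    """A real origin is scheme://host[:port] with no path, query, fragment or '*'."""
    if "*" in value:
        return False
    p = urlsplit(value)
    return (p.scheme in ("http", "https") and bool(p.netloc)
            and p.path == "" and not p.query and not p.fragment)


def is_cidr(value):
    """True when the entry parses as an IPv4/IPv6 network."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def rp_id_matches(rp_id, rp_origin):
    """WebAuthn: origin must be https and its host must equal rp_id or be a subdomain of it."""
    p = urlsplit(rp_origin)
    host = p.hostname or ""
    return p.scheme == "https" and (host == rp_id or host.endswith("." + rp_id))


def run_checks(cfg, grace_seconds):
    """Return [(check, ok, detail)] for the rows that can be verified mechanically."""
    secret = str(get(cfg, "jwt.secret", ""))
    key = str(get(cfg, "security.credential_encryption_key", ""))
    opaque = str(get(cfg, "security.opaque_server_setup_secret", ""))
    cors = get(cfg, "server.cors_allowed_origins", []) or []
    proxies = get(cfg, "server.trusted_proxies", []) or []
    drain = get(cfg, "server.shutdown_drain_timeout_seconds", 0) or 0
    return [
        ("jwt.secret", secret.lower() not in PLACEHOLDERS and len(secret) >= 32,
         "must not be an example value (assumed minimum 32 chars)"),
        ("security.opaque_server_setup_secret", bool(opaque), "must be set"),
        ("security.credential_encryption_key", bool(HEX64.match(key)),
         "must be exactly 64 hex characters"),
        ("server.cors_allowed_origins", all(is_origin(o) for o in cors),
         "entries must be real origins, no wildcards or paths"),
        ("server.trusted_proxies", all(is_cidr(n) for n in proxies),
         "entries must be valid CIDR networks"),
        ("webauthn.rp_id/rp_origin",
         rp_id_matches(get(cfg, "webauthn.rp_id", ""), get(cfg, "webauthn.rp_origin", "")),
         "rp_origin must be https and its host must match rp_id"),
        ("server.shutdown_drain_timeout_seconds", drain < grace_seconds,
         "must be lower than terminationGracePeriodSeconds"),
    ]


def failed_checks(cfg, grace_seconds):
    """Names of the checks that did not pass, in checklist order."""
    return [name for name, ok, _ in run_checks(cfg, grace_seconds) if not ok]


if __name__ == "__main__":
    for name, ok, detail in run_checks(SAMPLE_CONFIG, SAMPLE_GRACE_SECONDS):
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {detail}")
    raise SystemExit(1 if failed_checks(SAMPLE_CONFIG, SAMPLE_GRACE_SECONDS) else 0)
```

Run it with the config loaded from your real file (for example `yaml.safe_load`) and the Deployment's `terminationGracePeriodSeconds` in place of the sample values; a non-zero exit makes it usable as a CI gate ahead of `synctv config validate --strict`. The origin check is deliberately strict: a trailing slash or a wildcard entry in `server.cors_allowed_origins` fails, which is what the CORS row above asks for.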