Production Checklist
Use this checklist before launch. For field definitions, see Configuration Index. For deployment steps, see Docker Compose or Helm.
Required
| Check | Acceptance criteria |
|---|---|
| Config validation | synctv config validate --strict passes. |
| JWT secret | jwt.secret comes from a secret or environment variable and is not an example value. |
| OPAQUE setup secret | security.opaque_server_setup_secret is generated, backed up, and stable across restarts. |
| Credential encryption key | security.credential_encryption_key is 64 hex characters and backed up. |
| Root password | bootstrap.root_password or SYNCTV_BOOTSTRAP_ROOT_PASSWORD is not committed to Git. |
| PostgreSQL | Uses persistent storage. |
| Database backup | At least one restorable backup exists. |
| Migration | Startup logs or synctv db status show healthy migration state. |
| Readiness | /health/ready succeeds. |
| TLS | Public entrypoints use HTTPS. |
| Management | management gRPC is not exposed to normal public clients. |
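The secret rows above are easy to get wrong quietly (a 63-character key, a copied example value), so they are worth checking mechanically before launch. The script below is an added example, not synctv code: secret values are passed as arguments because the page does not state how config keys map to environment variables (only SYNCTV_BOOTSTRAP_ROOT_PASSWORD is named), and the placeholder word list and the 32-character minimum for non-hex secrets are this example's assumptions, not limits synctv enforces.

```shell
#!/bin/sh
# Added example (not part of the synctv project): preflight checks for the
# "Required" rows. Values are passed as arguments, so nothing here assumes
# how synctv maps config keys to environment variables.

# is_hex64 VALUE: true when VALUE is exactly 64 lowercase hex characters,
# the documented shape of security.credential_encryption_key.
is_hex64() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# is_placeholder_secret VALUE: true when VALUE looks like an example value
# rather than a real secret. The word list and the 32-character minimum are
# assumptions of this example.
is_placeholder_secret() {
  v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  case "$v" in
    ''|changeme|change-me|secret|example|password|your-secret-here) return 0 ;;
    *example*|*changeme*|*replace*) return 0 ;;
  esac
  [ "${#v}" -lt 32 ] && return 0
  return 1
}

# gen_hex_key: 32 random bytes as 64 hex characters, suitable for
# security.credential_encryption_key. Uses /dev/urandom via od so it does not
# depend on openssl; `openssl rand -hex 32` produces the same shape.
gen_hex_key() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
  echo
}

# secret_committed_in_git VALUE: true when VALUE appears in a tracked file or
# anywhere in history of the current repository. Returns false when not run
# inside a git work tree, so run it from the deployment repository.
secret_committed_in_git() {
  git rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 1
  git grep -q -F -e "$1" -- . 2>/dev/null && return 0
  [ -n "$(git log -S"$1" --oneline -n 1 2>/dev/null)" ]
}

# preflight_secrets JWT_SECRET OPAQUE_SECRET CRED_KEY ROOT_PASSWORD
# Prints one line per failed check and returns the number of failures.
preflight_secrets() {
  fails=0
  if is_placeholder_secret "$1"; then
    echo "FAIL jwt.secret: placeholder or shorter than 32 chars"; fails=$((fails+1))
  fi
  if is_placeholder_secret "$2"; then
    echo "FAIL security.opaque_server_setup_secret: placeholder or shorter than 32 chars"; fails=$((fails+1))
  fi
  if ! is_hex64 "$3"; then
    echo "FAIL security.credential_encryption_key: must be exactly 64 hex chars"; fails=$((fails+1))
  fi
  if [ -n "$4" ] && secret_committed_in_git "$4"; then
    echo "FAIL bootstrap.root_password: value found in this repository"; fails=$((fails+1))
  fi
  return "$fails"
}

# Stand-alone demo: freshly generated values pass every check.
demo_key=$(gen_hex_key)
preflight_secrets "$demo_key" "$demo_key" "$demo_key" "" && echo "secrets preflight OK"
```

Wire `preflight_secrets "$JWT" "$OPAQUE" "$CREDKEY" "$ROOT_PW"` into the deploy pipeline and treat a non-zero exit as a blocker. Note that the history search only covers the repository you run it in; a password that was committed and later removed is still recoverable from that history and should be rotated, not just deleted.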
Network And Entry Points
| Check | Acceptance criteria |
|---|---|
| HTTP entrypoint | Reverse proxy or Ingress supports WebSocket upgrade. |
| CORS | When frontend and API use different origins, server.cors_allowed_origins contains only real origins. |
| Trusted proxies | server.trusted_proxies contains only proxy networks you control. |
| gRPC | Public gRPC uses separate Service/Ingress resources from HTTP. |
| Metrics | Metrics listener has authentication and is not exposed directly to the public internet. |
| STUN/RTMP | Required UDP/TCP ports are open when built-in STUN or livestreaming is enabled. |
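The CORS and trusted-proxy rows are the two network settings where a lax value silently widens trust: a `*` or a host with a trailing path in server.cors_allowed_origins is not an origin at all, and a `/0` in server.trusted_proxies lets any client forge X-Forwarded-For and the client IP derived from it. The script below is an added example, not synctv code; it takes the lists as space-separated arguments and makes no assumption about the config file format. The IPv6 check is deliberately loose, and IPv6 host literals in origins are not handled.

```shell
#!/bin/sh
# Added example (not part of synctv): sanity checks for
# server.cors_allowed_origins and server.trusted_proxies.

# is_origin VALUE: a bare origin is scheme://host[:port] with no path, query,
# credentials or wildcard. Only http and https are accepted.
is_origin() {
  printf '%s' "$1" | grep -Eq '^https?://[A-Za-z0-9.-]+(:[0-9]{1,5})?$'
}

# check_cors_origins "ORIGIN ORIGIN ...": fails on "*" and "null" (both
# match origins you do not control), on anything that is not a bare origin,
# and on plain http for non-local hosts, since public entrypoints are HTTPS.
check_cors_origins() {
  bad=0
  for o in $1; do
    case "$o" in
      '*'|null) echo "FAIL cors: '$o' admits arbitrary origins"; bad=1; continue ;;
    esac
    if ! is_origin "$o"; then
      echo "FAIL cors: '$o' is not a bare origin (scheme://host[:port])"; bad=1; continue
    fi
    case "$o" in
      http://localhost|http://localhost:*|http://127.0.0.1|http://127.0.0.1:*) ;;
      http://*) echo "FAIL cors: '$o' is not HTTPS"; bad=1 ;;
    esac
  done
  return "$bad"
}

# is_cidr4 VALUE: IPv4 address or CIDR with octets 0-255 and prefix 0-32.
is_cidr4() {
  ip=${1%/*}; p=${1#*/}
  [ "$p" = "$1" ] && p=32
  printf '%s' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  printf '%s' "$p" | grep -Eq '^[0-9]{1,2}$' || return 1
  [ "$p" -le 32 ] || return 1
  ( IFS=.; set -- $ip; for oct in "$@"; do [ "$oct" -le 255 ] || exit 1; done )
}

# is_cidr6 VALUE: loose IPv6 check (hex groups and colons, prefix 0-128).
is_cidr6() {
  a=${1%/*}; p=${1#*/}
  [ "$p" = "$1" ] && p=128
  printf '%s' "$a" | grep -Eq '^[0-9A-Fa-f:]*:[0-9A-Fa-f:]*$' || return 1
  printf '%s' "$p" | grep -Eq '^[0-9]{1,3}$' || return 1
  [ "$p" -le 128 ]
}

# check_trusted_proxies "CIDR CIDR ...": fails on any /0 (trusting every
# source address) and on entries that are not addresses or CIDRs.
check_trusted_proxies() {
  bad=0
  for n in $1; do
    if [ "${n#*/}" != "$n" ] && [ "${n#*/}" = "0" ]; then
      echo "FAIL trusted_proxies: $n trusts every source address"; bad=1; continue
    fi
    if ! is_cidr4 "$n" && ! is_cidr6 "$n"; then
      echo "FAIL trusted_proxies: $n is not an address or CIDR"; bad=1
    fi
  done
  return "$bad"
}

# Stand-alone demo with constructed values.
check_cors_origins "https://app.example.com https://app.example.com:8443" && echo "cors OK"
check_trusted_proxies "10.0.0.0/8 fd00::/8" && echo "trusted_proxies OK"
```

The trusted-proxy check only proves the entries are well-formed and not universal; whether a range is actually "a proxy network you control" is a judgement the script cannot make, so review the list against the reverse proxy or Ingress controller's real source addresses.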
Runtime Dependencies
| Check | Acceptance criteria |
|---|---|
| Redis | Redis is configured for production; multi-replica mode requires Redis. |
| Redis key prefix | redis.key_prefix is not shared with test, staging, or another production environment. |
| Logs | Logs are collected and searchable in the existing logging system. |
| Metrics | A Prometheus-compatible scraper is configured, with alerts based on Metrics Catalog. |
| Capacity | WebSocket connections, database connections, Redis, proxy bandwidth, and livestream traffic are estimated. |
Feature Checks
| Feature | Acceptance criteria |
|---|---|
| WebAuthn/passkeys | webauthn.rp_id and webauthn.rp_origin match the real HTTPS entrypoint. |
| SMTP | SMTP is configured and verified with synctv settings test-email. |
| OAuth2 | redirectUrl matches provider registration. |
| Provider credentials | Credentials are stored through secrets or controlled admin flows, not in the repository. |
| File-backed slice cache | Cache directory has capacity planning and cleanup policy. |
| Livestream HLS | Single-node storage is confirmed; multi-replica mode uses publisher-node proxy, shared_file, or OSS. |
| Cluster mode | All replicas share PostgreSQL, Redis, redis.key_prefix, and cluster.secret. |
| OpenAPI | Production exposure of /swagger-ui/ and /api-docs/openapi.json has been decided. |
Verification Commands
General

```shell
synctv config validate --strict
synctv db status
curl -fsS http://localhost:8080/health/ready
```

Docker Compose

```shell
docker compose config
docker compose up -d
docker compose ps
docker compose logs --tail=100 synctv
```

Helm

```shell
helm lint ./helm/synctv
helm template synctv ./helm/synctv --values values.yaml
kubectl -n synctv rollout status deploy/synctv
kubectl -n synctv get pods
```

Before Upgrade
| Check | Acceptance criteria |
|---|---|
| Database backup | PostgreSQL backup is complete before upgrade. |
| Secret continuity | Target version uses the same production secrets. |
| Test environment | Target version has started in a test environment with migrations, login, room reads/writes, and Provider access verified. |
| Rolling update | server.shutdown_drain_timeout_seconds is lower than the pod's terminationGracePeriodSeconds (Kubernetes defaults it to 30 when unset), so in-flight requests and WebSocket sessions drain after SIGTERM before the kubelet sends SIGKILL. |
| Rollback | Rollback version, database state, and config source are known. |
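The rolling-update row is the one that is easiest to verify mechanically and easiest to break by accident, because a chart that omits terminationGracePeriodSeconds still gets the Kubernetes default of 30 seconds. The script below is an added example, not synctv code: it reads the grace period from a rendered manifest (the output of `helm template ...` or `kubectl -n synctv get deploy/synctv -o yaml`), falls back to 30 when the field is absent, and requires the drain timeout to sit a margin below it. The 5-second margin and the sample manifest are this example's assumptions.

```shell
#!/bin/sh
# Added example (not part of synctv): check that
# server.shutdown_drain_timeout_seconds fits inside the pod's
# terminationGracePeriodSeconds before a rolling update.

# grace_period_from_manifest FILE: prints the first terminationGracePeriodSeconds
# found in FILE. Kubernetes applies 30 when the field is absent, so 30 is
# printed in that case rather than an empty value.
grace_period_from_manifest() {
  g=$(grep -E '^[[:space:]]*terminationGracePeriodSeconds:[[:space:]]*[0-9]+' "$1" \
      | head -n 1 | sed -E 's/.*:[[:space:]]*([0-9]+).*/\1/')
  printf '%s\n' "${g:-30}"
}

# drain_fits DRAIN GRACE [MARGIN]: true when DRAIN + MARGIN <= GRACE. The
# margin (default 5s, this example's choice) leaves room for preStop hooks and
# process exit after the drain completes, before SIGKILL arrives.
drain_fits() {
  margin=${3:-5}
  [ "$1" -ge 0 ] && [ "$2" -gt 0 ] && [ $(( $1 + margin )) -le "$2" ]
}

# check_rolling_update DRAIN FILE: prints a verdict and returns non-zero on
# failure so it can gate a pipeline step.
check_rolling_update() {
  grace=$(grace_period_from_manifest "$2")
  if drain_fits "$1" "$grace"; then
    echo "OK drain=${1}s grace=${grace}s"
  else
    echo "FAIL drain=${1}s must be at least 5s below grace=${grace}s"
    return 1
  fi
}

# write_sample_manifest FILE: constructed Deployment fragment for a dry run;
# not real synctv chart output.
write_sample_manifest() {
  cat > "$1" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: synctv
spec:
  template:
    spec:
      terminationGracePeriodSeconds: 60
      containers:
        - name: synctv
          image: synctv:example
EOF
}

# Stand-alone demo: a 45s drain fits a 60s grace period.
demo=$(mktemp)
write_sample_manifest "$demo"
check_rolling_update 45 "$demo"
rm -f "$demo"
```

Against a live cluster the same number is available as `kubectl -n synctv get deploy/synctv -o jsonpath='{.spec.template.spec.terminationGracePeriodSeconds}'`; an empty result means the default applies, which is exactly the case the fallback above covers.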