Folder Structure
Stack Naming (Portainer)
- Format: `[env]-[service]-stack`
- Examples:
  - `dev-n8n-stack`
  - `prod-n8n-stack`
  - `staging-traefik-stack`
Environments
dev/
- Used for experiments, rapid iteration, and test credentials only (throwaway credentials that grant nothing outside `dev`).
- Safe to break.
- Only accessible to the internal team.
staging/
- Used for internal QA.
- Should mirror `prod` config and infrastructure 1:1, or as close to it as possible.
- Uses real integration endpoints (e.g., SMTP, OAuth), but never production data.
prod/
- Production only.
- Zero-downtime expectation.
- Code and config must flow from `staging`, never directly from `dev`.
Workflow Summary
Develop in dev/
- Work with live containers locally or via a Portainer Stack.
- Debug, test new features, iterate quickly.
Promote to staging/
- Use `rsync` or `git` to copy the working config.
- Replace the test `.env` values with real sandbox/QA credentials.
- Run end-to-end test flows.
Promote to prod/
- Only after staging passes.
- Tag the commit (e.g., `v1.2.0-prod`) and deploy via CI/CD or a Portainer Git Stack.
- Document changes and review logs post-deploy.
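The promotion step above, as an added example (this is not the team's own tooling). It copies one stack's directory up one environment while skipping every `.env`-style file, so the destination keeps its own credentials and dev credentials never travel upward; it also refuses any path other than `dev -> staging -> prod`. The `environments/<env>/<service>/` layout, the `ROOT` variable, the dotenv filename conventions and the assumption that paths contain no whitespace are all mine, not the document's.

```shell
#!/bin/sh
# Added example: promotes one stack's config from dev to staging or from
# staging to prod without carrying its .env along. Not the project's own
# tooling; the environments/<env>/<service>/ layout and the dotenv filename
# conventions are assumptions. Paths are assumed not to contain whitespace.
set -eu

ROOT=${ROOT:-environments}

# promote SERVICE FROM TO
# Copies ROOT/FROM/SERVICE into ROOT/TO/SERVICE. Every .env-style file is
# skipped, so the destination keeps its own credentials and the source's
# test credentials never travel upward. .env.example is a template and is
# copied so the next environment sees which variables it must provide.
promote() {
    service=$1; from=$2; to=$3
    case "$from:$to" in
        dev:staging|staging:prod) ;;
        *) printf 'refusing %s -> %s: config flows dev -> staging -> prod only\n' "$from" "$to" >&2
           return 1 ;;
    esac
    src="$ROOT/$from/$service"
    dst="$ROOT/$to/$service"
    [ -d "$src" ] || { printf 'no such stack: %s\n' "$src" >&2; return 1; }
    mkdir -p "$dst"
    ( cd "$src" && find . -type f ! -name '.env' ! -name '*.env' \
                         \( ! -name '.env.*' -o -name '.env.example' \) ) |
    while IFS= read -r f; do
        mkdir -p "$dst/$(dirname "$f")"
        cp "$src/$f" "$dst/$f"
    done
    verify_not_copied "$src" "$dst"
}

# verify_not_copied SRC DST -> 1 if any .env-style file in SRC has a
# byte-identical twin at the same path in DST, which means credentials were
# shared between environments (by hand, or by an rsync without --exclude).
verify_not_copied() {
    src=$1; dst=$2
    leaked=$(find "$src" -type f \( -name '.env' -o -name '*.env' -o -name '.env.*' \) ! -name '.env.example' |
        while IFS= read -r f; do
            rel=${f#"$src"/}
            if [ -f "$dst/$rel" ] && cmp -s "$f" "$dst/$rel"; then printf '%s\n' "$rel"; fi
        done)
    if [ -n "$leaked" ]; then
        printf 'identical credentials file in both environments:\n%s\n' "$leaked" >&2
        return 1
    fi
}

# Usage: sh promote.sh n8n dev staging
if [ $# -eq 3 ]; then
    promote "$1" "$2" "$3"
fi
```

If you prefer `rsync` to the `find`/`cp` loop, the equivalent is `rsync -a --exclude='.env' --exclude='*.env' --exclude='.env.*' src/ dst/`; the `verify_not_copied` check is still worth running afterwards, because it catches the case where someone copied a `.env` by hand.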
Secrets Management
Current State
`.env` files are stored in Git. This is not secure: every clone of the repository carries the credentials, and they stay in the history even after the file is deleted.
Immediate Fix
- Move `.env` values to Portainer Secrets (one set per environment).
- Reference them from `docker-compose.yml` through the `secrets:` key (the container reads each one from `/run/secrets/<name>`) instead of passing them in `environment:`.
- Rotate every credential that was ever committed; removing the file from the tree does not remove it from the history.
Near-Future Upgrade Path
- Use dotenv-vault or SOPS + git-crypt so that only encrypted secrets live in the repo.
- Alternative: GitHub Actions + a secrets manager for automated secure injection.
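A pre-commit guard for the "never store `.env` in Git" rule, as an added example (not the project's own hook). It rejects any staged dotenv file except templates, and scans the remaining staged files for a literal value assigned to a secret-looking variable; interpolated values (`${VAR}`), empty values and the Docker `*_FILE=/run/secrets/...` convention pass. The filename conventions and the variable-name patterns are assumptions.

```shell
#!/bin/sh
# Added example: a pre-commit guard for the "never store .env in Git" rule.
# Not the project's own hook; the filename conventions and the secret-looking
# patterns below are assumptions.

# reject_env_paths: reads file paths on stdin, one per line, and returns 1 if
# any of them is a dotenv file. Templates (.env.example etc.) are allowed
# because they are meant to carry empty values only.
reject_env_paths() {
    rc=0
    while IFS= read -r path; do
        case "${path##*/}" in
            .env.example|.env.sample|.env.template) ;;
            .env|.env.*|*.env)
                printf 'refusing to commit secrets file: %s\n' "$path" >&2
                rc=1 ;;
        esac
    done
    return $rc
}

# Lines that assign a literal value to a secret-looking variable. Values that
# are interpolated ("${VAR}") or empty do not match; KEY_FILE=/run/secrets/...
# is the Docker secrets convention and is filtered out below.
SECRET_RE='(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY|ENCRYPTION_KEY)[A-Z0-9_]*[[:space:]]*[=:][[:space:]]*["'\'']?[^[:space:]"'\''${]'

# scan_for_secrets FILE -> 1 (with the offending lines on stderr) if FILE
# appears to contain a hardcoded secret, 0 otherwise
scan_for_secrets() {
    hits=$(grep -nE "$SECRET_RE" "$1" 2>/dev/null | grep -vE '_FILE[[:space:]]*[=:]' || true)
    if [ -n "$hits" ]; then
        printf 'possible hardcoded secret in %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
    return 0
}

# When installed as .git/hooks/pre-commit (assumption), $0 ends in
# hooks/pre-commit and the staged files are checked; otherwise this file only
# defines the functions above.
case "$0" in
    */hooks/pre-commit)
        staged=$(git diff --cached --name-only --diff-filter=ACM)
        printf '%s\n' "$staged" | reject_env_paths || exit 1
        for f in $staged; do
            if [ -f "$f" ]; then scan_for_secrets "$f" || exit 1; fi
        done
        ;;
esac
```

A local hook is a convenience, not a control: anyone can skip it with `--no-verify`, so the same two checks belong in CI as well, where they cannot be bypassed.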
CI/CD Plan
Goals
- Push to `environments/prod/**` requires PR approval and triggers a deploy to `prod`.
- Push to `environments/staging/**` triggers a deploy to `staging`.
Tool: GitHub Actions, with the `prod` deploy gated on the approval above.
Backup & Rollback Plan
For PostgreSQL (n8n, mautic):
- Use `pg_dump` and `pg_restore`.
- Set up nightly cron-based backup containers.
- Restore a recent dump into `staging` periodically; a backup that has never been restored is not a tested backup.
- Dumps contain credentials and customer data: restrict their file permissions and treat them like any other secret.
For Volumes:
- Use bind mounts to make data externally accessible.
- Snapshot `/var/lib/docker/volumes` regularly using rsync or Btrfs/ZFS snapshots.
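The nightly job for the cron-based backup container and the restore path for a rollback, as an added example (not the project's script). The database is dumped with `pg_dump -Fc` from inside the running container, written to a temporary name and renamed only on success, kept owner-only, and pruned after a retention period; the volume tree is mirrored with `rsync`. The backup root, the retention period, the container names and the cron line are assumptions.

```shell
#!/bin/sh
# Added example: the nightly backup job for the cron container described
# above, plus the restore path for a rollback. Not the project's script;
# container names, the backup root and the retention period are assumptions.

BACKUP_ROOT=${BACKUP_ROOT:-/srv/backups}   # assumption: host path mounted into the cron container
KEEP_DAYS=${KEEP_DAYS:-14}                  # assumption: two weeks of nightly dumps

# backup_path ENV SERVICE STAMP -> where a dump is written,
# e.g. /srv/backups/prod/n8n/n8n-20240101T0200.dump
backup_path() {
    printf '%s/%s/%s/%s-%s.dump\n' "$BACKUP_ROOT" "$1" "$2" "$2" "$3"
}

# dump_postgres ENV SERVICE CONTAINER DBNAME
# pg_dump runs inside the running database container (assumed name, e.g.
# prod-n8n-db), so no client tools or host-side credentials are needed.
# -Fc writes the custom archive format that pg_restore needs.
dump_postgres() {
    out=$(backup_path "$1" "$2" "$(date -u +%Y%m%dT%H%M)")
    mkdir -p "$(dirname "$out")"
    umask 077                                # dumps hold credentials and PII: owner-only files
    # Write to a temp name and rename only on success, so a failed run never
    # leaves a truncated file that looks like a valid backup.
    if docker exec "$3" pg_dump -Fc -U "${PGUSER:-postgres}" "$4" > "$out.tmp"; then
        mv "$out.tmp" "$out"
    else
        rm -f "$out.tmp"
        return 1
    fi
}

# prune_backups DIR DAYS -> remove dumps older than DAYS days, listing each one
prune_backups() {
    find "$1" -type f -name '*.dump' -mtime "+$2" -print -exec rm -f {} +
}

# latest_backup ENV SERVICE -> path of the newest dump, empty if none
latest_backup() {
    ls -1t "$BACKUP_ROOT/$1/$2"/*.dump 2>/dev/null | head -n 1
}

# restore_postgres CONTAINER DBNAME DUMP
# --clean --if-exists drops objects before recreating them. Rehearse this in
# staging; it is the rollback step and must be known to work before it is
# needed in prod.
restore_postgres() {
    docker exec -i "$1" pg_restore -U "${PGUSER:-postgres}" -d "$2" --clean --if-exists < "$3"
}

# snapshot_volumes DEST -> mirror the Docker volume tree with rsync.
# Files of a running database are not consistent while being copied, which is
# why the databases are covered by pg_dump above rather than by this copy.
snapshot_volumes() {
    rsync -a --delete /var/lib/docker/volumes/ "$1/volumes/"
}

# cron entry (assumption): 0 2 * * * /usr/local/bin/backup.sh prod n8n prod-n8n-db n8n
if [ $# -eq 4 ]; then
    dump_postgres "$1" "$2" "$3" "$4"
    prune_backups "$BACKUP_ROOT/$1/$2" "$KEEP_DAYS"
fi
```

For a rollback, stop the application container, run `restore_postgres prod-n8n-db n8n "$(latest_backup prod n8n)"`, then redeploy the previous pinned image tag; both halves should be rehearsed in `staging` first.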
Best Practices
- Never deploy to `prod` directly.
- Never store `.env` files with secrets in Git.
- Always test in `staging` before production.
- Always prefix stacks/networks/containers with `[env]-[service]`.
- Always document new services in their `README.md`.
- Avoid floating Docker image tags in `prod` (e.g., use `n8nio/n8n:1.27.1`, not `:latest`).
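A small lint for the naming and image-tag rules above (the stack naming format from the top of the page and the best practices here), as an added example that is not part of Portainer, Compose or the team's tooling. `check_stack_name` enforces `[env]-[service]-stack`, `check_prefixed` enforces the `[env]-[service]` prefix for networks and containers, and `check_image_ref`/`lint_compose` flag floating image references. The environment list and the compose-file scanning are assumptions.

```shell
#!/bin/sh
# Added example: lints names and image references against the conventions in
# this document. Not part of Portainer or Compose; the environment list and the
# compose-file scanning are assumptions.

ENVS="dev staging prod"   # assumption: the three environments named above

# check_stack_name NAME -> 0 if NAME has the form [env]-[service]-stack
check_stack_name() {
    name=$1
    case "$name" in *[!a-z0-9-]*) return 1 ;; esac   # lowercase, digits, dashes only
    env=${name%%-*}                                   # text before the first dash
    [ "$env" != "$name" ] || return 1                 # no dash at all
    case " $ENVS " in *" $env "*) ;; *) return 1 ;; esac
    rest=${name#*-}                                   # everything after the env
    service=${rest%-stack}                            # drop the trailing "-stack"
    [ "$service" != "$rest" ] || return 1             # suffix was missing
    [ -n "$service" ]                                 # service part must be non-empty
}

# check_prefixed NAME -> 0 if a network/container name starts with [env]-[service]
check_prefixed() {
    env=${1%%-*}
    rest=${1#*-}
    [ "$env" != "$1" ] || return 1
    case " $ENVS " in *" $env "*) ;; *) return 1 ;; esac
    [ -n "$rest" ]
}

# check_image_ref IMAGE -> 0 if pinned (explicit tag or digest), 1 if floating.
# Only ":latest" and a missing tag are treated as floating; a major-only tag
# such as "postgres:16" still moves, so prefer the full version where possible.
check_image_ref() {
    ref=$1
    case "$ref" in *@sha256:*) return 0 ;; esac       # digest-pinned
    last=${ref##*/}                                   # final component, past any registry host:port
    case "$last" in
        *:*) tag=${last##*:} ;;
        *)   return 1 ;;                              # no tag means :latest
    esac
    [ "$tag" != "latest" ]
}

# lint_compose FILE -> 1 if any "image:" line in a compose file is floating
lint_compose() {
    rc=0
    for img in $(sed -nE 's/^[[:space:]]*image:[[:space:]]*["'\'']?([^"'\'' ]+).*/\1/p' "$1"); do
        check_image_ref "$img" || { printf 'floating image tag: %s\n' "$img" >&2; rc=1; }
    done
    return $rc
}
```

Run `lint_compose environments/prod/*/docker-compose.yml` in CI before the `prod` deploy so a stray `:latest` is caught before it ships.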
Future Improvements
- Central secrets manager
- Automated rollback script
- Infra diagram / dependency map
- Multi-server orchestration (Docker Swarm or K8s)
- Terraform/Ansible for provisioning VPSes
Questions? Ping Jordan or Joe. Otherwise: build, test, promote. Stay sharp.
Recommended Git setting: `git config --global pull.rebase true`