Production checklist
Every production Temps instance needs these six things wired up before it handles real traffic. Verify each item using the linked page; the checklist is ordered by the cost of getting it wrong.
New to Temps? Complete the quickstart guide first — it covers the initial setup wizard, first deployment, and basic configuration. This page picks up from there and focuses on production hardening.
Short on time? The four items that bite hardest are: off-server backups, a working notification channel, TLS on your domain, and knowing the restore command. Nothing here is required to get a first app live — this page is about staying up.
Initial setup
- Setup wizard completed — confirm
setup_completeis set in your instance. If the setup wizard was interrupted or skipped, some system defaults (admin account, domain configuration, TLS) may not be fully applied. You can verify by visiting the console root — an incomplete setup will redirect you back to the wizard.
Backups
- S3 storage connected — Backups require an S3-compatible bucket (Cloudflare R2, MinIO, or AWS S3). See Set Up Backups & Monitoring.
- Backup schedule configured — At minimum, a daily full backup. See recommended schedules.
- Test restore verified — Run a restore against a staging environment before you need it in an emergency.
- Backup destination is off-server — Backups stored on the same server are lost if the server is lost. Use a provider in a different region.
Monitoring & alerting
- Uptime monitor created for each critical project. See Create an uptime monitor.
- Notification channel configured (email, Slack, or webhook) so alerts reach someone. See Set up a notification channel.
- Error tracking DSN set in each project's environment variables. See Error Tracking.
- Resource metrics reviewed — Check CPU and memory baselines under [Project → Metrics] so you know what "normal" looks like before something breaks.
SSL & domains
- HTTPS configured per domain during setup — the setup wizard now lets you configure HTTPS for each domain at install time. If you skipped this step or added domains afterwards, you can configure TLS from the console. See Custom Domains & SSL.
- Custom domain added and TLS provisioned for each public-facing project. See Custom Domains & SSL.
- Certificate auto-renewal confirmed — Temps renews via Let's Encrypt automatically by opening a fresh ACME order for each renewal cycle; verify port 80 remains open to the internet so HTTP-01 challenges succeed on every renewal attempt, not just the initial issuance.
- No "unclassifiable challenge" warnings in the dashboard — if the SSL status card shows an "unclassifiable challenge" warning, the ACME HTTP-01 challenge response could not be validated (usually because port 80 is firewalled, a CDN is stripping the
.well-known/acme-challenge/path, or DNS is not yet pointing to this server). Resolve the underlying routing issue and trigger a manual renewal from Project → Domains to clear the warning before going live.
Security
- SSH key-only access on the server — disable password SSH auth (
PasswordAuthentication noin/etc/ssh/sshd_config). - Firewall reviewed — Only ports 22, 80, and 443 should be open to the internet. See Networking.
- Admin account uses a strong password or SSO — See Teams & Collaboration.
- Secrets in environment variables, not source code — See Environment Variables.
-
TEMPS_DATABASE_URLset as an env var, not a CLI flag — passing--database-urlexposes the database password inps/pgrepoutput, visible to all users on the server. Useexport TEMPS_DATABASE_URL=...in your systemd unit'sEnvironmentFileinstead. See Database Configuration.
Logs
Temps writes to stdout/stderr, captured by systemd. By default, journald applies its own retention policy (usually capped at 10% of disk space or 4 GB, whichever is smaller). For production you may want explicit control:
# Check current journal disk usage
journalctl --disk-usage
# Limit journal size in /etc/systemd/journald.conf
# SystemMaxUse=1G
# MaxRetentionSec=30day
sudo systemctl restart systemd-journald
Application-level logs (container stdout) are streamed via Project → Logs and retained according to your log retention setting in Settings → General.
Upgrades
- Upgrade process understood before you need it under pressure. See Upgrade Temps.
- Backup taken immediately before any upgrade — the upgrade guide covers this, but it bears repeating.
- Systemd service confirmed to restart on failure — The installer sets
Restart=always. Verify withsystemctl cat temps | grep Restart.
Database
-
TEMPS_DB_MAX_CONNECTIONStuned for your server size — on servers with 2 GB RAM, reduce this to20–30. See Environment Variables. - Database on a dedicated server or managed service if running 10+ apps — the database competing with container workloads for RAM is the most common production bottleneck. See Resources.
Recovery
- You can SSH into the server without the Temps dashboard — if the control plane is down, you need another way in.
- You know how to restart the service —
sudo systemctl restart temps. - You have the backup restore command bookmarked — a production incident is the wrong time to find the docs. The restore flow is
bunx @temps-sdk/cli services restore(test it against a staging environment first); see Restore from a backup.
For multi-server setups, see Multi-Node for control-plane recovery procedures.