User-Based Installation Guide

Secure installation approach with dedicated user account and restricted permissions (Recommended for Production)

System Requirements & Prerequisites

Minimum Production Specifications

  • RAM: 4 GB
  • Disk: 20 GB available space
  • OS: Ubuntu 20.04 LTS or later (x86_64 architecture)
  • Network: Internet connectivity for package installation

Required Open Ports

  • Port 80 (HTTP)
  • Port 443 (HTTPS)
  • Port 3000 (Next.js application, if not proxied)

Unsupported Environments

  • Non-Ubuntu distributions (Debian, CentOS, RHEL, etc.)
  • ARM architectures (ARM64, ARMv7)
  • Ubuntu versions prior to 20.04

Prerequisites

Before starting the installation, ensure you have the following:

  • Domain Name (Required): A valid domain name that points to your server's IP address
    • The domain must have a DNS A record configured to point to your server's public IP
    • Example: app.yourcompany.com or hiretrack.yourdomain.com
    • The installer will prompt for this domain name during Nginx setup
    • SSL certificate generation (Let's Encrypt) requires the domain to resolve correctly
  • Root or Sudo Access: Initial root or sudo access to the server for user setup
  • SSH Access: Ability to connect to the server via SSH
  • Email Address: A verified email address, used to obtain the HireTrack license

Why User-Based Installation?

User-based installation is the recommended and more secure approach for production environments.

User-Based Installation Benefits

  • Better security isolation
  • Restricted sudo permissions
  • Follows principle of least privilege
  • Better audit trail
  • Reduced attack surface
  • Trade-off: requires initial root access for user setup

If you prefer a simpler but less secure approach, you can use Root-Based Installation instead.

User-Based Preparation Steps

This section covers creating a dedicated user, setting up SSH key authentication, and configuring restricted sudo permissions.

Step 1: Local Machine Setup (Generate SSH Key)

Perform these steps on your local machine (not on the server).

Generate SSH Key Pair

ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_hiretrack

Follow the prompts. You can set a passphrase or leave it empty.

Display Public Key

cat ~/.ssh/id_ed25519_hiretrack.pub

Copy the entire output - you will need to paste it on the server in the next step.

Step 2: Server Setup (Root Access Required)

Perform these steps on the server as the root user (or with sudo privileges).

Step 2.1: Create Dedicated User

Create the dedicated hiretrack user:

sudo useradd -m -s /bin/bash hiretrack

Verify the user was created:

id hiretrack

Step 2.2: Setup SSH Public Key Authentication

Create the SSH directory and set permissions:

sudo mkdir -p /home/hiretrack/.ssh
sudo chmod 700 /home/hiretrack/.ssh
sudo chown hiretrack:hiretrack /home/hiretrack/.ssh

Create the authorized_keys file in the hiretrack user's SSH directory:

sudo nano /home/hiretrack/.ssh/authorized_keys

Paste the public key you copied from your local machine, then save and exit (Ctrl+X, Y, Enter).

Set correct ownership and permissions:

sudo chown hiretrack:hiretrack /home/hiretrack/.ssh/authorized_keys
sudo chmod 600 /home/hiretrack/.ssh/authorized_keys

Step 2.3: Harden SSH Configuration (Recommended)

Edit SSH configuration:

sudo nano /etc/ssh/sshd_config

Find and modify these lines (remove '#' if present at the start):

# Or use a custom port like 54321
Port 22
PubkeyAuthentication yes
PermitRootLogin prohibit-password
# WARNING: Ensure you have an active SSH session before disabling
PasswordAuthentication no

Important: Before setting PasswordAuthentication no, ensure you have successfully tested SSH key authentication and have an active SSH session open.

Test SSH configuration:

sudo sshd -t

If the test passes, restart SSH:

sudo systemctl restart ssh

Important: Test SSH Access Before Proceeding

Keep your current root session open and open a new terminal window on your local machine to test SSH key authentication. This ensures you can still access the server if something goes wrong.

Test SSH access as the hiretrack user using your private key (replace the IP address and port with your server details):

ssh -p 54321 -i ~/.ssh/id_ed25519_hiretrack hiretrack@123.123.123.123

If the connection succeeds without a password prompt, your SSH key authentication is working correctly. You can now proceed with the next steps. If it fails, check your SSH configuration and ensure the public key was correctly added to the server.
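
sshd applies the first value it reads for each keyword, so a duplicate line or an included drop-in file can override an edit to sshd_config. The following added example (not part of the original guide or the HireTrack installer) checks the output of `sshd -T` against the Step 2.3 values; the function name and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare sshd's effective settings with the Step 2.3 values.
# Feed it the output of `sudo sshd -T`, which prints "keyword value" in lower case.

# Values from this guide; change "port" if you picked a custom one.
EXPECTED_SETTINGS='port 22
pubkeyauthentication yes
permitrootlogin prohibit-password
passwordauthentication no'

# Constructed sample, not real output: a setting elsewhere re-enabled passwords.
SAMPLE_SSHD_T='port 22
addressfamily any
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication yes'

# Reads `sshd -T` output on stdin, prints one line per expected keyword and
# returns the number of mismatches (0 means every value is as expected).
audit_sshd_effective() {
    local dump key want got bad=0
    dump=$(cat)
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(printf '%s\n' "$dump" | awk -v k="$key" '$1 == k { print $2; exit }')
        # sshd -T may print prohibit-password under its older alias.
        [ "$got" = "without-password" ] && got="prohibit-password"
        if [ "$got" = "$want" ]; then
            echo "OK    $key $got"
        else
            echo "FAIL  $key: expected '$want', effective '${got:-missing}'"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED_SETTINGS
EOF
    return "$bad"
}

# Demo on the constructed sample; on a server: sudo sshd -T | audit_sshd_effective
printf '%s\n' "$SAMPLE_SSHD_T" | audit_sshd_effective || echo "mismatches: $?"
```
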

Step 2.4: Install Fail2Ban (Recommended)

Add SSH brute-force protection:

sudo apt-get update
sudo apt-get install -y fail2ban
sudo systemctl enable --now fail2ban

Step 2.5: Grant Restricted Sudo Permissions

Configure restricted sudo permissions for the hiretrack user:

sudo visudo -f /etc/sudoers.d/hiretrack

Paste the following restricted sudo rules:

Defaults:hiretrack !authenticate
Defaults:hiretrack env_reset
Defaults:hiretrack secure_path=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Defaults:hiretrack noexec

hiretrack ALL=(root) NOPASSWD: \
  /usr/bin/apt-get *, \
  /bin/systemctl *, \
  /usr/bin/tee /etc/nginx/sites-available/*, \
  /usr/bin/ln -sf /etc/nginx/sites-available/* /etc/nginx/sites-enabled/*, \
  /usr/sbin/nginx -t, \
  /usr/bin/certbot *, \
  /usr/bin/crontab *, \
  /usr/bin/fail2ban-client *

Save and exit. Set the correct permissions on the sudoers file (required for security):

sudo chmod 0440 /etc/sudoers.d/hiretrack

Verify the file permissions:

ls -l /etc/sudoers.d/hiretrack

Expected output should show -r--r----- (0440 permissions).

Verify the sudoers file syntax:

sudo visudo -c

Expected output: /etc/sudoers.d/hiretrack: parsed OK
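
Per the sudoers manual, a `*` in command arguments matches across word boundaries, so the entries in the rule above differ widely in how much they permit. The following added example (not part of the original guide or the HireTrack installer) classifies each command in the Step 2.5 rule; the function names and class labels are made up for this illustration.

```bash
#!/usr/bin/env bash
# Added example: show how open each command in a sudoers rule is.

# Rule copied from Step 2.5 of this guide.
SAMPLE_RULES=$(cat <<'EOF'
Defaults:hiretrack env_reset
hiretrack ALL=(root) NOPASSWD: \
  /usr/bin/apt-get *, \
  /bin/systemctl *, \
  /usr/bin/tee /etc/nginx/sites-available/*, \
  /usr/bin/ln -sf /etc/nginx/sites-available/* /etc/nginx/sites-enabled/*, \
  /usr/sbin/nginx -t, \
  /usr/bin/certbot *, \
  /usr/bin/crontab *, \
  /usr/bin/fail2ban-client *
EOF
)

# Reads sudoers text on stdin, prints "<class> <command>" for every command:
#   ANY-ARGS   command followed by a lone "*": any arguments are accepted
#   GLOB-ARGS  wildcard inside the arguments (sudoers lets it span spaces)
#   FIXED      no wildcard: only this exact command line
classify_sudo_cmds() {
    awk '
    {
        sub(/[ \t]+$/, "")
        if (sub(/\\$/, "")) { buf = buf $0; next }    # join continued lines
        line = buf $0; buf = ""
        if (line ~ /^[ \t]*(#|Defaults)/ || line !~ /=/) next
        sub(/^[^=]*=[ \t]*(\([^)]*\))?[ \t]*/, "", line) # drop "user host=(runas)"
        gsub(/[A-Z]+:[ \t]*/, "", line)               # drop tags such as NOPASSWD:
        n = split(line, cmds, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            if (c == "") continue
            if (c ~ /^[^ \t]+[ \t]+\*$/) cls = "ANY-ARGS"
            else if (c ~ /[*?]/)         cls = "GLOB-ARGS"
            else                         cls = "FIXED"
            print cls, c
        }
    }'
}

# Number of ANY-ARGS commands in the sudoers text on stdin.
count_any_args() { classify_sudo_cmds | grep -c '^ANY-ARGS ' || true; }

printf '%s\n' "$SAMPLE_RULES" | classify_sudo_cmds
```

Each `ANY-ARGS` line is a candidate for a narrower pattern that lists only the arguments you actually need.
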

Step 3: Switch to User Account

Switch to the hiretrack user:

su - hiretrack

Verify you're now the hiretrack user:

whoami

Expected output: hiretrack

Step 4: Download Installer

While logged in as hiretrack, download the installer to your home directory:

Download installer:

curl -L https://your-domain.com/hiretrack-installer -o ~/hiretrack-installer

Make executable:

chmod +x ~/hiretrack-installer

Verify download:

ls -l ~/hiretrack-installer

Next: Continue to Run Installer.

Run Installer

Note: If you haven't downloaded the installer yet, go back to Step 4: Download Installer in the preparation steps.

Run the Installer

Ensure you're logged in as the hiretrack user:

whoami

Expected output: hiretrack

Run the installer:

./hiretrack-installer

Installation Process

The installer will:

  1. Check and install system dependencies (Node.js, npm, PM2, Nginx, MongoDB)
  2. Register or validate your license
  3. Download and extract the latest HireTrack application
  4. Configure the application environment
  5. Set up PM2 process management
  6. Configure Nginx reverse proxy
  7. Set up SSL certificates (Let's Encrypt)
  8. Configure automatic updates via cron
  9. Start the application

Monitor the output for any errors or warnings. Installation typically takes 5-15 minutes depending on system resources and network speed.

Installation Output

At the end of installation, you'll see a prominent registration URL:

════════════════════════════════════════════════
  🎯 REGISTRATION URL
════════════════════════════════════════════════

You can register the first organization from the URL below:

   ╔═══════════════════════════════════════════════════════════╗
   ║                                                           ║
   ║   https://your-domain.com/register/org                    ║
   ║                                                           ║
   ╚═══════════════════════════════════════════════════════════╝

Copy this URL and access it in your browser to complete the organization registration.

Post-Installation Verification

Check PM2 Process Status

pm2 list

Expected output should show the HireTrack application process in online status.

Check Nginx Service Status

sudo systemctl status nginx

Expected output should show active (running).

Check Application Accessibility

curl -I http://localhost

Expected output should show HTTP 200 or 301/302 redirect status.

View Application Logs

pm2 logs

Check Cron Jobs

crontab -l

Expected output should show auto-update and snapshot cron jobs.

Verify SSL Certificate

sudo certbot certificates