On-Premise Deployment Checklist
Step-by-step checklist for GoSL IT teams deploying the Gender and Climate Finance Tagging Portal on government-owned servers. Covers Docker setup, Active Directory SSO, air-gap mode, and private blockchain node configuration.
Provision a dedicated server or VM: minimum 8 vCPU, 32 GB RAM, 500 GB SSD (production); 4 vCPU, 16 GB RAM, 200 GB SSD (staging)
Install Ubuntu Server 22.04 LTS (recommended) or RHEL 8+ / CentOS Stream 9
Install Docker Engine 24.x and Docker Compose v2.x
Install kubectl and Helm 3.x (required only for Kubernetes deployment)
Open inbound ports: 443 (HTTPS), 80 (HTTP redirect), 5432 (PostgreSQL — internal only), 8545 (blockchain node — internal only)
Configure a static internal IP address and register a DNS A-record for the portal (e.g. gcbt.finance.gov.lc)
Provision a wildcard TLS certificate (e.g. *.finance.gov.lc) or use Let's Encrypt with internal CA
Configure NTP time synchronisation (required for blockchain timestamp integrity)
Pull the G&C Finance Docker image: docker pull oecs-ai/gcbt-portal:latest
Copy the provided docker-compose.yml and .env.template files to /opt/gcbt-portal/
Create .env from template and populate: DATABASE_URL, JWT_SECRET, BLOCKCHAIN_NODE_URL, SMTP_HOST, SMTP_PORT, SMTP_USER, SMTP_PASS
Set DEPLOYMENT_MODE=on-premise and DATA_RESIDENCY=local in .env
Run: docker compose up -d and verify all 6 containers are healthy (portal, db, blockchain, redis, nginx, backup)
Run database migrations: docker compose exec portal pnpm db:push
Run the health check script: docker compose exec portal node scripts/healthcheck.js
Verify the portal is accessible at https://[your-domain] and the login page loads correctly
Register the G&C Finance portal as an application in your Active Directory / Azure AD tenant
Set the OAuth 2.0 redirect URI to: https://[your-domain]/api/oauth/callback
Copy the Application (Client) ID and Client Secret into .env as OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET
Set OAUTH_PROVIDER=azure-ad (or OAUTH_PROVIDER=ldap for on-premise AD without Azure)
For LDAP: set LDAP_URL, LDAP_BIND_DN, LDAP_BIND_PASSWORD, LDAP_SEARCH_BASE in .env
Configure role mapping: map AD security groups to GCFT roles (Budget Officer, DoF Analyst, Administrator) in config/role-mapping.json
Test SSO login with a test account from each AD security group
Enable MFA enforcement for Administrator and DoF Analyst roles in AD Conditional Access policies
Set AIR_GAP_MODE=true in .env to disable all outbound internet connections
Download and bundle the AI tagging model weights (provided as gcbt-ai-model-v3.tar.gz) into /opt/gcbt-portal/models/
Set AI_MODEL_PATH=/opt/gcbt-portal/models/gcbt-ai-model-v3 in .env
Configure an internal NTP server address in .env as NTP_SERVER (required for blockchain timestamp integrity in air-gap mode)
Set up a local Docker registry mirror to serve container images without internet access
Configure SMTP relay to an internal mail server for notification emails
Test the full tagging workflow end-to-end with no internet connectivity to confirm air-gap mode is functioning
Document the manual update procedure: how to apply portal updates via USB/internal network in air-gap environments
The GCFT blockchain node uses a private Ethereum-compatible network (Hyperledger Besu). Confirm the blockchain container started successfully: docker compose ps blockchain
Generate the genesis block configuration: docker compose exec blockchain node scripts/init-genesis.js
Set BLOCKCHAIN_NETWORK=private and BLOCKCHAIN_CHAIN_ID=[your-unique-chain-id] in .env
For multi-government deployments: configure peer nodes at other Ministries by adding their node URLs to config/blockchain-peers.json
Verify the audit trail is recording: submit a test tag and confirm the transaction hash appears in the Blockchain Audit page (/blockchain-audit)
Configure automated blockchain backups to an encrypted external storage location
Document the node recovery procedure in case of hardware failure
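The two blockchain checks above (the node is really the private chain configured in .env, and a test tag's transaction was actually mined) can be scripted against the node's JSON-RPC port. The script below is an added example, not one of the portal's scripts/ files. It uses the standard Ethereum JSON-RPC methods eth_chainId and eth_getTransactionReceipt, which Hyperledger Besu serves on port 8545; the function names, the sample responses and the transaction hash argument are this example's own (the samples are constructed to have the shape the spec defines).

```shell
#!/bin/sh
# Added example, not the portal's own tooling. Assumes BLOCKCHAIN_NODE_URL
# points at a Besu node with the JSON-RPC API enabled (the default in the
# compose stack described by the checklist) and that curl is installed.

# rpc_call URL METHOD PARAMS_JSON -> raw JSON-RPC response body.
rpc_call() {
    curl -s -X POST -H 'Content-Type: application/json' \
        --data "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"$2\",\"params\":$3}" "$1"
}

# json_field BODY KEY -> value of the string field "KEY":"..." anywhere in BODY.
# Good enough for the flat receipt/chain-id responses; not a general JSON parser.
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# chain_id_matches RPC_HEX EXPECTED_DECIMAL -> 0 when both denote the same chain.
# eth_chainId returns a 0x-prefixed hex quantity; BLOCKCHAIN_CHAIN_ID is decimal.
chain_id_matches() {
    case "$1" in
        0x*) ;;
        *) return 1 ;;
    esac
    case "${1#0x}" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "$(( $1 ))" -eq "$2" ]
}

# receipt_mined RECEIPT_JSON -> 0 only for a mined transaction that succeeded.
# A pending or unknown hash yields "result":null, which has neither field.
receipt_mined() {
    [ "$(json_field "$1" status)" = "0x1" ] && [ -n "$(json_field "$1" blockHash)" ]
}

# verify_node URL EXPECTED_CHAIN_ID TX_HASH -> live end-to-end check.
# TX_HASH is the hash shown on the Blockchain Audit page for the test tag.
verify_node() {
    body=$(rpc_call "$1" eth_chainId '[]')
    chain_id_matches "$(json_field "$body" result)" "$2" ||
        { echo "chain id mismatch, node answered: $body"; return 1; }
    body=$(rpc_call "$1" eth_getTransactionReceipt "[\"$3\"]")
    receipt_mined "$body" ||
        { echo "transaction not mined or reverted: $body"; return 1; }
    echo "node is on chain $2; tx $3 mined in block $(json_field "$body" blockNumber)"
}

# Constructed sample responses used to exercise the parsing offline.
SAMPLE_CHAIN_ID='{"jsonrpc":"2.0","id":1,"result":"0x1d9d"}'
SAMPLE_RECEIPT='{"jsonrpc":"2.0","id":1,"result":{"transactionHash":"0xabc","blockHash":"0xdef","blockNumber":"0x2a","status":"0x1"}}'
SAMPLE_PENDING='{"jsonrpc":"2.0","id":1,"result":null}'

# Usage: ./verify-node.sh http://localhost:8545 "$BLOCKCHAIN_CHAIN_ID" 0x<tx hash>
if [ $# -eq 3 ]; then verify_node "$@"; fi
```

Run it from the Docker host with the node URL, the decimal BLOCKCHAIN_CHAIN_ID from .env and the transaction hash of the test tag; a mismatch on the first check means the portal is writing to a node other than the private chain you generated a genesis block for.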
Configure automated database backups: set BACKUP_SCHEDULE=0 2 * * * (daily at 2am) and BACKUP_RETENTION_DAYS=90 in .env
Test a full backup and restore cycle before going live
Set up monitoring alerts: configure ALERT_EMAIL in .env to receive notifications for disk usage > 80%, container restarts, and failed backups
Integrate with your existing monitoring stack (Prometheus/Grafana metrics are exposed at /metrics)
Create the first Administrator account: docker compose exec portal node scripts/create-admin.js --email=[[email protected]] --name=[Full Name]
Complete the post-deployment verification checklist: login, create a test budget item, tag it, approve it, generate a test MRV report
Schedule a 30-day post-deployment review call with the OECS AI Institute technical team
Provide IT staff with the on-premise administrator guide (available in the Training Hub under Full Manual)
Need Deployment Support?
The OECS AI Institute technical team provides remote deployment assistance for on-premise installations. Contact us at [email protected] or WhatsApp +1 (758) 488-1429 to schedule a guided deployment session.