# cPanel / VPS Deployment Checklist This app should be deployed with the Laravel project root outside the public web root whenever the host allows it. Only the `public` directory should be served by the web server. ## Required Production Environment Set these values in the server `.env` file. Do not commit real secrets. ```dotenv APP_ENV=production APP_DEBUG=false APP_URL=https://your-domain.example DB_CONNECTION=mysql DB_HOST=127.0.0.1 DB_PORT=3306 DB_DATABASE= DB_USERNAME= DB_PASSWORD= SESSION_DRIVER=database CACHE_STORE=database QUEUE_CONNECTION=database GOOGLE_CLIENT_ID= GOOGLE_CLIENT_SECRET= GOOGLE_REDIRECT_URI="${APP_URL}/auth/google/callback" RAZORPAY_KEY= RAZORPAY_SECRET= RAZORPAY_WEBHOOK_SECRET= RAZORPAY_CURRENCY=INR RAZORPAY_UNLOCK_AMOUNT_PAISE= OPENAI_API_KEY= OPENAI_RESUME_ANALYSIS_MODEL=gpt-4.1-mini RESUME_PDFTOTEXT_BINARY=pdftotext RESUME_ANTIWORD_BINARY=antiword RESUME_CATDOC_BINARY=catdoc RESUME_EXTRACTOR_TIMEOUT=20 ADMIN_EMAILS=admin@example.com ``` Verify the Google OAuth callback URL, Razorpay webhook secret, Razorpay key mode, and OpenAI model/API key in the provider dashboards before enabling live traffic. ## Build And Release Commands Run these from the project root on the server: ```bash composer install --no-dev --optimize-autoloader npm ci npm run build php artisan key:generate --force php artisan migrate --force php artisan db:seed --force php artisan storage:link php artisan optimize:clear php artisan optimize ``` Run `key:generate` only when creating the production `.env` for the first time. Rotating `APP_KEY` later can invalidate encrypted data. ## Scheduler Cron Laravel Scheduler must run every minute. In cPanel Cron Jobs or system crontab, adjust the project path and PHP binary: ```cron * * * * cd /home/account/remote-job-platform && /usr/local/bin/php artisan schedule:run >> /dev/null 2>&1 ``` The app currently schedules `jobs:sync-sources` hourly. ## Queue Worker On a VPS, use Supervisor or systemd to keep the queue worker alive: ```bash php artisan queue:work database --sleep=3 --tries=3 --timeout=180 ``` On shared cPanel without Supervisor, use a cron-safe worker that exits after draining available jobs: ```cron * * * * cd /home/account/remote-job-platform && /usr/bin/flock -n storage/framework/queue-worker.lock /usr/local/bin/php artisan queue:work database --stop-when-empty --sleep=3 --tries=3 --timeout=180 >> storage/logs/queue.log 2>&1 ``` ## Permissions The web server user must be able to write to: ```text storage bootstrap/cache ``` Do not make the entire project world-writable. Keep `.env`, `storage/app`, and logs outside direct web access. ## cPanel Web Root Preferred layout: ```text /home/account/apps/remote-job-platform /home/account/public_html -> points to /home/account/apps/remote-job-platform/public ``` If the host cannot point the domain directly to `public`, place only Laravel's public assets and `index.php` in the web root, then adjust the `require` paths in `index.php` to point back to the project root. Do not copy `.env`, `app`, `vendor`, `storage`, or database files into a public directory. ## Webhook URLs Configure Razorpay webhook URL: ```text https://your-domain.example/webhooks/razorpay ``` Configure Google OAuth redirect URL: ```text https://your-domain.example/auth/google/callback ``` ## Current Production Readiness Notes - TXT and DOCX resume extraction run in PHP. PDF extraction requires Poppler `pdftotext`; legacy DOC extraction requires `antiword` or `catdoc`. On shared hosting, verify these binaries exist or configure their absolute paths in `.env`. - Job imports support manual sources and generic JSON feeds. Third-party provider-specific adapters should only be added after verifying each provider's official API/feed documentation and usage terms. - Keep Razorpay live keys, Google OAuth secrets, OpenAI API keys, and database credentials server-side only.