Set up shared hosting

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: Set up shared hosting
- url: https://library.zajapps.com/infrastructure/hosting/shared-hosting/build/playbooks/setup-shared-hosting/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: infrastructure
- subcategory: hosting
- topic: shared-hosting
- phase: 0
- step_number: 1
- est_time: ~2 min verify · ~15–25 min first install
- description: Once-per-account Admin-Server bootstrap — monitoring cron, ops/deploys/backups webhooks, MD5 baselines, and server.env before any Laravel deploy.
- tags: servers, shared-hosting, admin-server, hostinger, monitoring

## Execution rules (binding)
- This is step 1 of phase 0 (~2 min verify · ~15–25 min first install) — do only this step, then stop at its `## Checklist`.
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.

---

# Set up shared hosting

## TL;DR

**Objective** — bootstrap the per-server **Admin-Server** toolkit on a fresh hosting account so config drift detection, MD5 integrity checks, disk/inode alerts, PHP error-log scanning, domain inventory, log rotation, and three alert channels (`ops` · `deploys` · `backups`) are wired **once** for every app on that account.

:::note[For beginners and agents]
**Gate — done when** — `~/Admin-Server/scripts/status.sh` reports a clean identity and ✅ for at least one webhook channel, and one synthetic alert arrives in Discord/Slack with the correct env prefix: **`[STAGING] 🟡`** or **`[PRODUCTION] 🔴`**.

**Once per server, not per project.** Re-run only when you add a **new** hosting account. If scripts already exist, detect-and-skip — verify, do not reinstall.

**⏱ ~2 min** (verify) · **~15–25 min** (first install) · **🔀** all work over SSH on the server; **👤** hPanel cron UI + webhook paste in `nano` on the server.

Sources: `_Sources/laravel/codecanyon/server-setup/admin-server-cross-phase-integration-proposal.md` · `_Sources/laravel/codecanyon/corpus/From_Residoro/Guides-v2/A-Consolidated/Phase-00-Server-Setup.md`
:::

---

This playbook is **Phase 0** in the Residoro corpus — account-scoped server setup before [CodeCanyon setup-new](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/). Conceptual companion: [Three-tier admin (handbook)](/tech-stack/laravel/codecanyon/learn/handbooks/02-three-tier-admin/).

<StageFlow
  title="Once per account, then every app"
  stages={[
    { label: 'This account', sub: 'Admin-Server (Phase 0)', tone: 'core' },
    { label: 'App #1', sub: 'setup-new', tone: 'good' },
    { label: 'App #N', sub: 'reuse server tier', tone: 'muted' },
  ]}
/>

```mermaid
flowchart LR
  A["New hosting account"] --> B["Phase 0 · this playbook"]
  B --> C["setup-new · app 1"]
  B --> D["setup-new · app N"]
```

## Operating rules

Every task in this phase follows four rules from the Phase 0 stub:

| Rule | Meaning |
| --- | --- |
| **Runs on the server** | SSH into `~/Admin-Server/` on the hosting account — zero toolkit binaries on your laptop |
| **Secrets stay server-side** | No webhook URL or SA token in laptop argv or agent chat — see [Secrets discipline](#secrets-discipline) |
| **Idempotent** | Re-run safe: `git pull`-friendly; baselines non-destructive; cron lines detected before duplicate add |
| **P9C-1 target** | Future: webhooks in 1Password vault, only `OP_SERVICE_ACCOUNT_TOKEN` on disk — interim: URLs in `server.env` at `chmod 600` |

## Before you start

| Prerequisite | Verify |
| --- | --- |
| SSH public-key auth to the account | `ssh <SSH_ALIAS> 'echo ok'` — no password prompt |
| Private GitHub repo `Admin-Hostinger-<account>` | Empty repo OK for first push |
| Discord or Slack ops channel | Webhook ready — configure only on server via `nano` |
| *(After P9C-1)* 1Password vault + SA token | Not required for interim flow |

## Detect and skip

Run before any install work:

```bash
ssh <SSH_ALIAS> 'ls ~/Admin-Server/scripts/*.sh 2>/dev/null | head -10'
```

| Output | Action |
| --- | --- |
| Scripts listed | Jump to [Verify existing](#verify-existing) — skip tasks 0.1–0.5 |
| No such file | Continue with [Tasks 0.1–0.10](#tasks) |
| Scripts but no `lib/init.sh` | Legacy layout — resolve before cron (see Admin-Server repo docs) |

---

## Tasks

Eight-step flow from the cross-phase proposal: **Clone → op CLI (P9C-1) → `server.env` → verify → baseline → smoke test → cron → commit/push**. Below maps to tasks **0.1–0.10** from the Phase 0 stub.

### 0.1 · Clone Admin-Server toolkit

<Steps>

1. **Clone the per-server private repo** into `~/Admin-Server/`.

   ```bash
   ssh <SSH_ALIAS> '
     git clone git@github.com-<GITHUB_USER>:<GITHUB_USER>/Admin-Hostinger-<account>.git ~/Admin-Server
     cd ~/Admin-Server && git remote -v
   '
   # Expected: origin → your Admin-Hostinger-<account> repo
   ```

2. **If the directory already exists**, update instead of re-cloning.

   ```bash
   ssh <SSH_ALIAS> 'cd ~/Admin-Server && git fetch && git pull'
   ```

</Steps>

### 0.2 · `op` CLI *(deferred — P9C-1)*

Task **0.2** (download `op` 1Password CLI, no root) is **MUST after P9C-1**, not part of the interim bootstrap. For forward compatibility only, add an empty placeholder when editing `server.env` in task 0.3:

```bash
OP_SERVICE_ACCOUNT_TOKEN=""
```

Do not run `op signin` from an agent session.

### 0.3 · Bootstrap `config/server.env`

<Steps>

1. **Create `server.env` from the template** on the server only.

   ```bash
   ssh <SSH_ALIAS> '
     cd ~/Admin-Server
     cp config/server.env.example config/server.env
     chmod 600 config/server.env
     nano config/server.env
   '
   ```

2. **Set identity and at least one ops webhook** (paste URL in `nano` on server — never into chat).

   Minimum fields: `SERVER_NAME`, `SERVER_LABEL`, `SERVER_ENV` (`staging` \| `production`), `DISCORD_WEBHOOK_OPS` (or `SLACK_WEBHOOK_OPS`). Optional channel slots: `DISCORD_WEBHOOK_DEPLOYS`, `DISCORD_WEBHOOK_BACKUPS`.

</Steps>

### 0.4 · Executable scripts + `server.env` permissions

<Steps>

1. **chmod scripts and confirm `server.env` stays private.**

   ```bash
   ssh <SSH_ALIAS> '
     chmod +x ~/Admin-Server/scripts/*.sh
     chmod 600 ~/Admin-Server/config/server.env
     ls -l ~/Admin-Server/scripts/status.sh ~/Admin-Server/config/server.env
   '
   # Expected: scripts -rwx; server.env -rw------- 
   ```

</Steps>

### 0.5 · Generate initial MD5 baseline

<Steps>

1. **Generate and commit the integrity baseline.**

   ```bash
   ssh <SSH_ALIAS> '
     ~/Admin-Server/scripts/generate-baseline.sh
     cd ~/Admin-Server
     git add baselines/checksums.md5
     git commit -m "Initial integrity baseline"
   '
   # Expected: checksums.md5 with ≥4 monitored paths
   ```

</Steps>

### 0.6 · Run `status.sh` smoke test

<Steps>

1. **Run the health snapshot** — this is the **verify** step in the eight-step flow.

   ```bash
   ssh <SSH_ALIAS> '~/Admin-Server/scripts/status.sh'
   ```

   Expected: clean `SERVER_LABEL` / `SERVER_ENV`; baseline ✅; webhook slots show ✅/❌ (at least one ✅ before you leave Phase 0); **cron schedule printed** — use that output for task 0.8.

</Steps>

### 0.7 · Fire one synthetic alert (`ops` channel)

<Steps>

1. **Send a test alert** through the ops channel.

   ```bash
   ssh <SSH_ALIAS> '
     ~/Admin-Server/scripts/alert-helper.sh INFO "Phase 0 smoke test" "Hello from $(hostname)" ops
   '
   ```

   **Expected:** Discord/Slack message with **`[STAGING] 🟡`** or **`[PRODUCTION] 🔴`** prefix (gate condition from Phase 0 stub).

</Steps>

### 0.8 · Register six hPanel cron entries

Hostinger has **no** `crontab` CLI — use hPanel → Advanced → Cron Jobs.

| Cron job | Typical script | Watches |
| --- | --- | --- |
| Config snapshot | `snapshot-config.sh` | Tracked config drift |
| MD5 integrity | `integrity-check.sh` | Baseline mutations |
| Disk / inode | `resource-check.sh` | Space and inode exhaustion |
| PHP error log | `error-log-check.sh` | New PHP errors across domains |
| Domain inventory | `domain-inventory.sh` | Apps/domains on account |
| Log rotation | `rotate-logs.sh` | Log volume |

<Steps>

1. **Copy cron expressions from `status.sh` output** (task 0.6) — do not guess schedules.

2. **Add six lines in hPanel** using `/bin/bash $HOME/Admin-Server/scripts/<script>.sh` and verify **five-field** syntax (`min hour dom mon dow`).

3. **Confirm log files update** after the first interval (or check mtimes).

   ```bash
   ssh <SSH_ALIAS> 'ls -la ~/Admin-Server/logs/*.log 2>/dev/null'
   ```

</Steps>

### 0.9 · First commit + push

<Steps>

1. **Push the Admin-Server repo** (baseline + any committed config such as `server-environment.conf` if your deploy template needs PHP/Node paths).

   ```bash
   ssh <SSH_ALIAS> '
     cd ~/Admin-Server
     git status
     git push
   '
   ```

</Steps>

### 0.10 · Document the server *(SHOULD)*

Record in the project's **`CLAUDE.local.md`** (or equivalent local-only notes): SSH alias, `Admin-Hostinger-<account>` repo name, last baseline date, last webhook rotation — not in git-tracked secrets.

---

## Verify existing

When detect-and-skip found scripts already installed:

```bash
ssh <SSH_ALIAS> '
  ~/Admin-Server/scripts/status.sh
  ls -la ~/Admin-Server/logs/*.log 2>/dev/null
'
```

Fix only failed checks (missing baseline → 0.5; stale logs → 0.8; unset webhooks → 0.3 + 0.7). Then return to your app playbook.

## Idempotent re-run

| Concern | On second run |
| --- | --- |
| Repo | `git fetch && git pull` — no re-clone |
| Cron | Detected before add — no duplicates |
| Baseline | Regeneration non-destructive |
| Health | `status.sh` + `ls ~/Admin-Server/scripts/*.sh` |

## Secrets discipline

- Webhook URLs are **credentials** — revoke immediately if leaked (2026-04-29 incident).  
- **`server.env`**: `chmod 600`, gitignored — interim SoT for `ops` / `deploys` / `backups`.  
- Prefer **server-to-server** copy or **clipboard bridge** at keyboard — never through agent chat.  
- **P9C-1 (future):** 1Password SA fetch replaces plaintext URLs — see [Hardening](#hardening-serverenv).

## Hardening `server.env`

| Weakness | Interim | After P9C-1 |
| --- | --- | --- |
| Plaintext webhooks on disk | `chmod 600` + gitignore | SA fetch at runtime |
| No audit trail | Rotation log in monitoring state | 1Password activity log |
| Per-server manual rotation | Operator checklist | Rotate vault once; servers pull fresh |

P9C-1 unblocks after Phase 6 Task 62 proves `op` on Hostinger CloudLinux.

---

## Checklist

Nine-item verification (cross-phase proposal):

- [ ] SSH alias works passwordlessly from laptop
- [ ] Server GitHub auth: `ssh -T git@github.com-<GITHUB_USER>` succeeds
- [ ] `~/Admin-Server/` present; `git remote -v` correct
- [ ] All monitoring scripts executable (`-rwx`)
- [ ] `config/server.env` exists at `chmod 600`, gitignored
- [ ] Six cron entries in hPanel (five-field syntax verified against `status.sh`)
- [ ] `baselines/checksums.md5` exists with ≥4 entries
- [ ] Test alert received with `[STAGING] 🟡` or `[PRODUCTION] 🔴` prefix
- [ ] `config/server-environment.conf` committed with PHP/Node/Composer paths *(if deploy template uses it)*
- [ ] Server documented in `CLAUDE.local.md` *(task 0.10)*

## What's next

<CardGrid>
  <LinkCard title="CodeCanyon setup-new" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/" description="Per-app playbook — run after this account gate passes." />
  <LinkCard title="Three-tier admin model" href="/tech-stack/laravel/codecanyon/learn/handbooks/02-three-tier-admin/" description="Admin-Local · Admin-Domain · Admin-Server + cascade resolver." />
  <LinkCard title="Deploy pipeline · step 1" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/01-deployer/" description="Assumes Admin-Server paths resolve for deploys/backups webhooks." />
</CardGrid>

:::next[Next: start a CodeCanyon project]
When the gate passes, continue with [CodeCanyon setup-new](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/) — Phase 1 workspace setup on your laptop.
:::

# Set up shared hosting

> Source: https://library.zajapps.com/infrastructure/hosting/shared-hosting/build/playbooks/setup-shared-hosting/

## TL;DR

**Objective** — bootstrap the per-server **Admin-Server** toolkit on a fresh hosting account so config drift detection, MD5 integrity checks, disk/inode alerts, PHP error-log scanning, domain inventory, log rotation, and three alert channels (`ops` · `deploys` · `backups`) are wired **once** for every app on that account.

:::note[For beginners and agents]
**Gate — done when** — `~/Admin-Server/scripts/status.sh` reports a clean identity and ✅ for at least one webhook channel, and one synthetic alert arrives in Discord/Slack with the correct env prefix: **`[STAGING] 🟡`** or **`[PRODUCTION] 🔴`**.

**Once per server, not per project.** Re-run only when you add a **new** hosting account. If scripts already exist, detect-and-skip — verify, do not reinstall.

**⏱ ~2 min** (verify) · **~15–25 min** (first install) · **🔀** all work over SSH on the server; **👤** hPanel cron UI + webhook paste in `nano` on the server.

Sources: `_Sources/laravel/codecanyon/server-setup/admin-server-cross-phase-integration-proposal.md` · `_Sources/laravel/codecanyon/corpus/From_Residoro/Guides-v2/A-Consolidated/Phase-00-Server-Setup.md`
:::

---

This playbook is **Phase 0** in the Residoro corpus — account-scoped server setup before [CodeCanyon setup-new](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/). Conceptual companion: [Three-tier admin (handbook)](/tech-stack/laravel/codecanyon/learn/handbooks/02-three-tier-admin/).

<StageFlow
  title="Once per account, then every app"
  stages={[
    { label: 'This account', sub: 'Admin-Server (Phase 0)', tone: 'core' },
    { label: 'App #1', sub: 'setup-new', tone: 'good' },
    { label: 'App #N', sub: 'reuse server tier', tone: 'muted' },
  ]}
/>

```mermaid
flowchart LR
  A["New hosting account"] --> B["Phase 0 · this playbook"]
  B --> C["setup-new · app 1"]
  B --> D["setup-new · app N"]
```

## Operating rules

Every task in this phase follows four rules from the Phase 0 stub:

| Rule | Meaning |
| --- | --- |
| **Runs on the server** | SSH into `~/Admin-Server/` on the hosting account — zero toolkit binaries on your laptop |
| **Secrets stay server-side** | No webhook URL or SA token in laptop argv or agent chat — see [Secrets discipline](#secrets-discipline) |
| **Idempotent** | Re-run safe: `git pull`-friendly; baselines non-destructive; cron lines detected before duplicate add |
| **P9C-1 target** | Future: webhooks in 1Password vault, only `OP_SERVICE_ACCOUNT_TOKEN` on disk — interim: URLs in `server.env` at `chmod 600` |

## Before you start

| Prerequisite | Verify |
| --- | --- |
| SSH public-key auth to the account | `ssh <SSH_ALIAS> 'echo ok'` — no password prompt |
| Private GitHub repo `Admin-Hostinger-<account>` | Empty repo OK for first push |
| Discord or Slack ops channel | Webhook ready — configure only on server via `nano` |
| *(After P9C-1)* 1Password vault + SA token | Not required for interim flow |

## Detect and skip

Run before any install work:

```bash
ssh <SSH_ALIAS> 'ls ~/Admin-Server/scripts/*.sh 2>/dev/null | head -10'
```

| Output | Action |
| --- | --- |
| Scripts listed | Jump to [Verify existing](#verify-existing) — skip tasks 0.1–0.5 |
| No such file | Continue with [Tasks 0.1–0.10](#tasks) |
| Scripts but no `lib/init.sh` | Legacy layout — resolve before cron (see Admin-Server repo docs) |

---

## Tasks

Eight-step flow from the cross-phase proposal: **Clone → op CLI (P9C-1) → `server.env` → verify → baseline → smoke test → cron → commit/push**. Below maps to tasks **0.1–0.10** from the Phase 0 stub.

### 0.1 · Clone Admin-Server toolkit

<Steps>

1. **Clone the per-server private repo** into `~/Admin-Server/`.

   ```bash
   ssh <SSH_ALIAS> '
     git clone git@github.com-<GITHUB_USER>:<GITHUB_USER>/Admin-Hostinger-<account>.git ~/Admin-Server
     cd ~/Admin-Server && git remote -v
   '
   # Expected: origin → your Admin-Hostinger-<account> repo
   ```

2. **If the directory already exists**, update instead of re-cloning.

   ```bash
   ssh <SSH_ALIAS> 'cd ~/Admin-Server && git fetch && git pull'
   ```

</Steps>

### 0.2 · `op` CLI *(deferred — P9C-1)*

Task **0.2** (download `op` 1Password CLI, no root) is **MUST after P9C-1**, not part of the interim bootstrap. For forward compatibility only, add an empty placeholder when editing `server.env` in task 0.3:

```bash
OP_SERVICE_ACCOUNT_TOKEN=""
```

Do not run `op signin` from an agent session.

### 0.3 · Bootstrap `config/server.env`

<Steps>

1. **Create `server.env` from the template** on the server only.

   ```bash
   ssh <SSH_ALIAS> '
     cd ~/Admin-Server
     cp config/server.env.example config/server.env
     chmod 600 config/server.env
     nano config/server.env
   '
   ```

2. **Set identity and at least one ops webhook** (paste URL in `nano` on server — never into chat).

   Minimum fields: `SERVER_NAME`, `SERVER_LABEL`, `SERVER_ENV` (`staging` \| `production`), `DISCORD_WEBHOOK_OPS` (or `SLACK_WEBHOOK_OPS`). Optional channel slots: `DISCORD_WEBHOOK_DEPLOYS`, `DISCORD_WEBHOOK_BACKUPS`.

</Steps>

### 0.4 · Executable scripts + `server.env` permissions

<Steps>

1. **chmod scripts and confirm `server.env` stays private.**

   ```bash
   ssh <SSH_ALIAS> '
     chmod +x ~/Admin-Server/scripts/*.sh
     chmod 600 ~/Admin-Server/config/server.env
     ls -l ~/Admin-Server/scripts/status.sh ~/Admin-Server/config/server.env
   '
   # Expected: scripts -rwx; server.env -rw------- 
   ```

</Steps>

### 0.5 · Generate initial MD5 baseline

<Steps>

1. **Generate and commit the integrity baseline.**

   ```bash
   ssh <SSH_ALIAS> '
     ~/Admin-Server/scripts/generate-baseline.sh
     cd ~/Admin-Server
     git add baselines/checksums.md5
     git commit -m "Initial integrity baseline"
   '
   # Expected: checksums.md5 with ≥4 monitored paths
   ```

</Steps>

### 0.6 · Run `status.sh` smoke test

<Steps>

1. **Run the health snapshot** — this is the **verify** step in the eight-step flow.

   ```bash
   ssh <SSH_ALIAS> '~/Admin-Server/scripts/status.sh'
   ```

   Expected: clean `SERVER_LABEL` / `SERVER_ENV`; baseline ✅; webhook slots show ✅/❌ (at least one ✅ before you leave Phase 0); **cron schedule printed** — use that output for task 0.8.

</Steps>

### 0.7 · Fire one synthetic alert (`ops` channel)

<Steps>

1. **Send a test alert** through the ops channel.

   ```bash
   ssh <SSH_ALIAS> '
     ~/Admin-Server/scripts/alert-helper.sh INFO "Phase 0 smoke test" "Hello from $(hostname)" ops
   '
   ```

   **Expected:** Discord/Slack message with **`[STAGING] 🟡`** or **`[PRODUCTION] 🔴`** prefix (gate condition from Phase 0 stub).

</Steps>

### 0.8 · Register six hPanel cron entries

Hostinger has **no** `crontab` CLI — use hPanel → Advanced → Cron Jobs.

| Cron job | Typical script | Watches |
| --- | --- | --- |
| Config snapshot | `snapshot-config.sh` | Tracked config drift |
| MD5 integrity | `integrity-check.sh` | Baseline mutations |
| Disk / inode | `resource-check.sh` | Space and inode exhaustion |
| PHP error log | `error-log-check.sh` | New PHP errors across domains |
| Domain inventory | `domain-inventory.sh` | Apps/domains on account |
| Log rotation | `rotate-logs.sh` | Log volume |

<Steps>

1. **Copy cron expressions from `status.sh` output** (task 0.6) — do not guess schedules.

2. **Add six lines in hPanel** using `/bin/bash $HOME/Admin-Server/scripts/<script>.sh` and verify **five-field** syntax (`min hour dom mon dow`).

3. **Confirm log files update** after the first interval (or check mtimes).

   ```bash
   ssh <SSH_ALIAS> 'ls -la ~/Admin-Server/logs/*.log 2>/dev/null'
   ```

</Steps>

### 0.9 · First commit + push

<Steps>

1. **Push the Admin-Server repo** (baseline + any committed config such as `server-environment.conf` if your deploy template needs PHP/Node paths).

   ```bash
   ssh <SSH_ALIAS> '
     cd ~/Admin-Server
     git status
     git push
   '
   ```

</Steps>

### 0.10 · Document the server *(SHOULD)*

Record in the project's **`CLAUDE.local.md`** (or equivalent local-only notes): SSH alias, `Admin-Hostinger-<account>` repo name, last baseline date, last webhook rotation — not in git-tracked secrets.

---

## Verify existing

When detect-and-skip found scripts already installed:

```bash
ssh <SSH_ALIAS> '
  ~/Admin-Server/scripts/status.sh
  ls -la ~/Admin-Server/logs/*.log 2>/dev/null
'
```

Fix only failed checks (missing baseline → 0.5; stale logs → 0.8; unset webhooks → 0.3 + 0.7). Then return to your app playbook.

## Idempotent re-run

| Concern | On second run |
| --- | --- |
| Repo | `git fetch && git pull` — no re-clone |
| Cron | Detected before add — no duplicates |
| Baseline | Regeneration non-destructive |
| Health | `status.sh` + `ls ~/Admin-Server/scripts/*.sh` |

## Secrets discipline

- Webhook URLs are **credentials** — revoke immediately if leaked (2026-04-29 incident).  
- **`server.env`**: `chmod 600`, gitignored — interim SoT for `ops` / `deploys` / `backups`.  
- Prefer **server-to-server** copy or **clipboard bridge** at keyboard — never through agent chat.  
- **P9C-1 (future):** 1Password SA fetch replaces plaintext URLs — see [Hardening](#hardening-serverenv).

## Hardening `server.env`

| Weakness | Interim | After P9C-1 |
| --- | --- | --- |
| Plaintext webhooks on disk | `chmod 600` + gitignore | SA fetch at runtime |
| No audit trail | Rotation log in monitoring state | 1Password activity log |
| Per-server manual rotation | Operator checklist | Rotate vault once; servers pull fresh |

P9C-1 unblocks after Phase 6 Task 62 proves `op` on Hostinger CloudLinux.

---

## Checklist

Nine-item verification (cross-phase proposal):

- [ ] SSH alias works passwordlessly from laptop
- [ ] Server GitHub auth: `ssh -T git@github.com-<GITHUB_USER>` succeeds
- [ ] `~/Admin-Server/` present; `git remote -v` correct
- [ ] All monitoring scripts executable (`-rwx`)
- [ ] `config/server.env` exists at `chmod 600`, gitignored
- [ ] Six cron entries in hPanel (five-field syntax verified against `status.sh`)
- [ ] `baselines/checksums.md5` exists with ≥4 entries
- [ ] Test alert received with `[STAGING] 🟡` or `[PRODUCTION] 🔴` prefix
- [ ] `config/server-environment.conf` committed with PHP/Node/Composer paths *(if deploy template uses it)*
- [ ] Server documented in `CLAUDE.local.md` *(task 0.10)*

## What's next

<CardGrid>
  <LinkCard title="CodeCanyon setup-new" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/" description="Per-app playbook — run after this account gate passes." />
  <LinkCard title="Three-tier admin model" href="/tech-stack/laravel/codecanyon/learn/handbooks/02-three-tier-admin/" description="Admin-Local · Admin-Domain · Admin-Server + cascade resolver." />
  <LinkCard title="Deploy pipeline · step 1" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/01-deployer/" description="Assumes Admin-Server paths resolve for deploys/backups webhooks." />
</CardGrid>

:::next[Next: start a CodeCanyon project]
When the gate passes, continue with [CodeCanyon setup-new](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/) — Phase 1 workspace setup on your laptop.
:::

TL;DR

Objective — bootstrap the per-server Admin-Server toolkit on a fresh hosting account so config drift detection, MD5 integrity checks, disk/inode alerts, PHP error-log scanning, domain inventory, log rotation, and three alert channels (ops · deploys · backups) are wired once for every app on that account.

This playbook is Phase 0 in the Residoro corpus — account-scoped server setup before CodeCanyon setup-new. Conceptual companion: Three-tier admin (handbook).

Once per account, then every app

flowchart LR
  A["New hosting account"] --> B["Phase 0 · this playbook"]
  B --> C["setup-new · app 1"]
  B --> D["setup-new · app N"]

Operating rules

Every task in this phase follows four rules from the Phase 0 stub:

Rule	Meaning
Runs on the server	SSH into `~/Admin-Server/` on the hosting account — zero toolkit binaries on your laptop
Secrets stay server-side	No webhook URL or SA token in laptop argv or agent chat — see Secrets discipline
Idempotent	Re-run safe: `git pull`-friendly; baselines non-destructive; cron lines detected before duplicate add
P9C-1 target	Future: webhooks in 1Password vault, only `OP_SERVICE_ACCOUNT_TOKEN` on disk — interim: URLs in `server.env` at `chmod 600`

Before you start

Prerequisite	Verify
SSH public-key auth to the account	`ssh <SSH_ALIAS> 'echo ok'` — no password prompt
Private GitHub repo `Admin-Hostinger-<account>`	Empty repo OK for first push
Discord or Slack ops channel	Webhook ready — configure only on server via `nano`
(After P9C-1) 1Password vault + SA token	Not required for interim flow

Detect and skip

Run before any install work:

ssh <SSH_ALIAS> 'ls ~/Admin-Server/scripts/*.sh 2>/dev/null | head -10'

Output	Action
Scripts listed	Jump to Verify existing — skip tasks 0.1–0.5
No such file	Continue with Tasks 0.1–0.10
Scripts but no `lib/init.sh`	Legacy layout — resolve before cron (see Admin-Server repo docs)

Tasks

Eight-step flow from the cross-phase proposal: Clone → op CLI (P9C-1) → server.env → verify → baseline → smoke test → cron → commit/push. Below maps to tasks 0.1–0.10 from the Phase 0 stub.

0.1 · Clone Admin-Server toolkit

Clone the per-server private repo into ~/Admin-Server/.

ssh <SSH_ALIAS> '
  git clone git@github.com-<GITHUB_USER>:<GITHUB_USER>/Admin-Hostinger-<account>.git ~/Admin-Server
  cd ~/Admin-Server && git remote -v
'
# Expected: origin → your Admin-Hostinger-<account> repo

If the directory already exists, update instead of re-cloning.
Terminal window
```
ssh <SSH_ALIAS> 'cd ~/Admin-Server && git fetch && git pull'
```

0.2 · `op` CLI (deferred — P9C-1)

Task 0.2 (download op 1Password CLI, no root) is MUST after P9C-1, not part of the interim bootstrap. For forward compatibility only, add an empty placeholder when editing server.env in task 0.3:

OP_SERVICE_ACCOUNT_TOKEN=""

Do not run op signin from an agent session.

0.3 · Bootstrap `config/server.env`

Create server.env from the template on the server only.

ssh <SSH_ALIAS> '
  cd ~/Admin-Server
  cp config/server.env.example config/server.env
  chmod 600 config/server.env
  nano config/server.env
'

Set identity and at least one ops webhook (paste URL in nano on server — never into chat).

Minimum fields: SERVER_NAME, SERVER_LABEL, SERVER_ENV (staging | production), DISCORD_WEBHOOK_OPS (or SLACK_WEBHOOK_OPS). Optional channel slots: DISCORD_WEBHOOK_DEPLOYS, DISCORD_WEBHOOK_BACKUPS.

0.4 · Executable scripts + `server.env` permissions

chmod scripts and confirm server.env stays private.

ssh <SSH_ALIAS> '
  chmod +x ~/Admin-Server/scripts/*.sh
  chmod 600 ~/Admin-Server/config/server.env
  ls -l ~/Admin-Server/scripts/status.sh ~/Admin-Server/config/server.env
'
# Expected: scripts -rwx; server.env -rw-------

0.5 · Generate initial MD5 baseline

Generate and commit the integrity baseline.

ssh <SSH_ALIAS> '
  ~/Admin-Server/scripts/generate-baseline.sh
  cd ~/Admin-Server
  git add baselines/checksums.md5
  git commit -m "Initial integrity baseline"
'
# Expected: checksums.md5 with ≥4 monitored paths

0.6 · Run `status.sh` smoke test

Run the health snapshot — this is the verify step in the eight-step flow.
Terminal window
```
ssh <SSH_ALIAS> '~/Admin-Server/scripts/status.sh'
```
Expected: clean SERVER_LABEL / SERVER_ENV; baseline ✅; webhook slots show ✅/❌ (at least one ✅ before you leave Phase 0); cron schedule printed — use that output for task 0.8.

0.7 · Fire one synthetic alert (`ops` channel)

Send a test alert through the ops channel.
Terminal window
```
ssh <SSH_ALIAS> '
  ~/Admin-Server/scripts/alert-helper.sh INFO "Phase 0 smoke test" "Hello from $(hostname)" ops
'
```
Expected: Discord/Slack message with [STAGING] 🟡 or [PRODUCTION] 🔴 prefix (gate condition from Phase 0 stub).

0.8 · Register six hPanel cron entries

Hostinger has no crontab CLI — use hPanel → Advanced → Cron Jobs.

Cron job	Typical script	Watches
Config snapshot	`snapshot-config.sh`	Tracked config drift
MD5 integrity	`integrity-check.sh`	Baseline mutations
Disk / inode	`resource-check.sh`	Space and inode exhaustion
PHP error log	`error-log-check.sh`	New PHP errors across domains
Domain inventory	`domain-inventory.sh`	Apps/domains on account
Log rotation	`rotate-logs.sh`	Log volume

Copy cron expressions from status.sh output (task 0.6) — do not guess schedules.
Add six lines in hPanel using /bin/bash $HOME/Admin-Server/scripts/<script>.sh and verify five-field syntax (min hour dom mon dow).
Confirm log files update after the first interval (or check mtimes).
Terminal window
```
ssh <SSH_ALIAS> 'ls -la ~/Admin-Server/logs/*.log 2>/dev/null'
```

0.9 · First commit + push

Push the Admin-Server repo (baseline + any committed config such as server-environment.conf if your deploy template needs PHP/Node paths).
Terminal window
```
ssh <SSH_ALIAS> '
  cd ~/Admin-Server
  git status
  git push
'
```

0.10 · Document the server (SHOULD)

Record in the project’s CLAUDE.local.md (or equivalent local-only notes): SSH alias, Admin-Hostinger-<account> repo name, last baseline date, last webhook rotation — not in git-tracked secrets.

Verify existing

When detect-and-skip found scripts already installed:

ssh <SSH_ALIAS> '
  ~/Admin-Server/scripts/status.sh
  ls -la ~/Admin-Server/logs/*.log 2>/dev/null
'

Fix only failed checks (missing baseline → 0.5; stale logs → 0.8; unset webhooks → 0.3 + 0.7). Then return to your app playbook.

Idempotent re-run

Concern	On second run
Repo	`git fetch && git pull` — no re-clone
Cron	Detected before add — no duplicates
Baseline	Regeneration non-destructive
Health	`status.sh` + `ls ~/Admin-Server/scripts/*.sh`

Secrets discipline

Webhook URLs are credentials — revoke immediately if leaked (2026-04-29 incident).
server.env: chmod 600, gitignored — interim SoT for ops / deploys / backups.
Prefer server-to-server copy or clipboard bridge at keyboard — never through agent chat.
P9C-1 (future): 1Password SA fetch replaces plaintext URLs — see Hardening.

Hardening `server.env`

Weakness	Interim	After P9C-1
Plaintext webhooks on disk	`chmod 600` + gitignore	SA fetch at runtime
No audit trail	Rotation log in monitoring state	1Password activity log
Per-server manual rotation	Operator checklist	Rotate vault once; servers pull fresh

P9C-1 unblocks after Phase 6 Task 62 proves op on Hostinger CloudLinux.

Checklist

Nine-item verification (cross-phase proposal):

What’s next

CodeCanyon setup-new Per-app playbook — run after this account gate passes.

Three-tier admin model Admin-Local · Admin-Domain · Admin-Server + cascade resolver.

Deploy pipeline · step 1 Assumes Admin-Server paths resolve for deploys/backups webhooks.

When the gate passes, continue with CodeCanyon setup-new — Phase 1 workspace setup on your laptop.

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: Set up shared hosting
- url: https://library.zajapps.com/infrastructure/hosting/shared-hosting/build/playbooks/setup-shared-hosting/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: infrastructure
- subcategory: hosting
- topic: shared-hosting
- phase: 0
- step_number: 1
- est_time: ~2 min verify · ~15–25 min first install
- description: Once-per-account Admin-Server bootstrap — monitoring cron, ops/deploys/backups webhooks, MD5 baselines, and server.env before any Laravel deploy.
- tags: servers, shared-hosting, admin-server, hostinger, monitoring

## Execution rules (binding)
- This is step 1 of phase 0 (~2 min verify · ~15–25 min first install) — do only this step, then stop at its `## Checklist`.
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.

---

# Set up shared hosting

## TL;DR

**Objective** — bootstrap the per-server **Admin-Server** toolkit on a fresh hosting account so config drift detection, MD5 integrity checks, disk/inode alerts, PHP error-log scanning, domain inventory, log rotation, and three alert channels (`ops` · `deploys` · `backups`) are wired **once** for every app on that account.

:::note[For beginners and agents]
**Gate — done when** — `~/Admin-Server/scripts/status.sh` reports a clean identity and ✅ for at least one webhook channel, and one synthetic alert arrives in Discord/Slack with the correct env prefix: **`[STAGING] 🟡`** or **`[PRODUCTION] 🔴`**.

**Once per server, not per project.** Re-run only when you add a **new** hosting account. If scripts already exist, detect-and-skip — verify, do not reinstall.

**⏱ ~2 min** (verify) · **~15–25 min** (first install) · **🔀** all work over SSH on the server; **👤** hPanel cron UI + webhook paste in `nano` on the server.

Sources: `_Sources/laravel/codecanyon/server-setup/admin-server-cross-phase-integration-proposal.md` · `_Sources/laravel/codecanyon/corpus/From_Residoro/Guides-v2/A-Consolidated/Phase-00-Server-Setup.md`
:::

---

This playbook is **Phase 0** in the Residoro corpus — account-scoped server setup before [CodeCanyon setup-new](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/). Conceptual companion: [Three-tier admin (handbook)](/tech-stack/laravel/codecanyon/learn/handbooks/02-three-tier-admin/).

<StageFlow
  title="Once per account, then every app"
  stages={[
    { label: 'This account', sub: 'Admin-Server (Phase 0)', tone: 'core' },
    { label: 'App #1', sub: 'setup-new', tone: 'good' },
    { label: 'App #N', sub: 'reuse server tier', tone: 'muted' },
  ]}
/>

```mermaid
flowchart LR
  A["New hosting account"] --> B["Phase 0 · this playbook"]
  B --> C["setup-new · app 1"]
  B --> D["setup-new · app N"]
```

## Operating rules

Every task in this phase follows four rules from the Phase 0 stub:

| Rule | Meaning |
| --- | --- |
| **Runs on the server** | SSH into `~/Admin-Server/` on the hosting account — zero toolkit binaries on your laptop |
| **Secrets stay server-side** | No webhook URL or SA token in laptop argv or agent chat — see [Secrets discipline](#secrets-discipline) |
| **Idempotent** | Re-run safe: `git pull`-friendly; baselines non-destructive; cron lines detected before duplicate add |
| **P9C-1 target** | Future: webhooks in 1Password vault, only `OP_SERVICE_ACCOUNT_TOKEN` on disk — interim: URLs in `server.env` at `chmod 600` |

## Before you start

| Prerequisite | Verify |
| --- | --- |
| SSH public-key auth to the account | `ssh <SSH_ALIAS> 'echo ok'` — no password prompt |
| Private GitHub repo `Admin-Hostinger-<account>` | Empty repo OK for first push |
| Discord or Slack ops channel | Webhook ready — configure only on server via `nano` |
| *(After P9C-1)* 1Password vault + SA token | Not required for interim flow |

## Detect and skip

Run before any install work:

```bash
ssh <SSH_ALIAS> 'ls ~/Admin-Server/scripts/*.sh 2>/dev/null | head -10'
```

| Output | Action |
| --- | --- |
| Scripts listed | Jump to [Verify existing](#verify-existing) — skip tasks 0.1–0.5 |
| No such file | Continue with [Tasks 0.1–0.10](#tasks) |
| Scripts but no `lib/init.sh` | Legacy layout — resolve before cron (see Admin-Server repo docs) |

---

## Tasks

Eight-step flow from the cross-phase proposal: **Clone → op CLI (P9C-1) → `server.env` → verify → baseline → smoke test → cron → commit/push**. Below maps to tasks **0.1–0.10** from the Phase 0 stub.

### 0.1 · Clone Admin-Server toolkit

<Steps>

1. **Clone the per-server private repo** into `~/Admin-Server/`.

   ```bash
   ssh <SSH_ALIAS> '
     git clone git@github.com-<GITHUB_USER>:<GITHUB_USER>/Admin-Hostinger-<account>.git ~/Admin-Server
     cd ~/Admin-Server && git remote -v
   '
   # Expected: origin → your Admin-Hostinger-<account> repo
   ```

2. **If the directory already exists**, update instead of re-cloning.

   ```bash
   ssh <SSH_ALIAS> 'cd ~/Admin-Server && git fetch && git pull'
   ```

</Steps>

### 0.2 · `op` CLI *(deferred — P9C-1)*

Task **0.2** (download `op` 1Password CLI, no root) is **MUST after P9C-1**, not part of the interim bootstrap. For forward compatibility only, add an empty placeholder when editing `server.env` in task 0.3:

```bash
OP_SERVICE_ACCOUNT_TOKEN=""
```

Do not run `op signin` from an agent session.

### 0.3 · Bootstrap `config/server.env`

<Steps>

1. **Create `server.env` from the template** on the server only.

   ```bash
   ssh <SSH_ALIAS> '
     cd ~/Admin-Server
     cp config/server.env.example config/server.env
     chmod 600 config/server.env
     nano config/server.env
   '
   ```

2. **Set identity and at least one ops webhook** (paste URL in `nano` on server — never into chat).

   Minimum fields: `SERVER_NAME`, `SERVER_LABEL`, `SERVER_ENV` (`staging` \| `production`), `DISCORD_WEBHOOK_OPS` (or `SLACK_WEBHOOK_OPS`). Optional channel slots: `DISCORD_WEBHOOK_DEPLOYS`, `DISCORD_WEBHOOK_BACKUPS`.

</Steps>

### 0.4 · Executable scripts + `server.env` permissions

<Steps>

1. **chmod scripts and confirm `server.env` stays private.**

   ```bash
   ssh <SSH_ALIAS> '
     chmod +x ~/Admin-Server/scripts/*.sh
     chmod 600 ~/Admin-Server/config/server.env
     ls -l ~/Admin-Server/scripts/status.sh ~/Admin-Server/config/server.env
   '
   # Expected: scripts -rwx; server.env -rw------- 
   ```

</Steps>

### 0.5 · Generate initial MD5 baseline

<Steps>

1. **Generate and commit the integrity baseline.**

   ```bash
   ssh <SSH_ALIAS> '
     ~/Admin-Server/scripts/generate-baseline.sh
     cd ~/Admin-Server
     git add baselines/checksums.md5
     git commit -m "Initial integrity baseline"
   '
   # Expected: checksums.md5 with ≥4 monitored paths
   ```

</Steps>

### 0.6 · Run `status.sh` smoke test

<Steps>

1. **Run the health snapshot** — this is the **verify** step in the eight-step flow.

   ```bash
   ssh <SSH_ALIAS> '~/Admin-Server/scripts/status.sh'
   ```

   Expected: clean `SERVER_LABEL` / `SERVER_ENV`; baseline ✅; webhook slots show ✅/❌ (at least one ✅ before you leave Phase 0); **cron schedule printed** — use that output for task 0.8.

</Steps>

### 0.7 · Fire one synthetic alert (`ops` channel)

<Steps>

1. **Send a test alert** through the ops channel.

   ```bash
   ssh <SSH_ALIAS> '
     ~/Admin-Server/scripts/alert-helper.sh INFO "Phase 0 smoke test" "Hello from $(hostname)" ops
   '
   ```

   **Expected:** Discord/Slack message with **`[STAGING] 🟡`** or **`[PRODUCTION] 🔴`** prefix (gate condition from Phase 0 stub).

</Steps>

### 0.8 · Register six hPanel cron entries

Hostinger has **no** `crontab` CLI — use hPanel → Advanced → Cron Jobs.

| Cron job | Typical script | Watches |
| --- | --- | --- |
| Config snapshot | `snapshot-config.sh` | Tracked config drift |
| MD5 integrity | `integrity-check.sh` | Baseline mutations |
| Disk / inode | `resource-check.sh` | Space and inode exhaustion |
| PHP error log | `error-log-check.sh` | New PHP errors across domains |
| Domain inventory | `domain-inventory.sh` | Apps/domains on account |
| Log rotation | `rotate-logs.sh` | Log volume |

<Steps>

1. **Copy cron expressions from `status.sh` output** (task 0.6) — do not guess schedules.

2. **Add six lines in hPanel** using `/bin/bash $HOME/Admin-Server/scripts/<script>.sh` and verify **five-field** syntax (`min hour dom mon dow`).

3. **Confirm log files update** after the first interval (or check mtimes).

   ```bash
   ssh <SSH_ALIAS> 'ls -la ~/Admin-Server/logs/*.log 2>/dev/null'
   ```

</Steps>

### 0.9 · First commit + push

<Steps>

1. **Push the Admin-Server repo** (baseline + any committed config such as `server-environment.conf` if your deploy template needs PHP/Node paths).

   ```bash
   ssh <SSH_ALIAS> '
     cd ~/Admin-Server
     git status
     git push
   '
   ```

</Steps>

### 0.10 · Document the server *(SHOULD)*

Record in the project's **`CLAUDE.local.md`** (or equivalent local-only notes): SSH alias, `Admin-Hostinger-<account>` repo name, last baseline date, last webhook rotation — not in git-tracked secrets.

---

## Verify existing

When detect-and-skip found scripts already installed:

```bash
ssh <SSH_ALIAS> '
  ~/Admin-Server/scripts/status.sh
  ls -la ~/Admin-Server/logs/*.log 2>/dev/null
'
```

Fix only failed checks (missing baseline → 0.5; stale logs → 0.8; unset webhooks → 0.3 + 0.7). Then return to your app playbook.

## Idempotent re-run

| Concern | On second run |
| --- | --- |
| Repo | `git fetch && git pull` — no re-clone |
| Cron | Detected before add — no duplicates |
| Baseline | Regeneration non-destructive |
| Health | `status.sh` + `ls ~/Admin-Server/scripts/*.sh` |

## Secrets discipline

- Webhook URLs are **credentials** — revoke immediately if leaked (2026-04-29 incident).  
- **`server.env`**: `chmod 600`, gitignored — interim SoT for `ops` / `deploys` / `backups`.  
- Prefer **server-to-server** copy or **clipboard bridge** at keyboard — never through agent chat.  
- **P9C-1 (future):** 1Password SA fetch replaces plaintext URLs — see [Hardening](#hardening-serverenv).

## Hardening `server.env`

| Weakness | Interim | After P9C-1 |
| --- | --- | --- |
| Plaintext webhooks on disk | `chmod 600` + gitignore | SA fetch at runtime |
| No audit trail | Rotation log in monitoring state | 1Password activity log |
| Per-server manual rotation | Operator checklist | Rotate vault once; servers pull fresh |

P9C-1 unblocks after Phase 6 Task 62 proves `op` on Hostinger CloudLinux.

---

## Checklist

Nine-item verification (cross-phase proposal):

- [ ] SSH alias works passwordlessly from laptop
- [ ] Server GitHub auth: `ssh -T git@github.com-<GITHUB_USER>` succeeds
- [ ] `~/Admin-Server/` present; `git remote -v` correct
- [ ] All monitoring scripts executable (`-rwx`)
- [ ] `config/server.env` exists at `chmod 600`, gitignored
- [ ] Six cron entries in hPanel (five-field syntax verified against `status.sh`)
- [ ] `baselines/checksums.md5` exists with ≥4 entries
- [ ] Test alert received with `[STAGING] 🟡` or `[PRODUCTION] 🔴` prefix
- [ ] `config/server-environment.conf` committed with PHP/Node/Composer paths *(if deploy template uses it)*
- [ ] Server documented in `CLAUDE.local.md` *(task 0.10)*

## What's next

<CardGrid>
  <LinkCard title="CodeCanyon setup-new" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/" description="Per-app playbook — run after this account gate passes." />
  <LinkCard title="Three-tier admin model" href="/tech-stack/laravel/codecanyon/learn/handbooks/02-three-tier-admin/" description="Admin-Local · Admin-Domain · Admin-Server + cascade resolver." />
  <LinkCard title="Deploy pipeline · step 1" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/01-deployer/" description="Assumes Admin-Server paths resolve for deploys/backups webhooks." />
</CardGrid>

:::next[Next: start a CodeCanyon project]
When the gate passes, continue with [CodeCanyon setup-new](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/) — Phase 1 workspace setup on your laptop.
:::

# Set up shared hosting

> Source: https://library.zajapps.com/infrastructure/hosting/shared-hosting/build/playbooks/setup-shared-hosting/

## TL;DR

**Objective** — bootstrap the per-server **Admin-Server** toolkit on a fresh hosting account so config drift detection, MD5 integrity checks, disk/inode alerts, PHP error-log scanning, domain inventory, log rotation, and three alert channels (`ops` · `deploys` · `backups`) are wired **once** for every app on that account.

:::note[For beginners and agents]
**Gate — done when** — `~/Admin-Server/scripts/status.sh` reports a clean identity and ✅ for at least one webhook channel, and one synthetic alert arrives in Discord/Slack with the correct env prefix: **`[STAGING] 🟡`** or **`[PRODUCTION] 🔴`**.

**Once per server, not per project.** Re-run only when you add a **new** hosting account. If scripts already exist, detect-and-skip — verify, do not reinstall.

**⏱ ~2 min** (verify) · **~15–25 min** (first install) · **🔀** all work over SSH on the server; **👤** hPanel cron UI + webhook paste in `nano` on the server.

Sources: `_Sources/laravel/codecanyon/server-setup/admin-server-cross-phase-integration-proposal.md` · `_Sources/laravel/codecanyon/corpus/From_Residoro/Guides-v2/A-Consolidated/Phase-00-Server-Setup.md`
:::

---

This playbook is **Phase 0** in the Residoro corpus — account-scoped server setup before [CodeCanyon setup-new](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/). Conceptual companion: [Three-tier admin (handbook)](/tech-stack/laravel/codecanyon/learn/handbooks/02-three-tier-admin/).

<StageFlow
  title="Once per account, then every app"
  stages={[
    { label: 'This account', sub: 'Admin-Server (Phase 0)', tone: 'core' },
    { label: 'App #1', sub: 'setup-new', tone: 'good' },
    { label: 'App #N', sub: 'reuse server tier', tone: 'muted' },
  ]}
/>

```mermaid
flowchart LR
  A["New hosting account"] --> B["Phase 0 · this playbook"]
  B --> C["setup-new · app 1"]
  B --> D["setup-new · app N"]
```

## Operating rules

Every task in this phase follows four rules from the Phase 0 stub:

| Rule | Meaning |
| --- | --- |
| **Runs on the server** | SSH into `~/Admin-Server/` on the hosting account — zero toolkit binaries on your laptop |
| **Secrets stay server-side** | No webhook URL or SA token in laptop argv or agent chat — see [Secrets discipline](#secrets-discipline) |
| **Idempotent** | Re-run safe: `git pull`-friendly; baselines non-destructive; cron lines detected before duplicate add |
| **P9C-1 target** | Future: webhooks in 1Password vault, only `OP_SERVICE_ACCOUNT_TOKEN` on disk — interim: URLs in `server.env` at `chmod 600` |

## Before you start

| Prerequisite | Verify |
| --- | --- |
| SSH public-key auth to the account | `ssh <SSH_ALIAS> 'echo ok'` — no password prompt |
| Private GitHub repo `Admin-Hostinger-<account>` | Empty repo OK for first push |
| Discord or Slack ops channel | Webhook ready — configure only on server via `nano` |
| *(After P9C-1)* 1Password vault + SA token | Not required for interim flow |

## Detect and skip

Run before any install work:

```bash
ssh <SSH_ALIAS> 'ls ~/Admin-Server/scripts/*.sh 2>/dev/null | head -10'
```

| Output | Action |
| --- | --- |
| Scripts listed | Jump to [Verify existing](#verify-existing) — skip tasks 0.1–0.5 |
| No such file | Continue with [Tasks 0.1–0.10](#tasks) |
| Scripts but no `lib/init.sh` | Legacy layout — resolve before cron (see Admin-Server repo docs) |

---

## Tasks

Eight-step flow from the cross-phase proposal: **Clone → op CLI (P9C-1) → `server.env` → verify → baseline → smoke test → cron → commit/push**. Below maps to tasks **0.1–0.10** from the Phase 0 stub.

### 0.1 · Clone Admin-Server toolkit

<Steps>

1. **Clone the per-server private repo** into `~/Admin-Server/`.

   ```bash
   ssh <SSH_ALIAS> '
     git clone git@github.com-<GITHUB_USER>:<GITHUB_USER>/Admin-Hostinger-<account>.git ~/Admin-Server
     cd ~/Admin-Server && git remote -v
   '
   # Expected: origin → your Admin-Hostinger-<account> repo
   ```

2. **If the directory already exists**, update instead of re-cloning.

   ```bash
   ssh <SSH_ALIAS> 'cd ~/Admin-Server && git fetch && git pull'
   ```

</Steps>

### 0.2 · `op` CLI *(deferred — P9C-1)*

Task **0.2** (download `op` 1Password CLI, no root) is **MUST after P9C-1**, not part of the interim bootstrap. For forward compatibility only, add an empty placeholder when editing `server.env` in task 0.3:

```bash
OP_SERVICE_ACCOUNT_TOKEN=""
```

Do not run `op signin` from an agent session.

### 0.3 · Bootstrap `config/server.env`

<Steps>

1. **Create `server.env` from the template** on the server only.

   ```bash
   ssh <SSH_ALIAS> '
     cd ~/Admin-Server
     cp config/server.env.example config/server.env
     chmod 600 config/server.env
     nano config/server.env
   '
   ```

2. **Set identity and at least one ops webhook** (paste URL in `nano` on server — never into chat).

   Minimum fields: `SERVER_NAME`, `SERVER_LABEL`, `SERVER_ENV` (`staging` \| `production`), `DISCORD_WEBHOOK_OPS` (or `SLACK_WEBHOOK_OPS`). Optional channel slots: `DISCORD_WEBHOOK_DEPLOYS`, `DISCORD_WEBHOOK_BACKUPS`.

</Steps>

### 0.4 · Executable scripts + `server.env` permissions

<Steps>

1. **chmod scripts and confirm `server.env` stays private.**

   ```bash
   ssh <SSH_ALIAS> '
     chmod +x ~/Admin-Server/scripts/*.sh
     chmod 600 ~/Admin-Server/config/server.env
     ls -l ~/Admin-Server/scripts/status.sh ~/Admin-Server/config/server.env
   '
   # Expected: scripts -rwx; server.env -rw------- 
   ```

</Steps>

### 0.5 · Generate initial MD5 baseline

<Steps>

1. **Generate and commit the integrity baseline.**

   ```bash
   ssh <SSH_ALIAS> '
     ~/Admin-Server/scripts/generate-baseline.sh
     cd ~/Admin-Server
     git add baselines/checksums.md5
     git commit -m "Initial integrity baseline"
   '
   # Expected: checksums.md5 with ≥4 monitored paths
   ```

</Steps>

### 0.6 · Run `status.sh` smoke test

<Steps>

1. **Run the health snapshot** — this is the **verify** step in the eight-step flow.

   ```bash
   ssh <SSH_ALIAS> '~/Admin-Server/scripts/status.sh'
   ```

   Expected: clean `SERVER_LABEL` / `SERVER_ENV`; baseline ✅; webhook slots show ✅/❌ (at least one ✅ before you leave Phase 0); **cron schedule printed** — use that output for task 0.8.

</Steps>

### 0.7 · Fire one synthetic alert (`ops` channel)

<Steps>

1. **Send a test alert** through the ops channel.

   ```bash
   ssh <SSH_ALIAS> '
     ~/Admin-Server/scripts/alert-helper.sh INFO "Phase 0 smoke test" "Hello from $(hostname)" ops
   '
   ```

   **Expected:** Discord/Slack message with **`[STAGING] 🟡`** or **`[PRODUCTION] 🔴`** prefix (gate condition from Phase 0 stub).

</Steps>

### 0.8 · Register six hPanel cron entries

Hostinger has **no** `crontab` CLI — use hPanel → Advanced → Cron Jobs.

| Cron job | Typical script | Watches |
| --- | --- | --- |
| Config snapshot | `snapshot-config.sh` | Tracked config drift |
| MD5 integrity | `integrity-check.sh` | Baseline mutations |
| Disk / inode | `resource-check.sh` | Space and inode exhaustion |
| PHP error log | `error-log-check.sh` | New PHP errors across domains |
| Domain inventory | `domain-inventory.sh` | Apps/domains on account |
| Log rotation | `rotate-logs.sh` | Log volume |

<Steps>

1. **Copy cron expressions from `status.sh` output** (task 0.6) — do not guess schedules.

2. **Add six lines in hPanel** using `/bin/bash $HOME/Admin-Server/scripts/<script>.sh` and verify **five-field** syntax (`min hour dom mon dow`).

3. **Confirm log files update** after the first interval (or check mtimes).

   ```bash
   ssh <SSH_ALIAS> 'ls -la ~/Admin-Server/logs/*.log 2>/dev/null'
   ```

</Steps>

### 0.9 · First commit + push

<Steps>

1. **Push the Admin-Server repo** (baseline + any committed config such as `server-environment.conf` if your deploy template needs PHP/Node paths).

   ```bash
   ssh <SSH_ALIAS> '
     cd ~/Admin-Server
     git status
     git push
   '
   ```

</Steps>

### 0.10 · Document the server *(SHOULD)*

Record in the project's **`CLAUDE.local.md`** (or equivalent local-only notes): SSH alias, `Admin-Hostinger-<account>` repo name, last baseline date, last webhook rotation — not in git-tracked secrets.

---

## Verify existing

When detect-and-skip found scripts already installed:

```bash
ssh <SSH_ALIAS> '
  ~/Admin-Server/scripts/status.sh
  ls -la ~/Admin-Server/logs/*.log 2>/dev/null
'
```

Fix only failed checks (missing baseline → 0.5; stale logs → 0.8; unset webhooks → 0.3 + 0.7). Then return to your app playbook.

## Idempotent re-run

| Concern | On second run |
| --- | --- |
| Repo | `git fetch && git pull` — no re-clone |
| Cron | Detected before add — no duplicates |
| Baseline | Regeneration non-destructive |
| Health | `status.sh` + `ls ~/Admin-Server/scripts/*.sh` |

## Secrets discipline

- Webhook URLs are **credentials** — revoke immediately if leaked (2026-04-29 incident).  
- **`server.env`**: `chmod 600`, gitignored — interim SoT for `ops` / `deploys` / `backups`.  
- Prefer **server-to-server** copy or **clipboard bridge** at keyboard — never through agent chat.  
- **P9C-1 (future):** 1Password SA fetch replaces plaintext URLs — see [Hardening](#hardening-serverenv).

## Hardening `server.env`

| Weakness | Interim | After P9C-1 |
| --- | --- | --- |
| Plaintext webhooks on disk | `chmod 600` + gitignore | SA fetch at runtime |
| No audit trail | Rotation log in monitoring state | 1Password activity log |
| Per-server manual rotation | Operator checklist | Rotate vault once; servers pull fresh |

P9C-1 unblocks after Phase 6 Task 62 proves `op` on Hostinger CloudLinux.

---

## Checklist

Nine-item verification (cross-phase proposal):

- [ ] SSH alias works passwordlessly from laptop
- [ ] Server GitHub auth: `ssh -T git@github.com-<GITHUB_USER>` succeeds
- [ ] `~/Admin-Server/` present; `git remote -v` correct
- [ ] All monitoring scripts executable (`-rwx`)
- [ ] `config/server.env` exists at `chmod 600`, gitignored
- [ ] Six cron entries in hPanel (five-field syntax verified against `status.sh`)
- [ ] `baselines/checksums.md5` exists with ≥4 entries
- [ ] Test alert received with `[STAGING] 🟡` or `[PRODUCTION] 🔴` prefix
- [ ] `config/server-environment.conf` committed with PHP/Node/Composer paths *(if deploy template uses it)*
- [ ] Server documented in `CLAUDE.local.md` *(task 0.10)*

## What's next

<CardGrid>
  <LinkCard title="CodeCanyon setup-new" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/" description="Per-app playbook — run after this account gate passes." />
  <LinkCard title="Three-tier admin model" href="/tech-stack/laravel/codecanyon/learn/handbooks/02-three-tier-admin/" description="Admin-Local · Admin-Domain · Admin-Server + cascade resolver." />
  <LinkCard title="Deploy pipeline · step 1" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/01-deployer/" description="Assumes Admin-Server paths resolve for deploys/backups webhooks." />
</CardGrid>

:::next[Next: start a CodeCanyon project]
When the gate passes, continue with [CodeCanyon setup-new](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/) — Phase 1 workspace setup on your laptop.
:::