pplate/cannamanage
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases Wiki Activity

harden(deploy): db internal-only + robust container-loopback frontend verify
CI — Build, Lint & Security Scan / backend (push) Failing after 1m3s
Details
CI — Build, Lint & Security Scan / frontend (push) Failing after 1m23s
Details
CI — Build, Lint & Security Scan / image-scan (push) Has been skipped
Details
CI — Build, Lint & Security Scan / secrets-scan (push) Failing after 37s
Details
Deploy to TrueNAS / deploy (push) Successful in 37s
Details

Browse Source 
- db: drop host :5432 publish (ports !override []) — no LAN exposure, reached
  via compose net (db:5432) + docker exec for the ALTER USER reconcile. Matches
  inspectflow isolation. backend :8081 kept (LAN-only, used by healthcheck).
- deploy verify-frontend: probe container loopback via bundled node instead of
  host :3000 wget. Network-namespace-independent; fixes the transient
  false-failure when polling mid-recreate. <500 = healthy (307->/login).
This commit is contained in:
Patrick Plate
2026-06-22 11:06:58 +02:00
parent a686957b09
commit 83b46c8cda
2 changed files with 22 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docker-compose.truenas.yml
+6
View File
@@ -14,6 +14,12 @@
# -p cannamanage up -d --build --remove-orphans
services:
db:
# Internal-only: drop the host :5432 publish inherited from docker-compose.yml.
# Postgres must not be exposed to the LAN. The backend reaches it over the
# compose network (db:5432) and the deploy's ALTER USER reconcile uses
# `docker exec`, so no published host port is needed. (!override [] replaces
# the inherited ports list — compose otherwise concatenates lists.)
ports: !override []
# POSTGRES_PASSWORD only takes effect on FIRST volume init; the existing
# cannamanage_pgdata volume keeps its current role password. The live role
# password is rotated out-of-band via `ALTER USER` to match ${DB_PASSWORD}.