- db: drop host :5432 publish (ports !override []) — no LAN exposure, reached
via compose net (db:5432) + docker exec for the ALTER USER reconcile. Matches
inspectflow isolation. backend :8081 kept (LAN-only, used by healthcheck).
- deploy verify-frontend: probe container loopback via bundled node instead of
host :3000 wget. Network-namespace-independent; fixes the transient
false-failure when polling mid-recreate. <500 = healthy (307->/login).
Auth fix (the real unblocker):
- Add server-side proxy Route Handler app/api/backend/[...path]/route.ts that
reads the NextAuth session via auth() and injects Authorization: Bearer on
every API call. Method-agnostic; streams raw request body (multipart uploads)
and upstream response body (binary PDF/CSV downloads). Replaces the static
next.config.mjs rewrite, which could not inject a header — the root cause of
every authenticated browser fetch hitting the backend unauthenticated.
- Expose session.accessToken in the auth.ts session() callback (+ type aug).
Uses auth() not getToken() so cookie handling is correct across the public
HTTPS (Apache) -> internal HTTP (container) proxy boundary.
- No service files changed; all 24 services already call /api/backend/*.
Verified live: NextAuth login -> GET /api/backend/members -> HTTP 200.
Public hosting (same proven chain as Gitea/InspectFlow):
- docker-compose.truenas.yml: NEXTAUTH_URL/AUTH_URL -> https public origin,
rotate AUTH_SECRET + JWT_SECRET + DB_PASSWORD off the committed dev defaults.
- deploy.yml: inject AUTH_SECRET/JWT_SECRET/DB_PASSWORD from Gitea secrets;
reconcile the live Postgres role password (volume keeps old pw on re-deploy).
- frpc on TrueNAS tunnels frontend :3000 -> VPS frps :30010; IONOS Apache
terminates TLS for cannamanage.plate-software.de and proxies through frp.
Testcontainers can't network properly on TrueNAS act-runner (host network vs bridge). Added postgres:16-alpine service container to CI workflow and made AbstractIntegrationTest conditionally skip Testcontainers when CI_POSTGRES_URL env var is present.
New CI workflow (.gitea/workflows/ci.yml) runs on every push to main:
- Backend: Maven compile + test + OWASP Dependency-Check (fails on CVSS>=7)
- Frontend: pnpm lint + type-check + pnpm audit (fails on High/Critical)
- Docker image scan: Trivy for both backend/frontend images (High/Critical)
- Secrets detection: Gitleaks full-repo scan
Deploy workflow remains independent (self-hosted runner limitation).
Both workflows run in parallel on push to main.
- Replace VPS SSH deploy workflow with a self-contained job that runs on the
TrueNAS act_runner (host docker socket mounted). Checks out the pushed commit,
builds, and rolls out the cannamanage compose stack in-place (project=cannamanage),
then health-checks backend :8081 + frontend :3000.
- Commit docker-compose.truenas.yml (port remap 8081 + AUTH_SECRET) into the repo;
it was previously host-only, so a fresh checkout could not reproduce the deploy.
Use the !override tag for the backend ports list.
Patrick Plate