pplate/cannamanage
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
83b46c8cda7c089d8a9660769cd320bbeae5c480
cannamanage/docker-compose.truenas.yml
T
Patrick Plate 83b46c8cda
CI — Build, Lint & Security Scan / backend (push) Failing after 1m3s
Details
CI — Build, Lint & Security Scan / frontend (push) Failing after 1m23s
Details
CI — Build, Lint & Security Scan / image-scan (push) Has been skipped
Details
CI — Build, Lint & Security Scan / secrets-scan (push) Failing after 37s
Details
Deploy to TrueNAS / deploy (push) Successful in 37s
Details
harden(deploy): db internal-only + robust container-loopback frontend verify 
- db: drop host :5432 publish (ports !override []) — no LAN exposure, reached
  via compose net (db:5432) + docker exec for the ALTER USER reconcile. Matches
  inspectflow isolation. backend :8081 kept (LAN-only, used by healthcheck).
- deploy verify-frontend: probe container loopback via bundled node instead of
  host :3000 wget. Network-namespace-independent; fixes the transient
  false-failure when polling mid-recreate. <500 = healthy (307->/login).
2026-06-22 11:06:58 +02:00

55 lines
2.9 KiB
YAML
Raw Blame History

# TrueNAS homelab override — public hosting at https://cannamanage.plate-software.de
# Applied on top of docker-compose.yml for the homelab deployment on TrueNAS.local.
#
# Topology (same proven chain as Gitea + InspectFlow):
# browser ──HTTPS──> IONOS Apache (82.165.206.45, TLS via acme.sh)
# ──ProxyPass──> VPS frps (85.214.154.199:30010)
# ──frp tunnel──> TrueNAS frpc ──> frontend:3000 (this stack)
# frontend proxies /api/backend/* to backend:8080 via the server-side
# Route Handler (src/app/api/backend/[...path]/route.ts), so only the
# frontend port needs to be tunnelled — no separate API exposure.
#
# Usage (run by the Gitea act_runner on push to main):
# docker compose -f docker-compose.yml -f docker-compose.truenas.yml \
# -p cannamanage up -d --build --remove-orphans
services:
db:
# Internal-only: drop the host :5432 publish inherited from docker-compose.yml.
# Postgres must not be exposed to the LAN. The backend reaches it over the
# compose network (db:5432) and the deploy's ALTER USER reconcile uses
# `docker exec`, so no published host port is needed. (!override [] replaces
# the inherited ports list — compose otherwise concatenates lists.)
ports: !override []
# POSTGRES_PASSWORD only takes effect on FIRST volume init; the existing
# cannamanage_pgdata volume keeps its current role password. The live role
# password is rotated out-of-band via `ALTER USER` to match ${DB_PASSWORD}.
# This value is here so a fresh volume initialises with the prod password.
environment:
POSTGRES_PASSWORD: ${DB_PASSWORD:-cannamanage_dev}
backend:
# Host port 8080 is taken by odysseus-searxng-1; remap to 8081.
# !override replaces the inherited ports list (compose merges lists by concat otherwise).
# Internal container port stays 8080 so frontend's BACKEND_URL=http://backend:8080 is unaffected.
ports: !override
- "8081:8080"
environment:
# Real production password (must match the live DB role, see ALTER USER above).
SPRING_DATASOURCE_PASSWORD: ${DB_PASSWORD:-cannamanage_dev}
# Rotated production JWT signing key (base64 — JwtService base64-decodes it).
# Rotating this invalidates all previously issued access/refresh tokens.
CANNAMANAGE_SECURITY_JWT_SECRET: ${JWT_SECRET}
frontend:
environment:
# Public origin so NextAuth callbacks/cookies resolve to the HTTPS host.
NEXTAUTH_URL: https://cannamanage.plate-software.de
AUTH_URL: https://cannamanage.plate-software.de
# NextAuth v5 (Auth.js) reads AUTH_SECRET. Rotating it invalidates sessions.
AUTH_SECRET: ${AUTH_SECRET}
# Trust the X-Forwarded-* headers from the Apache/frp chain (we terminate
# TLS upstream and proxy plain HTTP into the container).
AUTH_TRUST_HOST: "true"
# Server-side proxy target for /api/backend/* (internal compose DNS).
BACKEND_URL: http://backend:8080
Reference in New Issue View Git Blame Copy Permalink