pplate/cannamanage
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a686957b0958f0384c95ef69768e5eca1f91dbd3
cannamanage/docker-compose.truenas.yml
T
Patrick Plate a686957b09
CI — Build, Lint & Security Scan / backend (push) Failing after 1m4s
Details
CI — Build, Lint & Security Scan / frontend (push) Failing after 1m24s
Details
CI — Build, Lint & Security Scan / image-scan (push) Has been skipped
Details
CI — Build, Lint & Security Scan / secrets-scan (push) Failing after 21s
Details
Deploy to TrueNAS / deploy (push) Failing after 4m0s
Details
feat(deploy): public hosting at cannamanage.plate-software.de + fix systemic auth-token bug 
Auth fix (the real unblocker):
- Add server-side proxy Route Handler app/api/backend/[...path]/route.ts that
  reads the NextAuth session via auth() and injects Authorization: Bearer on
  every API call. Method-agnostic; streams raw request body (multipart uploads)
  and upstream response body (binary PDF/CSV downloads). Replaces the static
  next.config.mjs rewrite, which could not inject a header — the root cause of
  every authenticated browser fetch hitting the backend unauthenticated.
- Expose session.accessToken in the auth.ts session() callback (+ type aug).
  Uses auth() not getToken() so cookie handling is correct across the public
  HTTPS (Apache) -> internal HTTP (container) proxy boundary.
- No service files changed; all 24 services already call /api/backend/*.
  Verified live: NextAuth login -> GET /api/backend/members -> HTTP 200.

Public hosting (same proven chain as Gitea/InspectFlow):
- docker-compose.truenas.yml: NEXTAUTH_URL/AUTH_URL -> https public origin,
  rotate AUTH_SECRET + JWT_SECRET + DB_PASSWORD off the committed dev defaults.
- deploy.yml: inject AUTH_SECRET/JWT_SECRET/DB_PASSWORD from Gitea secrets;
  reconcile the live Postgres role password (volume keeps old pw on re-deploy).
- frpc on TrueNAS tunnels frontend :3000 -> VPS frps :30010; IONOS Apache
  terminates TLS for cannamanage.plate-software.de and proxies through frp.
2026-06-22 10:46:15 +02:00

49 lines
2.5 KiB
YAML
Raw Blame History

# TrueNAS homelab override — public hosting at https://cannamanage.plate-software.de
# Applied on top of docker-compose.yml for the homelab deployment on TrueNAS.local.
#
# Topology (same proven chain as Gitea + InspectFlow):
# browser ──HTTPS──> IONOS Apache (82.165.206.45, TLS via acme.sh)
# ──ProxyPass──> VPS frps (85.214.154.199:30010)
# ──frp tunnel──> TrueNAS frpc ──> frontend:3000 (this stack)
# frontend proxies /api/backend/* to backend:8080 via the server-side
# Route Handler (src/app/api/backend/[...path]/route.ts), so only the
# frontend port needs to be tunnelled — no separate API exposure.
#
# Usage (run by the Gitea act_runner on push to main):
# docker compose -f docker-compose.yml -f docker-compose.truenas.yml \
# -p cannamanage up -d --build --remove-orphans
services:
db:
# POSTGRES_PASSWORD only takes effect on FIRST volume init; the existing
# cannamanage_pgdata volume keeps its current role password. The live role
# password is rotated out-of-band via `ALTER USER` to match ${DB_PASSWORD}.
# This value is here so a fresh volume initialises with the prod password.
environment:
POSTGRES_PASSWORD: ${DB_PASSWORD:-cannamanage_dev}
backend:
# Host port 8080 is taken by odysseus-searxng-1; remap to 8081.
# !override replaces the inherited ports list (compose merges lists by concat otherwise).
# Internal container port stays 8080 so frontend's BACKEND_URL=http://backend:8080 is unaffected.
ports: !override
- "8081:8080"
environment:
# Real production password (must match the live DB role, see ALTER USER above).
SPRING_DATASOURCE_PASSWORD: ${DB_PASSWORD:-cannamanage_dev}
# Rotated production JWT signing key (base64 — JwtService base64-decodes it).
# Rotating this invalidates all previously issued access/refresh tokens.
CANNAMANAGE_SECURITY_JWT_SECRET: ${JWT_SECRET}
frontend:
environment:
# Public origin so NextAuth callbacks/cookies resolve to the HTTPS host.
NEXTAUTH_URL: https://cannamanage.plate-software.de
AUTH_URL: https://cannamanage.plate-software.de
# NextAuth v5 (Auth.js) reads AUTH_SECRET. Rotating it invalidates sessions.
AUTH_SECRET: ${AUTH_SECRET}
# Trust the X-Forwarded-* headers from the Apache/frp chain (we terminate
# TLS upstream and proxy plain HTTP into the container).
AUTH_TRUST_HOST: "true"
# Server-side proxy target for /api/backend/* (internal compose DNS).
BACKEND_URL: http://backend:8080
Reference in New Issue View Git Blame Copy Permalink