Initial scaffold: push-to-deploy + auth-proxy + public-switch template

docker-compose.truenas.yml

@@ -0,0 +1,63 @@
+# TrueNAS homelab override — applied on top of docker-compose.yml for the
+# homelab deployment on TrueNAS.local. Proven on InspectFlow + CannaManage.
+#
+# Replace placeholders before first push:
+#   __PROJECT__         container prefix / compose project name
+#   __FRONTEND_PORT__   unique LAN host port for the frontend (registry §2)
+#   __BACKEND_PORT__    unique LAN host port for backend debug (or remove block)
+#   __SUBDOMAIN__       public hostname (only matters once you go public)
+#
+# Topology (public phase — additive, see runbook §4):
+#   browser ──HTTPS──> IONOS Apache (82.165.206.45, TLS via acme.sh/LE)
+#          ──ProxyPass──> VPS frps (85.214.154.199:<frpRemotePort>)
+#          ──frp tunnel──> TrueNAS frpc ──> frontend:__FRONTEND_PORT__ (this stack)
+#   frontend proxies /api/backend/* to backend:8080 via the server-side Route
+#   Handler (src/app/api/backend/[...path]/route.ts), so only the frontend port
+#   needs to be tunnelled — no separate API exposure.
+#
+# Usage (run by the Gitea act_runner on push to main):
+#   docker compose -f docker-compose.yml -f docker-compose.truenas.yml \
+#     -p __PROJECT__ up -d --build --remove-orphans
+services:
+  db:
+    # Internal-only: drop any host :5432 publish inherited from docker-compose.yml.
+    # Postgres must NOT be exposed to the LAN. The backend reaches it over the
+    # compose network (db:5432) and the deploy's ALTER USER reconcile uses
+    # `docker exec`, so no published host port is needed. (!override [] replaces
+    # the inherited ports list — compose otherwise concatenates lists.)
+    ports: !override []
+    # POSTGRES_PASSWORD only takes effect on FIRST volume init; an existing
+    # volume keeps its current role password (the deploy reconciles it via
+    # ALTER USER). This value seeds a fresh volume with the prod password.
+    environment:
+      POSTGRES_PASSWORD: ${DB_PASSWORD:-__PROJECT___dev}
+
+  backend:
+    # Remap host port to a unique value (8080 is taken by other stacks on TrueNAS).
+    # !override replaces the inherited ports list. Internal container port stays
+    # 8080 so frontend's BACKEND_URL=http://backend:8080 is unaffected.
+    # Remove this whole ports block if you don't need LAN debug access.
+    ports: !override
+      - "__BACKEND_PORT__:8080"
+    environment:
+      # Real production password (must match the live DB role; see ALTER USER).
+      SPRING_DATASOURCE_PASSWORD: ${DB_PASSWORD:-__PROJECT___dev}
+      # Rotated production JWT signing key (base64 — JwtService base64-decodes it).
+      # Rotating this invalidates all previously issued access/refresh tokens.
+      __PROJECT___SECURITY_JWT_SECRET: ${JWT_SECRET}
+
+  frontend:
+    ports: !override
+      - "__FRONTEND_PORT__:3000"
+    environment:
+      # Public origin so NextAuth callbacks/cookies resolve to the HTTPS host.
+      # For LOCAL-ONLY phase you can set these to http://192.168.188.119:__FRONTEND_PORT__
+      NEXTAUTH_URL: https://__SUBDOMAIN__
+      AUTH_URL: https://__SUBDOMAIN__
+      # NextAuth v5 (Auth.js) reads AUTH_SECRET. Rotating it invalidates sessions.
+      AUTH_SECRET: ${AUTH_SECRET}
+      # Trust the X-Forwarded-* headers from the Apache/frp chain (TLS terminates
+      # upstream; plain HTTP is proxied into the container).
+      AUTH_TRUST_HOST: "true"
+      # Server-side proxy target for /api/backend/* (internal compose DNS).
+      BACKEND_URL: http://backend:8080