homelab-app-template/docker-compose.truenas.yml

# TrueNAS homelab override — applied on top of docker-compose.yml for the
# homelab deployment on TrueNAS.local. Proven on InspectFlow + CannaManage.
#
# Replace placeholders before first push:
#   __PROJECT__         container prefix / compose project name
#   __FRONTEND_PORT__   unique LAN host port for the frontend (registry §2)
#   __BACKEND_PORT__    unique LAN host port for backend debug (or remove block)
#   __SUBDOMAIN__       public hostname (only matters once you go public)
#
# Topology (public phase — additive, see runbook §4):
#   browser ──HTTPS──> IONOS Apache (82.165.206.45, TLS via acme.sh/LE)
#          ──ProxyPass──> VPS frps (85.214.154.199:<frpRemotePort>)
#          ──frp tunnel──> TrueNAS frpc ──> frontend:__FRONTEND_PORT__ (this stack)
#   frontend proxies /api/backend/* to backend:8080 via the server-side Route
#   Handler (src/app/api/backend/[...path]/route.ts), so only the frontend port
#   needs to be tunnelled — no separate API exposure.
#
# Usage (run by the Gitea act_runner on push to main):
#   docker compose -f docker-compose.yml -f docker-compose.truenas.yml \
#     -p __PROJECT__ up -d --build --remove-orphans
services:
  db:
    # Internal-only: drop any host :5432 publish inherited from docker-compose.yml.
    # Postgres must NOT be exposed to the LAN. The backend reaches it over the
    # compose network (db:5432) and the deploy's ALTER USER reconcile uses
    # `docker exec`, so no published host port is needed. (!override [] replaces
    # the inherited ports list — compose otherwise concatenates lists.)
    ports: !override []
    # POSTGRES_PASSWORD only takes effect on FIRST volume init; an existing
    # volume keeps its current role password (the deploy reconciles it via
    # ALTER USER). This value seeds a fresh volume with the prod password.
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD:-__PROJECT___dev}

  backend:
    # Remap host port to a unique value (8080 is taken by other stacks on TrueNAS).
    # !override replaces the inherited ports list. Internal container port stays
    # 8080 so frontend's BACKEND_URL=http://backend:8080 is unaffected.
    # Remove this whole ports block if you don't need LAN debug access.
    ports: !override
      - "__BACKEND_PORT__:8080"
    environment:
      # Real production password (must match the live DB role; see ALTER USER).
      SPRING_DATASOURCE_PASSWORD: ${DB_PASSWORD:-__PROJECT___dev}
      # Rotated production JWT signing key (base64 — JwtService base64-decodes it).
      # Rotating this invalidates all previously issued access/refresh tokens.
      __PROJECT___SECURITY_JWT_SECRET: ${JWT_SECRET}

  frontend:
    ports: !override
      - "__FRONTEND_PORT__:3000"
    environment:
      # Public origin so NextAuth callbacks/cookies resolve to the HTTPS host.
      # For LOCAL-ONLY phase you can set these to http://192.168.188.119:__FRONTEND_PORT__
      NEXTAUTH_URL: https://__SUBDOMAIN__
      AUTH_URL: https://__SUBDOMAIN__
      # NextAuth v5 (Auth.js) reads AUTH_SECRET. Rotating it invalidates sessions.
      AUTH_SECRET: ${AUTH_SECRET}
      # Trust the X-Forwarded-* headers from the Apache/frp chain (TLS terminates
      # upstream; plain HTTP is proxied into the container).
      AUTH_TRUST_HOST: "true"
      # Server-side proxy target for /api/backend/* (internal compose DNS).
      BACKEND_URL: http://backend:8080