Enhance Docker and backend configurations for improved deployment

- Updated docker-compose.yml to include environment variable support for services, enhancing flexibility in configuration. - Refactored Dockerfile to utilize build arguments for VITE environment variables, allowing for better customization during builds. - Improved Nginx configuration to handle larger video uploads by increasing client_max_body_size to 5GB. - Enhanced backend Dockerfile to include wget for health checks and improved startup logging for database migrations. - Added validation for critical environment variables in the backend to ensure necessary configurations are present before application startup. - Updated content streaming logic to support direct HLS URL construction, improving streaming reliability and user experience. - Refactored various components and services to streamline access checks and improve error handling during content playback.
2026-02-13 12:35:03 +00:00
parent 7e9a35a963
commit 3ca43b62e4
23 changed files with 799 additions and 244 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,21 +1,38 @@
+# ═══════════════════════════════════════════════════════════════
+# IndeeHub — Production Stack for Portainer
+# ═══════════════════════════════════════════════════════════════
+#
+# All ${VARIABLES} are resolved by Portainer at deploy time.
+# Configure them in Portainer → Stacks → Environment variables
+# before deploying.
+#
+# See .env.portainer for the full list of required variables.
+#
+# For local development, use: docker compose -f docker-compose.dev.yml up
+# ═══════════════════════════════════════════════════════════════
+
 version: '3.8'

 services:
-  # ── Frontend (nginx serving built Vue app) ───────────────────
+  # ── Frontend (nginx serving built Vue app) ──────────────────
  app:
    build:
      context: .
      dockerfile: Dockerfile
+      args:
+        VITE_USE_MOCK_DATA: "false"
+        VITE_CONTENT_ORIGIN: ${FRONTEND_URL}
+        VITE_INDEEHUB_API_URL: /api
+        VITE_INDEEHUB_CDN_URL: /storage
+        VITE_NOSTR_RELAYS: ""
    restart: unless-stopped
    ports:
-      - "7777:7777"
+      - "${APP_PORT:-7777}:7777"
    depends_on:
      - relay
      - api
    networks:
      - indeedhub-network
-    labels:
-      - "com.centurylinklabs.watchtower.enable=true"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:7777/health"]
      interval: 30s
@@ -23,14 +40,106 @@ services:
      retries: 3
      start_period: 40s

-  # ── Backend API (NestJS) ─────────────────────────────────────
+  # ── Backend API (NestJS) ────────────────────────────────────
  api:
    build:
      context: ./backend
      dockerfile: Dockerfile
    restart: unless-stopped
-    env_file:
-      - ./backend/.env
+    environment:
+      # ── Core ─────────────────────────────────────────────
+      ENVIRONMENT: production
+      PORT: 4000
+      DOMAIN: ${DOMAIN}
+      FRONTEND_URL: ${FRONTEND_URL}
+
+      # ── Database ─────────────────────────────────────────
+      DATABASE_HOST: postgres
+      DATABASE_PORT: 5432
+      DATABASE_USER: ${POSTGRES_USER}
+      DATABASE_PASSWORD: ${POSTGRES_PASSWORD}
+      DATABASE_NAME: ${POSTGRES_DB}
+
+      # ── Redis / BullMQ ───────────────────────────────────
+      QUEUE_HOST: redis
+      QUEUE_PORT: 6379
+      QUEUE_PASSWORD: ${REDIS_PASSWORD:-}
+
+      # ── S3 / MinIO ──────────────────────────────────────
+      S3_ENDPOINT: ${S3_ENDPOINT:-http://minio:9000}
+      AWS_REGION: ${AWS_REGION:-us-east-1}
+      AWS_ACCESS_KEY: ${S3_ACCESS_KEY}
+      AWS_SECRET_KEY: ${S3_SECRET_KEY}
+      S3_PRIVATE_BUCKET_NAME: ${S3_PRIVATE_BUCKET:-indeedhub-private}
+      S3_PUBLIC_BUCKET_NAME: ${S3_PUBLIC_BUCKET:-indeedhub-public}
+      S3_PUBLIC_BUCKET_URL: ${S3_PUBLIC_BUCKET_URL}
+
+      # ── CloudFront (leave empty for MinIO/self-hosted) ──
+      CLOUDFRONT_PRIVATE_KEY: ${CLOUDFRONT_PRIVATE_KEY:-}
+      CLOUDFRONT_KEY_PAIR_ID: ${CLOUDFRONT_KEY_PAIR_ID:-}
+      CLOUDFRONT_DISTRIBUTION_URL: ${CLOUDFRONT_DISTRIBUTION_URL:-}
+
+      # ── BTCPay Server ───────────────────────────────────
+      BTCPAY_URL: ${BTCPAY_URL}
+      BTCPAY_API_KEY: ${BTCPAY_API_KEY}
+      BTCPAY_STORE_ID: ${BTCPAY_STORE_ID}
+      BTCPAY_WEBHOOK_SECRET: ${BTCPAY_WEBHOOK_SECRET}
+      BTCPAY_ROUTE_HINTS: ${BTCPAY_ROUTE_HINTS:-false}
+
+      # ── Nostr Auth / JWT ─────────────────────────────────
+      NOSTR_JWT_SECRET: ${NOSTR_JWT_SECRET}
+      NOSTR_JWT_EXPIRES_IN: ${NOSTR_JWT_EXPIRES_IN:-7d}
+
+      # ── AES-128 Content Encryption ──────────────────────
+      AES_MASTER_SECRET: ${AES_MASTER_SECRET}
+
+      # ── SMTP / Email ─────────────────────────────────────
+      SMTP_HOST: ${SMTP_HOST:-}
+      SMTP_PORT: ${SMTP_PORT:-587}
+      SMTP_USER: ${SMTP_USER:-}
+      SMTP_PASS: ${SMTP_PASS:-}
+      MAIL_FROM: ${MAIL_FROM:-noreply@indeedhub.local}
+
+      # ── SendGrid (optional -- alternative to SMTP) ──────
+      SENDGRID_API_KEY: ${SENDGRID_API_KEY:-}
+      SENDGRID_SENDER: ${SENDGRID_SENDER:-}
+
+      # ── Cognito (optional -- disabled with Nostr auth) ──
+      COGNITO_USER_POOL_ID: ${COGNITO_USER_POOL_ID:-}
+      COGNITO_CLIENT_ID: ${COGNITO_CLIENT_ID:-}
+
+      # ── Flash Subscription Secrets (optional) ───────────
+      FLASH_JWT_SECRET_ENTHUSIAST: ${FLASH_JWT_SECRET_ENTHUSIAST:-}
+      FLASH_JWT_SECRET_FILM_BUFF: ${FLASH_JWT_SECRET_FILM_BUFF:-}
+      FLASH_JWT_SECRET_CINEPHILE: ${FLASH_JWT_SECRET_CINEPHILE:-}
+      FLASH_JWT_SECRET_RSS_ADDON: ${FLASH_JWT_SECRET_RSS_ADDON:-}
+      FLASH_JWT_SECRET_VERIFICATION_ADDON: ${FLASH_JWT_SECRET_VERIFICATION_ADDON:-}
+
+      # ── Transcoding API (optional) ──────────────────────
+      TRANSCODING_API_KEY: ${TRANSCODING_API_KEY:-}
+      TRANSCODING_API_URL: ${TRANSCODING_API_URL:-}
+
+      # ── PostHog Analytics (optional) ────────────────────
+      POSTHOG_API_KEY: ${POSTHOG_API_KEY:-}
+
+      # ── Sentry Error Tracking (optional) ────────────────
+      SENTRY_ENVIRONMENT: ${SENTRY_ENVIRONMENT:-production}
+
+      # ── DRM (optional) ──────────────────────────────────
+      DRM_SECRET_NAME: ${DRM_SECRET_NAME:-}
+      PRIVATE_AUTH_CERTIFICATE_KEY_ID: ${PRIVATE_AUTH_CERTIFICATE_KEY_ID:-}
+
+      # ── Podping (optional) ──────────────────────────────
+      PODPING_URL: ${PODPING_URL:-}
+      PODPING_KEY: ${PODPING_KEY:-}
+      PODPING_USER_AGENT: ${PODPING_USER_AGENT:-}
+
+      # ── Admin API (optional) ────────────────────────────
+      ADMIN_API_KEY: ${ADMIN_API_KEY:-}
+
+      # ── Partner Content (optional) ──────────────────────
+      PARTNER_API_BASE_URL: ${PARTNER_API_BASE_URL:-}
+      PARTNER_API_KEY: ${PARTNER_API_KEY:-}
    depends_on:
      postgres:
        condition: service_healthy
@@ -47,50 +156,56 @@ services:
      retries: 5
      start_period: 60s

-  # ── PostgreSQL Database ──────────────────────────────────────
+  # ── PostgreSQL Database ─────────────────────────────────────
  postgres:
    image: postgres:16-alpine
    restart: unless-stopped
    environment:
-      POSTGRES_USER: indeedhub
-      POSTGRES_PASSWORD: indeedhub_dev_2026
-      POSTGRES_DB: indeedhub
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      POSTGRES_DB: ${POSTGRES_DB}
    volumes:
      - postgres-data:/var/lib/postgresql/data
    networks:
      - indeedhub-network
    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U indeedhub"]
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s

-  # ── Redis (BullMQ job queue) ─────────────────────────────────
+  # ── Redis (BullMQ job queue) ────────────────────────────────
  redis:
    image: redis:7-alpine
    restart: unless-stopped
+    command: >
+      sh -c "if [ -n '${REDIS_PASSWORD:-}' ]; then
+        redis-server --requirepass '${REDIS_PASSWORD}' --appendonly yes;
+      else
+        redis-server --appendonly yes;
+      fi"
    volumes:
      - redis-data:/data
    networks:
      - indeedhub-network

-  # ── MinIO (S3-compatible object storage) ─────────────────────
+  # ── MinIO (S3-compatible object storage) ────────────────────
  minio:
    image: minio/minio:latest
    restart: unless-stopped
    command: server /data --console-address ":9001"
    environment:
-      MINIO_ROOT_USER: minioadmin
-      MINIO_ROOT_PASSWORD: minioadmin123
+      MINIO_ROOT_USER: ${MINIO_ROOT_USER}
+      MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD}
    volumes:
      - minio-data:/data
    ports:
-      - "9001:9001"
+      - "${MINIO_CONSOLE_PORT:-9001}:9001"
    networks:
      - indeedhub-network

-  # ── MinIO bucket init (one-shot: creates required buckets) ───
+  # ── MinIO bucket init (one-shot: creates required buckets) ──
  minio-init:
    image: minio/mc:latest
    depends_on:
@@ -98,24 +213,41 @@ services:
    entrypoint: >
      /bin/sh -c "
      sleep 5;
-      mc alias set local http://minio:9000 minioadmin minioadmin123;
-      mc mb local/indeedhub-private --ignore-existing;
-      mc mb local/indeedhub-public --ignore-existing;
-      mc anonymous set download local/indeedhub-public;
+      mc alias set local http://minio:9000 ${MINIO_ROOT_USER} ${MINIO_ROOT_PASSWORD};
+      mc mb local/${S3_PRIVATE_BUCKET:-indeedhub-private} --ignore-existing;
+      mc mb local/${S3_PUBLIC_BUCKET:-indeedhub-public} --ignore-existing;
+      mc anonymous set download local/${S3_PUBLIC_BUCKET:-indeedhub-public};
      echo 'MinIO buckets initialized';
      "
    networks:
      - indeedhub-network
    restart: "no"

-  # ── FFmpeg Transcoding Worker ────────────────────────────────
+  # ── FFmpeg Transcoding Worker ───────────────────────────────
  ffmpeg-worker:
    build:
      context: ./backend
      dockerfile: Dockerfile.ffmpeg
    restart: unless-stopped
-    env_file:
-      - ./backend/.env
+    environment:
+      # Worker shares database + S3 + Redis config with the API
+      ENVIRONMENT: production
+      DATABASE_HOST: postgres
+      DATABASE_PORT: 5432
+      DATABASE_USER: ${POSTGRES_USER}
+      DATABASE_PASSWORD: ${POSTGRES_PASSWORD}
+      DATABASE_NAME: ${POSTGRES_DB}
+      QUEUE_HOST: redis
+      QUEUE_PORT: 6379
+      QUEUE_PASSWORD: ${REDIS_PASSWORD:-}
+      S3_ENDPOINT: ${S3_ENDPOINT:-http://minio:9000}
+      AWS_REGION: ${AWS_REGION:-us-east-1}
+      AWS_ACCESS_KEY: ${S3_ACCESS_KEY}
+      AWS_SECRET_KEY: ${S3_SECRET_KEY}
+      S3_PRIVATE_BUCKET_NAME: ${S3_PRIVATE_BUCKET:-indeedhub-private}
+      S3_PUBLIC_BUCKET_NAME: ${S3_PUBLIC_BUCKET:-indeedhub-public}
+      S3_PUBLIC_BUCKET_URL: ${S3_PUBLIC_BUCKET_URL}
+      AES_MASTER_SECRET: ${AES_MASTER_SECRET}
    depends_on:
      postgres:
        condition: service_healthy
@@ -126,16 +258,7 @@ services:
    networks:
      - indeedhub-network

-  # ── Mailpit (development email testing) ──────────────────────
-  mailpit:
-    image: axllent/mailpit:latest
-    restart: unless-stopped
-    ports:
-      - "8025:8025"
-    networks:
-      - indeedhub-network
-
-  # ── Nostr Relay (stores comments, reactions, profiles) ───────
+  # ── Nostr Relay ─────────────────────────────────────────────
  relay:
    image: scsibug/nostr-rs-relay:latest
    restart: unless-stopped
@@ -144,37 +267,6 @@ services:
    networks:
      - indeedhub-network

-  # ── Seeder (one-shot: seeds test data into relay, then exits)
-  seeder:
-    build:
-      context: .
-      dockerfile: Dockerfile.seed
-    depends_on:
-      - relay
-    environment:
-      - RELAY_URL=ws://relay:8080
-      - ORIGIN=http://localhost:7777
-    networks:
-      - indeedhub-network
-    restart: "no"
-
-  # ── DB Seeder (one-shot: seeds content into PostgreSQL) ──────
-  db-seeder:
-    build:
-      context: ./backend
-      dockerfile: Dockerfile
-    depends_on:
-      postgres:
-        condition: service_healthy
-      minio:
-        condition: service_started
-    env_file:
-      - ./backend/.env
-    command: ["node", "dist/scripts/seed-content.js"]
-    networks:
-      - indeedhub-network
-    restart: "no"
-
 networks:
  indeedhub-network:
    driver: bridge