chore: docker improvements

.gitignore

@@ -35,8 +35,11 @@ ui-debug.log
 /.vscode
 
 # env files
-server/.env
-deployment/.env
+server/**/.env
+deployment/**/.env
+
+# keys
+**/jwt.key
 
 # script output
 scripts/out

deployment/docker/.env.example

@@ -1,51 +1,63 @@
 # example environment variables
 # read more about all env vars at https://docs.scrumlr.io/self-hosting/env-vars/
 
-# Analytics (Plausible)
-ANALYTICS_DATA_DOMAIN=
-ANALYTICS_SRC=
-# Auth Providers
+## Scrumlr backend
+SCRUMLR_BACKEND_VERSION=3.10.2
+SCRUMLR_SERVER_PORT=8080
+SCRUMLR_BASE_PATH="/api"
+## Uses the hardcoded insecure key for development
+SCRUMLR_INSECURE=
+## JWT Private Key (ECDSA). Generate a new key for PRODUCTION
+SCRUMLR_PRIVATE_KEY=
+## NATS URL
+SCRUMLR_SERVER_NATS_URL="nats://nats:4222"
+## Redis if you use it instead of NATS
+REDIS_HOST=
+REDIS_USERNAME=
+REDIS_PASSWORD=
+## Webhook URL for feedback
+WEBHOOK_URL=
+## Auth Providers
 AUTH_CALLBACK_HOST=
-APPLE_CLIENT_ID=
-APPLE_CLIENT_SECRET=
-AZURE_AD_CLIENT_ID=
-AZURE_AD_CLIENT_SECRET=
-AZURE_AD_TENANT_ID=
-GITHUB_CLIENT_ID=
-GITHUB_CLIENT_SECRET=
 GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
 MICROSOFT_CLIENT_ID=
 MICROSOFT_CLIENT_SECRET=
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+AZURE_AD_TENANT_ID=
+AZURE_AD_CLIENT_ID=
+AZURE_AD_CLIENT_SECRET=
+APPLE_CLIENT_ID=
+APPLE_CLIENT_SECRET=
 OIDC_CLIENT_ID=
 OIDC_CLIENT_SECRET=
 OIDC_DISCOVERY_URL=http://oidc.localhost:5556/dex/.well-known/openid-configuration
 # Session Secret
 SESSION_SECRET=
-# Your Postgres Password
-POSTGRES_PASSWORD=
-# Redis if you use it instead of NATS
-REDIS_HOST=
-REDIS_PASSWORD=
-REDIS_USERNAME=
-# API Base Path
-SCRUMLR_BASE_PATH="/api"
-# Uses the hardcoded insecure key for development
-SCRUMLR_INSECURE=
-# Frontend Port
+SCRUMLR_ENABLE_EXPERIMENTAL_AUTH_FILE_SYSTEM_STORE=
+
+## Scrumlr frontend
+SCRUMLR_FRONTEND_VERSION=3.10.2
 SCRUMLR_LISTEN_PORT=8080
-# JWT Private Key (ECDSA). Generate a new key for PRODUCTION
-SCRUMLR_PRIVATE_KEY=
-# NATS URL
-SCRUMLR_SERVER_NATS_URL="nats://nats:4222"
-# Server Port
-SCRUMLR_SERVER_PORT=8080
-# Server URL
 SCRUMLR_SERVER_URL="/api"
-# Show Legal Documents (Cookie Policy, Privacy Policy, Terms of Service)
-SCRUMLR_SHOW_LEGAL_DOCUMENTS=true
-# Websocket URL (wss:// or ws://)
+## Websocket URL (wss:// or ws://)
 # SCRUMLR_WEBSOCKET_URL="ws://localhost:8080/api"
-# Webhook URL for feedback
-WEBHOOK_URL=
+## Show Legal Documents (Cookie Policy, Privacy Policy, Terms of Service)
+SCRUMLR_SHOW_LEGAL_DOCUMENTS=true
+## Analytics (Plausible)
+ANALYTICS_DATA_DOMAIN=
+ANALYTICS_SRC=
 SCRUMLR_CLARITY_ID=
+
+## Postgres
+POSTGRES_VERSION=17.2
+POSTGRES_USER=
+POSTGRES_PASSWORD=
+POSTGRES_DB=
+
+## Nats
+NATS_VERSION=2.10.24
+
+## Caddy
+CADDY_VERSION=2.9.1

deployment/docker/Caddyfile

@@ -1,14 +1,14 @@
-0.0.0.0:80 {
-    log {
-        output stdout
-    }
-    @api {
-        path /api*
-    }
-    reverse_proxy @api scrumlr-backend:8080
+:80 {
+	log {
+		output stdout
+	}
+	@api {
+		path /api*
+	}
+	reverse_proxy @api scrumlr-backend:{$SCRUMLR_SERVER_PORT}
 
-    @frontend {
-        path / /static* /locales* /login* /board* /new* /timer_finished.mp3 /hotkeys.pdf /legal/* /manifest.json /service-worker.js
-    }
-    reverse_proxy @frontend scrumlr-frontend:8080
+	@frontend {
+		path / /static* /locales* /login* /board* /new* /timer_finished.mp3 /hotkeys.pdf /legal/* /manifest.json /service-worker.js
+	}
+	reverse_proxy @frontend scrumlr-frontend:{$SCRUMLR_LISTEN_PORT}
 }

deployment/docker/docker-compose.yml

@@ -1,25 +1,29 @@
-version: "3.8"
-
+---
 services:
   scrumlr-backend:
     restart: always
-    image: ghcr.io/inovex/scrumlr.io/scrumlr-server:3.10.1
+    image: "ghcr.io/inovex/scrumlr.io/scrumlr-server:${SCRUMLR_BACKEND_VERSION:-3.10.2}"
+    container_name: scrumlr-backend
     command:
       - "/app/main"
       - "-disable-check-origin"
     environment:
-      SCRUMLR_SERVER_PORT: "${SCRUMLR_SERVER_PORT}"
-      SCRUMLR_SERVER_NATS_URL: "${SCRUMLR_SERVER_NATS_URL}"
+      SCRUMLR_SERVER_PORT: "${SCRUMLR_SERVER_PORT:-8080}"
+      SCRUMLR_BASE_PATH: "${SCRUMLR_BASE_PATH}"
+      SCRUMLR_INSECURE: "${SCRUMLR_INSECURE}"
       SCRUMLR_PRIVATE_KEY: "${SCRUMLR_PRIVATE_KEY}"
-      SCRUMLR_SERVER_DATABASE_URL: "postgres://scrumlr:${POSTGRES_PASSWORD}@postgres:5432/scrumlr?sslmode=disable"
+      SCRUMLR_SERVER_DATABASE_URL: "postgres://${POSTGRES_USER:-scrumlr}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB:-scrumlr}?sslmode=disable"
+      SCRUMLR_SERVER_NATS_URL: "${SCRUMLR_SERVER_NATS_URL}"
+      # Redis variables (if you decide to use Redis instead of NATS)
+      SCRUMLR_SERVER_REDIS_HOST: "${REDIS_HOST}"
+      SCRUMLR_SERVER_REDIS_USERNAME: "${REDIS_USERNAME}"
+      SCRUMLR_SERVER_REDIS_PASSWORD: "${REDIS_PASSWORD}"
+      SCRUMLR_FEEDBACK_WEBHOOK_URL: "${WEBHOOK_URL}"
+      SCRUMLR_AUTH_CALLBACK_HOST: "${AUTH_CALLBACK_HOST}"
       SCRUMLR_AUTH_GOOGLE_CLIENT_ID: "${GOOGLE_CLIENT_ID}"
       SCRUMLR_AUTH_GOOGLE_CLIENT_SECRET: "${GOOGLE_CLIENT_SECRET}"
       SCRUMLR_AUTH_MICROSOFT_CLIENT_ID: "${MICROSOFT_CLIENT_ID}"
       SCRUMLR_AUTH_MICROSOFT_CLIENT_SECRET: "${MICROSOFT_CLIENT_SECRET}"
-      SCRUMLR_FEEDBACK_WEBHOOK_URL: "${WEBHOOK_URL}"
-      SCRUMLR_BASE_PATH: "${SCRUMLR_BASE_PATH}"
-      SCRUMLR_INSECURE: "${SCRUMLR_INSECURE}"
-      SCRUMLR_AUTH_CALLBACK_HOST: "${AUTH_CALLBACK_HOST}"
       SCRUMLR_AUTH_GITHUB_CLIENT_ID: "${GITHUB_CLIENT_ID}"
       SCRUMLR_AUTH_GITHUB_CLIENT_SECRET: "${GITHUB_CLIENT_SECRET}"
       SCRUMLR_AUTH_AZURE_AD_TENANT_ID: "${AZURE_AD_TENANT_ID}"
@@ -31,54 +35,62 @@ services:
       SCRUMLR_AUTH_OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
       SCRUMLR_AUTH_OIDC_DISCOVERY_URL: "${OIDC_DISCOVERY_URL}"
       SESSION_SECRET: "${SESSION_SECRET}"
+      SCRUMLR_ENABLE_EXPERIMENTAL_AUTH_FILE_SYSTEM_STORE: "${SCRUMLR_ENABLE_EXPERIMENTAL_AUTH_FILE_SYSTEM_STORE}"
       # SCRUMLR_CONFIG_PATH: "${SCRUMRL_CONFIG_PATH}"
-      # Redis variables (if you decide to use Redis instead of NATS)
-      SCRUMLR_SERVER_REDIS_HOST: "${REDIS_HOST}"
-      SCRUMLR_SERVER_REDIS_USERNAME: "${REDIS_USERNAME}"
-      SCRUMLR_SERVER_REDIS_PASSWORD: "${REDIS_PASSWORD}"
-    ports:
-      - "8080:8080"
     depends_on:
-      - postgres
-      - nats
+      postgres:
+        condition: service_healthy
+      nats:
+        condition: service_started
+    healthcheck:
+      test: ["CMD-SHELL", "wget --no-verbose --tries=1 --spider http://localhost:${SCRUMLR_SERVER_PORT:-8080}/api/health || exit 1"]
+      start_period: 10s
+      interval: 10s
+      timeout: 5s
+      retries: 5
 
   scrumlr-frontend:
     restart: always
-    image: ghcr.io/inovex/scrumlr.io/scrumlr-frontend:3.10.1
+    image: "ghcr.io/inovex/scrumlr.io/scrumlr-frontend:${SCRUMLR_FRONTEND_VERSION:-3.10.2}"
+    container_name: scrumlr-frontend
     environment:
+      SCRUMLR_LISTEN_PORT: "${SCRUMLR_LISTEN_PORT:-8080}"
       SCRUMLR_SERVER_URL: "${SCRUMLR_SERVER_URL}"
       SCRUMLR_WEBSOCKET_URL: "${SCRUMLR_WEBSOCKET_URL}"
       SCRUMLR_SHOW_LEGAL_DOCUMENTS: "${SCRUMLR_SHOW_LEGAL_DOCUMENTS}"
-      # Add missing frontend environment variables here
-      SCRUMLR_LISTEN_PORT: "${SCRUMLR_LISTEN_PORT:-8080}"
       SCRUMLR_ANALYTICS_DATA_DOMAIN: "${ANALYTICS_DATA_DOMAIN}"
       SCRUMLR_ANALYTICS_SRC: "${ANALYTICS_SRC}"
       SCRUMLR_CLARITY_ID: "${SCRUMLR_CLARITY_ID}"
-    ports:
-      - "9090:8080"
+    depends_on:
+      scrumlr-backend:
+        condition: service_healthy
 
   postgres:
     restart: always
-    image: postgres:16.4
+    image: "postgres:${POSTGRES_VERSION:-17.2}"
+    container_name: postgres
     environment:
-      POSTGRES_DB: scrumlr
-      POSTGRES_USER: scrumlr
+      POSTGRES_DB: ${POSTGRES_DB:-scrumlr}
+      POSTGRES_USER: ${POSTGRES_USER:-scrumlr}
       POSTGRES_PASSWORD: "${POSTGRES_PASSWORD}"
     volumes:
       - postgres_data:/var/lib/postgresql/data
-    ports:
-      - "5432:5432"
+    healthcheck:
+      test: [ "CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-scrumlr} -d ${POSTGRES_DB:-scrumlr}" ]
+      start_period: 10s
+      interval: 10s
+      timeout: 5s
+      retries: 5
 
   nats:
     restart: always
-    image: nats:2.8.4
-    ports:
-      - "4222:4222"
-      - "8222:8222"
+    image: "nats:${NATS_VERSION:-2.10.24}"
+    container_name: nats
 
   # oidc.localhost:
   #   restart: always
   #   image: ghcr.io/dexidp/dex:v2.41.1-distroless
+  #   container_name: oidc.localhost
   #   volumes:
   #     - ./dex.yaml:/etc/dex/config.docker.yaml:ro
   #   ports:
@@ -87,8 +99,12 @@ services:
   #     - oidc
 
   caddy:
-    image: caddy
     restart: always
+    image: "caddy:${CADDY_VERSION:-2.9.1}"
+    container_name: caddy
+    environment:
+      SCRUMLR_SERVER_PORT: "${SCRUMLR_SERVER_PORT:-8080}"
+      SCRUMLR_LISTEN_PORT: "${SCRUMLR_LISTEN_PORT:-8080}"
     volumes:
       - ./Caddyfile:/etc/caddy/Caddyfile
     ports:

docs/src/content/docs/self-hosting/docker.md

@@ -31,6 +31,7 @@ Make sure to set the `POSTGRES_PASSWORD` variable in your `.env` file to a secur
 ```sh
 pwgen -s 64 1
 ```
+
 ### JWT Private Key
 We use an ECDSA private key to sign the JWT tokens.
 ***Make sure to keep this key secure as it can be used to decrypt the tokens and generate new ones, potentially compromising your users' accounts.***

docs/src/content/docs/self-hosting/ske.md

@@ -17,7 +17,7 @@ The following pre-requisites are required to deploy Scrumlr using SKE:
 git clone https://github.com/inovex/scrumlr.io.git
 ```
 ```sh
-cd scrumlr.io/deployment/ske
+cd scrumlr.io/deployment/SKE
 ```
 
 ### Deploy SKE and Postgres Flex using Terraform