feat: auto-create bucket on startup, production compose, setup script (Step 3)

storageInit.ts
- ensureBucketExists(): HeadBucket → CreateBucket if missing
- Uses same env vars as storageProvider.ts (no new config)
- forcePathStyle=true for MinIO compatibility
- Fails gracefully — startup succeeds even if bucket creation fails
  (deploys will fail with a clear error rather than crashing the node)
- Skips if storage not configured (development without S3)
- Called in index.ts after loadBlocklist(), before bootstrapSeed

docker-compose.production.yml
- Overlay file: docker compose -f docker-compose.yml -f docker-compose.production.yml up -d
- restart: always on all services
- Memory limits: app=1g, proxy=256m, db=512m, redis=128m, minio=512m
- PostgreSQL tuned: shared_buffers, wal_buffers, work_mem, checkpoint settings
- Redis: AOF persistence (appendonly yes), maxmemory 100mb, allkeys-lru eviction
- JSON log driver with rotation on all services

setup.sh — interactive node setup script
- Checks prerequisites: docker, docker compose v2, openssl
- 6 questions: domain, node name/region, operator info, OIDC provider, storage capacity
- OIDC-specific guidance per provider (Authentik/Keycloak/Auth0/other)
- Generates secrets: COOKIE_SECRET, POSTGRES_PASSWORD, MINIO_PASSWORD (openssl rand)
- Writes complete .env with all required variables
- Skips config if .env already exists (safe to re-run)
- docker compose pull + up -d
- Waits for DB readiness (pg_isready loop)
- Runs migrations
- Health check + summary with next steps

Author: The No Hands Company

artifacts/api-server/src/index.ts

@@ -36,6 +36,7 @@ import { startRetentionJob, stopRetentionJob } from "./lib/retentionCleanup";
 import { startEmailQueue, stopEmailQueue } from "./lib/email";
 import { startOrphanCleanup, stopOrphanCleanup } from "./lib/orphanCleanup";
 import { runBootstrapSeed } from "./lib/bootstrapSeed";
+import { ensureBucketExists } from "./lib/storageInit";
 import { db, sessionsTable } from "@workspace/db";
 import { lt } from "drizzle-orm";
 import { seedBundledSites } from "./lib/seedBundledSites";
@@ -132,6 +133,9 @@ ensureLocalNode()
     startHealthMonitor();
     await loadBlocklist();
     startAnalyticsFlusher();
+
+    // Ensure S3 bucket exists (creates it if missing — makes docker compose up work without manual MinIO setup)
+    await ensureBucketExists();
     startGossipPusher();
     startSyncRetryQueue();
     startAcmeRenewalScheduler();

artifacts/api-server/src/lib/storageInit.ts

@@ -0,0 +1,72 @@
+/**
+ * Storage initialisation — ensures the configured bucket exists.
+ *
+ * Called once at startup. Creates the bucket if it doesn't exist yet,
+ * which means `docker compose up` just works without manual MinIO setup.
+ *
+ * Safe to call on every start — no-op if bucket already exists.
+ * Fails gracefully if the storage provider doesn't support bucket creation
+ * (e.g. AWS S3 where buckets are created via IAM/console).
+ */
+
+import logger from "./logger.js";
+
+const ENDPOINT   = process.env.OBJECT_STORAGE_ENDPOINT ?? "";
+const ACCESS_KEY = process.env.OBJECT_STORAGE_ACCESS_KEY ?? "";
+const SECRET_KEY = process.env.OBJECT_STORAGE_SECRET_KEY ?? "";
+const BUCKET     = process.env.DEFAULT_OBJECT_STORAGE_BUCKET_ID
+                ?? process.env.OBJECT_STORAGE_BUCKET
+                ?? "nexus-sites";
+const REGION     = process.env.OBJECT_STORAGE_REGION ?? "us-east-1";
+
+export async function ensureBucketExists(): Promise<void> {
+  if (!ENDPOINT || !ACCESS_KEY || !SECRET_KEY) {
+    logger.debug("[storage-init] Skipping bucket check — storage not fully configured");
+    return;
+  }
+
+  try {
+    const { S3Client, HeadBucketCommand, CreateBucketCommand } = await import("@aws-sdk/client-s3");
+
+    const client = new S3Client({
+      endpoint:         ENDPOINT,
+      region:           REGION,
+      credentials:      { accessKeyId: ACCESS_KEY, secretAccessKey: SECRET_KEY },
+      forcePathStyle:   true, // required for MinIO
+    });
+
+    // Check if bucket exists
+    try {
+      await client.send(new HeadBucketCommand({ Bucket: BUCKET }));
+      logger.info({ bucket: BUCKET }, "[storage-init] Bucket exists ✓");
+      return;
+    } catch (err: any) {
+      // 404 / NoSuchBucket = doesn't exist, create it
+      // 403 / AccessDenied = exists but no access (don't try to create)
+      if (err?.name === "AccessDenied" || err?.$metadata?.httpStatusCode === 403) {
+        logger.warn({ bucket: BUCKET }, "[storage-init] Bucket exists but access denied — check credentials");
+        return;
+      }
+    }
+
+    // Create the bucket
+    await client.send(new CreateBucketCommand({ Bucket: BUCKET }));
+    logger.info({ bucket: BUCKET }, "[storage-init] Bucket created ✓");
+
+    // Set bucket to private (block public access) — objects served via presigned URLs
+    try {
+      const { PutBucketPolicyCommand } = await import("@aws-sdk/client-s3");
+      // Leave as default private — no public policy needed
+      logger.debug({ bucket: BUCKET }, "[storage-init] Bucket policy: private (default)");
+    } catch { /* optional — skip if S3 API subset doesn't support it */ }
+
+  } catch (err: any) {
+    // Non-fatal — if bucket creation fails, deploys will fail with a clear error
+    // rather than crashing the server on startup
+    logger.warn(
+      { bucket: BUCKET, endpoint: ENDPOINT, err: err.message },
+      "[storage-init] Could not verify/create bucket — storage may not be ready yet. " +
+      "Deploys will fail until the bucket exists."
+    );
+  }
+}

docker-compose.production.yml

@@ -0,0 +1,106 @@
+# docker-compose.production.yml
+#
+# Production hardening overlay for Nexus Hosting.
+# Use with:
+#   docker compose -f docker-compose.yml -f docker-compose.production.yml up -d
+#
+# Or add to your .env:
+#   COMPOSE_FILE=docker-compose.yml:docker-compose.production.yml
+
+version: "3.9"
+
+services:
+  app:
+    restart: always
+    deploy:
+      resources:
+        limits:
+          memory: 1g
+          cpus: "1.0"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "50m"
+        max-file: "5"
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://localhost:8080/api/health/ready || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+    environment:
+      NODE_ENV: production
+
+  proxy:
+    restart: always
+    deploy:
+      resources:
+        limits:
+          memory: 256m
+          cpus: "0.5"
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "20m"
+        max-file: "3"
+
+  db:
+    restart: always
+    deploy:
+      resources:
+        limits:
+          memory: 512m
+    # Tune PostgreSQL for production
+    command: >
+      postgres
+        -c max_connections=100
+        -c shared_buffers=128MB
+        -c effective_cache_size=384MB
+        -c maintenance_work_mem=64MB
+        -c checkpoint_completion_target=0.9
+        -c wal_buffers=16MB
+        -c default_statistics_target=100
+        -c random_page_cost=1.1
+        -c effective_io_concurrency=200
+        -c work_mem=2621kB
+        -c min_wal_size=1GB
+        -c max_wal_size=4GB
+        -c log_min_duration_statement=200
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "20m"
+        max-file: "3"
+
+  redis:
+    restart: always
+    deploy:
+      resources:
+        limits:
+          memory: 128m
+    # Enable persistence so rate limit / session data survives restarts
+    command: >
+      redis-server
+        --appendonly yes
+        --appendfsync everysec
+        --maxmemory 100mb
+        --maxmemory-policy allkeys-lru
+        --save 900 1
+        --save 300 10
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "10m"
+        max-file: "2"
+
+  minio:
+    restart: always
+    deploy:
+      resources:
+        limits:
+          memory: 512m
+    logging:
+      driver: "json-file"
+      options:
+        max-size: "20m"
+        max-file: "3"