feat: update docker-compose for Proxmox/LXC environments with local persistence #70
Matheuscara wants to merge 1 commit into
Replaced commented-out environment variables with active settings for production deployment.
Pull request overview
This PR attempts to modify the production docker-compose configuration to support deployment in Proxmox/LXC environments with CasaOS. The changes aim to address CORS issues and enable proxy support for non-localhost access, but introduce several critical security and configuration issues.
Changes:
- Commented out original environment variable configuration and replaced with hardcoded values
- Set TRUST_PROXY=true unconditionally
- Added ALLOWED_ORIGIN environment variable with placeholder syntax
- Hardcoded placeholder secrets in Portuguese for JWT and CSRF
| - JWT_SECRET=sua_chave_secreta_aqui | ||
| - CSRF_SECRET=outra_chave_secreta_aqui |
Hardcoded secret 'outra_chave_secreta_aqui' (Portuguese for 'another_secret_key_here') should not be committed to the repository. This is a production compose file and should use environment variables for secrets. The original file correctly used CSRF_SECRET=${CSRF_SECRET} to allow secrets to be provided externally via .env file or environment variables.
| - JWT_SECRET=sua_chave_secreta_aqui | |
| - CSRF_SECRET=outra_chave_secreta_aqui | |
| - JWT_SECRET=${JWT_SECRET} | |
| - CSRF_SECRET=${CSRF_SECRET} |
| - NODE_ENV=production | ||
| - AUTH_MODE=local | ||
| - TRUST_PROXY=true | ||
| - ALLOWED_ORIGIN=http://{{ip_server}}:6767 |
The environment variable ALLOWED_ORIGIN is not used by the backend application. Based on the backend code (backend/src/config.ts and backend/src/index.ts), the correct variable name is FRONTEND_URL, not ALLOWED_ORIGIN. This variable will have no effect and CORS will not work as intended.
| - ALLOWED_ORIGIN=http://{{ip_server}}:6767 | |
| - FRONTEND_URL=http://{{ip_server}}:6767 |
| - NODE_ENV=production | ||
| - AUTH_MODE=local | ||
| - TRUST_PROXY=true | ||
| - ALLOWED_ORIGIN=http://{{ip_server}}:6767 |
The placeholder '{{ip_server}}' is not valid syntax for docker-compose environment variables. This will be treated as a literal string, not interpolated. Users would need to manually edit this value to their actual IP address. Consider using ${SERVER_IP} syntax or removing this hardcoded value entirely and letting users provide it via environment variables.
| - ALLOWED_ORIGIN=http://{{ip_server}}:6767 | |
| - ALLOWED_ORIGIN=${ALLOWED_ORIGIN:-http://localhost:6767} |
| - PORT=8000 | ||
| - NODE_ENV=production | ||
| - AUTH_MODE=local | ||
| - TRUST_PROXY=true |
Setting TRUST_PROXY=true unconditionally is potentially insecure for a production configuration file. The original docker-compose.prod.yml correctly set TRUST_PROXY=false by default with a comment explaining it should only be enabled when a trusted proxy sanitizes forwarded headers. The README documentation also recommends setting this to a specific hop count (like 1) only when using a reverse proxy. Enabling this without a proper reverse proxy setup could allow header spoofing attacks.
| - TRUST_PROXY=true | |
| - TRUST_PROXY=false |
| environment: | ||
| - DATABASE_URL=file:/app/prisma/dev.db | ||
| - PORT=8000 | ||
| - NODE_ENV=production | ||
| - AUTH_MODE=local | ||
| - TRUST_PROXY=true | ||
| - ALLOWED_ORIGIN=http://{{ip_server}}:6767 | ||
| - JWT_SECRET=sua_chave_secreta_aqui | ||
| - CSRF_SECRET=outra_chave_secreta_aqui |
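Review bot: the PR title and description promise volume mapping for local persistence, but the change visible in this hunk (and in the overview's change list) touches only the backend environment block; either include the volume changes in the diff or drop the persistence claim from the title so the commit matches what it ships.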
The environment variable NEXT_PUBLIC_BACKEND_URL mentioned in the PR description is not present in this docker-compose.prod.yml file and is not used anywhere in the codebase. The frontend uses BACKEND_URL (without the NEXT_PUBLIC_ prefix) for nginx proxy configuration, as shown in docker-compose.yml. If CORS issues were encountered, they should be resolved using the FRONTEND_URL variable on the backend, not a nonexistent frontend variable.
| #environment: | ||
| #- DATABASE_URL=file:/app/prisma/dev.db | ||
| #- PORT=8000 | ||
| #- NODE_ENV=production | ||
| #- AUTH_MODE=${AUTH_MODE:-local} | ||
| # Keep disabled by default; only enable when a trusted proxy sanitizes forwarded headers. | ||
| - TRUST_PROXY=false | ||
| #- TRUST_PROXY=false | ||
| # Optional for single-instance deployments: | ||
| # if unset, backend auto-generates and persists one in the volume. | ||
| # Recommended to set explicitly for portability and multi-instance setups. | ||
| - JWT_SECRET=${JWT_SECRET} | ||
| - CSRF_SECRET=${CSRF_SECRET} | ||
| #- JWT_SECRET=${JWT_SECRET} | ||
| #- CSRF_SECRET=${CSRF_SECRET} | ||
| # Optional OIDC settings (required for AUTH_MODE=hybrid or oidc_enforced) | ||
| # - OIDC_PROVIDER_NAME=Authentik | ||
| # - OIDC_ISSUER_URL=https://auth.example.com/application/o/excalidash/ | ||
| # - OIDC_CLIENT_ID=your-client-id | ||
| # - OIDC_CLIENT_SECRET=your-client-secret | ||
| # - OIDC_REDIRECT_URI=https://excalidash.example.com/api/auth/oidc/callback |
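Review bot: the retained comment "Keep disabled by default; only enable when a trusted proxy sanitizes forwarded headers." now sits above a commented-out `#- TRUST_PROXY=false` while the active block elsewhere in this file sets `TRUST_PROXY=true`, so the comment contradicts the effective configuration; either restore `TRUST_PROXY=${TRUST_PROXY:-false}` as the active line or update the comment to match, and delete the duplicated commented-out block rather than keeping two copies of the environment.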
The original environment variable configuration has been commented out and duplicated below. This creates maintainability issues as there are now two sets of configuration (one commented, one active). The recommended approach is to either use the original configuration with proper environment variable substitution (${VAR}) or remove the commented section entirely to avoid confusion.
| - DATABASE_URL=file:/app/prisma/dev.db | ||
| - PORT=8000 | ||
| - NODE_ENV=production | ||
| - AUTH_MODE=local |
AUTH_MODE is hardcoded to 'local' instead of using the flexible default pattern AUTH_MODE=${AUTH_MODE:-local} from the original configuration. This removes the ability to override the auth mode via environment variables without editing the docker-compose file, which goes against the principle of configuration management and makes the setup less flexible for different deployment scenarios.
| - AUTH_MODE=local | |
| - AUTH_MODE=${AUTH_MODE:-local} |
| - JWT_SECRET=sua_chave_secreta_aqui | ||
| - CSRF_SECRET=outra_chave_secreta_aqui |
Hardcoded secret 'sua_chave_secreta_aqui' (Portuguese for 'your_secret_key_here') should not be committed to the repository. This is a production compose file and should use environment variables for secrets. The original file correctly used JWT_SECRET=${JWT_SECRET} to allow secrets to be provided externally via .env file or environment variables.
| - JWT_SECRET=sua_chave_secreta_aqui | |
| - CSRF_SECRET=outra_chave_secreta_aqui | |
| - JWT_SECRET=${JWT_SECRET} | |
| - CSRF_SECRET=${CSRF_SECRET} |
Hi there!
I’m running this project on my Home Lab (Proxmox/LXC with CasaOS) and I successfully managed to get it working with a few adjustments to the docker-compose.yml.
The main changes I made were:
- Added ALLOWED_ORIGIN and NEXT_PUBLIC_BACKEND_URL environment variables to fix CORS issues when accessing via server IP instead of localhost.
- Set TRUST_PROXY=true to ensure the backend correctly handles requests coming through the server's network interface.
- Ensured volumes are mapped correctly for local data persistence on the host machine.
My setup:
- CPU: Intel i5 6th Gen
- RAM: 16GB DDR4
- OS: CasaOS running on a Proxmox LXC
This configuration is working perfectly now, and I hope it helps other users with similar local server setups!
Best regards,
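The review comments above flag four distinct problems in the submitted environment block (hardcoded secrets, `{{ip_server}}` mustache syntax that compose never interpolates, an unconditional `TRUST_PROXY=true`, and the wrong CORS variable name). This added example, not part of the PR or the project, is a small lint that parses a compose `- KEY=VALUE` list and reports each of those issues, run against the block from this diff and against a hypothetical corrected block; it assumes, per the review, that the backend reads `FRONTEND_URL` rather than `ALLOWED_ORIGIN`.

```python
import re
# Constructed sample: the environment block as shown in this PR's diff.
PR_ENV_BLOCK = """
- DATABASE_URL=file:/app/prisma/dev.db
- NODE_ENV=production
- AUTH_MODE=local
- TRUST_PROXY=true
- ALLOWED_ORIGIN=http://{{ip_server}}:6767
- JWT_SECRET=sua_chave_secreta_aqui
- CSRF_SECRET=outra_chave_secreta_aqui
"""
# Hypothetical corrected block (assumption, not the project's file) using the ${VAR:-default} substitution the review recommends.
FIXED_ENV_BLOCK = """
- DATABASE_URL=file:/app/prisma/dev.db
- NODE_ENV=production
- AUTH_MODE=${AUTH_MODE:-local}
- TRUST_PROXY=${TRUST_PROXY:-false}
- FRONTEND_URL=${FRONTEND_URL:-http://localhost:6767}
- JWT_SECRET=${JWT_SECRET}
- CSRF_SECRET=${CSRF_SECRET}
"""

SECRET_KEYS = {"JWT_SECRET", "CSRF_SECRET"}
# Compose interpolation is ${VAR} or ${VAR:-default}; any other value is a literal string.
SUBST = re.compile(r"^\$\{[A-Za-z_][A-Za-z0-9_]*(:-[^}]*)?\}$")

def parse_env_list(block):
    # Parse compose's '- KEY=VALUE' list form into a dict without needing a YAML parser.
    env = {}
    for line in block.splitlines():
        line = line.strip()
        if line.startswith("- ") and "=" in line:
            key, value = line[2:].split("=", 1)
            env[key.strip()] = value.strip()
    return env

def lint_env(env):
    # Return (key, problem) pairs for the issues raised in this review.
    findings = []
    for key, value in env.items():
        if key in SECRET_KEYS and not SUBST.match(value):
            findings.append((key, "hardcoded secret; use ${%s} and supply it via .env" % key))
        if "{{" in value:
            findings.append((key, "'{{...}}' is not compose interpolation; it stays a literal"))
        if key == "TRUST_PROXY" and value.lower() == "true":
            findings.append((key, "trusts forwarded headers unconditionally; keep false unless behind a proxy"))
        if key == "ALLOWED_ORIGIN":
            findings.append((key, "not read by the backend; the CORS variable is FRONTEND_URL"))
    return findings
```

Running `lint_env(parse_env_list(PR_ENV_BLOCK))` yields five findings (two for the ALLOWED_ORIGIN line), while the corrected block yields none.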