feat(deploy): add Docker self-hosting and CI publish workflow

Add complete self-hosting support with Dockerfile, three compose files
(pre-built image, build-from-source, dev services), GitHub Actions
workflow for publishing to GHCR, Railway config, .env.example, release
module with auto-migrations, and self-hosting documentation page.

Author: puemos

.dockerignore

@@ -0,0 +1,35 @@
+# Build artifacts
+_build/
+deps/
+
+# Node
+node_modules/
+docs/node_modules/
+
+# Git
+.git
+.gitignore
+
+# Docker
+.dockerignore
+Dockerfile
+
+# Dev/test
+.env*
+!.env.example
+.postgres/
+.minio/
+
+# IDE
+.elixir_ls/
+.vscode/
+.idea/
+
+# Docs source (not needed in image)
+docs/
+
+# Misc
+*.md
+!CLAUDE.md
+screenshots/
+tmp/

.env.example

@@ -0,0 +1,86 @@
+# =============================================================================
+# Craftplan — Environment Configuration
+# =============================================================================
+# Copy this file to .env and fill in the required values.
+#
+#   cp .env.example .env
+#
+# Works with both docker-compose.yml (pre-built image) and standalone docker run.
+# Then generate the secrets below before starting the app.
+
+# -----------------------------------------------------------------------------
+# Required Secrets
+# -----------------------------------------------------------------------------
+
+# Phoenix secret key (min 64 bytes). Generate with:
+#   mix phx.gen.secret
+# Or without Elixir installed:
+#   docker run --rm hexpm/elixir:1.18.3-erlang-27.2.4-debian-bookworm-20260112-slim \
+#     sh -c "mix local.hex --force --if-missing >/dev/null 2>&1 && mix phx.gen.secret"
+SECRET_KEY_BASE=
+
+# Token signing secret for API authentication. Generate the same way:
+#   mix phx.gen.secret
+TOKEN_SIGNING_SECRET=
+
+# Cloak encryption key (32-byte AES key, base64-encoded). Generate with:
+#   elixir -e ":crypto.strong_rand_bytes(32) |> Base.encode64() |> IO.puts()"
+# Or without Elixir installed:
+#   docker run --rm hexpm/elixir:1.18.3-erlang-27.2.4-debian-bookworm-20260112-slim \
+#     elixir -e ":crypto.strong_rand_bytes(32) |> Base.encode64() |> IO.puts()"
+CLOAK_KEY=
+
+# PostgreSQL password for the bundled database container.
+POSTGRES_PASSWORD=
+
+# -----------------------------------------------------------------------------
+# Host & Networking
+# -----------------------------------------------------------------------------
+
+# The public hostname of your Craftplan instance (used for URLs, CORS, etc.)
+HOST=localhost
+
+# Port the web server listens on (default: 4000)
+PORT=4000
+
+# -----------------------------------------------------------------------------
+# File Storage (S3 / MinIO)
+# -----------------------------------------------------------------------------
+# The bundled MinIO service works out of the box with the defaults below.
+# To use an external S3 provider, set these values accordingly.
+
+# MINIO_ROOT_USER=minioadmin
+# MINIO_ROOT_PASSWORD=minioadmin
+# AWS_S3_BUCKET=craftplan
+
+# For external S3 (uncomment and set):
+# AWS_ACCESS_KEY_ID=
+# AWS_SECRET_ACCESS_KEY=
+# AWS_S3_SCHEME=https://
+# AWS_S3_HOST=s3.amazonaws.com
+# AWS_REGION=us-east-1
+# AWS_ASSET_HOST=https://your-bucket.s3.amazonaws.com
+
+# -----------------------------------------------------------------------------
+# Email (Optional)
+# -----------------------------------------------------------------------------
+# Email is primarily configured from the Settings UI inside the app.
+# These environment variables are a fallback for automated/headless setups.
+#
+# Supported providers: sendgrid, postmark, brevo, mailgun, amazon_ses
+#
+# EMAIL_PROVIDER=
+# EMAIL_API_KEY=
+#
+# Mailgun only:
+# EMAIL_API_DOMAIN=
+#
+# Amazon SES only:
+# EMAIL_API_SECRET=
+# EMAIL_API_REGION=us-east-1
+#
+# SMTP (alternative to API providers):
+# SMTP_HOST=
+# SMTP_PORT=587
+# SMTP_USERNAME=
+# SMTP_PASSWORD=

.github/workflows/docker-publish.yml

@@ -0,0 +1,54 @@
+name: Docker
+
+on:
+  push:
+    branches: [main]
+  release:
+    types: [published]
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-qemu-action@v3
+
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

Dockerfile

@@ -0,0 +1,63 @@
+# === Build stage ===
+ARG ELIXIR_VERSION=1.18.3
+ARG OTP_VERSION=27.2.4
+ARG DEBIAN_VERSION=bookworm-20260112-slim
+
+ARG BUILDER_IMAGE="hexpm/elixir:${ELIXIR_VERSION}-erlang-${OTP_VERSION}-debian-${DEBIAN_VERSION}"
+ARG RUNNER_IMAGE="debian:${DEBIAN_VERSION}"
+
+FROM ${BUILDER_IMAGE} AS builder
+
+RUN apt-get update -y && \
+    apt-get install -y build-essential git curl && \
+    apt-get clean && rm -f /var/lib/apt/lists/*_*
+
+WORKDIR /app
+
+RUN mix local.hex --force && mix local.rebar --force
+
+ENV MIX_ENV=prod
+
+COPY mix.exs mix.lock ./
+RUN mix deps.get --only $MIX_ENV
+RUN mkdir config
+
+COPY config/config.exs config/${MIX_ENV}.exs config/
+RUN mix deps.compile
+
+COPY priv priv
+COPY lib lib
+COPY assets assets
+
+RUN mix assets.setup
+RUN mix assets.deploy
+
+# Copy runtime config last so earlier layers are cached
+COPY config/runtime.exs config/
+
+COPY rel rel
+RUN mix release
+
+# === Runtime stage ===
+FROM ${RUNNER_IMAGE}
+
+RUN apt-get update -y && \
+    apt-get install -y libstdc++6 openssl libncurses5 locales ca-certificates && \
+    apt-get clean && rm -f /var/lib/apt/lists/*_*
+
+RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
+
+ENV LANG=en_US.UTF-8
+ENV LANGUAGE=en_US:en
+ENV LC_ALL=en_US.UTF-8
+
+WORKDIR /app
+
+RUN chown nobody /app
+ENV MIX_ENV=prod
+
+COPY --from=builder --chown=nobody:root /app/_build/${MIX_ENV}/rel/craftplan ./
+
+USER nobody
+
+CMD ["bin/server"]

README.md

@@ -89,13 +89,30 @@ Elixir · [Ash Framework](https://ash-hq.org/) · Phoenix LiveView · PostgreSQL
 > **Prerequisites:** Docker, Elixir ~> 1.15, Erlang/OTP 27
 
 ```bash
-docker-compose up -d    # Start PostgreSQL + MinIO
+docker compose -f docker-compose.dev.yml up -d   # Start PostgreSQL + MinIO + Mailpit
 mix setup               # Install deps, migrate, build assets, seed
 mix phx.server          # Start at localhost:4000
 ```
 
 See the [setup guide](https://puemos.github.io/craftplan/docs/getting-started/) for detailed instructions.
 
+## Self-Hosting with Docker
+
+Deploy Craftplan on your own server — no need to clone the repo:
+
+```bash
+curl -O https://raw.githubusercontent.com/puemos/craftplan/main/docker-compose.yml
+curl -O https://raw.githubusercontent.com/puemos/craftplan/main/.env.example
+cp .env.example .env   # Fill in the required secrets (see .env.example)
+docker compose up -d
+```
+
+This starts Craftplan, PostgreSQL, and MinIO with migrations running automatically.
+
+[![Deploy on Railway](https://railway.com/button.svg)](https://railway.com/template/craftplan)
+
+See the [self-hosting guide](https://puemos.github.io/craftplan/docs/self-hosting/) for single-container mode, Railway deployment, reverse proxy setup, and more.
+
 ## Why Craftplan?
 
 - **Purpose-built for artisanal manufacturing** — not a generic ERP adapted to fit; workflows are designed around small-batch, made-to-order production

config/runtime.exs

@@ -44,7 +44,7 @@ if config_env() == :prod do
       You can generate one by calling: mix phx.gen.secret
       """
 
-  host = System.get_env("PHX_HOST") || "example.com"
+  host = System.get_env("HOST") || System.get_env("PHX_HOST") || "example.com"
   port = String.to_integer(System.get_env("PORT") || "4000")
 
   config :craftplan, Craftplan.Repo,
@@ -86,7 +86,7 @@ if config_env() == :prod do
       secret_access_key: System.get_env("AWS_SECRET_ACCESS_KEY"),
       region: System.get_env("AWS_REGION") || "us-east-1",
       s3: [
-        scheme: "https://",
+        scheme: System.get_env("AWS_S3_SCHEME") || "https://",
         host: System.get_env("AWS_S3_HOST") || "s3.amazonaws.com",
         region: System.get_env("AWS_REGION") || "us-east-1"
       ]

docker-compose.dev.yml

@@ -0,0 +1,41 @@
+# Development services — PostgreSQL, MinIO, and Mailpit for local development.
+# Usage: docker compose -f docker-compose.dev.yml up -d
+
+services:
+  postgres:
+    container_name: craftplan-postgres
+    image: postgres:16
+    ports:
+      - 5432:5432
+    environment:
+      - POSTGRES_DB=craftplan_dev
+      - POSTGRES_USER=postgres
+      - POSTGRES_PASSWORD=postgres
+      - PGDATA=/var/lib/postgresql/data/pgdata
+    volumes:
+      - ./.postgres:/var/lib/postgresql/data
+  minio:
+    container_name: craftplan-minio
+    image: minio/minio:latest
+    entrypoint: sh
+    command: -c 'mkdir -p /data/craftplan && /usr/bin/minio server /data --console-address ":9001"'
+    hostname: minio
+    ports:
+      - 9000:9000
+      - 9001:9001
+    environment:
+      MINIO_ROOT_USER: minioadmin
+      MINIO_ROOT_PASSWORD: minioadmin
+      MINIO_ACCESS_KEY: "minio"
+      MINIO_SECRET_KEY: "minio123"
+    volumes:
+      - .minio:/data
+    deploy:
+      restart_policy:
+        condition: on-failure
+  mailpit:
+    container_name: craftplan-mailpit
+    image: axllent/mailpit
+    ports:
+      - 1025:1025
+      - 8025:8025