Auto-patch compose.yml for Coolify compatibility

Author: actions-user

.env.example

@@ -1,27 +1,11 @@
 # Use the below flags to enable the Analytics or ActivityPub containers as well
 # COMPOSE_PROFILES=analytics,activitypub
 
-# Ghost domain
-# Custom public domain Ghost will run on
-DOMAIN=example.com
-
 # Ghost Admin domain
-# If you have Ghost Admin setup on a separate domain uncomment the line below and add the domain
-# You also need to uncomment the corresponding block in your Caddyfile
+# If Ghost Admin lives on its own domain, add it as a second FQDN on the
+# `ghost` service in the Coolify UI, or uncomment the line below for local runs.
 # ADMIN_DOMAIN=
 
-# Ghost ports
-# Ports where Ghost will listen for HTTP traffic.
-# Change these if the default ports are in use, or if Ghost is behind a reverse proxy.
-HTTP_PORT=80
-HTTPS_PORT=443
-
-# Database settings
-# All database settings must not be changed once the database is initialised
-DATABASE_ROOT_PASSWORD=reallysecurerootpassword
-# DATABASE_USER=optionalusername
-DATABASE_PASSWORD=ghostpassword
-
 # ActivityPub
 # If you'd prefer to self-host ActivityPub yourself uncomment the line below
 # ACTIVITYPUB_TARGET=activitypub:8080

.github/README.coolify.md

@@ -0,0 +1,79 @@
+# Ghost on Coolify
+
+Ghost 6 CMS packaged for one-shot deploys on [Coolify](https://coolify.io), with
+optional Tinybird analytics and ActivityPub federation. Forked from
+[`TryGhost/ghost-docker`](https://github.com/TryGhost/ghost-docker) and synced
+daily; the Coolify-specific patch lives in
+[`.github/scripts/patch.py`](.github/scripts/patch.py).
+
+## Deploy
+
+1. In Coolify: **New Resource → Public Repository**, point at this repo,
+   build pack **Docker Compose**, compose file `compose.yml`.
+2. On the `ghost` service, set the primary **Domain (FQDN)** to the URL
+   you want (e.g. `https://blog.example.com`). Coolify fills in
+   `SERVICE_URL_GHOST` automatically and wires Traefik to port 2368.
+3. Set SMTP env vars on the resource: `mail__options__host`,
+   `mail__options__port`, `mail__options__auth__user`,
+   `mail__options__auth__pass`, `mail__from`. Transactional email is
+   required by Ghost for staff invites and password resets.
+4. **Deploy**. MySQL credentials generate on first boot via
+   `SERVICE_USER_MYSQL` / `SERVICE_PASSWORD_MYSQL` / `SERVICE_PASSWORD_MYSQLROOT` —
+   you don't enter them manually.
+
+## Optional: separate admin domain
+
+Set `ADMIN_DOMAIN=admin.example.com` on the resource and add the same value
+as a second FQDN on the `ghost` service in Coolify. Upstream's
+`${ADMIN_DOMAIN:+https://${ADMIN_DOMAIN}}` expression means Ghost sees
+`admin__url` only when the variable is non-empty.
+
+## Optional: analytics (Tinybird)
+
+Enable the `analytics` profile on the resource
+(`COMPOSE_PROFILES=analytics`). Set a second FQDN on the `traffic-analytics`
+service (e.g. `analytics.example.com`) — Coolify fills
+`SERVICE_URL_ANALYTICS` and proxies port 3000. Populate
+`TINYBIRD_*` env vars per [`TINYBIRD.md`](TINYBIRD.md).
+
+## Optional: ActivityPub
+
+Enable the `activitypub` profile (`COMPOSE_PROFILES=analytics,activitypub`
+if combined). Set a third FQDN on the `activitypub` service.
+
+Fediverse discovery via `@user@your-primary-domain` additionally requires
+routing `/.well-known/webfinger` on the Ghost FQDN to the ActivityPub
+service. In Coolify, add this custom label to the `ghost` service:
+
+```
+traefik.http.routers.ghost-webfinger.rule=Host(`blog.example.com`) && PathPrefix(`/.well-known/webfinger`)
+traefik.http.routers.ghost-webfinger.service=activitypub-http
+traefik.http.services.activitypub-http.loadbalancer.server.port=8080
+```
+
+## Upgrades
+
+Ghost's version floats on `${GHOST_VERSION:-6-alpine}`. Pin explicitly by
+setting `GHOST_VERSION=6.2-alpine` on the resource if you need a specific
+release. Renovate tracks MySQL patch updates within 8.0.x and the
+analytics/ActivityPub image digests; Ghost itself is not pinned.
+
+## Running locally (without Coolify)
+
+Because the patched `compose.yml` targets Coolify's magic vars, local
+`docker compose up` needs those vars set in `.env`:
+
+```
+SERVICE_URL_GHOST=http://localhost:2368
+SERVICE_USER_MYSQL=ghost
+SERVICE_PASSWORD_MYSQL=localdev
+SERVICE_PASSWORD_MYSQLROOT=localrootdev
+SERVICE_URL_ANALYTICS=http://localhost:3000
+```
+
+For a bare-metal Ghost CLI → Docker migration, see
+[`scripts/migrate.sh`](scripts/migrate.sh) (not intended for Coolify hosts).
+
+## License
+
+MIT — see [LICENSE](LICENSE).

.github/renovate.json5

@@ -8,6 +8,19 @@
 		":separatePatchReleases",
 	],
 	suppressNotifications: ["prIgnoreNotification"],
+	customManagers: [
+		{
+			// Bump GHOST_VERSION in .env.example when the user pins an explicit tag.
+			// The line is commented by default; this only fires once uncommented.
+			customType: "regex",
+			fileMatch: ["^\\.env\\.example$"],
+			matchStrings: [
+				"^GHOST_VERSION=(?<currentValue>\\S+)\\s*$",
+			],
+			datasourceTemplate: "docker",
+			depNameTemplate: "ghost",
+		},
+	],
 	packageRules: [
 		{
 			description: "Group ActivityPub containers together",

.github/scripts/patch.py

@@ -0,0 +1,235 @@
+#!/usr/bin/env python3
+"""Coolify compatibility patch for TryGhost/ghost-docker upstream.
+
+Runs after `git reset --hard upstream/main` in the daily sync workflow and
+rewrites the upstream compose.yml to deploy cleanly on Coolify:
+
+  - Removes the Caddy reverse proxy (Coolify's Traefik handles ingress)
+  - Switches Ghost URL / MySQL credentials to Coolify SERVICE_* magic vars
+  - Declares SERVICE_URL_<NAME>_<PORT> so Traefik discovers the right port
+  - Adds a Ghost healthcheck for Coolify's UI indicator
+  - Deletes caddy/ and strips Caddy refs from .env.example
+  - Overwrites README.md with the Coolify-specific README.coolify.md
+
+All edits are idempotent: re-running on already-patched input is a no-op.
+Each substitution fails loudly when the anchor is missing, so upstream
+restructuring surfaces as a nonzero exit rather than silent breakage.
+"""
+
+from __future__ import annotations
+
+import pathlib
+import re
+import shutil
+import sys
+
+
+def fail(msg: str) -> None:
+    print(f"patch.py: {msg}", file=sys.stderr)
+    sys.exit(1)
+
+
+def swap(content: str, old: str, new: str, label: str) -> str:
+    """Single-occurrence replacement with idempotency and loud failure.
+    Checks `new` before `old` so that superset replacements (where `old`
+    is a substring of `new`) don't double-apply."""
+    if new in content:
+        return content
+    if old in content:
+        n = content.count(old)
+        if n != 1:
+            fail(f"{label}: expected 1 occurrence of old anchor, found {n}")
+        return content.replace(old, new, 1)
+    fail(f"{label}: neither old nor new anchor present — upstream changed?")
+
+
+def swap_all(content: str, old: str, new: str, label: str, expected: int) -> str:
+    """Multi-occurrence replacement with idempotency and loud failure."""
+    n_new = content.count(new)
+    if n_new == expected and old not in content:
+        return content
+    if old in content:
+        n = content.count(old)
+        if n != expected:
+            fail(f"{label}: expected {expected} occurrences of old anchor, found {n}")
+        return content.replace(old, new)
+    fail(f"{label}: found {n_new} of new anchor, expected {expected} — upstream changed?")
+
+
+def patch_compose() -> None:
+    path = pathlib.Path("compose.yml")
+    if not path.exists():
+        fail("compose.yml not found — run from repo root")
+    c = path.read_text()
+
+    # Caddy service block (Coolify's Traefik replaces it)
+    c = re.sub(r"^  caddy:.*?(?=^  [a-z])", "", c, flags=re.MULTILINE | re.DOTALL)
+    c = c.replace("  caddy_data:\n", "")
+    c = c.replace("  caddy_config:\n", "")
+    c = re.sub(r"^\s+- caddy\n", "", c, flags=re.MULTILINE)
+
+    # Ghost URL → Coolify magic
+    c = swap(
+        c,
+        "url: https://${DOMAIN:?DOMAIN environment variable is required}\n",
+        "url: $SERVICE_URL_GHOST\n",
+        "ghost.url",
+    )
+
+    # MySQL credentials → Coolify magic
+    c = swap(
+        c,
+        "MYSQL_ROOT_PASSWORD: ${DATABASE_ROOT_PASSWORD:?DATABASE_ROOT_PASSWORD environment variable is required}",
+        "MYSQL_ROOT_PASSWORD: $SERVICE_PASSWORD_MYSQLROOT",
+        "MYSQL_ROOT_PASSWORD",
+    )
+    c = swap_all(
+        c,
+        "MYSQL_USER: ${DATABASE_USER:-ghost}",
+        "MYSQL_USER: $SERVICE_USER_MYSQL",
+        "MYSQL_USER",
+        expected=2,
+    )
+    c = swap(
+        c,
+        "database__connection__user: ${DATABASE_USER:-ghost}",
+        "database__connection__user: $SERVICE_USER_MYSQL",
+        "database__connection__user",
+    )
+    c = swap_all(
+        c,
+        "MYSQL_PASSWORD: ${DATABASE_PASSWORD:?DATABASE_PASSWORD environment variable is required}",
+        "MYSQL_PASSWORD: $SERVICE_PASSWORD_MYSQL",
+        "MYSQL_PASSWORD",
+        expected=2,
+    )
+    c = swap(
+        c,
+        "database__connection__password: ${DATABASE_PASSWORD:?DATABASE_PASSWORD environment variable is required}",
+        "database__connection__password: $SERVICE_PASSWORD_MYSQL",
+        "database__connection__password",
+    )
+    c = swap(
+        c,
+        "MYSQL_DB: mysql://${DATABASE_USER:-ghost}:${DATABASE_PASSWORD:?DATABASE_PASSWORD environment variable is required}@tcp(db:3306)/activitypub",
+        "MYSQL_DB: mysql://$SERVICE_USER_MYSQL:$SERVICE_PASSWORD_MYSQL@tcp(db:3306)/activitypub",
+        "activitypub-migrate.MYSQL_DB",
+    )
+
+    # Tinybird tracker endpoint → analytics FQDN (optional profile)
+    c = swap(
+        c,
+        "tinybird__tracker__endpoint: https://${DOMAIN:?DOMAIN environment variable is required}/.ghost/analytics/api/v1/page_hit",
+        "tinybird__tracker__endpoint: $SERVICE_URL_ANALYTICS/api/v1/page_hit",
+        "tinybird__tracker__endpoint",
+    )
+
+    # ActivityPub image storage URL → Ghost origin (images must stay on primary domain)
+    c = swap(
+        c,
+        "LOCAL_STORAGE_HOSTING_URL: https://${DOMAIN}/content/images/activitypub",
+        "LOCAL_STORAGE_HOSTING_URL: $SERVICE_URL_GHOST/content/images/activitypub",
+        "activitypub.LOCAL_STORAGE_HOSTING_URL",
+    )
+
+    # Ghost healthcheck (inserted between env_file and environment)
+    ghost_env_anchor = (
+        "    # This is required to import current config when migrating\n"
+        "    env_file:\n"
+        "      - .env\n"
+        "    environment:\n"
+    )
+    ghost_with_hc = (
+        "    # This is required to import current config when migrating\n"
+        "    env_file:\n"
+        "      - .env\n"
+        "    healthcheck:\n"
+        '      test: ["CMD", "wget", "-qO-", "http://localhost:2368/ghost/api/admin/site/"]\n'
+        "      interval: 30s\n"
+        "      timeout: 5s\n"
+        "      retries: 5\n"
+        "      start_period: 60s\n"
+        "    environment:\n"
+    )
+    c = swap(c, ghost_env_anchor, ghost_with_hc, "ghost.healthcheck")
+
+    # SERVICE_URL_<NAME>_<PORT> declarations — Coolify uses these to wire Traefik
+    c = swap(
+        c,
+        "      url: $SERVICE_URL_GHOST\n",
+        '      url: $SERVICE_URL_GHOST\n      SERVICE_URL_GHOST_2368: ""\n',
+        "ghost.SERVICE_URL_GHOST_2368",
+    )
+    c = swap(
+        c,
+        "    environment:\n      NODE_ENV: production\n      PROXY_TARGET:",
+        '    environment:\n      NODE_ENV: production\n      SERVICE_URL_ANALYTICS_3000: ""\n      PROXY_TARGET:',
+        "traffic-analytics.SERVICE_URL_ANALYTICS_3000",
+    )
+    c = swap(
+        c,
+        "      NODE_ENV: production\n      MYSQL_HOST: db\n",
+        '      NODE_ENV: production\n      SERVICE_URL_ACTIVITYPUB_8080: ""\n      MYSQL_HOST: db\n',
+        "activitypub.SERVICE_URL_ACTIVITYPUB_8080",
+    )
+
+    path.write_text(c)
+
+
+def patch_env_example() -> None:
+    path = pathlib.Path(".env.example")
+    if not path.exists():
+        return
+    e = path.read_text()
+
+    # DOMAIN is supplied by Coolify's SERVICE_URL_GHOST — no need to set here
+    e = re.sub(
+        r"# Ghost domain\n# Custom public domain Ghost will run on\nDOMAIN=example\.com\n\n",
+        "",
+        e,
+    )
+    # Drop the Caddyfile reference in the ADMIN_DOMAIN comment
+    e = e.replace(
+        "# If you have Ghost Admin setup on a separate domain uncomment the line below and add the domain\n"
+        "# You also need to uncomment the corresponding block in your Caddyfile\n",
+        "# If Ghost Admin lives on its own domain, add it as a second FQDN on the\n"
+        "# `ghost` service in the Coolify UI, or uncomment the line below for local runs.\n",
+    )
+    # Coolify owns ingress ports
+    e = re.sub(
+        r"# Ghost ports\n# Ports where Ghost will listen for HTTP traffic\.\n"
+        r"# Change these if the default ports are in use, or if Ghost is behind a reverse proxy\.\n"
+        r"HTTP_PORT=80\nHTTPS_PORT=443\n\n",
+        "",
+        e,
+    )
+    # Coolify auto-generates DB credentials via SERVICE_USER_MYSQL / SERVICE_PASSWORD_MYSQL
+    e = re.sub(
+        r"# Database settings\n# All database settings must not be changed once the database is initialised\n"
+        r"DATABASE_ROOT_PASSWORD=reallysecurerootpassword\n"
+        r"# DATABASE_USER=optionalusername\n"
+        r"DATABASE_PASSWORD=ghostpassword\n\n",
+        "",
+        e,
+    )
+
+    path.write_text(e)
+
+
+def overwrite_readme() -> None:
+    src = pathlib.Path(".github/README.coolify.md")
+    if not src.exists():
+        fail(f"{src} missing — the sync workflow should back it up under .github/")
+    pathlib.Path("README.md").write_text(src.read_text())
+
+
+def main() -> None:
+    patch_compose()
+    shutil.rmtree("caddy", ignore_errors=True)
+    patch_env_example()
+    overwrite_readme()
+    print("Patched compose.yml successfully")
+
+
+if __name__ == "__main__":
+    main()