marco/buildmymcpserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
buildmymcpserver/docker-compose.prod.yml

176 lines
6.2 KiB
YAML
Raw Permalink Normal View History

fix(deploy): rework prod artifacts to match the actual Hetzner box Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 17:48:57 +02:00
# Production stack for buildmymcpserver.com — Linux host only.
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
#
# Run with:
# docker compose --env-file .env.production -f docker-compose.prod.yml up -d --build
#
fix(deploy): rework prod artifacts to match the actual Hetzner box Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 17:48:57 +02:00
# Topology — matches the house pattern on the shared Hetzner box:
# - Bridge networking + per-app network, like every other app on the box.
# - api / web / postgres / redis publish to 127.0.0.1 only. The host nginx
# reverse-proxies the public domains to these loopback ports. Nothing here
# binds 0.0.0.0:80/443 — the box's existing nginx owns those.
# - generator uses host networking: it has no listening port of its own (no
# collision risk) and it must allocate + probe host ports for the MCP
# containers it spawns, which is only correct in the host namespace.
# - api + generator mount the Docker socket: the API removes generated
# containers, the generator builds + runs them as host siblings.
#
# Ports are picked to not collide with the other apps already on this box.
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
fix(deploy): rework prod artifacts to match the actual Hetzner box Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 17:48:57 +02:00
name: buildmymcpserver
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
services:
postgres:
image: postgres:16-alpine
fix(deploy): rework prod artifacts to match the actual Hetzner box Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 17:48:57 +02:00
container_name: bmm-postgres
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
restart: unless-stopped
environment:
POSTGRES_USER: ${POSTGRES_USER:-bmm}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env.production}
POSTGRES_DB: ${POSTGRES_DB:-bmm}
ports:
- "127.0.0.1:${POSTGRES_PORT:-5440}:5432"
volumes:
- bmm_pg:/var/lib/postgresql/data
fix(deploy): rework prod artifacts to match the actual Hetzner box Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 17:48:57 +02:00
networks: [bmm-network]
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-bmm} -d ${POSTGRES_DB:-bmm}"]
interval: 5s
timeout: 5s
retries: 20
redis:
image: redis:7-alpine
fix(deploy): rework prod artifacts to match the actual Hetzner box Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 17:48:57 +02:00
container_name: bmm-redis
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
restart: unless-stopped
command: ["redis-server", "--appendonly", "yes"]
ports:
- "127.0.0.1:${REDIS_PORT:-6390}:6379"
volumes:
- bmm_redis:/data
fix(deploy): rework prod artifacts to match the actual Hetzner box Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 17:48:57 +02:00
networks: [bmm-network]
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 5s
timeout: 5s
retries: 20
@ feat(billing): in-app embedded Stripe checkout + webhook hardening Checkout previously used hosted ui_mode → window.location to checkout.stripe.com, which pops out of the installed PWA into the system browser. Switch to embedded: - API: ui_mode embedded_page (stripe-node v22 / API 2025-10 renamed the enum), return_url instead of success/cancel_url, returns client_secret. - web: @stripe/react-stripe-js EmbeddedCheckout mounted in an in-app modal; NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY baked at build (Dockerfile arg + compose arg). - .env.production.example: full Stripe section (was missing) + admin-email placeholder (INF-001). Also bundled (same files): BILL-002 invoice.paid resets quota only on subscription_cycle; BILL-003 webhook dedup rolled back on handler failure; BILL-001 change-plan writes plan locally; BILL-004 webhook cross-checks sub.customer before trusting metadata.orgId; INF-003 API routed off the raw docker.sock through a locked-down tecnativa/docker-socket-proxy (CONTAINERS+POST). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> @
2026-05-29 20:56:40 +02:00
# Restricted Docker API gateway for the control plane. The API only needs to
# stop/remove generated containers (`docker rm -f`), so it talks to this proxy
# — which exposes ONLY the containers endpoints + write methods — instead of
# mounting the raw root-equivalent /var/run/docker.sock. A compromised API can
# no longer build images, create privileged containers, exec, or mount host
# paths. (INF-003) NOTE: the generator still mounts the raw socket because it
# legitimately builds+runs containers (an inherently privileged operation);
# that residual is tracked in the audit backlog (rootless buildkit / build VM).
docker-socket-proxy:
image: tecnativa/docker-socket-proxy:0.2.0
container_name: bmm-docker-proxy
restart: unless-stopped
environment:
CONTAINERS: 1
POST: 1
# everything else stays at the image default (0 = blocked)
IMAGES: 0
BUILD: 0
NETWORKS: 0
VOLUMES: 0
EXEC: 0
INFO: 0
AUTH: 0
SECRETS: 0
SWARM: 0
SYSTEM: 0
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
networks: [bmm-network]
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
api:
build:
context: .
dockerfile: apps/api/Dockerfile
fix(deploy): rework prod artifacts to match the actual Hetzner box Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 17:48:57 +02:00
container_name: bmm-api
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
restart: unless-stopped
env_file: .env.production
@ feat(billing): in-app embedded Stripe checkout + webhook hardening Checkout previously used hosted ui_mode → window.location to checkout.stripe.com, which pops out of the installed PWA into the system browser. Switch to embedded: - API: ui_mode embedded_page (stripe-node v22 / API 2025-10 renamed the enum), return_url instead of success/cancel_url, returns client_secret. - web: @stripe/react-stripe-js EmbeddedCheckout mounted in an in-app modal; NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY baked at build (Dockerfile arg + compose arg). - .env.production.example: full Stripe section (was missing) + admin-email placeholder (INF-001). Also bundled (same files): BILL-002 invoice.paid resets quota only on subscription_cycle; BILL-003 webhook dedup rolled back on handler failure; BILL-001 change-plan writes plan locally; BILL-004 webhook cross-checks sub.customer before trusting metadata.orgId; INF-003 API routed off the raw docker.sock through a locked-down tecnativa/docker-socket-proxy (CONTAINERS+POST). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> @
2026-05-29 20:56:40 +02:00
environment:
# Route docker CLI calls through the restricted proxy instead of a raw
# socket mount. (INF-003)
DOCKER_HOST: tcp://docker-socket-proxy:2375
fix(deploy): rework prod artifacts to match the actual Hetzner box Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 17:48:57 +02:00
ports:
- "127.0.0.1:${API_PORT:-4000}:4000"
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
volumes:
- bmm_keys:/app/apps/api/keys
fix(runner): correct PUBLIC_URL + mount runner-map volume Two overlapping bugs were killing OAuth discovery for every external MCP client (Claude Desktop, Cursor, etc.): 1. worker.ts injected PUBLIC_URL=http://<RUNNER_HOST>:<port> into the runner container even when MCP_DOMAIN was set. Result: the runner's /.well-known/oauth-protected-resource advertised an unreachable URL and the WWW-Authenticate header pointed at a non-HTTPS loopback address. Claude Desktop refused to follow the discovery chain. Now derives PUBLIC_URL from the same computePublicUrl() helper that builds the user-visible URL stored in mcp_servers.public_url, so the container's self-reported resource matches its actual route. 2. docker-compose.prod.yml never mounted /opt/buildmymcpserver/runner-map into the api / generator containers. The .conf snippet written by the generator landed in an ephemeral container path; the host inotify watcher saw an empty directory and produced an empty runner-map.combined. Result: nginx 404'd every /<slug>/* request, the runner was unreachable from the public domain, and OAuth discovery couldn't even begin. Mount added to both services. Existing weather server has the wrong PUBLIC_URL baked in and must be recreated after deploy. No customers yet. export computePublicUrl from deploy.ts so worker.ts can call it.
2026-05-28 17:54:56 +02:00
# Per-runner nginx snippets — written by the generator, deleted by the
# api when a server is removed. The host-side systemd watcher combines
# them into runner-map.combined + reloads nginx. Without this mount the
# snippet files land in an ephemeral container path and the path-routed
# /<slug>/* endpoints return 404 from nginx — breaking OAuth discovery
# for every external MCP client.
- /opt/buildmymcpserver/runner-map:/var/runner-map
fix(deploy): rework prod artifacts to match the actual Hetzner box Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 17:48:57 +02:00
networks: [bmm-network]
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
depends_on:
postgres:
condition: service_healthy
redis:
condition: service_healthy
@ feat(billing): in-app embedded Stripe checkout + webhook hardening Checkout previously used hosted ui_mode → window.location to checkout.stripe.com, which pops out of the installed PWA into the system browser. Switch to embedded: - API: ui_mode embedded_page (stripe-node v22 / API 2025-10 renamed the enum), return_url instead of success/cancel_url, returns client_secret. - web: @stripe/react-stripe-js EmbeddedCheckout mounted in an in-app modal; NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY baked at build (Dockerfile arg + compose arg). - .env.production.example: full Stripe section (was missing) + admin-email placeholder (INF-001). Also bundled (same files): BILL-002 invoice.paid resets quota only on subscription_cycle; BILL-003 webhook dedup rolled back on handler failure; BILL-001 change-plan writes plan locally; BILL-004 webhook cross-checks sub.customer before trusting metadata.orgId; INF-003 API routed off the raw docker.sock through a locked-down tecnativa/docker-socket-proxy (CONTAINERS+POST). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> @
2026-05-29 20:56:40 +02:00
docker-socket-proxy:
condition: service_started
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
fix(deploy): rework prod artifacts to match the actual Hetzner box Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 17:48:57 +02:00
web:
build:
context: .
dockerfile: apps/web/Dockerfile
args:
NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL:?set NEXT_PUBLIC_API_URL in .env.production}
@ feat(billing): in-app embedded Stripe checkout + webhook hardening Checkout previously used hosted ui_mode → window.location to checkout.stripe.com, which pops out of the installed PWA into the system browser. Switch to embedded: - API: ui_mode embedded_page (stripe-node v22 / API 2025-10 renamed the enum), return_url instead of success/cancel_url, returns client_secret. - web: @stripe/react-stripe-js EmbeddedCheckout mounted in an in-app modal; NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY baked at build (Dockerfile arg + compose arg). - .env.production.example: full Stripe section (was missing) + admin-email placeholder (INF-001). Also bundled (same files): BILL-002 invoice.paid resets quota only on subscription_cycle; BILL-003 webhook dedup rolled back on handler failure; BILL-001 change-plan writes plan locally; BILL-004 webhook cross-checks sub.customer before trusting metadata.orgId; INF-003 API routed off the raw docker.sock through a locked-down tecnativa/docker-socket-proxy (CONTAINERS+POST). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> @
2026-05-29 20:56:40 +02:00
# Publishable (not secret) — baked into the client bundle for embedded
# checkout. Default empty so the build never fails when it's unset.
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: ${NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY:-}
fix(deploy): rework prod artifacts to match the actual Hetzner box Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 17:48:57 +02:00
container_name: bmm-web
restart: unless-stopped
env_file: .env.production
ports:
- "127.0.0.1:${WEB_PORT:-4001}:3001"
networks: [bmm-network]
depends_on:
- api
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
generator:
build:
context: .
dockerfile: apps/generator/Dockerfile
fix(deploy): rework prod artifacts to match the actual Hetzner box Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 17:48:57 +02:00
container_name: bmm-generator
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
restart: unless-stopped
network_mode: host
env_file: .env.production
fix(deploy): rework prod artifacts to match the actual Hetzner box Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 17:48:57 +02:00
environment:
# Host networking — reach the DBs via their published loopback ports
# instead of the compose-network service names.
DATABASE_URL: postgresql://${POSTGRES_USER:-bmm}:${POSTGRES_PASSWORD}@127.0.0.1:${POSTGRES_PORT:-5440}/${POSTGRES_DB:-bmm}
REDIS_URL: redis://127.0.0.1:${REDIS_PORT:-6390}
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
volumes:
@ feat(billing): in-app embedded Stripe checkout + webhook hardening Checkout previously used hosted ui_mode → window.location to checkout.stripe.com, which pops out of the installed PWA into the system browser. Switch to embedded: - API: ui_mode embedded_page (stripe-node v22 / API 2025-10 renamed the enum), return_url instead of success/cancel_url, returns client_secret. - web: @stripe/react-stripe-js EmbeddedCheckout mounted in an in-app modal; NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY baked at build (Dockerfile arg + compose arg). - .env.production.example: full Stripe section (was missing) + admin-email placeholder (INF-001). Also bundled (same files): BILL-002 invoice.paid resets quota only on subscription_cycle; BILL-003 webhook dedup rolled back on handler failure; BILL-001 change-plan writes plan locally; BILL-004 webhook cross-checks sub.customer before trusting metadata.orgId; INF-003 API routed off the raw docker.sock through a locked-down tecnativa/docker-socket-proxy (CONTAINERS+POST). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> @
2026-05-29 20:56:40 +02:00
# SECURITY (INF-003): the generator mounts the RAW docker socket because it
# builds images and runs containers — inherently root-equivalent on this
# host, and a socket-proxy can't filter that (container-create with host
# binds is the dangerous primitive it legitimately needs). It is NOT
# internet-facing (driven only by the Redis build queue). Real remediation
# = rootless buildkit or a dedicated build VM; tracked in the audit backlog.
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
- /var/run/docker.sock:/var/run/docker.sock
- bmm_build_context:/app/build-context
fix(runner): correct PUBLIC_URL + mount runner-map volume Two overlapping bugs were killing OAuth discovery for every external MCP client (Claude Desktop, Cursor, etc.): 1. worker.ts injected PUBLIC_URL=http://<RUNNER_HOST>:<port> into the runner container even when MCP_DOMAIN was set. Result: the runner's /.well-known/oauth-protected-resource advertised an unreachable URL and the WWW-Authenticate header pointed at a non-HTTPS loopback address. Claude Desktop refused to follow the discovery chain. Now derives PUBLIC_URL from the same computePublicUrl() helper that builds the user-visible URL stored in mcp_servers.public_url, so the container's self-reported resource matches its actual route. 2. docker-compose.prod.yml never mounted /opt/buildmymcpserver/runner-map into the api / generator containers. The .conf snippet written by the generator landed in an ephemeral container path; the host inotify watcher saw an empty directory and produced an empty runner-map.combined. Result: nginx 404'd every /<slug>/* request, the runner was unreachable from the public domain, and OAuth discovery couldn't even begin. Mount added to both services. Existing weather server has the wrong PUBLIC_URL baked in and must be recreated after deploy. No customers yet. export computePublicUrl from deploy.ts so worker.ts can call it.
2026-05-28 17:54:56 +02:00
# Same runner-map mount as the api — generator drops the snippet on
# deploy, watcher concatenates, nginx reloads.
- /opt/buildmymcpserver/runner-map:/var/runner-map
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
depends_on:
postgres:
condition: service_healthy
redis:
condition: service_healthy
fix(deploy): rework prod artifacts to match the actual Hetzner box Server recon (read-only SSH) showed the box already runs ~8 apps behind a host-level nginx, with Gitea + an Actions runner. The host-networking design collided with contentra on port 3001. - docker-compose.prod.yml: bridge networking + per-app network, house style; api/web/postgres/redis publish to 127.0.0.1 on verified-free ports (4000/4001/5440/6390); only the generator keeps host networking (no listening port, needs the host namespace for runner-port probing). - Drop the Traefik config; the box uses a host nginx. Add a ready nginx vhost in infra/nginx/buildmymcpserver.conf (listen 80, Cloudflare TLS). - Add .gitea/workflows/deploy.yml mirroring the buildmydiscord pipeline. - Narrow the generated-MCP port range to 4400-4900 (clear of screencraft on 4321). - .env.production.example + DEPLOY.md rewritten for buildmymcpserver.com and the real topology. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 17:48:57 +02:00
networks:
bmm-network:
driver: bridge
feat(deploy): production Dockerfiles, compose stack, and runbook - Multi-stage Dockerfiles for web/api/generator (pnpm workspace install, tsx runtime — workspace packages are raw TS, same model as runner-template). - docker-compose.prod.yml: postgres + redis + the three app services. api/generator/web use host networking so the generator's host-port probe is correct and every service shares one address space; api + generator mount the Docker socket. Binds nothing on 80/443 — safe beside other apps. - Optional Traefik reverse proxy in infra/traefik/ (heavily gated — only if the box has no existing proxy). - .env.production.example, .dockerignore, DEPLOY.md (Cloudflare zone, GoDaddy nameserver switch, server deploy, Google Cloud Console OAuth app). - api/generator `start` now runs via tsx; `node dist/index.js` could never resolve the raw-TS workspace imports. All three images verified building clean; the API container boots under tsx. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 00:37:02 +02:00
volumes:
bmm_pg:
bmm_redis:
bmm_keys:
bmm_build_context:
Reference in New Issue Copy Permalink