fixes

Signed-off-by: Menno van Leeuwen <menno@vleeuwen.me>

ansible/tasks/servers/services/cloudreve/docker-compose.yml.j2

@@ -46,6 +46,10 @@ services:
     networks:
       - cloudreve
       - caddy_network
+    deploy:
+      resources:
+        limits:
+          memory: 1G
 
   redis:
     image: redis:latest

ansible/tasks/servers/services/sathub/.env.j2

@@ -0,0 +1,47 @@
+# Production Environment Variables
+# Copy this to .env and fill in your values
+
+# Database configuration (PostgreSQL)
+DB_TYPE=postgres
+DB_HOST=postgres
+DB_PORT=5432
+DB_USER=sathub
+DB_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DB_PASSWORD') }}
+DB_NAME=sathub
+
+# Required: JWT secret for token signing
+JWT_SECRET={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='JWT_SECRET') }}
+
+# Required: Two-factor authentication encryption key
+TWO_FA_ENCRYPTION_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='TWO_FA_ENCRYPTION_KEY') }}
+
+# Email configuration (required for password resets)
+SMTP_HOST={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_HOST') }}
+SMTP_PORT={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_PORT') }}
+SMTP_USERNAME={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_USERNAME') }}
+SMTP_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_PASSWORD') }}
+SMTP_FROM_EMAIL={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_FROM_EMAIL') }}
+
+# MinIO Object Storage configuration
+MINIO_ROOT_USER={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_USER') }}
+MINIO_ROOT_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_PASSWORD') }}
+# Basically the same as the above
+MINIO_ACCESS_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_USER') }}
+MINIO_SECRET_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_PASSWORD') }}
+
+# GitHub credentials for Watchtower (auto-updates)
+GITHUB_USER={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_USER') }}
+GITHUB_PAT={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_PAT') }}
+REPO_USER={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_USER') }}
+REPO_PASS={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_PAT') }}
+
+# Optional: Override defaults if needed
+# GIN_MODE=release (set automatically)
+FRONTEND_URL=https://sathub.de
+
+# CORS configuration (optional - additional allowed origins)
+CORS_ALLOWED_ORIGINS=https://sathub.de,https://sathub.nl,https://api.sathub.de
+
+# Frontend configuration (optional - defaults are provided)
+VITE_API_BASE_URL=https://api.sathub.de
+VITE_ALLOWED_HOSTS=sathub.de,sathub.nl

ansible/tasks/servers/services/sathub/docker-compose.yml.j2

@@ -1,43 +1,108 @@
 services:
-  backend:
+  # Migration service - runs once on stack startup
+  migrate:
     image: ghcr.io/vleeuwenmenno/sathub/backend:latest
-    container_name: sathub-backend
-    restart: unless-stopped
+    container_name: sathub-migrate
+    restart: "no"
+    command: ["./main", "auto-migrate"]
     environment:
       - GIN_MODE=release
-      - FRONTEND_URL=${FRONTEND_URL:-https://sathub.de}
-      - CORS_ALLOWED_ORIGINS={{ cors_allowed_origins | default('') }}
 
       # Database settings
       - DB_TYPE=postgres
       - DB_HOST=postgres
       - DB_PORT=5432
       - DB_USER=${DB_USER:-sathub}
-      - DB_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DB_PASSWORD') }}
+      - DB_PASSWORD=${DB_PASSWORD}
       - DB_NAME=${DB_NAME:-sathub}
 
-      # Security settings
-      - JWT_SECRET={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='JWT_SECRET') }}
-      - TWO_FA_ENCRYPTION_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='TWO_FA_ENCRYPTION_KEY') }}
-
-      # SMTP settings
-      - SMTP_HOST={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_HOST') }}
-      - SMTP_PORT={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_PORT') }}
-      - SMTP_USERNAME={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_USERNAME') }}
-      - SMTP_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_PASSWORD') }}
-      - SMTP_FROM_EMAIL={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='SMTP_FROM_EMAIL') }}
-
       # MinIO settings
       - MINIO_ENDPOINT=http://minio:9000
       - MINIO_BUCKET=sathub-images
-      - MINIO_ACCESS_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_USER') }}
-      - MINIO_SECRET_KEY={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_PASSWORD') }}
+      - MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY}
+      - MINIO_SECRET_KEY=${MINIO_SECRET_KEY}
+      - MINIO_EXTERNAL_URL=https://obj.sathub.de
+    networks:
+      - sathub
+    depends_on:
+      - postgres
+
+  backend:
+    image: ghcr.io/vleeuwenmenno/sathub/backend:latest
+    container_name: sathub-backend
+    restart: unless-stopped
+    command: ["./main", "api"]
+    environment:
+      - GIN_MODE=release
+      - FRONTEND_URL=${FRONTEND_URL:-https://sathub.de}
+      - CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS:-https://sathub.de}
+
+      # Database settings
+      - DB_TYPE=postgres
+      - DB_HOST=postgres
+      - DB_PORT=5432
+      - DB_USER=${DB_USER:-sathub}
+      - DB_PASSWORD=${DB_PASSWORD}
+      - DB_NAME=${DB_NAME:-sathub}
+
+      # Security settings
+      - JWT_SECRET=${JWT_SECRET}
+      - TWO_FA_ENCRYPTION_KEY=${TWO_FA_ENCRYPTION_KEY}
+
+      # SMTP settings
+      - SMTP_HOST=${SMTP_HOST}
+      - SMTP_PORT=${SMTP_PORT}
+      - SMTP_USERNAME=${SMTP_USERNAME}
+      - SMTP_PASSWORD=${SMTP_PASSWORD}
+      - SMTP_FROM_EMAIL=${SMTP_FROM_EMAIL}
+
+      # MinIO settings
+      - MINIO_ENDPOINT=http://minio:9000
+      - MINIO_BUCKET=sathub-images
+      - MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY}
+      - MINIO_SECRET_KEY=${MINIO_SECRET_KEY}
       - MINIO_EXTERNAL_URL=https://obj.sathub.de
     networks:
       - sathub
       - caddy_network
     depends_on:
-      - postgres
+      migration:
+        condition: service_completed_successfully
+
+  worker:
+    image: ghcr.io/vleeuwenmenno/sathub/backend:latest
+    container_name: sathub-worker
+    restart: unless-stopped
+    command: ["./main", "worker"]
+    environment:
+      - GIN_MODE=release
+
+      # Database settings
+      - DB_TYPE=postgres
+      - DB_HOST=postgres
+      - DB_PORT=5432
+      - DB_USER=${DB_USER:-sathub}
+      - DB_PASSWORD=${DB_PASSWORD}
+      - DB_NAME=${DB_NAME:-sathub}
+
+      # SMTP settings (needed for notifications)
+      - SMTP_HOST=${SMTP_HOST}
+      - SMTP_PORT=${SMTP_PORT}
+      - SMTP_USERNAME=${SMTP_USERNAME}
+      - SMTP_PASSWORD=${SMTP_PASSWORD}
+      - SMTP_FROM_EMAIL=${SMTP_FROM_EMAIL}
+
+      # MinIO settings
+      - MINIO_ENDPOINT=http://minio:9000
+      - MINIO_BUCKET=sathub-images
+      - MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY}
+      - MINIO_SECRET_KEY=${MINIO_SECRET_KEY}
+      - MINIO_EXTERNAL_URL=https://obj.sathub.de
+    networks:
+      - sathub
+    depends_on:
+      migration:
+        condition: service_completed_successfully
 
   postgres:
     image: postgres:15-alpine
@@ -45,10 +110,10 @@ services:
     restart: unless-stopped
     environment:
       - POSTGRES_USER=${DB_USER:-sathub}
-      - POSTGRES_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='DB_PASSWORD') }}
+      - POSTGRES_PASSWORD=${DB_PASSWORD}
       - POSTGRES_DB=${DB_NAME:-sathub}
     volumes:
-      - {{ sathub_data_dir }}/postgres:/var/lib/postgresql/data
+      - postgres_data:/var/lib/postgresql/data
     networks:
       - sathub
 
@@ -57,8 +122,8 @@ services:
     container_name: sathub-frontend
     restart: unless-stopped
     environment:
-      - VITE_API_BASE_URL={{ frontend_api_base_url | default('https://api.sathub.de') }}
-      - VITE_ALLOWED_HOSTS={{ frontend_allowed_hosts | default('sathub.de,sathub.nl') }}
+      - VITE_API_BASE_URL=${VITE_API_BASE_URL:-https://api.sathub.de}
+      - VITE_ALLOWED_HOSTS=${VITE_ALLOWED_HOSTS:-sathub.de,sathub.nl}
     networks:
       - sathub
       - caddy_network
@@ -68,10 +133,10 @@ services:
     container_name: sathub-minio
     restart: unless-stopped
     environment:
-      - MINIO_ROOT_USER={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_USER') }}
-      - MINIO_ROOT_PASSWORD={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='MINIO_ROOT_PASSWORD') }}
+      - MINIO_ROOT_USER=${MINIO_ROOT_USER}
+      - MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD}
     volumes:
-      - {{ sathub_data_dir }}/minio:/data
+      - minio_data:/data
     command: server /data --console-address :9001
     networks:
       - sathub
@@ -87,15 +152,25 @@ services:
     environment:
       - WATCHTOWER_CLEANUP=true
       - WATCHTOWER_INCLUDE_STOPPED=false
-      - REPO_USER={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_USER') }}
-      - REPO_PASS={{ lookup('community.general.onepassword', 'sathub', vault='Dotfiles', field='GITHUB_PAT') }}
-    command: --interval 30 --cleanup --include-stopped=false sathub-backend sathub-frontend
+      - REPO_USER=${REPO_USER}
+      - REPO_PASS=${REPO_PASS}
+    command: --interval 30 --cleanup --include-stopped=false sathub-backend sathub-worker sathub-frontend
     networks:
       - sathub
 
+volumes:
+  minio_data:
+    driver: local
+  postgres_data:
+    driver: local
+
 networks:
   sathub:
     driver: bridge
+
+  # We assume you're running a Caddy instance in a separate compose file with this network
+  # If not, you can remove this network and the related depends_on in the services above
+  # But the stack is designed to run behind a Caddy reverse proxy for SSL termination and routing
   caddy_network:
     external: true
     name: caddy_default

ansible/tasks/servers/services/sathub/sathub.yml

@@ -24,6 +24,13 @@
         state: directory
         mode: "0755"
 
+    - name: Deploy SatHub .env
+      ansible.builtin.template:
+        src: .env.j2
+        dest: "{{ sathub_service_dir }}/.env"
+        mode: "0644"
+      register: sathub_env
+
     - name: Deploy SatHub docker-compose.yml
       ansible.builtin.template:
         src: docker-compose.yml.j2
@@ -33,11 +40,11 @@
 
     - name: Stop SatHub service
       ansible.builtin.command: docker compose -f "{{ sathub_service_dir }}/docker-compose.yml" down --remove-orphans
-      when: sathub_compose.changed
+      when: sathub_compose.changed or sathub_env.changed
 
     - name: Start SatHub service
       ansible.builtin.command: docker compose -f "{{ sathub_service_dir }}/docker-compose.yml" up -d
-      when: sathub_compose.changed
+      when: sathub_compose.changed or sathub_env.changed
   tags:
     - services
     - sathub