Seprated env variables for specific app containers and added SSL feature using caddy

.github/workflows/build-branch.yml

@@ -330,8 +330,8 @@ jobs:
       - name: Build and Push Plane-Proxy to Docker Hub
         uses: docker/[email protected]
         with:
-          context: ./nginx
-          file: ./nginx/Dockerfile
+          context: ./caddy
+          file: ./caddy/Dockerfile
           platforms: ${{ env.BUILDX_PLATFORMS }}
           tags: ${{ env.PROXY_TAG }}
           push: true

caddy/Caddyfile.template

@@ -0,0 +1,32 @@
+(plane_proxy) {
+	request_body {
+		max_size {$FILE_SIZE_LIMIT}
+	}
+
+	reverse_proxy /spaces/* space:3000
+
+	reverse_proxy /god-mode/* admin:3000
+
+	reverse_proxy /api/* api:8000
+
+	reverse_proxy /auth/* api:8000
+
+	reverse_proxy /{$BUCKET_NAME}/* plane-minio:9000
+
+	reverse_proxy /* web:3000
+}
+
+{
+	email {$CERT_EMAIL:[email protected]}
+	acme_ca {$CERT_ACME_CA} 
+	{$CERT_ACME_DNS}
+	servers {
+		max_header_size 5MB
+		client_ip_headers X-Forwarded-For X-Real-IP
+		trusted_proxies static {$TRUSTED_PROXIES:0.0.0.0/0}
+	}
+}
+
+{$SITE_ADDRESS} {
+	import plane_proxy
+}

caddy/Dockerfile

@@ -0,0 +1,9 @@
+FROM makeplane/caddy:latest
+
+COPY ./Caddyfile.template /etc/caddy/Caddyfile
+
+COPY ./caddy.sh /docker-entrypoint.sh
+
+RUN chmod +x /docker-entrypoint.sh
+
+CMD ["/docker-entrypoint.sh"]

caddy/caddy.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+if [ "$APP_DOMAIN" == "localhost" ]; then
+    export SITE_ADDRESS=":${LISTEN_HTTP_PORT}"
+elif [ "$SSL" == "true" ]; then
+    export SITE_ADDRESS="${APP_DOMAIN}:${LISTEN_HTTPS_PORT}"
+else
+    export SITE_ADDRESS="http://${APP_DOMAIN}:${LISTEN_HTTP_PORT}"
+fi
+
+exec caddy run --config /etc/caddy/Caddyfile

deploy/selfhost/docker-compose.yml

@@ -1,47 +1,52 @@
+x-db-env: &db-env
+  PGHOST: ${PGHOST:-plane-db}
+  PGDATABASE: ${PGDATABASE:-plane}
+  POSTGRES_USER: ${POSTGRES_USER:-plane}
+  POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-plane}
+  POSTGRES_DB: ${POSTGRES_DB:-plane}
+  POSTGRES_PORT: ${POSTGRES_PORT:-5432}
+  PGDATA: ${PGDATA:-/var/lib/postgresql/data}
+
+x-redis-env: &redis-env
+  REDIS_HOST: ${REDIS_HOST:-plane-redis}
+  REDIS_PORT: ${REDIS_PORT:-6379}
+  REDIS_URL: ${REDIS_URL:-redis://plane-redis:6379/}
+
+x-data-store-env: &data-store-env
+  USE_MINIO: ${USE_MINIO:-1}
+  MINIO_ROOT_USER: ${MINIO_ROOT_USER:-access-key}
+  MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD:-secret-key}
+  AWS_REGION: ${AWS_REGION:-}
+  AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID:-access-key}
+  AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY:-secret-key}
+  AWS_S3_ENDPOINT_URL: ${AWS_S3_ENDPOINT_URL:-http://plane-minio:9000}
+  AWS_S3_BUCKET_NAME: ${AWS_S3_BUCKET_NAME:-uploads}
+  BUCKET_NAME: ${BUCKET_NAME:-uploads}
+
+x-proxy-env: &proxy-env
+  SSL: ${SSL:-false}
+  APP_DOMAIN: ${APP_DOMAIN:-localhost}
+  FILE_SIZE_LIMIT: ${FILE_SIZE_LIMIT:-5242880}
+  CERT_EMAIL: ${CERT_EMAIL:[email protected]}
+  CERT_ACME_CA: ${CERT_ACME_CA:-}
+  LISTEN_HTTP_PORT: ${LISTEN_PORT:-80}
+  LISTEN_HTTPS_PORT: ${LISTEN_SSL_PORT}
+
 x-app-env: &app-env
-  environment:
-    - NGINX_PORT=${NGINX_PORT:-80}
-    - WEB_URL=${WEB_URL:-http://localhost}
-    - DEBUG=${DEBUG:-0}
-    - SENTRY_DSN=${SENTRY_DSN}
-    - SENTRY_ENVIRONMENT=${SENTRY_ENVIRONMENT:-"production"}
-    - CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS}
-    # Gunicorn Workers
-    - GUNICORN_WORKERS=${GUNICORN_WORKERS:-1}
-    #DB SETTINGS
-    - PGHOST=${PGHOST:-plane-db}
-    - PGDATABASE=${PGDATABASE:-plane}
-    - POSTGRES_USER=${POSTGRES_USER:-plane}
-    - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-plane}
-    - POSTGRES_DB=${POSTGRES_DB:-plane}
-    - POSTGRES_PORT=${POSTGRES_PORT:-5432}
-    - PGDATA=${PGDATA:-/var/lib/postgresql/data}
-    - DATABASE_URL=${DATABASE_URL:-postgresql://plane:plane@plane-db/plane}
-    # REDIS SETTINGS
-    - REDIS_HOST=${REDIS_HOST:-plane-redis}
-    - REDIS_PORT=${REDIS_PORT:-6379}
-    - REDIS_URL=${REDIS_URL:-redis://plane-redis:6379/}
-    # Application secret
-    - SECRET_KEY=${SECRET_KEY:-60gp0byfz2dvffa45cxl20p1scy9xbpf6d8c5y0geejgkyp1b5}
-    # DATA STORE SETTINGS
-    - USE_MINIO=${USE_MINIO:-1}
-    - AWS_REGION=${AWS_REGION:-""}
-    - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-"access-key"}
-    - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-"secret-key"}
-    - AWS_S3_ENDPOINT_URL=${AWS_S3_ENDPOINT_URL:-http://plane-minio:9000}
-    - AWS_S3_BUCKET_NAME=${AWS_S3_BUCKET_NAME:-uploads}
-    - MINIO_ROOT_USER=${MINIO_ROOT_USER:-"access-key"}
-    - MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD:-"secret-key"}
-    - BUCKET_NAME=${BUCKET_NAME:-uploads}
-    - FILE_SIZE_LIMIT=${FILE_SIZE_LIMIT:-5242880}
-    # Admin and Space URLs
-    - ADMIN_BASE_URL=${ADMIN_BASE_URL}
-    - SPACE_BASE_URL=${SPACE_BASE_URL}
-    - APP_BASE_URL=${APP_BASE_URL}
+  WEB_URL: ${WEB_URL:-http://localhost}
+  DEBUG: ${DEBUG:-0}
+  SENTRY_DSN: ${SENTRY_DSN}
+  SENTRY_ENVIRONMENT: ${SENTRY_ENVIRONMENT:-production}
+  CORS_ALLOWED_ORIGINS: ${CORS_ALLOWED_ORIGINS}
+  GUNICORN_WORKERS: 1
+  DATABASE_URL: ${DATABASE_URL:-postgresql://plane:plane@plane-db/plane}
+  SECRET_KEY: ${SECRET_KEY:-60gp0byfz2dvffa45cxl20p1scy9xbpf6d8c5y0geejgkyp1b5}
+  ADMIN_BASE_URL: ${ADMIN_BASE_URL}
+  SPACE_BASE_URL: ${SPACE_BASE_URL}
+  APP_BASE_URL: ${APP_BASE_URL}
 
 services:
   web:
-    <<: *app-env
     image: ${DOCKERHUB_USER:-makeplane}/plane-frontend:${APP_RELEASE:-stable}
     platform: ${DOCKER_PLATFORM:-}
     pull_policy: if_not_present
@@ -54,7 +59,6 @@ services:
       - worker
 
   space:
-    <<: *app-env
     image: ${DOCKERHUB_USER:-makeplane}/plane-space:${APP_RELEASE:-stable}
     platform: ${DOCKER_PLATFORM:-}
     pull_policy: if_not_present
@@ -68,7 +72,6 @@ services:
       - web
 
   admin:
-    <<: *app-env
     image: ${DOCKERHUB_USER:-makeplane}/plane-admin:${APP_RELEASE:-stable}
     platform: ${DOCKER_PLATFORM:-}
     pull_policy: if_not_present
@@ -81,7 +84,6 @@ services:
       - web
 
   api:
-    <<: *app-env
     image: ${DOCKERHUB_USER:-makeplane}/plane-backend:${APP_RELEASE:-stable}
     platform: ${DOCKER_PLATFORM:-}
     pull_policy: if_not_present
@@ -91,86 +93,99 @@ services:
       replicas: ${API_REPLICAS:-1}
     volumes:
       - logs_api:/code/plane/logs
+    environment:
+      <<: [ *app-env, *db-env, *redis-env, *data-store-env, *proxy-env ]
     depends_on:
       - plane-db
       - plane-redis
 
   worker:
-    <<: *app-env
     image: ${DOCKERHUB_USER:-makeplane}/plane-backend:${APP_RELEASE:-stable}
     platform: ${DOCKER_PLATFORM:-}
     pull_policy: if_not_present
     restart: unless-stopped
     command: ./bin/docker-entrypoint-worker.sh
     volumes:
       - logs_worker:/code/plane/logs
+    environment:
+      <<: [ *app-env, *db-env, *redis-env, *data-store-env, *proxy-env ]
     depends_on:
       - api
       - plane-db
       - plane-redis
 
   beat-worker:
-    <<: *app-env
     image: ${DOCKERHUB_USER:-makeplane}/plane-backend:${APP_RELEASE:-stable}
     platform: ${DOCKER_PLATFORM:-}
     pull_policy: if_not_present
     restart: unless-stopped
     command: ./bin/docker-entrypoint-beat.sh
     volumes:
       - logs_beat-worker:/code/plane/logs
+    environment:
+      <<: [ *app-env, *db-env, *redis-env, *data-store-env, *proxy-env ]
     depends_on:
       - api
       - plane-db
       - plane-redis
 
   migrator:
-    <<: *app-env
     image: ${DOCKERHUB_USER:-makeplane}/plane-backend:${APP_RELEASE:-stable}
     platform: ${DOCKER_PLATFORM:-}
     pull_policy: if_not_present
     restart: "no"
     command: ./bin/docker-entrypoint-migrator.sh
     volumes:
       - logs_migrator:/code/plane/logs
+    environment:
+      <<: [ *app-env, *db-env, *redis-env, *data-store-env, *proxy-env ]
     depends_on:
       - plane-db
       - plane-redis
 
   plane-db:
-    <<: *app-env
     image: postgres:15.7-alpine
     pull_policy: if_not_present
     restart: unless-stopped
     command: postgres -c 'max_connections=1000'
+    environment:
+      <<: *db-env
     volumes:
       - pgdata:/var/lib/postgresql/data
 
   plane-redis:
-    <<: *app-env
     image: valkey/valkey:7.2.5-alpine
     pull_policy: if_not_present
     restart: unless-stopped
+    environment:
+      <<: *redis-env
     volumes:
       - redisdata:/data
 
   plane-minio:
-    <<: *app-env
     image: minio/minio:latest
     pull_policy: if_not_present
     restart: unless-stopped
     command: server /export --console-address ":9090"
+    environment:
+      <<: *data-store-env
     volumes:
       - uploads:/export
 
   # Comment this if you already have a reverse proxy running
   proxy:
-    <<: *app-env
     image: ${DOCKERHUB_USER:-makeplane}/plane-proxy:${APP_RELEASE:-stable}
     platform: ${DOCKER_PLATFORM:-}
     pull_policy: if_not_present
     restart: unless-stopped
     ports:
-      - ${NGINX_PORT}:80
+      - ${LISTEN_HTTP_PORT:-80}:${LISTEN_HTTP_PORT:-80}
+      - ${LISTEN_HTTPS_PORT:-443}:${LISTEN_HTTPS_PORT:-443}
+    volumes:
+      - caddy_config:/config
+      - caddy_data:/data
+    environment:
+      <<: *proxy-env
     depends_on:
       - web
       - api
@@ -184,3 +199,6 @@ volumes:
   logs_worker:
   logs_beat-worker:
   logs_migrator:
+  caddy_config:
+  caddy_data:
+

deploy/selfhost/variables.env

@@ -1,12 +1,14 @@
 APP_DOMAIN=localhost
 APP_RELEASE=stable
+SSL=false
 
 WEB_REPLICAS=1
 SPACE_REPLICAS=1
 ADMIN_REPLICAS=1
 API_REPLICAS=1
 
-NGINX_PORT=80
+LISTEN_PORT=80
+LISTEN_SSL_PORT=443
 WEB_URL=http://${APP_DOMAIN}
 DEBUG=0
 SENTRY_DSN=
@@ -28,6 +30,11 @@ REDIS_HOST=plane-redis
 REDIS_PORT=6379
 REDIS_URL=
 
+# If SSL Cert to be generated, set CERT_EMAIL and APP_PROTOCOL to https
+[email protected]
+CERT_ACME_CA=https://acme-v02.api.letsencrypt.org/directory
+TRUSTED_PROXIES=0.0.0.0/0
+
 # Secret Key
 SECRET_KEY=60gp0byfz2dvffa45cxl20p1scy9xbpf6d8c5y0geejgkyp1b5