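# TrueNAS homelab override — applied on top of docker-compose.yml for the
# homelab deployment on TrueNAS.local. Proven on InspectFlow + CannaManage.
#
# Replace placeholders before first push:
#   __PROJECT__        container prefix / compose project name
#   __FRONTEND_PORT__  unique LAN host port for the frontend (registry §2)
#   __BACKEND_PORT__   unique LAN host port for backend debug (or remove block)
#   __SUBDOMAIN__      public hostname (only matters once you go public)
#
# Topology (public phase — additive, see runbook §4):
#   browser ──HTTPS──> IONOS Apache (82.165.206.45, TLS via acme.sh/LE)
#     ──ProxyPass──> VPS frps (85.214.154.199:)
#     ──frp tunnel──> TrueNAS frpc ──> frontend:__FRONTEND_PORT__ (this stack)
#   frontend proxies /api/backend/* to backend:8080 via the server-side Route
#   Handler (src/app/api/backend/[...path]/route.ts), so only the frontend port
#   needs to be tunnelled — no separate API exposure.
#
# Secrets: every secret below uses Compose's `${VAR:?message}` form, so
# `docker compose up` aborts with that message when the runner environment
# is missing a value. The previous `${DB_PASSWORD:-__PROJECT___dev}` fallback
# would silently seed a fresh production volume with the dev password, and a
# bare `${JWT_SECRET}` / `${AUTH_SECRET}` would interpolate to an empty string.
#
# Usage (run by the Gitea act_runner on push to main):
#   docker compose -f docker-compose.yml -f docker-compose.truenas.yml \
#     -p __PROJECT__ up -d --build --remove-orphans
#
# `!override` replaces an inherited list instead of concatenating it; it needs
# a Compose v2 release that supports the !override / !reset YAML tags.

services:
  db:
    # Internal-only: drop any host :5432 publish inherited from docker-compose.yml.
    # Postgres must NOT be exposed to the LAN. The backend reaches it over the
    # compose network (db:5432) and the deploy's ALTER USER reconcile uses
    # `docker exec`, so no published host port is needed. (!override [] replaces
    # the inherited ports list — compose otherwise concatenates lists.)
    ports: !override []
    # POSTGRES_PASSWORD only takes effect on FIRST volume init; an existing
    # volume keeps its current role password (the deploy reconciles it via
    # ALTER USER). This value seeds a fresh volume with the prod password, so
    # it is required — never a dev default.
    environment:
      POSTGRES_PASSWORD: "${DB_PASSWORD:?DB_PASSWORD must be set in the deploy environment}"

  backend:
    # Remap host port to a unique value (8080 is taken by other stacks on TrueNAS).
    # !override replaces the inherited ports list. Internal container port stays
    # 8080 so frontend's BACKEND_URL=http://backend:8080 is unaffected.
    # Remove this whole ports block if you don't need LAN debug access.
    ports: !override
      - "__BACKEND_PORT__:8080"
    environment:
      # Real production password (must match the live DB role; see ALTER USER).
      SPRING_DATASOURCE_PASSWORD: "${DB_PASSWORD:?DB_PASSWORD must be set in the deploy environment}"
      # Rotated production JWT signing key (base64 — JwtService base64-decodes it).
      # Rotating this invalidates all previously issued access/refresh tokens.
      # Required: an empty value would leave the backend signing with no key.
      __PROJECT___SECURITY_JWT_SECRET: "${JWT_SECRET:?JWT_SECRET must be set in the deploy environment}"

  frontend:
    ports: !override
      - "__FRONTEND_PORT__:3000"
    environment:
      # Public origin so NextAuth callbacks/cookies resolve to the HTTPS host.
      # For LOCAL-ONLY phase you can set these to http://192.168.188.119:__FRONTEND_PORT__
      NEXTAUTH_URL: https://__SUBDOMAIN__
      AUTH_URL: https://__SUBDOMAIN__
      # NextAuth v5 (Auth.js) reads AUTH_SECRET. Rotating it invalidates sessions.
      # Required: an empty value would leave session cookies signed with no key.
      AUTH_SECRET: "${AUTH_SECRET:?AUTH_SECRET must be set in the deploy environment}"
      # Trust the X-Forwarded-* headers from the Apache/frp chain (TLS terminates
      # upstream; plain HTTP is proxied into the container).
      # NOTE(review): __FRONTEND_PORT__ is also published directly on the LAN
      # above, and any client that reaches it directly supplies its own Host /
      # X-Forwarded-* headers — keep that port reachable only from trusted LAN
      # clients and the frpc path once the stack goes public.
      AUTH_TRUST_HOST: "true"
      # Server-side proxy target for /api/backend/* (internal compose DNS).
      BACKEND_URL: http://backend:8080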