Make container more robust #95

Merged

lukas merged 5 commits from container-improvements into main 2026-05-12 16:29:35 +00:00

Conversation 2 Commits 5 Files Changed 12

+149 -66

lukas commented 2026-05-12 15:48:11 +00:00

Owner

Copy Link

Copy Source

No description provided.

lukas added 1 commit 2026-05-12 15:48:12 +00:00

Make container more robust 0a52c4da7b

opencode-mcp-server commented 2026-05-12 15:58:23 +00:00

First-time contributor

Copy Link

Copy Source

Good direction consolidating Caddy and Django into a single container. Here are a few things to consider:

1. Unpinned Caddy download (Dockerfile:33)
Downloading Caddy from the API without a version or checksum is a reproducibility and supply-chain concern. Consider pinning to a specific version via URL (e.g., ...v2.9.1/...) or verifying the download.

2. /home/timetracker/app permissions in entrypoint (entrypoint.sh:14-15)
chmod 755 on the app directory and .venv are part of the image and should already have correct permissions from the build step. The entrypoint should only adjust paths/volumes.

3. Undocumented environment variables
DATA_DIR, PUID, PGID, and DOCKER_STORAGE_PATH are introduced across the Dockerfile/docker-compose/entrypoint but aren't documented (e.g., no .env.example).

4. supervisor.conf path (Dockerfile:39)
The supervisor config is copied to /etc/supervisor/conf.d/supervisor.conf, but supervisord typically expects separate .conf files in the conf.d/ directory. Consider whether the COPY should target /etc/supervisord.conf instead, with files = /etc/supervisor/conf.d/*.conf in the main config.

5. Database path (settings.py:113)
The database now uses DATA_DIR env var, which is good for backups. The volume mount for /home/timetracker/data in docker-compose.yml makes this work — just worth noting for anyone reading the PR.

Good direction consolidating Caddy and Django into a single container. Here are a few things to consider: **1. Unpinned Caddy download** (`Dockerfile:33`) Downloading Caddy from the API without a version or checksum is a reproducibility and supply-chain concern. Consider pinning to a specific version via URL (e.g., `...v2.9.1/...`) or verifying the download. **2. `/home/timetracker/app` permissions in entrypoint** (`entrypoint.sh:14-15`) `chmod 755` on the app directory and `.venv` are part of the image and should already have correct permissions from the build step. The entrypoint should only adjust paths/volumes. **3. Undocumented environment variables** `DATA_DIR`, `PUID`, `PGID`, and `DOCKER_STORAGE_PATH` are introduced across the Dockerfile/docker-compose/entrypoint but aren't documented (e.g., no `.env.example`). **4. `supervisor.conf` path** (`Dockerfile:39`) The supervisor config is copied to `/etc/supervisor/conf.d/supervisor.conf`, but supervisord typically expects separate `.conf` files in the `conf.d/` directory. Consider whether the COPY should target `/etc/supervisord.conf` instead, with `files = /etc/supervisor/conf.d/*.conf` in the main config. **5. Database path** (`settings.py:113`) The database now uses `DATA_DIR` env var, which is good for backups. The volume mount for `/home/timetracker/data` in docker-compose.yml makes this work — just worth noting for anyone reading the PR.

opencode-mcp-server commented 2026-05-12 16:00:34 +00:00

First-time contributor

Copy Link

Copy Source

Regarding #1 (unpinned Caddy download), here's a proposed fix:

Current (Dockerfile:35-36):

RUN curl -sL "https://caddyserver.com/api/download?os=linux&arch=amd64" \
    -o /usr/local/bin/caddy && chmod +x /usr/local/bin/caddy

Proposed:

ARG CADDY_VERSION=2.9.1
RUN curl -sL "https://github.com/caddyserver/caddy/releases/download/v${CADDY_VERSION}/caddy_${CADDY_VERSION}_linux_amd64.tar.gz" \
    -o /tmp/caddy.tar.gz && \
    tar -xzf /tmp/caddy.tar.gz -C /tmp && \
    mv /tmp/caddy /usr/local/bin/caddy && \
    rm /tmp/caddy.tar.gz && \
    chmod +x /usr/local/bin/caddy

Why:

• Reproducible builds — same binary every time
• Traceable — GitHub release tag links to changelog
• Easy to extend with SHA256 verification if desired
• ARG makes it trivial to bump the version later

Happy to open a separate PR with this fix if you'd like.

Regarding #1 (unpinned Caddy download), here's a proposed fix: **Current** (`Dockerfile:35-36`): ```dockerfile RUN curl -sL "https://caddyserver.com/api/download?os=linux&arch=amd64" \ -o /usr/local/bin/caddy && chmod +x /usr/local/bin/caddy ``` **Proposed**: ```dockerfile ARG CADDY_VERSION=2.9.1 RUN curl -sL "https://github.com/caddyserver/caddy/releases/download/v${CADDY_VERSION}/caddy_${CADDY_VERSION}_linux_amd64.tar.gz" \ -o /tmp/caddy.tar.gz && \ tar -xzf /tmp/caddy.tar.gz -C /tmp && \ mv /tmp/caddy /usr/local/bin/caddy && \ rm /tmp/caddy.tar.gz && \ chmod +x /usr/local/bin/caddy ``` **Why**: - Reproducible builds — same binary every time - Traceable — GitHub release tag links to changelog - Easy to extend with SHA256 verification if desired - `ARG` makes it trivial to bump the version later Happy to open a separate PR with this fix if you'd like.

lukas added 1 commit 2026-05-12 16:04:53 +00:00

Pin Caddy version bf6d20ca58

lukas added 1 commit 2026-05-12 16:08:00 +00:00

Add .env.example documenting environment variables 2b43e9a848

lukas added 1 commit 2026-05-12 16:23:58 +00:00

Make default database location more robust 00f84fee9b

lukas added 1 commit 2026-05-12 16:25:29 +00:00

Re-enable tests d96066e625

lukas merged commit 360e8f9eaf into main 2026-05-12 16:29:35 +00:00

lukas deleted branch container-improvements 2026-05-12 16:29:35 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

lukas (Lukáš Kucharczyk)

No Assignees

2 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: lukas/timetracker#95