Compare commits
7 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
7c3d0e102f | ||
|
|
a0eaddf994 | ||
|
|
30be967887 | ||
|
|
2b8d0b3f43 | ||
|
|
07b15c8e01 | ||
|
|
65cc0c7b6d | ||
|
|
f137ded5aa |
@@ -1,10 +1,11 @@
|
||||
FROM python:3.12-slim
|
||||
|
||||
# Install system dependencies required for python-ldap (needed by backend)
|
||||
# Install system dependencies
|
||||
RUN apt-get update && apt-get install -y \
|
||||
build-essential \
|
||||
libldap2-dev \
|
||||
libsasl2-dev \
|
||||
gosu \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
WORKDIR /app
|
||||
@@ -26,14 +27,13 @@ COPY scripts ./scripts
|
||||
ENV DATA_DIR="/app/data"
|
||||
ENV LOGS_DIR="/app/logs"
|
||||
|
||||
# Ensure the appuser can write to data and logs if we pre-create them,
|
||||
# although Docker volumes will handle ownership context.
|
||||
# Pre-create directories and ensure they are writable
|
||||
RUN mkdir -p /app/data /app/logs && chown -R appuser:appuser /app
|
||||
|
||||
# Make initialization scripts executable
|
||||
RUN chmod +x /app/scripts/init_data.sh /app/backend/entrypoint.sh
|
||||
|
||||
USER appuser
|
||||
EXPOSE 8000
|
||||
|
||||
EXPOSE 8000
|
||||
|
||||
|
||||
@@ -23,6 +23,10 @@ export LOGS_DIR="${LOGS_DIR:-/app/logs}"
|
||||
echo "🐳 [Docker] Running data initialization..."
|
||||
bash /app/scripts/init_data.sh
|
||||
|
||||
# Hand off to the application server
|
||||
echo "🐳 [Docker] Starting uvicorn..."
|
||||
exec python -m uvicorn backend.main:app --host 0.0.0.0 --port 8000
|
||||
# Fix permissions for mounted volumes (which might be root-owned by the host)
|
||||
echo "🐳 [Docker] Fixing volume permissions..."
|
||||
chown -R appuser:appuser "${DATA_DIR}" "${LOGS_DIR}"
|
||||
|
||||
# Hand off to the application server as non-root user
|
||||
echo "🐳 [Docker] Starting uvicorn as appuser..."
|
||||
exec gosu appuser python -m uvicorn backend.main:app --host 0.0.0.0 --port 8000
|
||||
|
||||
@@ -19,14 +19,38 @@ log.info("Database tables verified.")
|
||||
app = FastAPI(title="TFM aInventory API", version="1.1.0")
|
||||
log.info("TFM aInventory API process started.")
|
||||
|
||||
# [SECURITY FIX M-01] CORS: allow_origins=["*"] + allow_credentials=True is invalid per spec.
|
||||
# Allowed origins are configured via ALLOWED_ORIGINS environment variable (comma-separated).
|
||||
# Secure fallback: localhost only for development.
|
||||
_raw_origins = os.environ.get(
|
||||
"ALLOWED_ORIGINS",
|
||||
"http://localhost:8907,https://localhost:8909"
|
||||
)
|
||||
# [SECURITY FIX M-01] CORS Configuration
|
||||
# We dynamically build allowed origins from environment variables to simplify deployment.
|
||||
_raw_origins = os.environ.get("ALLOWED_ORIGINS", "")
|
||||
ALLOWED_ORIGINS = [o.strip() for o in _raw_origins.split(",") if o.strip()]
|
||||
|
||||
# Automatically add origins based on network_config.env variables if present
|
||||
server_ip = os.environ.get("SERVER_IP")
|
||||
front_port = os.environ.get("FRONTEND_PORT", "8907")
|
||||
front_ssl_port = os.environ.get("FRONTEND_SSL_PORT", "8909")
|
||||
back_ssl_port = os.environ.get("BACKEND_SSL_PORT", "8908")
|
||||
|
||||
# Always allow localhost
|
||||
defaults = [
|
||||
f"http://localhost:{front_port}",
|
||||
f"https://localhost:{front_ssl_port}",
|
||||
f"https://localhost:{back_ssl_port}",
|
||||
]
|
||||
for d in defaults:
|
||||
if d not in ALLOWED_ORIGINS:
|
||||
ALLOWED_ORIGINS.append(d)
|
||||
|
||||
# Add IP-based origins if SERVER_IP is set
|
||||
if server_ip and server_ip != "localhost":
|
||||
ip_origins = [
|
||||
f"http://{server_ip}:{front_port}",
|
||||
f"https://{server_ip}:{front_ssl_port}",
|
||||
f"https://{server_ip}:{back_ssl_port}",
|
||||
]
|
||||
for ip_o in ip_origins:
|
||||
if ip_o not in ALLOWED_ORIGINS:
|
||||
ALLOWED_ORIGINS.append(ip_o)
|
||||
|
||||
log.info(f"CORS allowed origins: {ALLOWED_ORIGINS}")
|
||||
|
||||
# Add CORS middleware FIRST (before rate limiter)
|
||||
|
||||
@@ -1,28 +0,0 @@
|
||||
# =============================================================================
|
||||
# TFM aInventory - Central Network Configuration
|
||||
# =============================================================================
|
||||
# Use this file to customize the ports and IP address used by the application
|
||||
# without needing to modify the source code.
|
||||
#
|
||||
# IMPORTANT: After modifying this file, restart the application for changes
|
||||
# to take effect.
|
||||
# =============================================================================
|
||||
|
||||
# The primary IP address where the application will be accessed.
|
||||
# Used for CORS settings and documentation links.
|
||||
SERVER_IP=192.168.84.113
|
||||
|
||||
# --- BACKEND PORTS ---
|
||||
# Internal port for the FastAPI server (Backend)
|
||||
BACKEND_PORT=8906
|
||||
|
||||
# External port for the Backend HTTPS Proxy (Caddy/local-ssl-proxy)
|
||||
BACKEND_SSL_PORT=8908
|
||||
|
||||
# --- FRONTEND PORTS ---
|
||||
# Internal port for the Next.js dev/prod server
|
||||
FRONTEND_PORT=8907
|
||||
|
||||
# External port for the Frontend HTTPS Proxy (Caddy/local-ssl-proxy)
|
||||
# This is the port you will use in your browser (e.g. https://192.168.84.113:8909)
|
||||
FRONTEND_SSL_PORT=8909
|
||||
25
deploy.sh
Executable file
25
deploy.sh
Executable file
@@ -0,0 +1,25 @@
|
||||
#!/bin/bash
|
||||
# deploy.sh - Production Deployment Script for TFM aInventory
|
||||
# Forces Docker Compose to use the inventory.env file for both host and container.
|
||||
|
||||
echo "🐳 TFM aInventory - Starting Deployment..."
|
||||
|
||||
# 1. Check for configuration file
|
||||
if [ ! -f "inventory.env" ]; then
|
||||
echo "❌ ERROR: inventory.env not found!"
|
||||
echo "Please create it or use the template provided."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# 2. Source the env file for the current shell (helps some docker versions)
|
||||
export $(grep -v '^#' inventory.env | xargs)
|
||||
|
||||
# 3. Run Docker Compose with explicit env-file flag
|
||||
echo "🚀 Building and starting containers..."
|
||||
docker compose --env-file inventory.env up -d --build --remove-orphans
|
||||
|
||||
echo ""
|
||||
echo "✅ Deployment requested."
|
||||
echo " Access URL: https://${SERVER_IP:-localhost}:${FRONTEND_SSL_PORT:-8919}"
|
||||
echo " Run 'docker compose ps' to check status."
|
||||
echo ""
|
||||
@@ -8,7 +8,7 @@ services:
|
||||
ports:
|
||||
- ${BACKEND_PORT:-8000}:8000
|
||||
env_file:
|
||||
- ./config/network_config.env
|
||||
- inventory.env
|
||||
volumes:
|
||||
- ./data:/app/data
|
||||
- ./logs:/app/logs
|
||||
@@ -16,7 +16,6 @@ services:
|
||||
environment:
|
||||
- DATA_DIR=/app/data
|
||||
- LOGS_DIR=/app/logs
|
||||
- ALLOWED_ORIGINS=http://localhost:${FRONTEND_PORT:-3001},https://localhost:${FRONTEND_SSL_PORT:-3003},http://${SERVER_IP:-localhost}:${FRONTEND_PORT:-3001},https://${SERVER_IP:-localhost}:${FRONTEND_SSL_PORT:-3003},https://localhost:${BACKEND_SSL_PORT:-3002},https://${SERVER_IP:-localhost}:${BACKEND_SSL_PORT:-3002}
|
||||
# [C-01] JWT secret key — GENERATE A SECURE VALUE FOR PRODUCTION!
|
||||
- JWT_SECRET_KEY=${JWT_SECRET_KEY:-change_me_in_production}
|
||||
restart: unless-stopped
|
||||
@@ -29,7 +28,7 @@ services:
|
||||
ports:
|
||||
- ${FRONTEND_PORT:-3000}:3000
|
||||
env_file:
|
||||
- ./config/network_config.env
|
||||
- inventory.env
|
||||
volumes:
|
||||
- ./logs:/app/logs
|
||||
# Write Next.js logs to both stdout (docker logs) and file (mapped volume)
|
||||
@@ -44,7 +43,7 @@ services:
|
||||
- ${BACKEND_SSL_PORT:-3002}:${BACKEND_SSL_PORT:-3002}
|
||||
- ${FRONTEND_SSL_PORT:-3003}:${FRONTEND_SSL_PORT:-3003}
|
||||
env_file:
|
||||
- ./config/network_config.env
|
||||
- inventory.env
|
||||
volumes:
|
||||
- ./config/Caddyfile:/etc/caddy/Caddyfile
|
||||
# Persist the internal Caddy certificates so users don't get new certificate warnings constantly
|
||||
|
||||
@@ -29,6 +29,7 @@ cp install_service.sh "$PROD_DIR/"
|
||||
cp inventory.service.template "$PROD_DIR/"
|
||||
cp USER_GUIDE.md "$PROD_DIR/"
|
||||
cp README.md "$PROD_DIR/INSTALLATION_GUIDE.md"
|
||||
cp inventory.env "$PROD_DIR/"
|
||||
cp .git_path "$PROD_DIR/" 2>/dev/null || true
|
||||
cp frontend/VERSION.json "$PROD_DIR/"
|
||||
cp frontend/VERSION.json "$PROD_DIR/frontend/"
|
||||
|
||||
@@ -19,6 +19,7 @@ RUN npm run build
|
||||
|
||||
# Step 3: Production image
|
||||
FROM base AS runner
|
||||
RUN apk add --no-cache su-exec
|
||||
WORKDIR /app
|
||||
|
||||
ENV NODE_ENV production
|
||||
@@ -38,11 +39,13 @@ RUN chown nextjs:nodejs .next
|
||||
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
|
||||
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
|
||||
|
||||
USER nextjs
|
||||
# Copy entrypoint script
|
||||
COPY entrypoint.sh /app/entrypoint.sh
|
||||
RUN chmod +x /app/entrypoint.sh
|
||||
|
||||
EXPOSE 3000
|
||||
ENV PORT 3000
|
||||
ENV HOSTNAME "0.0.0.0"
|
||||
|
||||
# Note: The server.js is created by next build from the standalone output
|
||||
CMD ["node", "server.js"]
|
||||
ENTRYPOINT ["/app/entrypoint.sh"]
|
||||
|
||||
|
||||
@@ -1,5 +1 @@
|
||||
{
|
||||
"version": "1.8.7",
|
||||
"last_build": "2026-04-13-1954",
|
||||
"codename": "TypeFix"
|
||||
}
|
||||
{"version": "1.9.5", "last_build": "2026-04-13-2132", "codename": "Bulletproof", "commit": "a0eaddf9"}
|
||||
|
||||
19
frontend/entrypoint.sh
Normal file
19
frontend/entrypoint.sh
Normal file
@@ -0,0 +1,19 @@
|
||||
#!/bin/sh
|
||||
# =============================================================================
|
||||
# frontend/entrypoint.sh
|
||||
# =============================================================================
|
||||
# Docker container entrypoint for TFM aInventory frontend.
|
||||
# Fixes permissions for the logs volume and starts the Node.js server.
|
||||
# =============================================================================
|
||||
|
||||
set -e
|
||||
|
||||
# Fix permissions for the logs directory (useful if mounted as a volume)
|
||||
if [ -d "/app/logs" ]; then
|
||||
echo "🐳 [Docker] Fixing /app/logs permissions..."
|
||||
chown -R nextjs:nodejs /app/logs
|
||||
fi
|
||||
|
||||
# Hand off to the application server as the nextjs user
|
||||
echo "🐳 [Docker] Starting Next.js standalone server as nextjs user..."
|
||||
exec su-exec nextjs node server.js
|
||||
File diff suppressed because one or more lines are too long
19
inventory.env
Normal file
19
inventory.env
Normal file
@@ -0,0 +1,19 @@
|
||||
# =============================================================================
|
||||
# TFM aInventory - Docker Compose Environment
|
||||
# =============================================================================
|
||||
# This file is used by Docker Compose for host-side port mapping.
|
||||
# It should match the values in config/network_config.env
|
||||
# =============================================================================
|
||||
|
||||
SERVER_IP=192.168.84.113
|
||||
|
||||
# Backend Ports
|
||||
BACKEND_PORT=8916
|
||||
BACKEND_SSL_PORT=8918
|
||||
|
||||
# Frontend Ports
|
||||
FRONTEND_PORT=8917
|
||||
FRONTEND_SSL_PORT=8919
|
||||
|
||||
# Security
|
||||
JWT_SECRET_KEY=change_me_in_production
|
||||
@@ -7,7 +7,7 @@ echo "🚀 Starting TFM aInventory in Standalone Mode..."
|
||||
# Trapping termination signals to clean up child processes
|
||||
trap "echo 'Stopping all processes...'; kill 0" SIGINT SIGTERM EXIT
|
||||
|
||||
# --- CONFIGURATION (Default values, overridden by network_config.env) ---
|
||||
# --- CONFIGURATION (Default values, overridden by network_configinventory.env) ---
|
||||
BACKEND_PORT=8000
|
||||
FRONTEND_PORT=3001
|
||||
BACKEND_SSL_PORT=3002
|
||||
@@ -15,7 +15,7 @@ FRONTEND_SSL_PORT=3003
|
||||
SERVER_IP="localhost"
|
||||
|
||||
# Load Configuration from file if it exists
|
||||
CONFIG_PATH="$(cd "$(dirname "$0")" && pwd)/config/network_config.env"
|
||||
CONFIG_PATH="$(cd "$(dirname "$0")" && pwd)/inventory.env"
|
||||
if [ -f "$CONFIG_PATH" ]; then
|
||||
echo "⚙️ Loading network configuration from $CONFIG_PATH..."
|
||||
export $(grep -v '^#' "$CONFIG_PATH" | xargs)
|
||||
|
||||
@@ -53,8 +53,15 @@ def main():
|
||||
data['version'] = new_version
|
||||
data['last_build'] = datetime.now().strftime("%Y-%m-%d-%H%M")
|
||||
|
||||
# Get current git commit (short)
|
||||
try:
|
||||
commit_hash = run_command([git, 'rev-parse', '--short', 'HEAD'])
|
||||
data['commit'] = commit_hash
|
||||
except Exception:
|
||||
data['commit'] = 'unknown'
|
||||
|
||||
# Optional: Rotate changelog if needed, but for now just update version
|
||||
print(f"Incrementing version: {old_version} -> {new_version}")
|
||||
print(f"Incrementing version: {old_version} -> {new_version} (commit: {data['commit']})")
|
||||
|
||||
with open(VERSION_FILE, 'w') as f:
|
||||
json.dump(data, f, indent=2)
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
#!/bin/bash
|
||||
|
||||
# --- CONFIGURATION (Default values, will be overridden by network_config.env) ---
|
||||
# --- CONFIGURATION (Default values, will be overridden by network_configinventory.env) ---
|
||||
BACKEND_PORT=8000
|
||||
FRONTEND_PORT=3001
|
||||
BACKEND_SSL_PORT=3002
|
||||
@@ -8,10 +8,10 @@ FRONTEND_SSL_PORT=3003
|
||||
SERVER_IP="localhost"
|
||||
|
||||
# Load Configuration from file if it exists
|
||||
CONFIG_PATH="$(cd "$(dirname "$0")" && pwd)/config/network_config.env"
|
||||
CONFIG_PATH="$(cd "$(dirname "$0")" && pwd)/inventory.env"
|
||||
if [ -f "$CONFIG_PATH" ]; then
|
||||
echo "⚙️ Loading network configuration from $CONFIG_PATH..."
|
||||
# Export variables from .env file (ignoring comments and empty lines)
|
||||
# Export variables from inventory.env file (ignoring comments and empty lines)
|
||||
export $(grep -v '^#' "$CONFIG_PATH" | xargs)
|
||||
fi
|
||||
|
||||
|
||||
Reference in New Issue
Block a user