hcengineering · youssefsala7 · Sep 14, 2025 · Sep 14, 2025 · Sep 14, 2025 · Sep 14, 2025
diff --git a/.gitignore b/.gitignore
@@ -4,6 +4,7 @@ nginx.conf
 nginx.conf.bak
 huly.conf
 huly_v7.conf
+!nginx/conf.d/huly.conf
 .huly.secret
 .cr.secret
 .rp.secret

diff --git a/compose.yml b/compose.yml
@@ -1,196 +1,197 @@
-name: ${DOCKER_NAME}
 services:
   nginx:
-    image: "nginx:1.21.3"
-    ports:
-      - "${HTTP_BIND}:${HTTP_PORT}:80"
+    image: nginx:1.21.3
+    expose:
+      - "80"                       # no host binding; Coolify’s proxy will handle 80/443
     volumes:
-      - ./.huly.nginx:/etc/nginx/conf.d/default.conf
+      - ./nginx/conf.d:/etc/nginx/conf.d  # mount a DIRECTORY that contains your .conf
     restart: unless-stopped
+    labels:
+      - traefik.enable=true
+
+      # HTTP -> HTTPS redirect
+      - traefik.http.routers.huly-nginx.entrypoints=http
+      - traefik.http.routers.huly-nginx.rule=Host(`portals.theosirislabs.com`) || Host(`portal.theosirislabs.com`)
+      - traefik.http.middlewares.huly-https-redirect.redirectscheme.scheme=https
+      - traefik.http.routers.huly-nginx.middlewares=huly-https-redirect
+
+      # Real HTTPS router
+      - traefik.http.routers.huly-nginx-secure.entrypoints=https
+      - traefik.http.routers.huly-nginx-secure.rule=Host(`portals.theosirislabs.com`) || Host(`portal.theosirislabs.com`)
+      - traefik.http.routers.huly-nginx-secure.tls.certresolver=letsencrypt
+
+      # Tell Traefik which port the service listens on inside the container
+      - traefik.http.services.huly-nginx.loadbalancer.server.port=80
 
   cockroach:
-    image: cockroachdb/cockroach:latest-v24.2
-    command: start-single-node --accept-sql-without-tls
-    environment:
-      - COCKROACH_DATABASE=${CR_DATABASE}
-      - COCKROACH_USER=${CR_USERNAME}
-      - COCKROACH_PASSWORD=${CR_USER_PASSWORD}
-    volumes:
-      - ${VOLUME_CR_DATA_PATH:-cr_data}:/cockroach/cockroach-data
-      - ${VOLUME_CR_CERTS_PATH:-cr_certs}:/cockroach/certs
+    image: 'cockroachdb/cockroach:latest-v24.2'
+    command: 'start-single-node --accept-sql-without-tls'
     restart: unless-stopped
+    volumes:
+      - 'cr-data:/cockroach/cockroach-data'
+      - 'cr-certs:/cockroach/certs'
 
   redpanda:
-    image: docker.redpanda.com/redpandadata/redpanda:v24.3.6
+    image: 'docker.redpanda.com/redpandadata/redpanda:v24.3.6'
     command:
       - redpanda
       - start
-      - --kafka-addr internal://0.0.0.0:9092,external://0.0.0.0:19092
-      - --advertise-kafka-addr internal://redpanda:9092,external://localhost:19092
-      - --pandaproxy-addr internal://0.0.0.0:8082,external://0.0.0.0:18082
-      - --advertise-pandaproxy-addr internal://redpanda:8082,external://localhost:18082
-      - --schema-registry-addr internal://0.0.0.0:8081,external://0.0.0.0:18081
-      - --rpc-addr redpanda:33145
-      - --advertise-rpc-addr redpanda:33145
-      - --mode dev-container
-      - --smp 1
-      - --default-log-level=info
-    container_name: redpanda
+      - '--kafka-addr=internal://0.0.0.0:9092,external://0.0.0.0:19092'
+      - '--advertise-kafka-addr=internal://redpanda:9092,external://localhost:19092'
+      - '--pandaproxy-addr=internal://0.0.0.0:8082,external://0.0.0.0:18082'
+      - '--advertise-pandaproxy-addr=internal://redpanda:8082,external://localhost:18082'
+      - '--schema-registry-addr=internal://0.0.0.0:8081,external://0.0.0.0:18081'
+      - '--rpc-addr=redpanda:33145'
+      - '--advertise-rpc-addr=redpanda:33145'
+      - '--mode=dev-container'
+      - '--smp=1'
+      - '--default-log-level=info'
+    restart: unless-stopped
     volumes:
-      - ${VOLUME_REDPANDA_PATH:-redpanda}:/var/lib/redpanda/data
-    environment:
-      - REDPANDA_SUPERUSER_USERNAME=${REDPANDA_ADMIN_USER}
-      - REDPANDA_SUPERUSER_PASSWORD=${REDPANDA_ADMIN_PWD}
-    healthcheck:
-      test: ['CMD', 'rpk', 'cluster', 'info', '-X', 'user=${REDPANDA_ADMIN_USER}', '-X', 'pass=${REDPANDA_ADMIN_PWD}']
-      interval: 10s
-      timeout: 5s
-      retries: 10
+      - 'redpanda:/var/lib/redpanda/data'
 
   minio:
-    image: "minio/minio"
-    command: server /data --address ":9000" --console-address ":9001"
-    volumes:
-      - ${VOLUME_FILES_PATH:-files}:/data
-    healthcheck:
-      test: ['CMD', 'mc', 'ready', 'local']
-      interval: 5s
-      retries: 10
+    image: 'minio/minio:latest'
+    command: 'server /data --address ":9000" --console-address ":9001"'
     restart: unless-stopped
+    volumes:
+      - 'files:/data'
 
   elastic:
-    image: "elasticsearch:7.14.2"
-    command: |
-      /bin/sh -c "./bin/elasticsearch-plugin list | grep -q ingest-attachment || yes | ./bin/elasticsearch-plugin install --silent ingest-attachment;
-      /usr/local/bin/docker-entrypoint.sh eswrapper"
-    volumes:
-      - ${VOLUME_ELASTIC_PATH:-elastic}:/usr/share/elasticsearch/data
-    environment:
-      - ELASTICSEARCH_PORT_NUMBER=9200
-      - BITNAMI_DEBUG=true
-      - discovery.type=single-node
-      - ES_JAVA_OPTS=-Xms1024m -Xmx1024m
-      - http.cors.enabled=true
-      - http.cors.allow-origin=http://localhost:8082
-    healthcheck:
-      interval: 20s
-      retries: 10
-      test: curl -s http://localhost:9200/_cluster/health | grep -vq '"status":"red"'
+    image: 'docker.elastic.co/elasticsearch/elasticsearch:7.17.9'
     restart: unless-stopped
+    environment:
+      discovery.type: single-node
+      ES_JAVA_OPTS: '-Xms1024m -Xmx1024m'
+    volumes:
+      - 'elastic:/usr/share/elasticsearch/data'
 
   rekoni:
-    image: hardcoreeng/rekoni-service:${HULY_VERSION}
-    environment:
-      - SECRET=${SECRET}
-    deploy:
-      resources:
-        limits:
-          memory: 500M
+    image: 'hardcoreeng/rekoni-service:v0.7.242'
     restart: unless-stopped
 
   transactor:
-    image: hardcoreeng/transactor:${HULY_VERSION}
-    environment:
-      - SERVER_PORT=3333
-      - SERVER_SECRET=${SECRET}
-      - DB_URL=${CR_DB_URL}
-      - STORAGE_CONFIG=minio|minio?accessKey=minioadmin&secretKey=minioadmin
-      - FRONT_URL=http://localhost:8087
-      - ACCOUNTS_URL=http://account:3000
-      - FULLTEXT_URL=http://fulltext:4700
-      - STATS_URL=http://stats:4900
-      - LAST_NAME_FIRST=${LAST_NAME_FIRST:-true}
-      - QUEUE_CONFIG=redpanda:9092
+    image: 'hardcoreeng/transactor:v0.7.242'
     restart: unless-stopped
+    environment:
+      SERVER_PORT: '3333'
+      SERVER_SECRET: '${SECRET}'
+      DB_URL: '${CR_DB_URL}'
+      STORAGE_CONFIG: 'minio|minio?accessKey=minioadmin&secretKey=minioadmin'
+      FRONT_URL: '${PUBLIC_FRONT_URL:-https://portals.theosirislabs.com}'
+      ACCOUNTS_URL: '${PUBLIC_ACCOUNTS_URL:-https://portals.theosirislabs.com/_account}'
+      FULLTEXT_URL: 'http://fulltext:4700'
+      STATS_URL: 'http://stats:4900'
+      LAST_NAME_FIRST: '${LAST_NAME_FIRST:-true}'
+      QUEUE_CONFIG: 'redpanda:9092'
+      SECRET: '${SECRET}'
+      CR_DB_URL: '${CR_DB_URL}'
 
   collaborator:
-    image: hardcoreeng/collaborator:${HULY_VERSION}
-    environment:
-      - COLLABORATOR_PORT=3078
-      - SECRET=${SECRET}
-      - ACCOUNTS_URL=http://account:3000
-      - STATS_URL=http://stats:4900
-      - STORAGE_CONFIG=minio|minio?accessKey=minioadmin&secretKey=minioadmin
+    image: 'hardcoreeng/collaborator:v0.7.242'
     restart: unless-stopped
+    environment:
+      COLLABORATOR_PORT: '3078'
+      SECRET: '${SECRET}'
+      ACCOUNTS_URL: '${PUBLIC_ACCOUNTS_URL:-https://portals.theosirislabs.com/_account}'
+      STATS_URL: 'http://stats:4900'
+      STORAGE_CONFIG: 'minio|minio?accessKey=minioadmin&secretKey=minioadmin'
 
   account:
-    image: hardcoreeng/account:${HULY_VERSION}
-    environment:
-      - SERVER_PORT=3000
-      - SERVER_SECRET=${SECRET}
-      - DB_URL=${CR_DB_URL}
-      - TRANSACTOR_URL=ws://transactor:3333;ws${SECURE:+s}://${HOST_ADDRESS}/_transactor
-      - STORAGE_CONFIG=minio|minio?accessKey=minioadmin&secretKey=minioadmin
-      - FRONT_URL=http${SECURE:+s}://${HOST_ADDRESS}
-      - STATS_URL=http${SECURE:+s}://${HOST_ADDRESS}/stats
-      - MODEL_ENABLED=*
-      - ACCOUNTS_URL=http${SECURE:+s}://${HOST_ADDRESS}
-      - ACCOUNT_PORT=3000
-      - QUEUE_CONFIG=redpanda:9092
+    image: 'hardcoreeng/account:v0.7.242'
     restart: unless-stopped
+    environment:
+      SERVER_PORT: '3000'
+      SERVER_SECRET: '${SECRET}'
+      DB_URL: '${CR_DB_URL}'
+      TRANSACTOR_URL: 'ws://transactor:3333;wss://portals.theosirislabs.com/_transactor'
+      STORAGE_CONFIG: 'minio|minio?accessKey=minioadmin&secretKey=minioadmin'
+      FRONT_URL: '${PUBLIC_FRONT_URL:-https://portals.theosirislabs.com}'
+      STATS_URL: 'http://stats:4900'
+      MODEL_ENABLED: '*'
+      ACCOUNTS_URL: '${PUBLIC_ACCOUNTS_URL:-https://portals.theosirislabs.com/_account}'
+      ACCOUNT_PORT: '3000'
+      QUEUE_CONFIG: 'redpanda:9092'
+      SECRET: '${SECRET}'
+      CR_DB_URL: '${CR_DB_URL}'
+      DISABLE_SIGNUP: '${DISABLE_SIGNUP:-false}'
+      DISABLE_LOCAL_LOGIN: '${DISABLE_LOCAL_LOGIN:-false}'
+      SMTP_HOST: '${SMTP_HOST:-}'
+      SMTP_PORT: '${SMTP_PORT:-587}'
+      SMTP_USER: '${SMTP_USER:-}'
+      SMTP_PASSWORD: '${SMTP_PASSWORD:-}'
+      SMTP_SECURE: '${SMTP_SECURE:-false}'
+      MAIL_FROM: '${MAIL_FROM:-Platform <[email protected]>}'
 
   workspace:
-    image: hardcoreeng/workspace:${HULY_VERSION}
-    environment:
-      - SERVER_SECRET=${SECRET}
-      - DB_URL=${CR_DB_URL}
-      - TRANSACTOR_URL=ws://transactor:3333;ws${SECURE:+s}://${HOST_ADDRESS}/_transactor
-      - STORAGE_CONFIG=minio|minio?accessKey=minioadmin&secretKey=minioadmin
-      - MODEL_ENABLED=*
-      - ACCOUNTS_URL=http://account:3000
-      - STATS_URL=http://stats:4900
-      - QUEUE_CONFIG=redpanda:9092
-      - ACCOUNTS_DB_URL=${CR_DB_URL}
+    image: 'hardcoreeng/workspace:v0.7.242'
     restart: unless-stopped
+    environment:
+      SERVER_SECRET: '${SECRET}'
+      DB_URL: '${CR_DB_URL}'
+      TRANSACTOR_URL: 'ws://transactor:3333;wss://portals.theosirislabs.com/_transactor'
+      STORAGE_CONFIG: 'minio|minio?accessKey=minioadmin&secretKey=minioadmin'
+      MODEL_ENABLED: '*'
+      ACCOUNTS_URL: '${PUBLIC_ACCOUNTS_URL:-https://portals.theosirislabs.com/_account}'
+      STATS_URL: 'http://stats:4900'
+      QUEUE_CONFIG: 'redpanda:9092'
+      ACCOUNTS_DB_URL: '${CR_DB_URL}'
+      SECRET: '${SECRET}'
+      CR_DB_URL: '${CR_DB_URL}'
 
   front:
-    image: hardcoreeng/front:${HULY_VERSION}
-    environment:
-      - SERVER_PORT=8080
-      - SERVER_SECRET=${SECRET}
-      - LOVE_ENDPOINT=http${SECURE:+s}://${HOST_ADDRESS}/_love
-      - ACCOUNTS_URL=http${SECURE:+s}://${HOST_ADDRESS}/_accounts
-      - ACCOUNTS_URL_INTERNAL=http://account:3000
-      - REKONI_URL=http${SECURE:+s}://${HOST_ADDRESS}/_rekoni
-      - CALENDAR_URL=http${SECURE:+s}://${HOST_ADDRESS}/_calendar
-      - GMAIL_URL=http${SECURE:+s}://${HOST_ADDRESS}/_gmail
-      - TELEGRAM_URL=http${SECURE:+s}://${HOST_ADDRESS}/_telegram
-      - STATS_URL=http${SECURE:+s}://${HOST_ADDRESS}/_stats
-      - UPLOAD_URL=/files
-      - ELASTIC_URL=http://elastic:9200
-      - COLLABORATOR_URL=ws${SECURE:+s}://${HOST_ADDRESS}/_collaborator
-      - STORAGE_CONFIG=minio|minio?accessKey=minioadmin&secretKey=minioadmin
-      - TITLE=${TITLE:-Huly Self Host}
-      - DEFAULT_LANGUAGE=${DEFAULT_LANGUAGE:-en}
-      - LAST_NAME_FIRST=${LAST_NAME_FIRST:-true}
-      - DESKTOP_UPDATES_CHANNEL=${HULY_VERSION}
+    image: 'hardcoreeng/front:v0.7.242'
     restart: unless-stopped
+    environment:
+      SERVER_PORT: '8080'
+      SERVER_SECRET: '${SECRET}'
+      LOVE_ENDPOINT: 'http://front:8080/_love'
+      ACCOUNTS_URL: '${PUBLIC_ACCOUNTS_URL:-https://portals.theosirislabs.com/_account}'
+      ACCOUNTS_URL_INTERNAL: 'http://account:3000'
+      REKONI_URL: '${PUBLIC_REKONI_URL:-https://portals.theosirislabs.com/_rekoni}'
+      CALENDAR_URL: 'http://front:8080/_calendar'
+      GMAIL_URL: 'http://front:8080/_gmail'
+      TELEGRAM_URL: 'http://front:8080/_telegram'
+      STATS_URL: '${PUBLIC_STATS_URL:-https://portals.theosirislabs.com/_stats}'
+      UPLOAD_URL: /files
+      ELASTIC_URL: 'http://elastic:9200'
+      COLLABORATOR_URL: '${PUBLIC_COLLABORATOR_URL:-wss://portals.theosirislabs.com/_collaborator}'
+      STORAGE_CONFIG: 'minio|minio?accessKey=minioadmin&secretKey=minioadmin'
+      TITLE: '${TITLE:-Huly Self Host}'
+      DEFAULT_LANGUAGE: '${DEFAULT_LANGUAGE:-en}'
+      LAST_NAME_FIRST: '${LAST_NAME_FIRST:-true}'
+      DESKTOP_UPDATES_CHANNEL: 'v0.7.242'
+      SECRET: '${SECRET}'
+      DISABLE_SIGNUP: '${DISABLE_SIGNUP:-false}'
+      DISABLE_LOCAL_LOGIN: '${DISABLE_LOCAL_LOGIN:-false}'
 
   fulltext:
-    image: hardcoreeng/fulltext:${HULY_VERSION}
-    environment:
-      - SERVER_SECRET=${SECRET}
-      - DB_URL=${CR_DB_URL}
-      - FULLTEXT_DB_URL=http://elastic:9200
-      - ELASTIC_INDEX_NAME=huly_storage_index
-      - STORAGE_CONFIG=minio|minio?accessKey=minioadmin&secretKey=minioadmin
-      - REKONI_URL=http://rekoni:4004
-      - ACCOUNTS_URL=http://account:3000
-      - STATS_URL=http://stats:4900
-      - QUEUE_CONFIG=redpanda:9092
+    image: 'hardcoreeng/fulltext:v0.7.242'
     restart: unless-stopped
+    environment:
+      SERVER_SECRET: '${SECRET}'
+      DB_URL: '${CR_DB_URL}'
+      FULLTEXT_DB_URL: 'http://elastic:9200'
+      ELASTIC_INDEX_NAME: 'huly_storage_index'
+      STORAGE_CONFIG: 'minio|minio?accessKey=minioadmin&secretKey=minioadmin'
+      REKONI_URL: 'http://rekoni:4004'
+      ACCOUNTS_URL: '${PUBLIC_ACCOUNTS_URL:-https://portals.theosirislabs.com/_account}'
+      STATS_URL: 'http://stats:4900'
+      QUEUE_CONFIG: 'redpanda:9092'
+      SECRET: '${SECRET}'
+      CR_DB_URL: '${CR_DB_URL}'
 
   stats:
-    image: hardcoreeng/stats:${HULY_VERSION}
-    environment:
-      - PORT=4900
-      - SERVER_SECRET=${SECRET}
+    image: 'hardcoreeng/stats:v0.7.242'
     restart: unless-stopped
+    environment:
+      PORT: '4900'
+      SERVER_SECRET: '${SECRET}'
+      SECRET: '${SECRET}'
+
 volumes:
-  # These named volumes are used when custom volume paths are not specified
-  # If VOLUME_*_PATH variables are set, these volumes will be ignored
-  elastic:
+  cr-data:
+  cr-certs:
+  redpanda:
   files:
-  cr_data:
-  cr_certs:
-  redpanda:
+  elastic: