Make self-hosting turnkey: pullable multi-arch image + one-click deploy recipes #73
Merged
- docker-compose.yml: use prebuilt ghcr.io/largerio/secret image instead of build:. (commented build kept for contributors); load config via env_file
- .env.example: neutral APP_URL default + clarify exposed vs internal port
- docs/self-hosting.md: new guide (VPS no-clone deploy, Synology Container Manager, reverse proxy, backup/restore)
- README: two-path Quick Start + link to the self-hosting guide

https://claude.ai/code/session_01WkTWZvbmaA6aUT5hQSTz9m

The compose/docs reference ghcr.io/largerio/secret:latest, but CI only tagged latest on semver releases (none exist) and built amd64 only — so the image was unpullable and ARM hosts unsupported. Fix both, then document turnkey deploys.

- deploy.yml: tag latest on default-branch pushes; build linux/amd64+arm64 (adds setup-qemu-action for cross-build)
- docs/self-hosting.md: one-liner docker run, Coolify, Portainer, Railway/Render recipes + multi-arch note
- render.yaml: Render blueprint for one-click deploy

https://claude.ai/code/session_01WkTWZvbmaA6aUT5hQSTz9m

- docker-compose.yml: drop the env_file approach and restore the explicit environment allowlist. env_file injected PORT=3000 from .env into the container, overriding the Dockerfile's PORT=3001 for the API, so both API and web bound to 3000 (collision). It also dropped the BODY_SIZE_LIMIT default.
- entrypoint.sh: default BODY_SIZE_LIMIT to ~101MB for the web server so the image accepts uploads out of the box for docker run / Render / Coolify-image deploys (adapter-node otherwise caps bodies at 512K).
- docs/self-hosting.md: fix backup/restore — compose prefixes the volume with the project name (secret_secret-data), so document discovering the real name instead of the unprefixed secret-data.

https://claude.ai/code/session_01WkTWZvbmaA6aUT5hQSTz9m
…lation-setup-E0dyn
Makes Secret genuinely self-hostable: a real, pullable multi-arch image, a no-clone deploy path, and fixes for the port/upload regressions that broke the prebuilt-image flow.
Why
The compose file and docs referenced ghcr.io/largerio/secret:latest, but CI only tagged latest on semver releases (none exist) and built amd64 only — so the image was effectively unpullable and ARM hosts (Apple Silicon, many NAS/Pi) were unsupported. This PR fixes the publishing pipeline first, then documents turnkey deploys on top of it.

Changes

CI / image publishing (deploy.yml):
- latest on default-branch pushes (not just semver releases) so the documented image actually exists.
- linux/amd64 + linux/arm64 (adds setup-qemu-action for cross-build) so ARM hosts work.

Compose / runtime (docker-compose.yml, entrypoint.sh)
- ghcr.io/largerio/secret image instead of build: (commented build kept for contributors).
- environment allowlist rather than env_file — env_file injected PORT=3000 into the container, overriding the API's PORT=3001 so both API and web bound to :3000 (collision). It also silently dropped the BODY_SIZE_LIMIT default.
- BODY_SIZE_LIMIT to ~101 MB in entrypoint.sh so uploads work out of the box for docker run / Render / image-based deploys (adapter-node otherwise caps bodies at 512 KB).

Docs & one-click deploy (docs/self-hosting.md, README.md, render.yaml, .env.example)
- docker run, Coolify, Portainer, Railway/Render, reverse proxy, backup/restore, multi-arch note.
- secret_secret-data) instead of the unprefixed secret-data.
- render.yaml blueprint for one-click Render deploy.
- .env.example neutral APP_URL default + exposed-vs-internal port clarification.

Commits
- docs: make self-hosting turnkey on Synology/VPS
- ci: publish :latest + multi-arch image; add one-click deploy recipes
- fix: correct regressions found while reviewing self-host changes

Deploy pipeline note

The docker → deploy jobs run only on main/tags. deploy has needs: docker, and the prod step runs docker compose pull && docker compose up -d, so the freshly-pushed image is the one deployed (no stale/previous image). Prod's compose references a moving tag (:main/:latest), both of which this PR ensures are published.

https://claude.ai/code/session_01WkTWZvbmaA6aUT5hQSTz9m
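The env_file regression described above (PORT=3000 from .env overriding the image's PORT=3001) can be caught before deploy by comparing what env_file would inject against the image's ENV defaults and the compose allowlist. The script below is an added example, not part of this PR or the project; the sample file contents, the SMTP_PASSWORD key and the one-key-per-line allowlist file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit what `env_file: .env` would push into a container,
# compared with an explicit `environment:` allowlist. Sample data is constructed.

# KEY=VALUE assignment lines of an env file (comments and blanks skipped).
env_pairs() {
  grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$1"
}

# KEY=VALUE defaults baked into the image via `ENV KEY=VALUE` lines.
image_env() {
  sed -n 's/^ENV[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\)=\(.*\)$/\1=\2/p' "$1"
}

# audit_env_file ENVFILE DOCKERFILE ALLOWLIST
#   OVERRIDE: env_file would replace an image default with a different value.
#   EXTRA:    env_file would inject a key the allowlist does not pass through.
audit_env_file() {
  env_pairs "$1" | while IFS='=' read -r key val; do
    img=$(image_env "$2" | grep "^$key=" | head -n 1 | cut -d= -f2-)
    if [ -n "$img" ] && [ "$img" != "$val" ]; then
      echo "OVERRIDE $key image=$img env_file=$val"
    fi
    if ! grep -qx "$key" "$3"; then
      echo "EXTRA $key"
    fi
  done
}

# Constructed sample files: an image defaulting the API to 3001, a .env whose
# PORT is the host-exposed port, and an allowlist of keys compose forwards.
make_samples() {
  printf 'ENV NODE_ENV=production\nENV PORT=3001\n' > "$1/Dockerfile"
  printf '# exposed port\nAPP_URL=http://localhost:3000\nPORT=3000\nSMTP_PASSWORD=example-placeholder\n' > "$1/.env"
  printf 'APP_URL\nBODY_SIZE_LIMIT\n' > "$1/allowlist"
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_env_file "$demo_dir/.env" "$demo_dir/Dockerfile" "$demo_dir/allowlist"
rm -rf "$demo_dir"
```

Only the `ENV KEY=VALUE` Dockerfile form is parsed; an EXTRA line for a credential-like key also shows why the allowlist is the least-privilege choice.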