I'm aware the project is young and that non-localhost deployment is already on the radar.
This is not a criticism — the architecture is clean and the developer experience on localhost is smooth.
The goal of this issue is to surface these friction points early, as fixing them would significantly lower the barrier for contributors and evaluators who want to test on a real server before getting involved.
Context
I deployed Calendars on a homelab server to evaluate it before contributing.
The experience surfaced several blockers that are not documented and would affect any team deploying on a real server.
Issues encountered:

- Keycloak --hostname hardcoded in compose.yaml

  --hostname=http://localhost:8935 is baked into the compose command, not an env variable. Any non-localhost deployment requires editing compose.yaml directly.
  It should be configurable via an env var in keycloak.local.

- CSRF_TRUSTED_ORIGINS hardcoded in settings.py

  The Development class hardcodes:

  ```python
  CSRF_TRUSTED_ORIGINS = [
      "http://localhost:8930",
      "http://localhost:3000",
  ]
  ```

  This is not overridable via env var (unlike the Production class which uses values.ListValue). Any POST request from a non-localhost origin returns 403. Suggest converting to values.ListValue with localhost defaults.

- crypto.randomUUID() requires secure context

  Creating an event fails with crypto.randomUUID is not a function when accessing the app over plain HTTP on a non-localhost IP. Browsers restrict this API to HTTPS or localhost. Without a reverse proxy providing TLS, the app is non-functional for event creation on any real server.

- No reverse proxy provided

  There is no Nginx/Caddy/Traefik service in compose.yaml. Without one, deployers face the secure context issue above and have no guidance on TLS termination. A minimal Caddy or Nginx service with a self-signed cert for development would unblock non-localhost deployments entirely.

- No deployment documentation for non-localhost

  The existing docs cover k8s (Helm) and local Docker. There is nothing between "run on your laptop" and "deploy on Kubernetes". A simple docs/deployment-vm.md covering IP-based or domain-based deployment with a reverse proxy would fill this gap.

Proposed fixes (in order of effort)
- Make Keycloak --hostname configurable via env var
- Convert CSRF_TRUSTED_ORIGINS in Development to values.ListValue
- Add a minimal Caddy/Nginx reverse proxy service to compose.yaml
- Add docs/deployment-vm.md covering non-localhost setup
- Add polyfill or fallback for crypto.randomUUID() in insecure contexts
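
One way to implement the fallback named in the last proposed fix, as an added example that is not part of the original issue or the Calendars code base: `crypto.getRandomValues()` stays available in insecure contexts, so a version 4 UUID can be built from it without resorting to `Math.random()`. The names `safeRandomUUID` and `cryptoImpl` are hypothetical; the parameter exists only so the function can be exercised with a stand-in crypto object.

```javascript
// Added example: UUID v4 helper that still works over plain HTTP.
// `safeRandomUUID` and `cryptoImpl` are hypothetical names, not project code.
function safeRandomUUID(cryptoImpl = globalThis.crypto) {
  // Secure context (HTTPS or localhost): use the native implementation.
  if (cryptoImpl && typeof cryptoImpl.randomUUID === "function") {
    return cryptoImpl.randomUUID();
  }

  // Insecure context: randomUUID is not exposed, but getRandomValues is,
  // and it is backed by the same CSPRNG.
  if (!cryptoImpl || typeof cryptoImpl.getRandomValues !== "function") {
    // Fail closed rather than degrade to Math.random(), whose output is
    // predictable and unsuitable for identifiers that must not be guessed.
    throw new Error("No cryptographic random source available");
  }

  const bytes = cryptoImpl.getRandomValues(new Uint8Array(16));

  // RFC 4122 section 4.4: set the version (4) and variant (10xx) bits.
  bytes[6] = (bytes[6] & 0x0f) | 0x40;
  bytes[8] = (bytes[8] & 0x3f) | 0x80;

  const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  return [
    hex.slice(0, 8),
    hex.slice(8, 12),
    hex.slice(12, 16),
    hex.slice(16, 20),
    hex.slice(20),
  ].join("-");
}
```

The fallback only removes the event-creation failure; other secure-context APIs stay unavailable until TLS is terminated in front of the app.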