feat: implement orphan container cleanup for idempotent stack deployment

.gitea/workflows/build.yml

@@ -10,28 +10,56 @@ jobs:
     name: Build And Publish Production Image
     runs-on: ubuntu-latest
     env:
-      REGISTRY: gitea.lab
+      REGISTRY: gitea.lab:80
       IMAGE_NAME: sancho41/condado-newsletter
+      REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+      REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
     steps:
       - uses: actions/checkout@v4
         with:
           github-server-url: http://gitea.lab
 
+      - name: Build debug context
+        run: |
+          set -eu
+          echo "Build debug"
+          echo "Repository: ${GITEA_REPOSITORY:-unknown}"
+          echo "Ref: ${GITEA_REF:-unknown}"
+          echo "Sha: ${GITEA_SHA:-unknown}"
+          echo "Runner OS: ${RUNNER_OS:-unknown}"
+          echo "Registry: ${REGISTRY}"
+          echo "Image: ${IMAGE_NAME}"
+          echo "Image latest tag: ${REGISTRY}/${IMAGE_NAME}:latest"
+          echo "Image sha tag: ${REGISTRY}/${IMAGE_NAME}:${GITEA_SHA:-unknown}"
+          echo "HTTP_PROXY=${HTTP_PROXY:-<empty>}"
+          echo "HTTPS_PROXY=${HTTPS_PROXY:-<empty>}"
+          echo "NO_PROXY=${NO_PROXY:-<empty>}"
+
+          if command -v ip >/dev/null 2>&1; then
+            echo "Runner network info:"
+            ip -4 addr show || true
+            ip route || true
+          else
+            hostname -I || true
+          fi
+
       - name: Verify Docker CLI
         run: docker version
 
+      - name: Log in to Docker Hub (optional)
+        if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
+        run: echo "${{ secrets.DOCKERHUB_TOKEN }}" | docker login docker.io -u "${{ secrets.DOCKERHUB_USERNAME }}" --password-stdin
+
+      - name: Log in to Gitea registry
+        run: echo "${REGISTRY_PASSWORD}" | docker login "${REGISTRY}" -u "${REGISTRY_USERNAME}" --password-stdin
+
       - name: Build all-in-one image
-        run: docker build -t condado-newsletter:latest -f Dockerfile.allinone .
-
-      - name: Log in to Gitea container registry
-        run: echo "${{ secrets.GITEA_REGISTRY_PASSWORD }}" | docker login ${REGISTRY} -u "${{ secrets.GITEA_REGISTRY_USERNAME }}" --password-stdin
-
-      - name: Tag registry images
         run: |
-          docker tag condado-newsletter:latest ${REGISTRY}/${IMAGE_NAME}:latest
+          docker build -t "${REGISTRY}/${IMAGE_NAME}:latest" -f Dockerfile.allinone .
-          docker tag condado-newsletter:latest ${REGISTRY}/${IMAGE_NAME}:${{ github.sha }}
+          docker tag "${REGISTRY}/${IMAGE_NAME}:latest" "${REGISTRY}/${IMAGE_NAME}:${{ gitea.sha }}"
 
-      - name: Push registry images
+      - name: Build result debug
         run: |
-          docker push ${REGISTRY}/${IMAGE_NAME}:latest
+          set -eu
-          docker push ${REGISTRY}/${IMAGE_NAME}:${{ github.sha }}
+          echo "Listing produced image tags"
+          docker image ls "${REGISTRY}/${IMAGE_NAME}" --format 'table {{.Repository}}\t{{.Tag}}\t{{.ID}}\t{{.CreatedSince}}' || true

.gitea/workflows/deploy.yml

@@ -0,0 +1,309 @@
+name: Deploy Production Stack
+
+on:
+  workflow_run:
+    workflows: ["Build And Publish Production Image"]
+    types: [completed]
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    name: Deploy Stack Via Portainer
+    if: ${{ gitea.event_name == 'workflow_dispatch' || gitea.event.workflow_run.conclusion == 'success' }}
+    runs-on: ubuntu-latest
+    env:
+      STACK_NAME: condado-newsletter-stack
+      PORTAINER_URL: ${{ secrets.PORTAINER_URL }}
+      PORTAINER_API_KEY: ${{ secrets.PORTAINER_API_KEY }}
+      PORTAINER_ENDPOINT_ID: ${{ secrets.PORTAINER_ENDPOINT_ID }}
+      ENV_VARS: ${{ secrets.ENV_VARS }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          github-server-url: http://gitea.lab
+
+      - name: Validate ENV_VARS secret
+        run: |
+          set -eu
+          if [ -z "${ENV_VARS}" ]; then
+            echo "ENV_VARS secret is empty."
+            exit 1
+          fi
+
+      - name: Deploy stack via Portainer API
+        run: |
+          set -u
+          set +e
+
+          if ! command -v curl >/dev/null 2>&1; then
+            echo "curl is not available in this runner image"
+            exit 1
+          fi
+
+          if ! command -v jq >/dev/null 2>&1; then
+            echo "jq is not available in this runner image"
+            exit 1
+          fi
+
+          PORTAINER_BASE_URL=$(printf '%s' "${PORTAINER_URL:-http://portainer.lab/}" | sed -E 's/[[:space:]]+$//; s#/*$##')
+
+          echo "Portainer deploy debug"
+          echo "PORTAINER_URL=${PORTAINER_URL:-http://portainer.lab/}"
+          echo "PORTAINER_BASE_URL=${PORTAINER_BASE_URL}"
+          echo "STACK_NAME=${STACK_NAME}"
+          echo "PORTAINER_ENDPOINT_ID=${PORTAINER_ENDPOINT_ID}"
+          echo "HTTP_PROXY=${HTTP_PROXY:-<empty>}"
+          echo "HTTPS_PROXY=${HTTPS_PROXY:-<empty>}"
+          echo "NO_PROXY=${NO_PROXY:-<empty>}"
+
+          echo "Current runner network info:"
+          if command -v ip >/dev/null 2>&1; then
+            ip -4 addr show || true
+            ip route || true
+          else
+            hostname -I || true
+          fi
+
+          ENV_JSON=$(printf '%s\n' "${ENV_VARS}" | jq -R -s '
+            split("\n")
+            | map(gsub("\r$"; ""))
+            | map(select(length > 0))
+            | map(select(startswith("#") | not))
+            | map(select(test("^[A-Za-z_][A-Za-z0-9_]*=.*$")))
+            | map(capture("^(?<name>[A-Za-z_][A-Za-z0-9_]*)=(?<value>.*)$"))
+            | map({name: .name, value: .value})
+          ')
+
+          echo "Loaded $(printf '%s' "${ENV_JSON}" | jq 'length') env entries from ENV_VARS"
+          echo "ENV names preview:"
+          printf '%s' "${ENV_JSON}" | jq -r '.[0:10][]?.name' || true
+          echo "Portainer base URL: ${PORTAINER_BASE_URL}"
+          echo "Target stack: ${STACK_NAME}"
+          echo "Endpoint id set: $([ -n "${PORTAINER_ENDPOINT_ID}" ] && echo yes || echo no)"
+
+          PORTAINER_HOST=$(printf '%s' "${PORTAINER_BASE_URL}" | sed -E 's#^[a-zA-Z]+://##; s#/.*$##; s/:.*$//')
+          PORTAINER_IP=""
+          ACTIVE_PORTAINER_BASE_URL="${PORTAINER_BASE_URL}"
+
+          if command -v getent >/dev/null 2>&1; then
+            PORTAINER_IP=$(getent hosts "${PORTAINER_HOST}" | awk 'NR==1{print $1}')
+            if [ -n "${PORTAINER_IP}" ]; then
+              PORTAINER_IP_BASE_URL="${PORTAINER_BASE_URL/${PORTAINER_HOST}/${PORTAINER_IP}}"
+              echo "Portainer DNS resolved ${PORTAINER_HOST} -> ${PORTAINER_IP}"
+              echo "IP fallback URL: ${PORTAINER_IP_BASE_URL}"
+            else
+              echo "DNS lookup returned no IP for ${PORTAINER_HOST}"
+            fi
+          else
+            echo "getent not available; skipping DNS pre-check"
+          fi
+
+          STACKS_BODY=$(mktemp)
+          STACKS_HEADERS=$(mktemp)
+          STACKS_ERR=$(mktemp)
+
+          STACKS_HTTP_CODE=$(curl -sS \
+            --noproxy "*" \
+            -D "${STACKS_HEADERS}" \
+            -o "${STACKS_BODY}" \
+            -w "%{http_code}" \
+            "${ACTIVE_PORTAINER_BASE_URL}/api/stacks" \
+            -H "X-API-Key: ${PORTAINER_API_KEY}" \
+            2>"${STACKS_ERR}")
+          STACKS_CURL_EXIT=$?
+
+          echo "GET /api/stacks curl exit: ${STACKS_CURL_EXIT}"
+          echo "GET /api/stacks http code: ${STACKS_HTTP_CODE}"
+          echo "GET /api/stacks headers:"
+          cat "${STACKS_HEADERS}" || true
+
+          if [ "${STACKS_CURL_EXIT}" -eq 6 ] && [ -n "${PORTAINER_IP:-}" ]; then
+            echo "Retrying stack list with IP fallback due to DNS failure"
+            STACKS_HTTP_CODE=$(curl -sS \
+              --noproxy "*" \
+              -D "${STACKS_HEADERS}" \
+              -o "${STACKS_BODY}" \
+              -w "%{http_code}" \
+              "${PORTAINER_IP_BASE_URL}/api/stacks" \
+              -H "X-API-Key: ${PORTAINER_API_KEY}" \
+              2>"${STACKS_ERR}")
+            STACKS_CURL_EXIT=$?
+            if [ "${STACKS_CURL_EXIT}" -eq 0 ]; then
+              ACTIVE_PORTAINER_BASE_URL="${PORTAINER_IP_BASE_URL}"
+            fi
+            echo "Retry GET /api/stacks curl exit: ${STACKS_CURL_EXIT}"
+            echo "Retry GET /api/stacks http code: ${STACKS_HTTP_CODE}"
+          fi
+
+          if [ "${STACKS_CURL_EXIT}" -ne 0 ]; then
+            echo "GET /api/stacks stderr:"
+            cat "${STACKS_ERR}" || true
+            exit "${STACKS_CURL_EXIT}"
+          fi
+
+          if [ "${STACKS_HTTP_CODE}" -lt 200 ] || [ "${STACKS_HTTP_CODE}" -ge 300 ]; then
+            echo "GET /api/stacks body:"
+            cat "${STACKS_BODY}" || true
+            exit 1
+          fi
+
+          STACK_ID=$(jq -r --arg stack_name "${STACK_NAME}" '.[] | select(.Name == $stack_name) | .Id' "${STACKS_BODY}" | head -n 1)
+
+          APPLY_BODY=$(mktemp)
+          APPLY_HEADERS=$(mktemp)
+          APPLY_ERR=$(mktemp)
+
+          # If the stack does not exist yet, remove orphan containers with names defined in compose.
+          # This enables an idempotent create-or-recreate flow when old standalone containers exist.
+          if [ -z "${STACK_ID}" ]; then
+            echo "Stack not found in Portainer; checking for orphan containers with conflicting names"
+
+            mapfile -t CONTAINER_NAMES < <(awk '/container_name:/{print $2}' docker-compose.prod.yml | tr -d '"' | sed '/^$/d')
+
+            for CONTAINER_NAME in "${CONTAINER_NAMES[@]}"; do
+              FILTERS=$(jq -cn --arg n "^/${CONTAINER_NAME}$" '{name: [$n]}')
+              FILTERS_URLENC=$(printf '%s' "${FILTERS}" | jq -sRr @uri)
+              LIST_URL="${ACTIVE_PORTAINER_BASE_URL}/api/endpoints/${PORTAINER_ENDPOINT_ID}/docker/containers/json?all=1&filters=${FILTERS_URLENC}"
+
+              LIST_BODY=$(mktemp)
+              LIST_ERR=$(mktemp)
+              LIST_HTTP_CODE=$(curl -sS \
+                --noproxy "*" \
+                -o "${LIST_BODY}" \
+                -w "%{http_code}" \
+                "${LIST_URL}" \
+                -H "X-API-Key: ${PORTAINER_API_KEY}" \
+                2>"${LIST_ERR}")
+              LIST_CURL_EXIT=$?
+
+              echo "Container pre-check [${CONTAINER_NAME}] curl=${LIST_CURL_EXIT} http=${LIST_HTTP_CODE}"
+
+              if [ "${LIST_CURL_EXIT}" -ne 0 ]; then
+                echo "Container pre-check stderr for ${CONTAINER_NAME}:"
+                cat "${LIST_ERR}" || true
+                continue
+              fi
+
+              if [ "${LIST_HTTP_CODE}" -lt 200 ] || [ "${LIST_HTTP_CODE}" -ge 300 ]; then
+                echo "Container pre-check non-success response for ${CONTAINER_NAME}:"
+                cat "${LIST_BODY}" || true
+                continue
+              fi
+
+              mapfile -t MATCHING_IDS < <(jq -r '.[].Id' "${LIST_BODY}")
+              if [ "${#MATCHING_IDS[@]}" -eq 0 ]; then
+                echo "No conflicting container found for ${CONTAINER_NAME}"
+                continue
+              fi
+
+              for CONTAINER_ID in "${MATCHING_IDS[@]}"; do
+                DELETE_URL="${ACTIVE_PORTAINER_BASE_URL}/api/endpoints/${PORTAINER_ENDPOINT_ID}/docker/containers/${CONTAINER_ID}?force=1"
+                DELETE_BODY=$(mktemp)
+                DELETE_ERR=$(mktemp)
+                DELETE_HTTP_CODE=$(curl -sS -X DELETE \
+                  --noproxy "*" \
+                  -o "${DELETE_BODY}" \
+                  -w "%{http_code}" \
+                  "${DELETE_URL}" \
+                  -H "X-API-Key: ${PORTAINER_API_KEY}" \
+                  2>"${DELETE_ERR}")
+                DELETE_CURL_EXIT=$?
+
+                echo "Removed conflicting container ${CONTAINER_NAME} (${CONTAINER_ID}) curl=${DELETE_CURL_EXIT} http=${DELETE_HTTP_CODE}"
+                if [ "${DELETE_CURL_EXIT}" -ne 0 ]; then
+                  echo "Delete stderr:"
+                  cat "${DELETE_ERR}" || true
+                fi
+                if [ "${DELETE_HTTP_CODE}" -lt 200 ] || [ "${DELETE_HTTP_CODE}" -ge 300 ]; then
+                  echo "Delete response body:"
+                  cat "${DELETE_BODY}" || true
+                fi
+              done
+            done
+          fi
+
+          if [ -n "${STACK_ID}" ]; then
+            echo "Updating existing stack id=${STACK_ID}"
+            REQUEST_URL="${ACTIVE_PORTAINER_BASE_URL}/api/stacks/${STACK_ID}?endpointId=${PORTAINER_ENDPOINT_ID}"
+            PAYLOAD=$(jq -n \
+              --rawfile stack_file docker-compose.prod.yml \
+              --argjson env_vars "${ENV_JSON}" \
+              '{StackFileContent: $stack_file, Env: $env_vars, Prune: false, PullImage: true}')
+
+            echo "Apply request URL: ${REQUEST_URL}"
+            echo "Apply payload summary:"
+            printf '%s' "${PAYLOAD}" | jq -r '{stackFileLength: (.StackFileContent | length), envCount: (.Env | length), prune: .Prune, pullImage: .PullImage}' || true
+
+            APPLY_HTTP_CODE=$(curl -sS -X PUT \
+              --noproxy "*" \
+              -D "${APPLY_HEADERS}" \
+              -o "${APPLY_BODY}" \
+              -w "%{http_code}" \
+              "${REQUEST_URL}" \
+              -H "X-API-Key: ${PORTAINER_API_KEY}" \
+              -H "Content-Type: application/json" \
+              -d "${PAYLOAD}" \
+              2>"${APPLY_ERR}")
+            APPLY_CURL_EXIT=$?
+          else
+            echo "Creating new stack ${STACK_NAME}"
+            REQUEST_URL="${ACTIVE_PORTAINER_BASE_URL}/api/stacks/create/standalone/string?endpointId=${PORTAINER_ENDPOINT_ID}"
+            PAYLOAD=$(jq -n \
+              --arg name "${STACK_NAME}" \
+              --rawfile stack_file docker-compose.prod.yml \
+              --argjson env_vars "${ENV_JSON}" \
+              '{Name: $name, StackFileContent: $stack_file, Env: $env_vars, FromAppTemplate: false}')
+
+            echo "Apply request URL: ${REQUEST_URL}"
+            echo "Apply payload summary:"
+            printf '%s' "${PAYLOAD}" | jq -r '{name: .Name, stackFileLength: (.StackFileContent | length), envCount: (.Env | length), fromAppTemplate: .FromAppTemplate}' || true
+
+            APPLY_HTTP_CODE=$(curl -sS -X POST \
+              --noproxy "*" \
+              -D "${APPLY_HEADERS}" \
+              -o "${APPLY_BODY}" \
+              -w "%{http_code}" \
+              "${REQUEST_URL}" \
+              -H "X-API-Key: ${PORTAINER_API_KEY}" \
+              -H "Content-Type: application/json" \
+              -d "${PAYLOAD}" \
+              2>"${APPLY_ERR}")
+            APPLY_CURL_EXIT=$?
+          fi
+
+          echo "Apply curl exit: ${APPLY_CURL_EXIT}"
+          echo "Apply http code: ${APPLY_HTTP_CODE}"
+          echo "Apply response headers:"
+          cat "${APPLY_HEADERS}" || true
+
+          if [ "${APPLY_CURL_EXIT}" -ne 0 ]; then
+            echo "Apply stderr:"
+            cat "${APPLY_ERR}" || true
+            exit "${APPLY_CURL_EXIT}"
+          fi
+
+          if [ "${APPLY_HTTP_CODE}" -lt 200 ] || [ "${APPLY_HTTP_CODE}" -ge 300 ]; then
+            echo "Apply response body:"
+            cat "${APPLY_BODY}" || true
+            echo "Apply response parsed as JSON (if possible):"
+            jq -r '.' "${APPLY_BODY}" 2>/dev/null || echo "<non-json or empty body>"
+
+            if [ ! -s "${APPLY_BODY}" ]; then
+              echo "Apply body is empty; retrying once with verbose curl for diagnostics"
+              curl -v -X "$( [ -n "${STACK_ID}" ] && echo PUT || echo POST )" \
+                --noproxy "*" \
+                -o /tmp/portainer-debug-body.txt \
+                "${REQUEST_URL}" \
+                -H "X-API-Key: ${PORTAINER_API_KEY}" \
+                -H "Content-Type: application/json" \
+                -d "${PAYLOAD}" \
+                2>/tmp/portainer-debug-stderr.txt || true
+              echo "Verbose retry stderr:"
+              cat /tmp/portainer-debug-stderr.txt || true
+              echo "Verbose retry body:"
+              cat /tmp/portainer-debug-body.txt || true
+            fi
+            exit 1
+          fi
+
+          echo "Portainer deploy completed successfully"

.github/workflows/ci.yml

@@ -1,57 +0,0 @@
-name: CI
-
-on:
-  pull_request:
-    branches: ["develop"]
-
-jobs:
-  backend-test:
-    name: Backend Tests
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: backend
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set up JDK 21
-        uses: actions/setup-java@v4
-        with:
-          java-version: "21"
-          distribution: temurin
-          cache: gradle
-
-      - name: Make Gradle wrapper executable
-        run: chmod +x gradlew
-
-      - name: Run tests
-        run: ./gradlew test --no-daemon
-
-      - name: Upload test results
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: backend-test-results
-          path: backend/build/reports/tests/
-
-  frontend-test:
-    name: Frontend Tests
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: frontend
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set up Node 20
-        uses: actions/setup-node@v4
-        with:
-          node-version: "20"
-          cache: npm
-          cache-dependency-path: frontend/package-lock.json
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Run tests
-        run: npm run test

Dockerfile.allinone

@@ -29,14 +29,10 @@ ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && apt-get install -y \
     nginx \
-    postgresql \
     supervisor \
     openjdk-21-jre-headless \
     && rm -rf /var/lib/apt/lists/*
 
-# PostgreSQL data directory
-RUN mkdir -p /var/lib/postgresql/data && chown -R postgres:postgres /var/lib/postgresql
-
 # Copy frontend static files
 COPY --from=frontend-build /app/frontend/dist /usr/share/nginx/html
 

backend/src/main/kotlin/com/condado/newsletter/service/JwtService.kt

@@ -14,8 +14,10 @@ import java.util.Date
 @Service
 class JwtService(
     @Value("\${app.jwt.secret}") val secret: String,
-    @Value("\${app.jwt.expiration-ms}") val expirationMs: Long
+    @Value("\${app.jwt.expiration-ms:86400000}") expirationMsRaw: String
 ) {
+    private val expirationMs: Long = expirationMsRaw.toLongOrNull() ?: 86400000L
+
     private val signingKey by lazy {
         Keys.hmacShaKeyFor(secret.toByteArray(Charsets.UTF_8))
     }

backend/src/main/resources/application.yml

@@ -10,7 +10,7 @@ spring:
 
   jpa:
     hibernate:
-      ddl-auto: validate
+      ddl-auto: ${SPRING_JPA_HIBERNATE_DDL_AUTO:validate}
     show-sql: false
     properties:
       hibernate:

backend/src/test/kotlin/com/condado/newsletter/service/AuthServiceTest.kt

@@ -40,7 +40,7 @@ class AuthServiceTest {
     fun should_returnValidClaims_when_jwtTokenParsed() {
         val realJwtService = JwtService(
             secret = "test-secret-key-for-testing-only-must-be-at-least-32-characters",
-            expirationMs = 86400000L
+            expirationMsRaw = "86400000"
         )
         val token = realJwtService.generateToken()
 
@@ -51,7 +51,7 @@ class AuthServiceTest {
     fun should_returnFalse_when_expiredTokenValidated() {
         val realJwtService = JwtService(
             secret = "test-secret-key-for-testing-only-must-be-at-least-32-characters",
-            expirationMs = 1L
+            expirationMsRaw = "1"
         )
         val token = realJwtService.generateToken()
 

backend/src/test/kotlin/com/condado/newsletter/service/JwtServiceTest.kt

@@ -0,0 +1,26 @@
+package com.condado.newsletter.service
+
+import io.jsonwebtoken.Jwts
+import io.jsonwebtoken.security.Keys
+import org.junit.jupiter.api.Assertions.assertTrue
+import org.junit.jupiter.api.Test
+
+class JwtServiceTest {
+
+    private val secret = "12345678901234567890123456789012"
+
+    @Test
+    fun should_generate_token_when_expiration_is_empty() {
+        val jwtService = JwtService(secret, "")
+
+        val token = jwtService.generateToken()
+
+        val claims = Jwts.parser()
+            .verifyWith(Keys.hmacShaKeyFor(secret.toByteArray(Charsets.UTF_8)))
+            .build()
+            .parseSignedClaims(token)
+            .payload
+
+        assertTrue(claims.expiration.after(claims.issuedAt))
+    }
+}

docker-compose.prod.yml

@@ -1,15 +1,41 @@
 services:
-  condado-newsletter:
+  condado-newsletter-postgres:
-    image: gitea.lab/sancho41/condado-newsletter:latest
+    image: postgres:16
-    container_name: condado-newsletter
+    container_name: condado-newsletter-postgres
     restart: unless-stopped
+    environment:
+      POSTGRES_DB: ${APP_DB_NAME:-condado}
+      POSTGRES_USER: ${POSTGRES_USER:-condado}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-condado}
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    networks:
+      - default
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -h localhost -U $${POSTGRES_USER:-postgres}"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+      start_period: 10s
+
+  condado-newsletter:
+    image: sancho41/condado-newsletter:latest
+    container_name: condado-newsletter
+    restart: unless-stopped
+    depends_on:
+      condado-newsletter-postgres:
+        condition: service_healthy
+    networks:
+      - external
+      - default
     environment:
       SPRING_PROFILES_ACTIVE: prod
-      SPRING_DATASOURCE_USERNAME: ${SPRING_DATASOURCE_USERNAME}
+      SPRING_JPA_HIBERNATE_DDL_AUTO: ${SPRING_JPA_HIBERNATE_DDL_AUTO:-update}
-      SPRING_DATASOURCE_PASSWORD: ${SPRING_DATASOURCE_PASSWORD}
+      SPRING_DATASOURCE_URL: jdbc:postgresql://condado-newsletter-postgres:5432/${APP_DB_NAME:-condado}
-      APP_PASSWORD: ${APP_PASSWORD}
+      SPRING_DATASOURCE_USERNAME: ${SPRING_DATASOURCE_USERNAME:-condado}
+      SPRING_DATASOURCE_PASSWORD: ${SPRING_DATASOURCE_PASSWORD:-condado}
       JWT_SECRET: ${JWT_SECRET}
-      JWT_EXPIRATION_MS: ${JWT_EXPIRATION_MS}
+      JWT_EXPIRATION_MS: ${JWT_EXPIRATION_MS:-86400000}
       MAIL_HOST: ${MAIL_HOST}
       MAIL_PORT: ${MAIL_PORT}
       MAIL_USERNAME: ${MAIL_USERNAME}
@@ -25,22 +51,24 @@ services:
     extra_hosts:
       - "celtinha.desktop:host-gateway"
       - "host.docker.internal:host-gateway"
-    volumes:
-      - postgres-data:/var/lib/postgresql/data
     labels:
       - "traefik.enable=true"
       - "traefik.http.routers.condado.rule=Host(`condado-newsletter.lab`)"
       - "traefik.http.services.condado.loadbalancer.server.port=80"
+      - "traefik.docker.network=traefik"
       - "homepage.group=Hyperlink"
       - "homepage.name=Condado Newsletter"
       - "homepage.description=Automated newsletter generator using AI"
-      - "homepage.logo=https://raw.githubusercontent.com/celtinha/condado-newsletter/main/docs/logo.png"
+      - "homepage.logo=claude-ai.png"
-      - "homepage.url=http://condado-newsletter.lab"
+      - "homepage.href=http://condado-newsletter.lab"
 
 volumes:
   postgres-data:
 
 networks:
   default:
+    driver: bridge
+  
+  external:
     name: traefik
     external: true

docker-compose.yml

@@ -4,14 +4,13 @@ services:
   postgres:
     image: postgres:16-alpine
     restart: unless-stopped
+    container_name: condado-newsletter-postgres
     environment:
       POSTGRES_DB: condado
       POSTGRES_USER: ${SPRING_DATASOURCE_USERNAME}
       POSTGRES_PASSWORD: ${SPRING_DATASOURCE_PASSWORD}
     volumes:
       - postgres-data:/var/lib/postgresql/data
-    networks:
-      - condado-net
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U ${SPRING_DATASOURCE_USERNAME} -d condado"]
       interval: 10s
@@ -20,6 +19,7 @@ services:
 
   # ── Backend (Spring Boot) ────────────────────────────────────────────────────
   backend:
+    container_name: condado-newsletter-backend
     build:
       context: ./backend
       dockerfile: Dockerfile
@@ -29,7 +29,7 @@ services:
         condition: service_healthy
     environment:
       SPRING_PROFILES_ACTIVE: dev
-      SPRING_DATASOURCE_URL: ${SPRING_DATASOURCE_URL}
+      SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/condado
       SPRING_DATASOURCE_USERNAME: ${SPRING_DATASOURCE_USERNAME}
       SPRING_DATASOURCE_PASSWORD: ${SPRING_DATASOURCE_PASSWORD}
       APP_PASSWORD: ${APP_PASSWORD}
@@ -50,36 +50,42 @@ services:
     extra_hosts:
       - "celtinha.desktop:host-gateway"
       - "host.docker.internal:host-gateway"
-    networks:
-      - condado-net
 
   # ── Frontend + Nginx ─────────────────────────────────────────────────────────
   nginx:
+    container_name: condado-newsletter-frontend
     build:
       context: ./frontend
       dockerfile: Dockerfile
       args:
         VITE_API_BASE_URL: ${VITE_API_BASE_URL}
     restart: unless-stopped
-    ports:
-      - "80:80"
     depends_on:
       - backend
     networks:
-      - condado-net
+      - traefik
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.condado.rule=Host(`condado-newsletter.lab`)"
+      - "traefik.http.services.condado.loadbalancer.server.port=80"
+      - "homepage.group=Hyperlink"
+      - "homepage.name=Condado Newsletter"
+      - "homepage.description=Automated newsletter generator using AI"  
+      - "homepage.logo=claude-dark.png"
+      - "homepage.href=http://condado-newsletter.lab"
 
   # ── Mailhog (DEV ONLY — SMTP trap) ───────────────────────────────────────────
   mailhog:
+    container_name: condado-newsletter-mailhog
     image: mailhog/mailhog:latest
     restart: unless-stopped
     ports:
       - "8025:8025"
-    networks:
-      - condado-net
 
 volumes:
   postgres-data:
 
 networks:
-  condado-net:
+  traefik:
-    driver: bridge
+    external: true
+    name: traefik

docker/entrypoint.sh

@@ -5,28 +5,29 @@ APP_DB_NAME=${APP_DB_NAME:-condado}
 APP_DB_USER=${SPRING_DATASOURCE_USERNAME:-condado}
 APP_DB_PASSWORD=${SPRING_DATASOURCE_PASSWORD:-condado}
 
-# ── Initialise PostgreSQL data directory on first run ─────────────────────────
-if [ ! -f /var/lib/postgresql/data/PG_VERSION ]; then
-    echo "Initialising PostgreSQL data directory..."
-    su -c "/usr/lib/postgresql/16/bin/initdb -D /var/lib/postgresql/data --encoding=UTF8 --locale=C" postgres
-
-    # Start postgres temporarily to create the app database and user
-    su -c "/usr/lib/postgresql/16/bin/pg_ctl -D /var/lib/postgresql/data -w start" postgres
-
-    su -c "psql -v ON_ERROR_STOP=1 -c \"CREATE USER ${APP_DB_USER} WITH PASSWORD '${APP_DB_PASSWORD}';\"" postgres
-    su -c "psql -v ON_ERROR_STOP=1 -c \"CREATE DATABASE ${APP_DB_NAME} OWNER ${APP_DB_USER};\"" postgres
-
-    su -c "/usr/lib/postgresql/16/bin/pg_ctl -D /var/lib/postgresql/data -w stop" postgres
-    echo "PostgreSQL initialised."
-fi
-
 # ── Ensure supervisor log directory exists ────────────────────────────────────
 mkdir -p /var/log/supervisor
 
-# ── Defaults for all-in-one local PostgreSQL ─────────────────────────────────
+# ── Defaults for external PostgreSQL service in production compose ───────────
-export SPRING_DATASOURCE_URL=${SPRING_DATASOURCE_URL:-jdbc:postgresql://localhost:5432/${APP_DB_NAME}}
+export SPRING_DATASOURCE_URL=${SPRING_DATASOURCE_URL:-jdbc:postgresql://condado-newsletter-postgres:5432/${APP_DB_NAME}}
 export SPRING_DATASOURCE_USERNAME=${SPRING_DATASOURCE_USERNAME:-${APP_DB_USER}}
 export SPRING_DATASOURCE_PASSWORD=${SPRING_DATASOURCE_PASSWORD:-${APP_DB_PASSWORD}}
+export JWT_EXPIRATION_MS=${JWT_EXPIRATION_MS:-86400000}
+
+# ── Log all Spring Boot environment variables for debugging ──────────────────
+echo "========================================"
+echo "Spring Boot Configuration:"
+echo "========================================"
+echo "SPRING_DATASOURCE_URL=${SPRING_DATASOURCE_URL}"
+echo "SPRING_DATASOURCE_USERNAME=${SPRING_DATASOURCE_USERNAME}"
+echo "SPRING_DATASOURCE_PASSWORD=${SPRING_DATASOURCE_PASSWORD}"
+echo "JWT_EXPIRATION_MS=${JWT_EXPIRATION_MS}"
+echo "JAVA_OPTS=${JAVA_OPTS:-not set}"
+echo "OPENAI_API_KEY=${OPENAI_API_KEY:-not set}"
+echo "========================================"
 
 # ── Start all services via supervisord ───────────────────────────────────────
+# Export unbuffered output for both Python and Java
+export PYTHONUNBUFFERED=1
+export JAVA_OPTS="${JAVA_OPTS} -Dfile.encoding=UTF-8 -Djava.awt.headless=true"
 exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf

docker/supervisord.conf

@@ -1,27 +1,26 @@
 [supervisord]
 nodaemon=true
-logfile=/var/log/supervisor/supervisord.log
+silent=false
+logfile=/dev/stdout
+logfile_maxbytes=0
 pidfile=/var/run/supervisord.pid
-
+loglevel=info
-[program:postgres]
-command=/usr/lib/postgresql/16/bin/postgres -D /var/lib/postgresql/data
-user=postgres
-autostart=true
-autorestart=true
-stdout_logfile=/var/log/supervisor/postgres.log
-stderr_logfile=/var/log/supervisor/postgres.err.log
 
 [program:backend]
-command=java -jar /app/app.jar
+command=java -Dspring.output.ansi.enabled=always -Dlogging.level.root=DEBUG -jar /app/app.jar
 autostart=true
 autorestart=true
 startsecs=15
-stdout_logfile=/var/log/supervisor/backend.log
+stdout_logfile=/dev/stdout
-stderr_logfile=/var/log/supervisor/backend.err.log
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 
 [program:nginx]
 command=/usr/sbin/nginx -g "daemon off;"
 autostart=true
 autorestart=true
-stdout_logfile=/var/log/supervisor/nginx.log
+stdout_logfile=/dev/stdout
-stderr_logfile=/var/log/supervisor/nginx.err.log
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0

nginx/nginx.allinone.conf

@@ -15,6 +15,9 @@ http {
     gzip_types    text/plain text/css application/json application/javascript
                   text/xml application/xml application/xml+rss text/javascript;
 
+    access_log /dev/stdout;
+    error_log  /dev/stderr;
+
     server {
         listen 80;
         server_name _;