fix: remove unnecessary env_file entries and correct OPENAI_API_KEY format

Reviewed-on: #8

.env.example

@@ -33,5 +33,5 @@ LLAMA_MODEL=gemma3:4b
 # ── Application ───────────────────────────────────────────────────────────────
 APP_RECIPIENTS=friend1@example.com,friend2@example.com
 
-# ── Frontend (Vite build-time) ────────────────────────────────────────────────
+# ── Frontend (Vite dev proxy) ─────────────────────────────────────────────────
 VITE_API_BASE_URL=http://localhost

.gitea/workflows/build.yml

@@ -0,0 +1,180 @@
+name: Build And Publish Production Image
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  build:
+    name: Build And Publish Production Image
+    runs-on: ubuntu-latest
+    env:
+      REGISTRY: gitea.lab:80
+      IMAGE_NAME: sancho41/condado-newsletter
+      REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+      REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          github-server-url: http://gitea.lab
+
+      - name: Verify Docker CLI
+        run: docker version
+
+      - name: Log in to Docker Hub (optional)
+        if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
+        run: echo "${{ secrets.DOCKERHUB_TOKEN }}" | docker login docker.io -u "${{ secrets.DOCKERHUB_USERNAME }}" --password-stdin
+
+      - name: Build all-in-one image
+        run: docker build -t sancho41/condado-newsletter:latest -f Dockerfile.allinone .
+        
+      - name: Deploy stack via Portainer API
+        env:
+          STACK_NAME: codado-newsletter-stack
+          PORTAINER_URL: http://portainer.lab/  
+          PORTAINER_API_KEY: ${{ secrets.PORTAINER_API_KEY }}
+          PORTAINER_ENDPOINT_ID: ${{ secrets.PORTAINER_ENDPOINT_ID }}
+        run: |
+          set -u
+          set +e
+
+          PORTAINER_BASE_URL=$(printf '%s' "${PORTAINER_URL}" | sed -E 's/[[:space:]]+$//; s#/*$##')
+
+          echo "Portainer deploy debug"
+          echo "PORTAINER_URL=${PORTAINER_URL}"
+          echo "PORTAINER_BASE_URL=${PORTAINER_BASE_URL}"
+          echo "STACK_NAME=${STACK_NAME}"
+          echo "PORTAINER_ENDPOINT_ID=${PORTAINER_ENDPOINT_ID}"
+          echo "HTTP_PROXY=${HTTP_PROXY:-<empty>}"
+          echo "HTTPS_PROXY=${HTTPS_PROXY:-<empty>}"
+          echo "NO_PROXY=${NO_PROXY:-<empty>}"
+
+          echo "Current runner network info:"
+          if command -v ip >/dev/null 2>&1; then
+            ip -4 addr show || true
+            ip route || true
+          else
+            hostname -I || true
+          fi
+
+          PORTAINER_HOST=$(printf '%s' "${PORTAINER_BASE_URL}" | sed -E 's#^[a-zA-Z]+://##; s#/.*$##; s/:.*$//')
+          echo "Resolved host target: ${PORTAINER_HOST}"
+
+          PORTAINER_IP=""
+          ACTIVE_PORTAINER_BASE_URL="${PORTAINER_BASE_URL}"
+
+          if command -v getent >/dev/null 2>&1; then
+            echo "Host lookup (getent):"
+            getent hosts "${PORTAINER_HOST}" || true
+            PORTAINER_IP=$(getent hosts "${PORTAINER_HOST}" | awk 'NR==1{print $1}')
+            if [ -n "${PORTAINER_IP}" ]; then
+              PORTAINER_IP_BASE_URL="${PORTAINER_BASE_URL/${PORTAINER_HOST}/${PORTAINER_IP}}"
+              echo "Portainer IP fallback URL: ${PORTAINER_IP_BASE_URL}"
+            fi
+          fi
+
+          STACKS_BODY=$(mktemp)
+          STACKS_ERR=$(mktemp)
+
+          STACKS_HTTP_CODE=$(curl -sS \
+            --noproxy "*" \
+            -o "${STACKS_BODY}" \
+            -w "%{http_code}" \
+            "${ACTIVE_PORTAINER_BASE_URL}/api/stacks" \
+            -H "X-API-Key: ${PORTAINER_API_KEY}" \
+            2>"${STACKS_ERR}")
+          STACKS_CURL_EXIT=$?
+
+          if [ "${STACKS_CURL_EXIT}" -eq 6 ] && [ -n "${PORTAINER_IP:-}" ]; then
+            echo "Retrying GET /api/stacks with IP fallback due to DNS failure"
+            STACKS_HTTP_CODE=$(curl -sS \
+              --noproxy "*" \
+              -o "${STACKS_BODY}" \
+              -w "%{http_code}" \
+              "${PORTAINER_IP_BASE_URL}/api/stacks" \
+              -H "X-API-Key: ${PORTAINER_API_KEY}" \
+              2>"${STACKS_ERR}")
+            STACKS_CURL_EXIT=$?
+            if [ "${STACKS_CURL_EXIT}" -eq 0 ]; then
+              ACTIVE_PORTAINER_BASE_URL="${PORTAINER_IP_BASE_URL}"
+            fi
+          fi
+
+          echo "GET /api/stacks curl exit: ${STACKS_CURL_EXIT}"
+          echo "GET /api/stacks http code: ${STACKS_HTTP_CODE}"
+          echo "GET /api/stacks stderr:"
+          cat "${STACKS_ERR}" || true
+          echo "GET /api/stacks response (sanitized):"
+          jq -r '.[] | "Id=\(.Id) Name=\(.Name) EndpointId=\(.EndpointId)"' "${STACKS_BODY}" || true
+
+          if [ "${STACKS_CURL_EXIT}" -ne 0 ]; then
+            echo "Failed to reach Portainer API while listing stacks."
+            exit "${STACKS_CURL_EXIT}"
+          fi
+
+          if [ "${STACKS_HTTP_CODE}" -lt 200 ] || [ "${STACKS_HTTP_CODE}" -ge 300 ]; then
+            echo "Portainer returned a non-success status for stack listing."
+            exit 1
+          fi
+
+          STACK_ID=$(jq -r --arg stack_name "${STACK_NAME}" '.[] | select(.Name == $stack_name) | .Id' "${STACKS_BODY}" | head -n 1)
+
+          APPLY_BODY=$(mktemp)
+          APPLY_ERR=$(mktemp)
+
+          if [ -n "${STACK_ID}" ]; then
+            echo "Existing stack found with id=${STACK_ID}; sending update request"
+
+            PAYLOAD=$(jq -n \
+              --rawfile stack_file docker-compose.prod.yml \
+              '{StackFileContent: $stack_file, Env: [], Prune: false, PullImage: false}')
+
+            APPLY_HTTP_CODE=$(curl -sS -X PUT \
+              --noproxy "*" \
+              -o "${APPLY_BODY}" \
+              -w "%{http_code}" \
+              "${ACTIVE_PORTAINER_BASE_URL}/api/stacks/${STACK_ID}?endpointId=${PORTAINER_ENDPOINT_ID}" \
+              -H "X-API-Key: ${PORTAINER_API_KEY}" \
+              -H "Content-Type: application/json" \
+              -d "${PAYLOAD}" \
+              2>"${APPLY_ERR}")
+            APPLY_CURL_EXIT=$?
+          else
+            echo "Stack not found; sending create request"
+
+            PAYLOAD=$(jq -n \
+              --arg name "${STACK_NAME}" \
+              --rawfile stack_file docker-compose.prod.yml \
+              '{Name: $name, StackFileContent: $stack_file, Env: [], FromAppTemplate: false}')
+
+            APPLY_HTTP_CODE=$(curl -sS -X POST \
+              --noproxy "*" \
+              -o "${APPLY_BODY}" \
+              -w "%{http_code}" \
+              "${ACTIVE_PORTAINER_BASE_URL}/api/stacks/create/standalone/string?endpointId=${PORTAINER_ENDPOINT_ID}" \
+              -H "X-API-Key: ${PORTAINER_API_KEY}" \
+              -H "Content-Type: application/json" \
+              -d "${PAYLOAD}" \
+              2>"${APPLY_ERR}")
+            APPLY_CURL_EXIT=$?
+          fi
+
+          echo "Apply curl exit: ${APPLY_CURL_EXIT}"
+          echo "Apply http code: ${APPLY_HTTP_CODE}"
+          echo "Apply stderr:"
+          cat "${APPLY_ERR}" || true
+          echo "Apply response body:"
+          cat "${APPLY_BODY}" || true
+
+          if [ "${APPLY_CURL_EXIT}" -ne 0 ]; then
+            echo "Failed to reach Portainer API while applying stack changes."
+            exit "${APPLY_CURL_EXIT}"
+          fi
+
+          if [ "${APPLY_HTTP_CODE}" -lt 200 ] || [ "${APPLY_HTTP_CODE}" -ge 300 ]; then
+            echo "Portainer returned a non-success status while applying stack changes."
+            exit 1
+          fi
+
+          echo "Portainer deploy step completed successfully"

.gitea/workflows/ci.yml

@@ -13,6 +13,8 @@ jobs:
         working-directory: backend
     steps:
       - uses: actions/checkout@v4
+        with:
+          github-server-url: http://gitea.lab
 
       - name: Set up JDK 21
         uses: actions/setup-java@v4
@@ -42,6 +44,8 @@ jobs:
         working-directory: frontend
     steps:
       - uses: actions/checkout@v4
+        with:
+          github-server-url: http://gitea.lab
 
       - name: Set up Node 20
         uses: actions/setup-node@v4

.github/agents/infra.agent.md

@@ -1,6 +1,6 @@
 ---
 name: infra
-description: "Use when working on Docker configuration, Docker Compose files, Dockerfiles, Nginx config, Supervisor config, Gitea Actions workflows, CI/CD pipelines, environment variables, or overall project architecture in the condado-news-letter project. Trigger phrases: docker, dockerfile, compose, nginx, ci/cd, gitea actions, build fails, infra, architecture, environment variables, container, supervisor, allinone image."
+description: "Use when working on Docker configuration, Docker Compose files, Dockerfiles, Nginx config, Supervisor config, Gitea Actions workflows, CI/CD pipelines, deploy flows, environment variables, or overall project architecture in the condado-news-letter project. Trigger phrases: docker, dockerfile, compose, nginx, ci/cd, gitea actions, deploy, build fails, infra, architecture, environment variables, container, supervisor, allinone image."
 tools: [read, edit, search, execute, todo]
 argument-hint: "Describe the infrastructure change or Docker/CI task to implement."
 ---
@@ -15,13 +15,14 @@ You are a senior DevOps / infrastructure engineer and software architect for the
 | `backend/Dockerfile` | Backend-only multi-stage build image |
 | `frontend/Dockerfile` | Frontend build + Nginx image |
 | `docker-compose.yml` | Dev stack (postgres + backend + nginx + mailhog) |
-| `docker-compose.prod.yml` | Prod stack (postgres + backend + nginx, no mailhog) |
+| `docker-compose.prod.yml` | Prod stack (single all-in-one image) |
 | `nginx/nginx.conf` | Nginx config for multi-container compose flavours |
 | `nginx/nginx.allinone.conf` | Nginx config for the all-in-one image (localhost backend) |
 | `frontend/nginx.docker.conf` | Nginx config embedded in frontend image |
 | `docker/supervisord.conf` | Supervisor config (manages postgres + java + nginx inside allinone) |
 | `docker/entrypoint.sh` | Allinone container entrypoint (DB init, env wiring, supervisord start) |
 | `.gitea/workflows/ci.yml` | CI: backend tests + frontend tests on pull requests to `develop` |
+| `.gitea/workflows/build.yml` | Build: create and publish the all-in-one image on approved PRs to `main` |
 | `.env.example` | Template for all environment variables |
 
 ## System Topology
@@ -53,7 +54,7 @@ Docker volume → /var/lib/postgresql/data
 | Flavour | Command | Notes |
 |---|---|---|
 | Dev | `docker compose up --build` | Includes Mailhog on :1025/:8025 |
-| Prod (compose) | `docker compose -f docker-compose.prod.yml up --build` | External DB/SMTP |
+| Prod (compose) | `docker compose -f docker-compose.prod.yml up -d` | Prebuilt all-in-one image with internal PostgreSQL |
 | All-in-one | `docker run -p 80:80 -e APP_PASSWORD=... <image>` | Everything in one container |
 
 ## Key Environment Variables
@@ -73,15 +74,16 @@ All injected at runtime — never hardcoded in images.
 | `IMAP_HOST` / `IMAP_PORT` / `IMAP_INBOX_FOLDER` | Backend | IMAP server |
 | `OPENAI_API_KEY` / `OPENAI_MODEL` | Backend | OpenAI credentials |
 | `APP_RECIPIENTS` | Backend | Comma-separated recipient emails |
-| `VITE_API_BASE_URL` | Frontend (build-time ARG) | Backend API base URL |
+| `VITE_API_BASE_URL` | Frontend dev server | Backend API base URL for Vite proxy |
 
 ## CI/CD Pipeline
 
 | Workflow | Trigger | What it does |
 |---|---|---|
 | `ci.yml` | Pull request to `develop` | Backend `./gradlew test` + Frontend `npm run test` |
+| `build.yml` | Approved PR review to `main` | Builds `condado-newsletter` on the target Docker host, then pushes `latest` and `${github.sha}` tags to Gitea container registry |
 
-Legacy publish/version workflows were removed from in-repo automation.
+The runner shares the target Docker host, so this workflow builds the image locally, tags it for `gitea.lab/sancho41/condado-newsletter`, and pushes it to Gitea container registry. `docker-compose.prod.yml` must reference that published image and not local build directives.
 
 ## Implementation Rules
 

.github/workflows/ci.yml

@@ -1,57 +0,0 @@
-name: CI
-
-on:
-  pull_request:
-    branches: ["develop"]
-
-jobs:
-  backend-test:
-    name: Backend Tests
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: backend
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set up JDK 21
-        uses: actions/setup-java@v4
-        with:
-          java-version: "21"
-          distribution: temurin
-          cache: gradle
-
-      - name: Make Gradle wrapper executable
-        run: chmod +x gradlew
-
-      - name: Run tests
-        run: ./gradlew test --no-daemon
-
-      - name: Upload test results
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: backend-test-results
-          path: backend/build/reports/tests/
-
-  frontend-test:
-    name: Frontend Tests
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: frontend
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Set up Node 20
-        uses: actions/setup-node@v4
-        with:
-          node-version: "20"
-          cache: npm
-          cache-dependency-path: frontend/package-lock.json
-
-      - name: Install dependencies
-        run: npm ci
-
-      - name: Run tests
-        run: npm run test

CLAUDE.md

@@ -83,8 +83,8 @@ The cycle for every step is:
 | Reverse Proxy     | Nginx (serves frontend + proxies `/api` to backend)          |
 | Dev Mail          | Mailhog (SMTP trap + web UI)                                 |
 | All-in-one image  | Single Docker image: Nginx + Spring Boot + PostgreSQL + Supervisor |
-| Image registry    | Not configured (legacy Docker Hub publish workflow removed)   |
-| CI/CD             | Gitea Actions — run backend/frontend tests on pull requests to `develop` |
+| Image registry    | Gitea container registry (`gitea.lab/sancho41/condado-newsletter`) |
+| CI/CD             | Gitea Actions — test PRs to `develop`, build and publish the production image on approved PRs targeting `main` |
 
 ## Deployment Flavours
 
@@ -93,7 +93,7 @@ There are **three ways to run the project**:
 | Flavour             | Command                         | When to use                                    |
 |---------------------|---------------------------------|------------------------------------------------|
 | **Dev**             | `docker compose up`             | Local development — includes Mailhog           |
-| **Prod (compose)**  | `docker compose -f docker-compose.prod.yml up` | Production with external DB/SMTP |
+| **Prod (compose)**  | `docker compose -f docker-compose.prod.yml up -d` | Production with the prebuilt all-in-one image |
 | **All-in-one**      | `docker run ...`                | Simplest deploy — everything in one container  |
 
 ### All-in-one Image
@@ -104,7 +104,7 @@ The all-in-one image (`Dockerfile.allinone`) bundles **everything** into a singl
 - **PostgreSQL** — embedded database
 - **Supervisor** — process manager that starts and supervises all three processes
 
-The all-in-one image is built locally or in external pipelines as needed (no default registry publish workflow in-repo).
+The all-in-one image is built on the runner host and then published to the Gitea container registry.
 
 **Minimal `docker run` command:**
 ```bash
@@ -121,7 +121,7 @@ docker run -d \
   -e IMAP_PORT=993 \
   -e APP_RECIPIENTS=friend1@example.com,friend2@example.com \
   -v condado-data:/var/lib/postgresql/data \
-  <registry-or-local-image>/condado-newsletter:latest
+  gitea.lab/sancho41/condado-newsletter:latest
 ```
 
 The app is then available at `http://localhost`.
@@ -213,7 +213,7 @@ condado-news-letter/               ← repo root
 ├── .env.example                   ← template for all env vars
 ├── .gitignore
 ├── docker-compose.yml             ← dev stack (Nginx + Backend + PostgreSQL + Mailhog)
-├── docker-compose.prod.yml        ← prod stack (Nginx + Backend + PostgreSQL)
+├── docker-compose.prod.yml        ← prod stack (single all-in-one image)
 ├── Dockerfile.allinone            ← all-in-one image (Nginx + Backend + PostgreSQL + Supervisor)
 │
 ├── .github/
@@ -312,7 +312,7 @@ npm run test
 docker compose up --build
 
 # Prod
-docker compose -f docker-compose.prod.yml up --build
+docker compose -f docker-compose.prod.yml up -d
 
 # Stop
 docker compose down
@@ -456,7 +456,7 @@ Never hardcode any of these values.
 | `OPENAI_API_KEY`             | Backend  | OpenAI API key                                       |
 | `OPENAI_MODEL`               | Backend  | OpenAI model (default: `gpt-4o`)                     |
 | `APP_RECIPIENTS`             | Backend  | Comma-separated list of recipient emails             |
-| `VITE_API_BASE_URL`          | Frontend | Backend API base URL (used by Vite at build time)    |
+| `VITE_API_BASE_URL`          | Frontend | Backend API base URL for the Vite dev server proxy   |
 
 > ⚠️ Never hardcode credentials. Always use environment variables or a `.env` file (gitignored).
 
@@ -575,8 +575,9 @@ Good examples:
 | Workflow file              | Trigger                    | What it does                                              |
 |----------------------------|----------------------------|-----------------------------------------------------------|
 | `.gitea/workflows/ci.yml`  | PR to `develop`            | Backend tests (`./gradlew test`) + Frontend tests (`npm run test`) |
+| `.gitea/workflows/build.yml` | Approved PR review on `main` | Build `condado-newsletter`, then publish `latest` and `${github.sha}` tags to Gitea container registry |
 
-Current policy: old publish/version automation workflows were removed during the Gitea migration.
+Build policy: the runner shares the target Docker host, so the build workflow produces the image locally, tags it for `gitea.lab/sancho41/condado-newsletter`, and pushes it to Gitea container registry. `docker-compose.prod.yml` references that published image.
 
 ---
 

Dockerfile.allinone

@@ -15,6 +15,7 @@ FROM gradle:8-jdk21-alpine AS backend-build
 WORKDIR /app/backend
 
 COPY backend/build.gradle.kts backend/settings.gradle.kts ./
+COPY backend/gradle.properties ./
 COPY backend/gradle ./gradle
 RUN gradle dependencies --no-daemon --quiet || true
 
@@ -28,14 +29,10 @@ ENV DEBIAN_FRONTEND=noninteractive
 
 RUN apt-get update && apt-get install -y \
     nginx \
-    postgresql \
     supervisor \
     openjdk-21-jre-headless \
     && rm -rf /var/lib/apt/lists/*
 
-# PostgreSQL data directory
-RUN mkdir -p /var/lib/postgresql/data && chown -R postgres:postgres /var/lib/postgresql
-
 # Copy frontend static files
 COPY --from=frontend-build /app/frontend/dist /usr/share/nginx/html
 

backend/src/main/kotlin/com/condado/newsletter/service/JwtService.kt

@@ -14,8 +14,10 @@ import java.util.Date
 @Service
 class JwtService(
     @Value("\${app.jwt.secret}") val secret: String,
-    @Value("\${app.jwt.expiration-ms}") val expirationMs: Long
+    @Value("\${app.jwt.expiration-ms:86400000}") expirationMsRaw: String
 ) {
+    private val expirationMs: Long = expirationMsRaw.toLongOrNull() ?: 86400000L
+
     private val signingKey by lazy {
         Keys.hmacShaKeyFor(secret.toByteArray(Charsets.UTF_8))
     }

backend/src/main/resources/application.yml

@@ -10,7 +10,7 @@ spring:
 
   jpa:
     hibernate:
-      ddl-auto: validate
+      ddl-auto: ${SPRING_JPA_HIBERNATE_DDL_AUTO:validate}
     show-sql: false
     properties:
       hibernate:

backend/src/test/kotlin/com/condado/newsletter/service/AuthServiceTest.kt

@@ -40,7 +40,7 @@ class AuthServiceTest {
     fun should_returnValidClaims_when_jwtTokenParsed() {
         val realJwtService = JwtService(
             secret = "test-secret-key-for-testing-only-must-be-at-least-32-characters",
-            expirationMs = 86400000L
+            expirationMsRaw = "86400000"
         )
         val token = realJwtService.generateToken()
 
@@ -51,7 +51,7 @@ class AuthServiceTest {
     fun should_returnFalse_when_expiredTokenValidated() {
         val realJwtService = JwtService(
             secret = "test-secret-key-for-testing-only-must-be-at-least-32-characters",
-            expirationMs = 1L
+            expirationMsRaw = "1"
         )
         val token = realJwtService.generateToken()
 

backend/src/test/kotlin/com/condado/newsletter/service/JwtServiceTest.kt

@@ -0,0 +1,26 @@
+package com.condado.newsletter.service
+
+import io.jsonwebtoken.Jwts
+import io.jsonwebtoken.security.Keys
+import org.junit.jupiter.api.Assertions.assertTrue
+import org.junit.jupiter.api.Test
+
+class JwtServiceTest {
+
+    private val secret = "12345678901234567890123456789012"
+
+    @Test
+    fun should_generate_token_when_expiration_is_empty() {
+        val jwtService = JwtService(secret, "")
+
+        val token = jwtService.generateToken()
+
+        val claims = Jwts.parser()
+            .verifyWith(Keys.hmacShaKeyFor(secret.toByteArray(Charsets.UTF_8)))
+            .build()
+            .parseSignedClaims(token)
+            .payload
+
+        assertTrue(claims.expiration.after(claims.issuedAt))
+    }
+}

docker-compose.prod.yml

@@ -1,40 +1,41 @@
 services:
-
-  # ── PostgreSQL ───────────────────────────────────────────────────────────────
-  postgres:
-    image: postgres:16-alpine
-    restart: always
+  condado-newsletter-postgres:
+    image: postgres:16
+    container_name: condado-newsletter-postgres
+    restart: unless-stopped
     environment:
-      POSTGRES_DB: condado
-      POSTGRES_USER: ${SPRING_DATASOURCE_USERNAME}
-      POSTGRES_PASSWORD: ${SPRING_DATASOURCE_PASSWORD}
+      POSTGRES_DB: ${APP_DB_NAME:-condado}
+      POSTGRES_USER: ${POSTGRES_USER:-condado}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-condado}
     volumes:
       - postgres-data:/var/lib/postgresql/data
     networks:
-      - condado-net
+      - default
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U ${SPRING_DATASOURCE_USERNAME} -d condado"]
+      test: ["CMD-SHELL", "pg_isready -h localhost -U $${POSTGRES_USER:-postgres}"]
       interval: 10s
       timeout: 5s
-      retries: 5
+      retries: 10
+      start_period: 10s
 
-  # ── Backend (Spring Boot) ────────────────────────────────────────────────────
-  backend:
-    build:
-      context: ./backend
-      dockerfile: Dockerfile
-    restart: always
+  condado-newsletter:
+    image: sancho41/condado-newsletter:latest
+    container_name: condado-newsletter
+    restart: unless-stopped
     depends_on:
-      postgres:
+      condado-newsletter-postgres:
         condition: service_healthy
+    networks:
+      - external
+      - default
     environment:
       SPRING_PROFILES_ACTIVE: prod
-      SPRING_DATASOURCE_URL: ${SPRING_DATASOURCE_URL}
-      SPRING_DATASOURCE_USERNAME: ${SPRING_DATASOURCE_USERNAME}
-      SPRING_DATASOURCE_PASSWORD: ${SPRING_DATASOURCE_PASSWORD}
-      APP_PASSWORD: ${APP_PASSWORD}
+      SPRING_JPA_HIBERNATE_DDL_AUTO: ${SPRING_JPA_HIBERNATE_DDL_AUTO:-update}
+      SPRING_DATASOURCE_URL: jdbc:postgresql://condado-newsletter-postgres:5432/${APP_DB_NAME:-condado}
+      SPRING_DATASOURCE_USERNAME: ${SPRING_DATASOURCE_USERNAME:-condado}
+      SPRING_DATASOURCE_PASSWORD: ${SPRING_DATASOURCE_PASSWORD:-condado}
       JWT_SECRET: ${JWT_SECRET}
-      JWT_EXPIRATION_MS: ${JWT_EXPIRATION_MS}
+      JWT_EXPIRATION_MS: ${JWT_EXPIRATION_MS:-86400000}
       MAIL_HOST: ${MAIL_HOST}
       MAIL_PORT: ${MAIL_PORT}
       MAIL_USERNAME: ${MAIL_USERNAME}
@@ -50,27 +51,24 @@ services:
     extra_hosts:
       - "celtinha.desktop:host-gateway"
       - "host.docker.internal:host-gateway"
-    networks:
-      - condado-net
-
-  # ── Frontend + Nginx ─────────────────────────────────────────────────────────
-  nginx:
-    build:
-      context: ./frontend
-      dockerfile: Dockerfile
-      args:
-        VITE_API_BASE_URL: ${VITE_API_BASE_URL}
-    restart: always
-    ports:
-      - "80:80"
-    depends_on:
-      - backend
-    networks:
-      - condado-net
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.condado.rule=Host(`condado-newsletter.lab`)"
+      - "traefik.http.services.condado.loadbalancer.server.port=80"
+      - "traefik.docker.network=traefik"
+      - "homepage.group=Hyperlink"
+      - "homepage.name=Condado Newsletter"
+      - "homepage.description=Automated newsletter generator using AI"
+      - "homepage.logo=claude-dark.png"
+      - "homepage.href=http://condado-newsletter.lab"
 
 volumes:
   postgres-data:
 
 networks:
-  condado-net:
+  default:
     driver: bridge
+  
+  external:
+    name: traefik
+    external: true

docker-compose.yml

@@ -4,14 +4,13 @@ services:
   postgres:
     image: postgres:16-alpine
     restart: unless-stopped
+    container_name: condado-newsletter-postgres
     environment:
       POSTGRES_DB: condado
       POSTGRES_USER: ${SPRING_DATASOURCE_USERNAME}
       POSTGRES_PASSWORD: ${SPRING_DATASOURCE_PASSWORD}
     volumes:
       - postgres-data:/var/lib/postgresql/data
-    networks:
-      - condado-net
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U ${SPRING_DATASOURCE_USERNAME} -d condado"]
       interval: 10s
@@ -20,6 +19,7 @@ services:
 
   # ── Backend (Spring Boot) ────────────────────────────────────────────────────
   backend:
+    container_name: condado-newsletter-backend
     build:
       context: ./backend
       dockerfile: Dockerfile
@@ -29,7 +29,7 @@ services:
         condition: service_healthy
     environment:
       SPRING_PROFILES_ACTIVE: dev
-      SPRING_DATASOURCE_URL: ${SPRING_DATASOURCE_URL}
+      SPRING_DATASOURCE_URL: jdbc:postgresql://postgres:5432/condado
       SPRING_DATASOURCE_USERNAME: ${SPRING_DATASOURCE_USERNAME}
       SPRING_DATASOURCE_PASSWORD: ${SPRING_DATASOURCE_PASSWORD}
       APP_PASSWORD: ${APP_PASSWORD}
@@ -50,36 +50,42 @@ services:
     extra_hosts:
       - "celtinha.desktop:host-gateway"
       - "host.docker.internal:host-gateway"
-    networks:
-      - condado-net
 
   # ── Frontend + Nginx ─────────────────────────────────────────────────────────
   nginx:
+    container_name: condado-newsletter-frontend
     build:
       context: ./frontend
       dockerfile: Dockerfile
       args:
         VITE_API_BASE_URL: ${VITE_API_BASE_URL}
     restart: unless-stopped
-    ports:
-      - "80:80"
     depends_on:
       - backend
     networks:
-      - condado-net
+      - traefik
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.condado.rule=Host(`condado-newsletter.lab`)"
+      - "traefik.http.services.condado.loadbalancer.server.port=80"
+      - "homepage.group=Hyperlink"
+      - "homepage.name=Condado Newsletter"
+      - "homepage.description=Automated newsletter generator using AI"  
+      - "homepage.logo=claude-dark.png"
+      - "homepage.href=http://condado-newsletter.lab"
 
   # ── Mailhog (DEV ONLY — SMTP trap) ───────────────────────────────────────────
   mailhog:
+    container_name: condado-newsletter-mailhog
     image: mailhog/mailhog:latest
     restart: unless-stopped
     ports:
       - "8025:8025"
-    networks:
-      - condado-net
 
 volumes:
   postgres-data:
 
 networks:
-  condado-net:
-    driver: bridge
+  traefik:
+    external: true
+    name: traefik

docker/entrypoint.sh

@@ -1,28 +1,33 @@
 #!/bin/bash
 set -e
 
-# ── Initialise PostgreSQL data directory on first run ─────────────────────────
-if [ ! -f /var/lib/postgresql/data/PG_VERSION ]; then
-    echo "Initialising PostgreSQL data directory..."
-    su -c "/usr/lib/postgresql/16/bin/initdb -D /var/lib/postgresql/data --encoding=UTF8 --locale=C" postgres
-
-    # Start postgres temporarily to create the app database and user
-    su -c "/usr/lib/postgresql/16/bin/pg_ctl -D /var/lib/postgresql/data -w start" postgres
-
-    su -c "psql -c \"CREATE USER condado WITH PASSWORD 'condado';\"" postgres
-    su -c "psql -c \"CREATE DATABASE condado OWNER condado;\"" postgres
-
-    su -c "/usr/lib/postgresql/16/bin/pg_ctl -D /var/lib/postgresql/data -w stop" postgres
-    echo "PostgreSQL initialised."
-fi
+APP_DB_NAME=${APP_DB_NAME:-condado}
+APP_DB_USER=${SPRING_DATASOURCE_USERNAME:-condado}
+APP_DB_PASSWORD=${SPRING_DATASOURCE_PASSWORD:-condado}
 
 # ── Ensure supervisor log directory exists ────────────────────────────────────
 mkdir -p /var/log/supervisor
 
-# ── Defaults for all-in-one local PostgreSQL ─────────────────────────────────
-export SPRING_DATASOURCE_URL=${SPRING_DATASOURCE_URL:-jdbc:postgresql://localhost:5432/condado}
-export SPRING_DATASOURCE_USERNAME=${SPRING_DATASOURCE_USERNAME:-condado}
-export SPRING_DATASOURCE_PASSWORD=${SPRING_DATASOURCE_PASSWORD:-condado}
+# ── Defaults for external PostgreSQL service in production compose ───────────
+export SPRING_DATASOURCE_URL=${SPRING_DATASOURCE_URL:-jdbc:postgresql://condado-newsletter-postgres:5432/${APP_DB_NAME}}
+export SPRING_DATASOURCE_USERNAME=${SPRING_DATASOURCE_USERNAME:-${APP_DB_USER}}
+export SPRING_DATASOURCE_PASSWORD=${SPRING_DATASOURCE_PASSWORD:-${APP_DB_PASSWORD}}
+export JWT_EXPIRATION_MS=${JWT_EXPIRATION_MS:-86400000}
+
+# ── Log all Spring Boot environment variables for debugging ──────────────────
+echo "========================================"
+echo "Spring Boot Configuration:"
+echo "========================================"
+echo "SPRING_DATASOURCE_URL=${SPRING_DATASOURCE_URL}"
+echo "SPRING_DATASOURCE_USERNAME=${SPRING_DATASOURCE_USERNAME}"
+echo "SPRING_DATASOURCE_PASSWORD=${SPRING_DATASOURCE_PASSWORD}"
+echo "JWT_EXPIRATION_MS=${JWT_EXPIRATION_MS}"
+echo "JAVA_OPTS=${JAVA_OPTS:-not set}"
+echo "OPENAI_API_KEY=${OPENAI_API_KEY:-not set}"
+echo "========================================"
 
 # ── Start all services via supervisord ───────────────────────────────────────
+# Export unbuffered output for both Python and Java
+export PYTHONUNBUFFERED=1
+export JAVA_OPTS="${JAVA_OPTS} -Dfile.encoding=UTF-8 -Djava.awt.headless=true"
 exec /usr/bin/supervisord -c /etc/supervisor/conf.d/supervisord.conf

docker/supervisord.conf

@@ -1,27 +1,26 @@
 [supervisord]
 nodaemon=true
-logfile=/var/log/supervisor/supervisord.log
+silent=false
+logfile=/dev/stdout
+logfile_maxbytes=0
 pidfile=/var/run/supervisord.pid
-
-[program:postgres]
-command=/usr/lib/postgresql/16/bin/postgres -D /var/lib/postgresql/data
-user=postgres
-autostart=true
-autorestart=true
-stdout_logfile=/var/log/supervisor/postgres.log
-stderr_logfile=/var/log/supervisor/postgres.err.log
+loglevel=info
 
 [program:backend]
-command=java -jar /app/app.jar
+command=java -Dspring.output.ansi.enabled=always -Dlogging.level.root=DEBUG -jar /app/app.jar
 autostart=true
 autorestart=true
 startsecs=15
-stdout_logfile=/var/log/supervisor/backend.log
-stderr_logfile=/var/log/supervisor/backend.err.log
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 
 [program:nginx]
 command=/usr/sbin/nginx -g "daemon off;"
 autostart=true
 autorestart=true
-stdout_logfile=/var/log/supervisor/nginx.log
-stderr_logfile=/var/log/supervisor/nginx.err.log
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0

frontend/src/pages/DashboardPage.tsx

@@ -27,7 +27,7 @@ export default function DashboardPage() {
 
       <div className="grid gap-4 md:grid-cols-2">
         <div className="rounded-xl border border-slate-800 bg-slate-900/70 p-5 shadow-sm">
-          <p className="text-sm text-slate-400">Active Entities</p>
+          <p className="text-sm text-slate-400">Active Entities:</p>
           <p className="mt-1 text-2xl font-bold">{activeCount} active {activeCount === 1 ? 'entity' : 'entities'}</p>
         </div>
         <div className="rounded-xl border border-slate-800 bg-slate-900/70 p-5 shadow-sm">

nginx/nginx.allinone.conf

@@ -15,6 +15,9 @@ http {
     gzip_types    text/plain text/css application/json application/javascript
                   text/xml application/xml application/xml+rss text/javascript;
 
+    access_log /dev/stdout;
+    error_log  /dev/stderr;
+
     server {
         listen 80;
         server_name _;