github/TREK
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: infrastructure hardening and documentation improvements

Browse Source 
- Add *.sqlite* patterns to .gitignore
- Expand .dockerignore to exclude chart/, docs/, .github/, etc.
- Add HEALTHCHECK instruction to Dockerfile
- Fix Helm chart: preserve JWT secret across upgrades (lookup),
  add securityContext, conditional PVC creation, resource defaults
- Remove hardcoded demo credentials from MCP.md
- Complete .env.example with all configurable environment variables

https://claude.ai/code/session_01SoQKcF5Rz9Y8Nzo4PzkxY8
This commit is contained in:
Claude
2026-03-30 23:35:12 +00:00
parent 2288f9d2fc
commit 643504d89b
9 changed files with 77 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
.dockerignore
View File

@@ -5,6 +5,24 @@ client/dist
data data
uploads uploads
.git .git
.github
.env .env
.env.*
*.log *.log
*.md *.md
!client/**/*.md
chart/
docs/
docker-compose.yml
unraid-template.xml
*.sqlite
*.sqlite-shm
*.sqlite-wal
*.db
*.db-shm
*.db-wal
coverage
.DS_Store
Thumbs.db
.vscode
.idea

3
.gitignore vendored
View File

@@ -11,6 +11,9 @@ client/public/icons/*.png
*.db *.db
*.db-shm *.db-shm
*.db-wal *.db-wal
*.sqlite
*.sqlite-shm
*.sqlite-wal
# User data # User data
server/data/ server/data/

3
Dockerfile
View File

@@ -39,5 +39,8 @@ ENV PORT=3000
EXPOSE 3000 EXPOSE 3000
HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
CMD wget -qO- http://localhost:3000/api/health || exit 1
# Entrypoint: fix volume permissions then start as node # Entrypoint: fix volume permissions then start as node
CMD ["sh", "-c", "chown -R node:node /app/data /app/uploads 2>/dev/null; exec su-exec node node --import tsx src/index.ts"] CMD ["sh", "-c", "chown -R node:node /app/data /app/uploads 2>/dev/null; exec su-exec node node --import tsx src/index.ts"]

5
MCP.md
View File

@@ -229,11 +229,6 @@ Currency: CHF. Use get_trip_summary at the end and give me a quick recap
of everything that was added. of everything that was added.
``` ```
Database file: https://share.jubnl.ch/s/S7bBpj42mB
Email: admin@admin.com \
Password: admin123
PDF of the generated trip: [./docs/TREK-Generated-by-MCP.pdf](./docs/TREK-Generated-by-MCP.pdf) PDF of the generated trip: [./docs/TREK-Generated-by-MCP.pdf](./docs/TREK-Generated-by-MCP.pdf)
![trip](./docs/screenshot-trip-mcp.png) ![trip](./docs/screenshot-trip-mcp.png)

6
chart/templates/deployment.yaml
View File

@@ -20,10 +20,16 @@ spec:
- name: {{ .name }} - name: {{ .name }}
{{- end }} {{- end }}
{{- end }} {{- end }}
securityContext:
fsGroup: 1000
containers: containers:
- name: trek - name: trek
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }} imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- with .Values.resources }}
resources:
{{- toYaml . | nindent 12 }}
{{- end }}
ports: ports:
- containerPort: 3000 - containerPort: 3000
envFrom: envFrom:

2
chart/templates/pvc.yaml
View File

@@ -1,3 +1,4 @@
{{- if .Values.persistence.enabled }}
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
@@ -23,3 +24,4 @@ spec:
resources: resources:
requests: requests:
storage: {{ .Values.persistence.uploads.size }} storage: {{ .Values.persistence.uploads.size }}
{{- end }}

8
chart/templates/secret.yaml
View File

@@ -11,13 +11,19 @@ data:
{{- end }} {{- end }}
{{- if and (not .Values.existingSecret) (.Values.generateJwtSecret) }} {{- if and (not .Values.existingSecret) (.Values.generateJwtSecret) }}
{{- $secretName := printf "%s-secret" (include "trek.fullname" .) }}
{{- $existingSecret := (lookup "v1" "Secret" .Release.Namespace $secretName) }}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: {{ include "trek.fullname" . }}-secret name: {{ $secretName }}
labels: labels:
app: {{ include "trek.name" . }} app: {{ include "trek.name" . }}
type: Opaque type: Opaque
stringData: stringData:
{{- if and $existingSecret $existingSecret.data }}
{{ .Values.existingSecretKey | default "JWT_SECRET" }}: {{ index $existingSecret.data (.Values.existingSecretKey | default "JWT_SECRET") | b64dec }}
{{- else }}
{{ .Values.existingSecretKey | default "JWT_SECRET" }}: {{ randAlphaNum 32 }} {{ .Values.existingSecretKey | default "JWT_SECRET" }}: {{ randAlphaNum 32 }}
{{- end }} {{- end }}
{{- end }}

8
chart/values.yaml
View File

@@ -38,7 +38,13 @@ persistence:
uploads: uploads:
size: 1Gi size: 1Gi
resources: {} resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
ingress: ingress:
enabled: false enabled: false

33
server/.env.example
View File

@@ -1,4 +1,33 @@
PORT=3001 PORT=3000
JWT_SECRET=your-super-secret-jwt-key-change-in-production
NODE_ENV=development NODE_ENV=development
DEBUG=false DEBUG=false
# REQUIRED for production — generate with: openssl rand -hex 32
JWT_SECRET=CHANGEME_GENERATE_WITH_openssl_rand_hex_32
# Timezone (defaults to system timezone)
# TZ=UTC
# CORS — comma-separated origins (leave unset for same-origin in production, allow-all in development)
# ALLOWED_ORIGINS=https://trek.example.com
# Force HTTPS redirect (set to true behind TLS-terminating proxy)
# FORCE_HTTPS=true
# Trust proxy (set to number of proxy hops, e.g. 1 for single reverse proxy)
# TRUST_PROXY=1
# Application URL (used for OIDC callback validation)
# APP_URL=https://trek.example.com
# Demo mode (enables demo login, disables registration)
# DEMO_MODE=false
# --- OIDC / SSO ---
# OIDC_ISSUER=https://auth.example.com
# OIDC_CLIENT_ID=
# OIDC_CLIENT_SECRET=
# OIDC_DISPLAY_NAME=SSO
# OIDC_ONLY=false
# OIDC_ADMIN_CLAIM=groups
# OIDC_ADMIN_VALUE=app-trek-admins