Skip to content

Define dedicated OK Folio Dockhand data stack#36

Merged
kossoy merged 2 commits into
mainfrom
feat/folio-11-18-define-the-dedicated-ok-folio-postgres--
Jun 26, 2026
Merged

Define dedicated OK Folio Dockhand data stack#36
kossoy merged 2 commits into
mainfrom
feat/folio-11-18-define-the-dedicated-ok-folio-postgres--

Conversation

@kossoy

@kossoy kossoy commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add a public-safe Dockhand compose template for the dedicated OK Folio Postgres + Valkey + app stack.
  • Split Postgres bootstrap credentials from the least-privilege app role; initdb creates extensions as superuser and creates/grants the app role from DB_*.
  • Start Valkey through the image valkey-server entrypoint path with a rendered read-only config file, avoiding the password in long-running argv.
  • Require all legacy photo host-path variables with Compose :? guards and keep every legacy mount :ro.
  • Harden stack verification so missing/failing rg fails the gate, and document staging the rendered-mount assertion script independent of stack directory depth.
  • Add the operator runbook covering ZFS setup, Infisical .env keys, verified port block recording, Dockhand-only deploy contract, SSE proxy settings, and uid-1000 originals read smoke.

Refs #18

Verification

Ran after git fetch origin && git rebase origin/main:

$ ./scripts/product-verifier.sh
npm warn Unknown builtin config "globalignorefile". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm warn deprecated glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version.

added 313 packages, and audited 314 packages in 4s
found 0 vulnerabilities
npm warn allow-scripts 1 package has install scripts not yet covered by allowScripts: esbuild@0.28.1

> dashboard@0.0.0 build
> tsc -b && vite build

vite v7.3.6 building client environment for production...
✓ 906 modules transformed.
✓ built in 3.72s
ok-folio stack template check passed
# github.com/mattn/go-sqlite3
sqlite3-binding.c:123133:9: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
?    ok-folio/cmd/extractor [no test files]
?    ok-folio/dashboard/node_modules/flatted/golang/pkg/flatted [no test files]
ok   ok-folio/internal/api (cached)
ok   ok-folio/internal/config (cached)
?    ok-folio/internal/dashboard [no test files]
ok   ok-folio/internal/database (cached)
?    ok-folio/internal/exif [no test files]
ok   ok-folio/internal/gallery (cached)
?    ok-folio/internal/photoprism [no test files]
?    ok-folio/internal/provider [no test files]
ok   ok-folio/internal/provider/telegram (cached)
ok   ok-folio/internal/provider/webgallery (cached)
?    ok-folio/internal/scheduler [no test files]
ok   ok-folio/internal/scraper (cached)
ok   ok-folio/internal/testguard (cached)
ok   ok-folio/pkg/retry (cached)

The verifier exited 0.

Attempted an additional local docker compose -f deploy/dockhand/ok-folio/compose.yaml config interpolation check, but this environment's Docker CLI does not include the Compose plugin (unknown shorthand flag: 'f' in -f).

Live/runtime boundary

This PR does not deploy and does not include concrete host paths, ports, secrets, datasets, Dockhand auth, or live LAN values. The runbook records the required operator steps for the vault copy: concrete verified-free port block, ZFS dataset creation, Infisical values, Dockhand route/UI authorization, healthcheck/schema verification, SSE verification, and uid-1000 originals byte smoke.

Maestro-Backend: codex (0-17m); codex (17m-end, in_place_respawn)

Greptile Summary

This PR adds a dedicated OK Folio Dockhand stack. The main changes are:

  • A public-safe Compose template for Postgres, Valkey, and the app.
  • Postgres initdb setup for vector and vchord.
  • A rendered Valkey config template.
  • Checks for stack template rules and read-only legacy mounts.
  • Product verifier wiring for the new stack check.
  • Operator runbooks for Dockhand deployment and image usage.

Confidence Score: 5/5

The dedicated Dockhand stack changes look merge-safe based on the reviewed compose template, init scripts, validation scripts, and runbook updates.

The changes are configuration- and documentation-focused, include dedicated validation scripts, and the described verification covers template checks, build, and Go tests without exposing live host values or secrets.

T-Rex T-Rex Logs

What T-Rex did

  • Captured the stack-template before-state log showing missing files in base HEAD.
  • Captured the stack-template after-state log showing the head and all changed files present, and confirmed the stack checker exit code 0 with the product-verifier invoking the stack-template check script.
  • Captured the initdb-extensions before-state log showing absence of 010-vector-extensions.sh and related files and the compose initdb mount.
  • Captured the initdb-extensions after-state log showing head checkout, executable 010-vector-extensions.sh, its SQL body, compose image/mount/preload settings, and the verifier output ok-folio stack template check passed, plus app-code rg exit code 1 for no matches and Docker unavailable for DB runtime fallback.
  • Captured the legacy-mounts-ro before-state log showing base checkout succeeded and the assertion script exited with status 1.
  • Captured the legacy-mounts-ro after-state log showing the good fixture passed, the missing :ro fixture failed, the empty host-source fixture failed, and template validation passed.
  • Captured the runbook-contract before-state log showing the assertion script on base exiting 1, with missing dedicated runbook and missing registry handoff.
  • Captured the runbook-contract after-state log showing the same assertion script on head exiting 0, with all documentation contract checks passing and matching excerpts captured.
  • Noted that the runbook-contract-check.sh script contains the executed grep/assertion checks used for both before and after runs.

View all artifacts

T-Rex Ran code and verified through T-Rex

Reviews (2): Last reviewed commit: "Fix ok-folio stack review findings" | Re-trigger Greptile

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f8ca52ad30

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +76 to +78
DB_USER: ${DB_USER:?DB_USER is required}
DB_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD is required}
DB_NAME: ${DB_NAME:?DB_NAME is required}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Use a non-superuser role for the app

This stack uses the same DB_USER/DB_PASSWORD for Postgres initialization as POSTGRES_USER/POSTGRES_PASSWORD above and then passes that role to the app here. The official Postgres entrypoint creates POSTGRES_USER with superuser power, so every production app connection can create/drop extensions and modify cluster-level state despite the runbook saying extension ownership belongs to initdb; use a separate bootstrap/admin user and create/grant a least-privilege app role in initdb.

Useful? React with 👍 / 👎.

Comment thread deploy/dockhand/ok-folio/compose.yaml Outdated
Comment on lines +44 to +46
- sh
- -c
- exec valkey-server --requirepass "$${VALKEY_PASSWORD:?VALKEY_PASSWORD is required}" --appendonly yes --maxmemory "$${VALKEY_MAXMEMORY:-0}" --maxmemory-policy "$${VALKEY_MAXMEMORY_POLICY:-noeviction}"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep Valkey on the image entrypoint's non-root path

I checked the valkey/valkey:8-alpine entrypoint: it only chowns /data and switches to the valkey user when the command starts as valkey-server. Starting the container with sh -c skips that branch, so this stack runs Valkey as root and writes root-owned AOF data; invoke valkey-server directly (or add an explicit non-root user/permission setup) so the persistent cache does not depend on root.

Useful? React with 👍 / 👎.

Comment thread deploy/dockhand/ok-folio/compose.yaml Outdated
Comment thread deploy/dockhand/ok-folio/compose.yaml Outdated
Comment thread scripts/check-ok-folio-stack-template.sh Outdated
Comment thread docs/dedicated-dockhand-stack-runbook.md Outdated
@kossoy kossoy merged commit f80dc97 into main Jun 26, 2026
4 checks passed
@kossoy kossoy deleted the feat/folio-11-18-define-the-dedicated-ok-folio-postgres-- branch June 26, 2026 01:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant