Define dedicated OK Folio Dockhand data stack#36
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f8ca52ad30
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| DB_USER: ${DB_USER:?DB_USER is required} | ||
| DB_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD is required} | ||
| DB_NAME: ${DB_NAME:?DB_NAME is required} |
There was a problem hiding this comment.
Use a non-superuser role for the app
This stack uses the same DB_USER/DB_PASSWORD for Postgres initialization as POSTGRES_USER/POSTGRES_PASSWORD above and then passes that role to the app here. The official Postgres entrypoint creates POSTGRES_USER with superuser power, so every production app connection can create/drop extensions and modify cluster-level state despite the runbook saying extension ownership belongs to initdb; use a separate bootstrap/admin user and create/grant a least-privilege app role in initdb.
Useful? React with 👍 / 👎.
| - sh | ||
| - -c | ||
| - exec valkey-server --requirepass "$${VALKEY_PASSWORD:?VALKEY_PASSWORD is required}" --appendonly yes --maxmemory "$${VALKEY_MAXMEMORY:-0}" --maxmemory-policy "$${VALKEY_MAXMEMORY_POLICY:-noeviction}" |
There was a problem hiding this comment.
Keep Valkey on the image entrypoint's non-root path
I checked the valkey/valkey:8-alpine entrypoint: it only chowns /data and switches to the valkey user when the command starts as valkey-server. Starting the container with sh -c skips that branch, so this stack runs Valkey as root and writes root-owned AOF data; invoke valkey-server directly (or add an explicit non-root user/permission setup) so the persistent cache does not depend on root.
Useful? React with 👍 / 👎.
Summary
DB_*.valkey-serverentrypoint path with a rendered read-only config file, avoiding the password in long-running argv.:?guards and keep every legacy mount:ro.rgfails the gate, and document staging the rendered-mount assertion script independent of stack directory depth..envkeys, verified port block recording, Dockhand-only deploy contract, SSE proxy settings, and uid-1000 originals read smoke.Refs #18
Verification
Ran after
git fetch origin && git rebase origin/main:The verifier exited 0.
Attempted an additional local
docker compose -f deploy/dockhand/ok-folio/compose.yaml configinterpolation check, but this environment's Docker CLI does not include the Compose plugin (unknown shorthand flag: 'f' in -f).Live/runtime boundary
This PR does not deploy and does not include concrete host paths, ports, secrets, datasets, Dockhand auth, or live LAN values. The runbook records the required operator steps for the vault copy: concrete verified-free port block, ZFS dataset creation, Infisical values, Dockhand route/UI authorization, healthcheck/schema verification, SSE verification, and uid-1000 originals byte smoke.
Maestro-Backend: codex (0-17m); codex (17m-end, in_place_respawn)
Greptile Summary
This PR adds a dedicated OK Folio Dockhand stack. The main changes are:
vectorandvchord.Confidence Score: 5/5
The dedicated Dockhand stack changes look merge-safe based on the reviewed compose template, init scripts, validation scripts, and runbook updates.
The changes are configuration- and documentation-focused, include dedicated validation scripts, and the described verification covers template checks, build, and Go tests without exposing live host values or secrets.
What T-Rex did
Reviews (2): Last reviewed commit: "Fix ok-folio stack review findings" | Re-trigger Greptile