BetterFrame/deploy/docker/docker-compose.yml

# BetterFrame stack: server + Angie proxy + Node-RED.
# Kiosk runs on the Pi natively (not in Docker, needs Wayland/HDMI).
#
# Usage:
#   docker compose -f deploy/docker/docker-compose.yml up -d --build
#
# Volumes (override per-deployment via env — see Coolify "Environment"):
#   BF_DATA_VOLUME_NAME       default "betterframe-data"
#   NODERED_DATA_VOLUME_NAME  default "nodered-data"
#   BF_HOST_PORT              default 80 (host edge port mapped to angie)
#
# Coolify ops: set these env vars on the resource so each deployment owns its
# own named volumes (e.g. "bf-prod-data" vs "bf-staging-data"). For host bind
# mounts or NFS / S3-CSI volumes, use Coolify's per-service "Storage" UI
# rather than templating driver_opts here — JSON injection via env is brittle.
#
# Only ${BF_HOST_PORT}:80 is published on the host. Backend services and
# Node-RED are reachable only from within the Docker network.
version: "3.8"

services:
  server:
    build:
      context: ../..
      dockerfile: deploy/docker/Dockerfile.server
    container_name: betterframe-server
    restart: unless-stopped
    # Env overrides win over sec-config.yaml — Coolify / k8s inject these.
    environment:
      - TZ=UTC
      - BF_DATA_DIR=/var/lib/betterframe
      - BF_SQLITE_PATH=/var/lib/betterframe/betterframe.db
      - BF_NODERED_URL=http://nodered:1880
      - BF_SELF_URL=http://server:18080
      # Optional: paste Ed25519 PEM private key here for firmware signing.
      # - BF_FIRMWARE_SIGNING_KEY=
      # Optional MQTT telemetry bridge (ThingsBoard / HA / Influx / etc).
      # - BF_MQTT_URL=mqtt://broker:1883
      # - BF_MQTT_USERNAME=
      # - BF_MQTT_PASSWORD=
      # - BF_MQTT_TOPIC_PREFIX=betterframe
    volumes:
      - betterframe-data:/var/lib/betterframe
      - ./sec-config.yaml:/app/server/sec-config.yaml:ro
    expose:
      - "18080"
      - "18081"
      - "18082"
    healthcheck:
      test: ["CMD-SHELL", "wget -qO- http://localhost:18080/healthz || exit 1"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 30s
    networks:
      - betterframe

  angie:
    image: nginx:alpine
    container_name: betterframe-angie
    restart: unless-stopped
    depends_on:
      - server
      - nodered
    ports:
      - "${BF_HOST_PORT:-80}:80"
    volumes:
      - ../angie/betterframe.docker.conf:/etc/nginx/conf.d/default.conf:ro
    networks:
      - betterframe

  nodered:
    build:
      context: ../..
      dockerfile: deploy/docker/Dockerfile.nodered
    container_name: betterframe-nodered
    restart: unless-stopped
    environment:
      - TZ=UTC
    volumes:
      - nodered-data:/data
      - ./nodered-settings.js:/data/settings.js:ro
    expose:
      - "1880"
    healthcheck:
      test: ["CMD-SHELL", "wget -qO- http://localhost:1880/nrdp/auth/login >/dev/null || exit 1"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 60s
    networks:
      - betterframe

volumes:
  # Top-level keys are the in-compose references used above. `name:` sets the
  # actual docker volume name on the host so multiple Coolify deployments on
  # the same host can share machine without name collisions. Default keeps
  # backward compat with existing single-host deployments.
  betterframe-data:
    name: ${BF_DATA_VOLUME_NAME:-betterframe-data}
  nodered-data:
    name: ${NODERED_DATA_VOLUME_NAME:-nodered-data}

networks:
  betterframe:
    driver: bridge
fix(deploy): make Docker the service runtime Remove host daemon deployment for server, proxy, and Node-RED so Node-RED is only reachable through the Compose proxy boundary. 2026-05-11 08:08:33 +00:00			`# BetterFrame stack: server + Angie proxy + Node-RED.`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`# Kiosk runs on the Pi natively (not in Docker, needs Wayland/HDMI).`
			`#`
			`# Usage:`
fix(deploy): make Docker the service runtime Remove host daemon deployment for server, proxy, and Node-RED so Node-RED is only reachable through the Compose proxy boundary. 2026-05-11 08:08:33 +00:00			`# docker compose -f deploy/docker/docker-compose.yml up -d --build`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`#`
feat(deploy): env-overridable volume names + host port for Coolify BF_DATA_VOLUME_NAME, NODERED_DATA_VOLUME_NAME, BF_HOST_PORT keep the compose public while letting per-deployment specifics (host paths, multiple staging/prod instances on one host, alternate edge ports) land in Coolify's env tab. Defaults preserve current behaviour. 2026-05-18 09:50:51 +00:00			`# Volumes (override per-deployment via env — see Coolify "Environment"):`
			`# BF_DATA_VOLUME_NAME default "betterframe-data"`
			`# NODERED_DATA_VOLUME_NAME default "nodered-data"`
			`# BF_HOST_PORT default 80 (host edge port mapped to angie)`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`#`
feat(deploy): env-overridable volume names + host port for Coolify BF_DATA_VOLUME_NAME, NODERED_DATA_VOLUME_NAME, BF_HOST_PORT keep the compose public while letting per-deployment specifics (host paths, multiple staging/prod instances on one host, alternate edge ports) land in Coolify's env tab. Defaults preserve current behaviour. 2026-05-18 09:50:51 +00:00			`# Coolify ops: set these env vars on the resource so each deployment owns its`
			`# own named volumes (e.g. "bf-prod-data" vs "bf-staging-data"). For host bind`
			`# mounts or NFS / S3-CSI volumes, use Coolify's per-service "Storage" UI`
			`# rather than templating driver_opts here — JSON injection via env is brittle.`
			`#`
			`# Only ${BF_HOST_PORT}:80 is published on the host. Backend services and`
			`# Node-RED are reachable only from within the Docker network.`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`version: "3.8"`

			`services:`
			`server:`
			`build:`
			`context: ../..`
			`dockerfile: deploy/docker/Dockerfile.server`
			`container_name: betterframe-server`
			`restart: unless-stopped`
feat(server): env-var overrides for sec-config keys + docker healthchecks 2026-05-14 05:33:10 +00:00			`# Env overrides win over sec-config.yaml — Coolify / k8s inject these.`
			`environment:`
			`- TZ=UTC`
			`- BF_DATA_DIR=/var/lib/betterframe`
			`- BF_SQLITE_PATH=/var/lib/betterframe/betterframe.db`
			`- BF_NODERED_URL=http://nodered:1880`
			`- BF_SELF_URL=http://server:18080`
			`# Optional: paste Ed25519 PEM private key here for firmware signing.`
			`# - BF_FIRMWARE_SIGNING_KEY=`
feat(server): generic MQTT telemetry bridge (off by default) 2026-05-14 05:46:56 +00:00			`# Optional MQTT telemetry bridge (ThingsBoard / HA / Influx / etc).`
			`# - BF_MQTT_URL=mqtt://broker:1883`
			`# - BF_MQTT_USERNAME=`
			`# - BF_MQTT_PASSWORD=`
			`# - BF_MQTT_TOPIC_PREFIX=betterframe`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`volumes:`
			`- betterframe-data:/var/lib/betterframe`
fix(deploy): require proxied local services Bind native backend services and Node-RED to loopback so Angie remains the public auth boundary. Keep Docker on an internal compose network and stop kiosk fallback to a layout when display default is none. 2026-05-11 07:51:00 +00:00			`- ./sec-config.yaml:/app/server/sec-config.yaml:ro`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`expose:`
			`- "18080"`
			`- "18081"`
			`- "18082"`
feat(server): env-var overrides for sec-config keys + docker healthchecks 2026-05-14 05:33:10 +00:00			`healthcheck:`
			`test: ["CMD-SHELL", "wget -qO- http://localhost:18080/healthz \|\| exit 1"]`
			`interval: 30s`
			`timeout: 5s`
			`retries: 3`
			`start_period: 30s`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`networks:`
			`- betterframe`

			`angie:`
			`image: nginx:alpine`
			`container_name: betterframe-angie`
			`restart: unless-stopped`
			`depends_on:`
			`- server`
			`- nodered`
			`ports:`
feat(deploy): env-overridable volume names + host port for Coolify BF_DATA_VOLUME_NAME, NODERED_DATA_VOLUME_NAME, BF_HOST_PORT keep the compose public while letting per-deployment specifics (host paths, multiple staging/prod instances on one host, alternate edge ports) land in Coolify's env tab. Defaults preserve current behaviour. 2026-05-18 09:50:51 +00:00			`- "${BF_HOST_PORT:-80}:80"`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`volumes:`
fix(deploy): gate proxied runtime routes 2026-05-11 06:57:55 +00:00			`- ../angie/betterframe.docker.conf:/etc/nginx/conf.d/default.conf:ro`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`networks:`
			`- betterframe`

			`nodered:`
feat: bake BF Node-RED nodes into nodered Docker image - New deploy/docker/Dockerfile.nodered extends nodered/node-red, npm-installs the workspace nodered/ package into /usr/src/node-red/node_modules so bf-* nodes auto-load on boot. - docker-compose nodered service switched from public image to this build context. Rebuilding (--build) picks up node changes. 2026-05-12 23:57:26 +00:00			`build:`
			`context: ../..`
			`dockerfile: deploy/docker/Dockerfile.nodered`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`container_name: betterframe-nodered`
			`restart: unless-stopped`
			`environment:`
			`- TZ=UTC`
			`volumes:`
			`- nodered-data:/data`
fix(proxy): split Node-RED route surfaces Route backend, kiosk ingest, kiosk dashboards, and public Node-RED HTTP-in separately. Keep Node-RED editor under admin auth and attach kiosk auth when kiosk loads protected dashboard URLs. 2026-05-11 08:44:45 +00:00			`- ./nodered-settings.js:/data/settings.js:ro`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`expose:`
			`- "1880"`
feat(server): env-var overrides for sec-config keys + docker healthchecks 2026-05-14 05:33:10 +00:00			`healthcheck:`
			`test: ["CMD-SHELL", "wget -qO- http://localhost:1880/nrdp/auth/login >/dev/null \|\| exit 1"]`
			`interval: 30s`
			`timeout: 5s`
			`retries: 3`
			`start_period: 60s`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`networks:`
			`- betterframe`

			`volumes:`
feat(deploy): env-overridable volume names + host port for Coolify BF_DATA_VOLUME_NAME, NODERED_DATA_VOLUME_NAME, BF_HOST_PORT keep the compose public while letting per-deployment specifics (host paths, multiple staging/prod instances on one host, alternate edge ports) land in Coolify's env tab. Defaults preserve current behaviour. 2026-05-18 09:50:51 +00:00			# Top-level keys are the in-compose references used above. `name:` sets the
			`# actual docker volume name on the host so multiple Coolify deployments on`
			`# the same host can share machine without name collisions. Default keeps`
			`# backward compat with existing single-host deployments.`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`betterframe-data:`
feat(deploy): env-overridable volume names + host port for Coolify BF_DATA_VOLUME_NAME, NODERED_DATA_VOLUME_NAME, BF_HOST_PORT keep the compose public while letting per-deployment specifics (host paths, multiple staging/prod instances on one host, alternate edge ports) land in Coolify's env tab. Defaults preserve current behaviour. 2026-05-18 09:50:51 +00:00			`name: ${BF_DATA_VOLUME_NAME:-betterframe-data}`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00			`nodered-data:`
feat(deploy): env-overridable volume names + host port for Coolify BF_DATA_VOLUME_NAME, NODERED_DATA_VOLUME_NAME, BF_HOST_PORT keep the compose public while letting per-deployment specifics (host paths, multiple staging/prod instances on one host, alternate edge ports) land in Coolify's env tab. Defaults preserve current behaviour. 2026-05-18 09:50:51 +00:00			`name: ${NODERED_DATA_VOLUME_NAME:-nodered-data}`
feat: deployment artifacts + CEC relay + auth-check endpoint Deployment (deploy/): - systemd units for server (system) and kiosk (user session) - Angie/nginx proxy config — routes admin, api, ws, node-red - Dockerfile + docker-compose for containerized deployment - deploy/README.md with install instructions Auth: - /api/admin/_check endpoint for proxy auth_request subrequest - Returns 200 if admin session valid, 401/403 otherwise - Sets X-BetterFrame-User header for upstream CEC (Pi5 HDMI control): - kiosk/src/cec.rs wraps cec-ctl subprocess - Standby/wake/active-source commands - WS message types "standby" / "wake" dispatched to CEC - Admin UI: Wake/Standby buttons on kiosk edit page - Server sendToKiosk via coordinator 2026-05-10 20:45:56 +00:00
			`networks:`
			`betterframe:`
			`driver: bridge`