fix(deploy): bake configs into images — no host bind mounts

Coolify deployments don't always carry the full source tree on disk
at the bind-mount source path. Mounting a missing file lets Docker
auto-create a directory at the target, which then fails to mount over
the file the image expects.

Fix: bake config files into the images themselves:
- Dockerfile.server COPYs deploy/docker/sec-config.yaml → /app/server/.
  Env vars (BF_*) still override at runtime per env-overrides.ts.
- New Dockerfile.angie wraps nginx:alpine + baked betterframe.docker.conf.
- Dockerfile.nodered COPYs nodered-settings.js to /usr/src/bf-settings.js
  (outside the /data volume) and uses --settings to point at it.

Compose drops the three bind mounts; volumes are now strictly
runtime state (DB + secrets, Node-RED flows). Users who want a
different sec-config still get full control via env overrides or
Coolify's Storage UI.

deploy/docker/Dockerfile.angie

@@ -0,0 +1,8 @@
+# BetterFrame edge proxy. nginx:alpine + baked Angie/BF reverse-proxy conf.
+#
+# Built into the image rather than bind-mounted so Coolify deployments that
+# don't have the source repo on disk still get the right /etc/nginx/conf.d.
+
+FROM nginx:alpine
+
+COPY deploy/angie/betterframe.docker.conf /etc/nginx/conf.d/default.conf

deploy/docker/Dockerfile.nodered

@@ -11,9 +11,16 @@ USER root
 # Copy our nodes into a path outside /data (which is volume-mounted)
 COPY nodered /usr/src/betterframe-nodes
 
+# Settings file at a non-/data path so the nodered-data volume doesn't
+# overlay it. CMD passes --settings to point Node-RED at it.
+COPY deploy/docker/nodered-settings.js /usr/src/bf-settings.js
+
 # Install deps for the nodes
 RUN cd /usr/src/betterframe-nodes && \
     npm install --omit=dev && \
-    chown -R node-red:root /usr/src/betterframe-nodes
+    chown -R node-red:root /usr/src/betterframe-nodes /usr/src/bf-settings.js
 
 USER node-red
+
+# Override the default CMD to use the baked settings.js.
+CMD ["npm", "start", "--cache", "/data/.npm", "--", "--userDir", "/data", "--settings", "/usr/src/bf-settings.js"]

deploy/docker/Dockerfile.server

@@ -36,6 +36,10 @@ COPY --from=builder /app/server ./server
 COPY --from=builder /app/tsconfig.base.json ./
 COPY --from=builder /app/package.json ./
 
+# Default sec-config baked into image. BF_* env vars in compose override at
+# runtime (see shared/env-overrides.ts). No host bind mount needed.
+COPY deploy/docker/sec-config.yaml /app/server/sec-config.yaml
+
 RUN mkdir -p /var/lib/betterframe && chown betterframe:betterframe /var/lib/betterframe
 VOLUME /var/lib/betterframe
 

docker-compose.yml

@@ -45,7 +45,6 @@ services:
       # - BF_MQTT_TOPIC_PREFIX=betterframe
     volumes:
       - betterframe-data:/var/lib/betterframe
-      - ./deploy/docker/sec-config.yaml:/app/server/sec-config.yaml:ro
     expose:
       - "18080"
       - "18081"
@@ -60,7 +59,9 @@ services:
       - betterframe
 
   angie:
-    image: nginx:alpine
+    build:
+      context: .
+      dockerfile: deploy/docker/Dockerfile.angie
     container_name: betterframe-angie
     restart: unless-stopped
     depends_on:
@@ -68,8 +69,6 @@ services:
       - nodered
     ports:
       - "${BF_HOST_PORT:-80}:80"
-    volumes:
-      - ./deploy/angie/betterframe.docker.conf:/etc/nginx/conf.d/default.conf:ro
     networks:
       - betterframe
 
@@ -83,7 +82,6 @@ services:
       - TZ=UTC
     volumes:
       - nodered-data:/data
-      - ./deploy/docker/nodered-settings.js:/data/settings.js:ro
     expose:
       - "1880"
     healthcheck: