You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
deploy: harden compose (restart, healthcheck, mem limits, secret gen)
- restart: unless-stopped on ALL services (only caddy had it → one crash was a
permanent outage, exactly the boot-assert episode)
- remnacore healthcheck → /readyz (aggregates PG/Valkey/NATS/outbox); caddy now
depends_on remnacore: service_healthy so it never routes to a not-ready app
- mem_limit on every service (env-overridable) matching the documented sizing —
GOMEMLIMIT was guarding a ceiling that didn't exist
- SECURITY_ENCRYPTION_KEY wired into the remnacore env and generated by
first-deploy (base64 32 bytes) — the shop-bot feature was silently broken
without it
- drop insecure defaults: METRICS admin/admin → generated METRICS_PASS (required);
REMNAWAVE_WEBHOOK_SECRET now required (empty = forgeable webhooks)
- first-deploy back-fills the new required secrets into an older .env before any
compose command, so re-deploys of existing installs keep working
0 commit comments