feat: update Dockerfile and Ansible configurations for improved deployment and security

- Enhanced Dockerfile to include TLS root store for outbound HTTPS and updated pnpm version to 10.17.1.
- Modified .gitignore to exclude additional Ansible files for better repository cleanliness.
- Improved Ansible playbook to validate required database variables and ensure derived URLs are not preset.
- Updated inventory files to separate sensitive information and ensure proper host configuration.
- Enhanced environment variable management in vars.example.yml for better clarity and security.

Author: regenrek

.cursor/commands/problem-analyzer.md

@@ -0,0 +1,21 @@
+Tasks:
+1) Locate all files/modules affected by the issue. List paths and why each is implicated.
+2) Explain the root cause(s): what changed, how it propagates to the failure, and any environmental factors.
+3) Propose the minimal, safe fix. Include code-level steps, side effects, and tests to add/update.
+4) Flag any missing or outdated documentation/configs/schemas that should be updated or added (especially if code appears outdated vs. current behavior). Specify exact docs/sections to create or amend.
+
+Output format:
+- Affected files:
+  - <path>: <reason>
+- Root cause:
+  - <concise explanation>
+- Proposed fix:
+  - <steps/patch outline>
+  - Tests:
+- Documentation gaps:
+  - <doc_section_what_to_update_add>
+- Open questions/assumptions:
+  - <items>
+  
+  
+ DON'T CODE YET.

.gitignore

@@ -106,3 +106,5 @@ infra/ansible/group_vars/constructa/vars.yml
 *.tfstate
 *.tfstate.*
 *.tfstate.backup
+.ansible
+hosts.local.ini

Dockerfile

@@ -1,14 +1,14 @@
 # ---- Stage 1: Build ----------------------------------------------------------
 FROM node:22-alpine AS builder
 
-# Slightly better compatibility on alpine
-RUN apk add --no-cache libc6-compat
+# Slightly better compatibility on alpine + TLS root store for outbound HTTPS
+RUN apk add --no-cache libc6-compat ca-certificates
 
 # Allow Vite build to use more memory inside the builder container
 ENV NODE_OPTIONS="--max-old-space-size=4096"
 
 # Use pnpm
-RUN corepack enable && corepack prepare pnpm@9.14.4 --activate
+RUN corepack enable && corepack prepare pnpm@10.17.1 --activate
 
 WORKDIR /app
 
@@ -24,16 +24,17 @@ RUN pnpm run build
 # ---- Stage 2: Runtime --------------------------------------------------------
 FROM node:22-alpine AS runner
 
-RUN apk add --no-cache libc6-compat
-RUN corepack enable && corepack prepare pnpm@9.14.4 --activate
+RUN apk add --no-cache libc6-compat ca-certificates
+RUN npm install -g pnpm@10.17.1
 
 WORKDIR /app
-ENV NODE_ENV=production
 ENV PORT=5000
 
-# Install production dependencies only
+# Install runtime dependencies (keep dev tools for migrations/worker)
 COPY package.json pnpm-lock.yaml ./
-RUN pnpm install --prod --frozen-lockfile
+RUN pnpm install --frozen-lockfile
+
+ENV NODE_ENV=production
 
 # Copy build output and runtime assets
 COPY --from=builder /app/.output ./.output

cli/index.ts

@@ -72,19 +72,46 @@ const checkDocker = () => {
 }
 
 type Remote = { host: string; user: string }
+type InventoryEntry = { host?: string; user?: string }
+
+const inventoryFiles = [
+  'infra/ansible/inventory/hosts.ini',
+  'infra/ansible/inventory/hosts.local.ini'
+]
+
+const loadInventoryEntries = (): Record<string, InventoryEntry> => {
+  const entries: Record<string, InventoryEntry> = {}
+  for (const file of inventoryFiles) {
+    if (!existsSync(file)) continue
+    const content = readFileSync(file, 'utf8')
+    for (const rawLine of content.split('\n')) {
+      const line = rawLine.trim()
+      if (!line || line.startsWith('#') || line.startsWith('[')) continue
+      const [name, ...rest] = line.split(/\s+/)
+      if (!name) continue
+      const data = entries[name] ?? {}
+      for (const kv of rest) {
+        const [key, value] = kv.split('=')
+        if (!key || typeof value === 'undefined') continue
+        if (key === 'ansible_host') data.host = value
+        if (key === 'ansible_user') data.user = value
+      }
+      entries[name] = data
+    }
+  }
+  return entries
+}
+
 const resolveRemote = (env: 'dev' | 'prod'): Remote => {
-  const invPath = 'infra/ansible/inventory/hosts.ini'
-  const inv = readFileSync(invPath, 'utf8')
   const name = `ex0-${env}`
-  const line = inv
-    .split('\n')
-    .map((l) => l.trim())
-    .find((l) => l.startsWith(name))
-  if (!line) throw new Error(`No inventory entry for ${name} in ${invPath}`)
-  const host = /ansible_host=([^\s]+)/.exec(line)?.[1]
-  const user = /ansible_user=([^\s]+)/.exec(line)?.[1] || 'deploy'
-  if (!host) throw new Error(`Missing ansible_host for ${name}`)
-  return { host, user }
+  const entries = loadInventoryEntries()
+  const entry = entries[name]
+  if (!entry?.host || entry.host === '<insert' || entry.host.includes(' ')) {
+    throw new Error(
+      `Missing ansible_host for ${name}. Fill hosts.local.ini with "${name} ansible_host=<ip> ansible_user=deploy".`
+    )
+  }
+  return { host: entry.host, user: entry.user ?? 'deploy' }
 }
 
 const getDataDir = () => {
@@ -416,6 +443,8 @@ const deployBranchCommand = defineCommand({
 })
 
 // ----- Logs & Restart on remote (defaults to dev) -----
+const composeFilePath = '/opt/constructa/compose.yml'
+
 const logsCommand = defineCommand({
   meta: { name: 'logs', description: 'Stream remote compose logs' },
   args: {
@@ -428,7 +457,8 @@ const logsCommand = defineCommand({
     const password = await getSudoPassword()
     const safeTail = Number.isFinite(args.tail) ? args.tail : 100
     const safeService = escapeSingleQuotes(args.service)
-    const command = `cd '/opt/constructa' && sudo -SE docker compose logs -f --tail=${safeTail} '${safeService}'`
+    const command =
+      `cd '/opt/constructa' && sudo -SE docker compose -f '${composeFilePath}' logs -f --tail=${safeTail} '${safeService}'`
     runRemote(remote, command, `Logs (${args.service})`, { sudo: true, password })
   }
 })
@@ -440,7 +470,8 @@ const restartCommand = defineCommand({
     const remote = resolveRemote(args.env as 'dev' | 'prod')
     const password = await getSudoPassword()
     const safeService = escapeSingleQuotes(args.service)
-    const command = `cd '/opt/constructa' && sudo -SE docker compose restart '${safeService}'`
+    const command =
+      `cd '/opt/constructa' && sudo -SE docker compose -f '${composeFilePath}' restart '${safeService}'`
     runRemote(remote, command, `Restart ${args.service}`, { sudo: true, password })
   }
 })

infra/ansible/group_vars/constructa/vars.example.yml

@@ -8,14 +8,20 @@
 
 constructa_deploy_dir: /opt/constructa
 
+# Optional Docker daemon DNS overrides (helps containers reach the Internet)
+# Leave empty to skip writing /etc/docker/daemon.json
+constructa_docker_dns_servers:
+  - '1.1.1.1'
+  - '8.8.8.8'
+
 # Sudo password for the deploy user (store encrypted via Vault)
 constructa_deploy_sudo_passwort: 'change-me-deploy-password'
 
 # Make Ansible escalate with the password above
 ansible_become: true
 ansible_become_method: sudo
-ansible_become_password: "{{ constructa_deploy_sudo_passwort }}"
-ansible_become_flags: "-SE"
+ansible_become_password: '{{ constructa_deploy_sudo_passwort }}'
+ansible_become_flags: '-SE'
 
 # Optional: login to image registry before pulling
 constructa_enable_registry_login: false
@@ -47,7 +53,8 @@ constructa_env:
   POSTGRES_USER: 'user'
   POSTGRES_PASSWORD: 'password'
   POSTGRES_DB: 'ex0'
-  DATABASE_URL: 'postgresql://user:password@db:5432/ex0'
+  POSTGRES_HOST: 'db'
+  POSTGRES_PORT: '5432'
 
   # MinIO/S3
   MINIO_ROOT_USER: 'minioadmin'
@@ -58,11 +65,10 @@ constructa_env:
   S3_SECRET_ACCESS_KEY: '${MINIO_ROOT_PASSWORD}'
   S3_BUCKET: '${MINIO_BUCKET}'
   S3_ENABLE_PATH_STYLE: '1'
-  S3_PREVIEW_URL_EXPIRE_IN: '7200'
+  S3_PREVIEW_URL_EXPIRE_IN: '900'
 
   # Redis / BullMQ
   REDIS_PASSWORD: 'change-me-redis-password'
-  REDIS_URL: 'redis://:${REDIS_PASSWORD}@redis:6379'
   BULLMQ_PREFIX: 'constructa'
   DAILY_CREDIT_REFILL_CRON: '0 3 * * *'
   JOB_DAILY_CREDIT_REFILL_URL: 'http://app:3000/api/jobs/daily-credit-refill'
@@ -91,3 +97,6 @@ constructa_env:
   POLAR_PRODUCT_BUSINESS_MONTHLY: ''
   POLAR_PRODUCT_CREDITS_50: ''
   POLAR_PRODUCT_CREDITS_100: ''
+
+  # Frontend logging helpers
+  VITE_BROWSER_ECHO_ENABLED: 'false'

infra/ansible/inventory/hosts.ini

@@ -1,4 +1,4 @@
 [constructa]
-# Replace with the reachable hostname or IP of your Compose host
-# example: ex0-dev ansible_user=deploy
-ex0-dev ansible_host=5.75.251.186 ansible_user=deploy
+# Replace with the reachable hostname or IP of your Compose host.
+# Keep secrets/real IP addresses in hosts.local.ini (gitignored).
+ex0-dev ansible_host=<insert server ip> ansible_user=deploy