feat: enhance Dokku plugin management and update configuration variables

- Added checks and installation commands for Dokku redirect and letsencrypt plugins in site.yml to ensure they are installed and updated to specified versions.
- Updated vars.example.yml to include new variables for redirect and letsencrypt plugin versions, improving configuration clarity.
- Adjusted Docker Compose configurations to use specific image versions for MinIO, Redis, and MeiliSearch, enhancing stability and predictability in deployments.
- Modified cloud-init.yaml to enforce stricter sudo permissions for improved security.
- Enhanced SSH CIDR validation in variables.tf to prevent the use of open access CIDR ranges.

Author: regenrek

.gitignore

@@ -98,5 +98,6 @@ infra/hetzner/terraform.tfstate.*
 /src/server/function/CLAUDE.md.bak
 # Ansible secret overrides
 infra/ansible/group_vars/constructa/vars.yml
+.vault-pass.txt
 # END Ruler Generated Files
-.ex0
+.ex0

infra/ansible/group_vars/constructa/vars.example.yml

@@ -19,8 +19,10 @@ constructa_registry_username: 'your-ghcr-username'
 constructa_registry_password: 'ghp_...'
 
 constructa_redirect_plugin_repo: 'https://github.com/dokku/dokku-redirect.git'
+constructa_redirect_plugin_version: '0.9.1'
 # lets encrypt
 constructa_letsencrypt_plugin_repo: 'https://github.com/dokku/dokku-letsencrypt.git'
+constructa_letsencrypt_plugin_version: '0.22.0'
 constructa_letsencrypt_email: ''
 
 
@@ -35,8 +37,8 @@ constructa_compose_env:
   APP_TAG: 'latest'
 
   # Compose exposes services to the host on this address. Dokku apps reach
-  # them through host.docker.internal, so bind to 0.0.0.0 on the VPS.
-  HOST_BIND_ADDR: '0.0.0.0'
+  # them through host.docker.internal, so we keep them bound to 127.0.0.1 on the VPS.
+  HOST_BIND_ADDR: '127.0.0.1'
   APP_HOSTNAME: 'app.example.com'
   ACME_EMAIL: 'admin@example.com'
 
@@ -49,8 +51,9 @@ constructa_compose_env:
   MINIO_ROOT_USER: 'minioadmin'
   MINIO_ROOT_PASSWORD: 'minioadmin'
   MINIO_BUCKET: 'constructa-files'
+  REDIS_PASSWORD: 'change-me-redis-password'
+  REDIS_URL: 'redis://:change-me-redis-password@127.0.0.1:6379'
   MEILI_MASTER_KEY: 'changeme-master-key'
-  REDIS_URL: 'redis://127.0.0.1:6379'
   MEILI_HOST: 'http://127.0.0.1:7700'
   MEILI_API_KEY: 'changeme-master-key'
   S3_ENDPOINT: 'http://127.0.0.1:9000'
@@ -78,7 +81,7 @@ constructa_compose_env:
   CHECKOUT_CANCEL_URL: 'https://app.example.com/dashboard/billing'
   EMAIL_PROVIDER: 'smtp'
   EMAIL_FROM: 'noreply@example.org'
-  SMTP_HOST: 'smtp.sendgrid.net'
+  SMTP_HOST: 'smtp.example.net'
   SMTP_PORT: '587'
   SMTP_SECURE: 'false'
   SMTP_USER: 'apikey'
@@ -106,7 +109,7 @@ constructa_swap_size: 2G
 constructa_dokku_config:
   NODE_ENV: production
   PORT: '5000'
-  DOKKU_PROXY_PORT_MAP: 'http:80:5000'
+  DOKKU_PROXY_PORT_MAP: 'http:80:5000 https:443:5000'
   DATABASE_URL: 'postgresql://ex0:change-me@host.docker.internal:5432/ex0'
   S3_ENDPOINT: 'http://host.docker.internal:9000'
   S3_REGION: 'us-east-1'
@@ -117,7 +120,7 @@ constructa_dokku_config:
   S3_PREVIEW_URL_EXPIRE_IN: '7200'
   MEILI_HOST: 'http://host.docker.internal:7700'
   MEILI_API_KEY: 'changeme-master-key'
-  REDIS_URL: 'redis://host.docker.internal:6379'
+  REDIS_URL: 'redis://:change-me-redis-password@host.docker.internal:6379'
   SEARCH_REINDEX_ON_BOOT: 'false'
   BULLMQ_PREFIX: 'constructa'
   DAILY_CREDIT_REFILL_CRON: '0 3 * * *'

infra/ansible/site.yml

@@ -252,17 +252,75 @@
       register: constructa_dokku_plugins
       changed_when: false
 
+    - name: Check if Dokku redirect plugin installed
+      become: true
+      command:
+        argv:
+          - dokku
+          - plugin:installed
+          - redirect
+      register: constructa_redirect_installed
+      changed_when: false
+      failed_when: constructa_redirect_installed.rc not in [0, 1]
+      when:
+        - constructa_redirect_enabled | default(false) | bool
+        - constructa_redirect_plugin_repo is defined
+        - constructa_redirect_plugin_repo | length > 0
+
     - name: Install Dokku redirect plugin when missing
       become: true
       command:
         argv:
           - dokku
           - plugin:install
           - "{{ constructa_redirect_plugin_repo | default('https://github.com/dokku/dokku-redirect.git') }}"
+          - --committish
+          - "{{ constructa_redirect_plugin_version }}"
+      register: constructa_redirect_install
+      when:
+        - constructa_redirect_enabled | default(false) | bool
+        - constructa_redirect_plugin_repo is defined
+        - constructa_redirect_plugin_repo | length > 0
+        - constructa_redirect_plugin_version is defined
+        - constructa_redirect_plugin_version | length > 0
+        - constructa_redirect_installed is defined
+        - constructa_redirect_installed.rc != 0
+      changed_when: true
+
+    - name: Pin Dokku redirect plugin to target version
+      become: true
+      command:
+        argv:
+          - dokku
+          - plugin:update
+          - redirect
+          - "{{ constructa_redirect_plugin_version }}"
+      register: constructa_redirect_update
+      changed_when: >-
+        constructa_redirect_update.stdout is defined and
+        ('already' not in (constructa_redirect_update.stdout | lower))
       when:
         - constructa_redirect_enabled | default(false) | bool
-        - constructa_dokku_plugins.stdout is defined
-        - not ('redirect' in (constructa_dokku_plugins.stdout | default('')))
+        - constructa_redirect_plugin_repo is defined
+        - constructa_redirect_plugin_repo | length > 0
+        - constructa_redirect_plugin_version is defined
+        - constructa_redirect_plugin_version | length > 0
+        - constructa_redirect_installed is defined
+        - constructa_redirect_installed.rc == 0
+
+    - name: Check if Dokku letsencrypt plugin installed
+      become: true
+      command:
+        argv:
+          - dokku
+          - plugin:installed
+          - letsencrypt
+      register: constructa_letsencrypt_installed
+      changed_when: false
+      failed_when: constructa_letsencrypt_installed.rc not in [0, 1]
+      when:
+        - constructa_letsencrypt_plugin_repo is defined
+        - constructa_letsencrypt_plugin_repo | length > 0
 
     - name: Install Dokku letsencrypt plugin when missing
       become: true
@@ -271,11 +329,37 @@
           - dokku
           - plugin:install
           - "{{ constructa_letsencrypt_plugin_repo | default('https://github.com/dokku/dokku-letsencrypt.git') }}"
+          - --committish
+          - "{{ constructa_letsencrypt_plugin_version }}"
+      register: constructa_letsencrypt_install
+      when:
+        - constructa_letsencrypt_plugin_repo is defined
+        - constructa_letsencrypt_plugin_repo | length > 0
+        - constructa_letsencrypt_plugin_version is defined
+        - constructa_letsencrypt_plugin_version | length > 0
+        - constructa_letsencrypt_installed is defined
+        - constructa_letsencrypt_installed.rc != 0
+      changed_when: true
+
+    - name: Pin Dokku letsencrypt plugin to target version
+      become: true
+      command:
+        argv:
+          - dokku
+          - plugin:update
+          - letsencrypt
+          - "{{ constructa_letsencrypt_plugin_version }}"
+      register: constructa_letsencrypt_update
+      changed_when: >-
+        constructa_letsencrypt_update.stdout is defined and
+        ('already' not in (constructa_letsencrypt_update.stdout | lower))
       when:
         - constructa_letsencrypt_plugin_repo is defined
         - constructa_letsencrypt_plugin_repo | length > 0
-        - constructa_dokku_plugins.stdout is defined
-        - not ('letsencrypt' in (constructa_dokku_plugins.stdout | default('')))
+        - constructa_letsencrypt_plugin_version is defined
+        - constructa_letsencrypt_plugin_version | length > 0
+        - constructa_letsencrypt_installed is defined
+        - constructa_letsencrypt_installed.rc == 0
 
     - name: Ensure secondary domains exist
       become: true

infra/deploy/compose.yml

@@ -1,5 +1,3 @@
-version: '3.9'
-
 x-app-image: &app_image '${APP_IMAGE:-ghcr.io/your-org/your-repo/app}:${APP_TAG:-latest}'
 
 services:
@@ -22,7 +20,7 @@ services:
       retries: 20
 
   minio:
-    image: quay.io/minio/minio:latest
+    image: minio/minio:RELEASE.2025-04-22T22-12-26Z
     container_name: ex0-minio
     restart: unless-stopped
     environment:
@@ -42,7 +40,7 @@ services:
 
   # one-time bucket/policy provisioning; idempotent; safe to re-run
   provision-minio:
-    image: minio/mc:latest
+    image: minio/mc:RELEASE.2025-04-16T18-13-26Z
     depends_on:
       minio:
         condition: service_healthy
@@ -55,10 +53,20 @@ services:
     restart: 'no'
 
   redis:
-    image: redis:7-alpine
+    image: redis:8.2.1-alpine
     container_name: ex0-redis
     restart: unless-stopped
-    command: ['redis-server', '--save', '60', '1', '--loglevel', 'warning']
+    command:
+      - redis-server
+      - --bind
+      - 127.0.0.1
+      - --save
+      - '60'
+      - '1'
+      - --loglevel
+      - warning
+      - --requirepass
+      - ${REDIS_PASSWORD:?}
     volumes:
       - ex0-redis-data:/data
     ports:
@@ -70,7 +78,7 @@ services:
       retries: 20
 
   meilisearch:
-    image: getmeili/meilisearch:latest
+    image: getmeili/meilisearch:v1.22.0
     container_name: ex0-meili
     restart: unless-stopped
     environment:
@@ -126,7 +134,7 @@ services:
       S3_ENABLE_PATH_STYLE: ${S3_ENABLE_PATH_STYLE:-1}
       S3_PREVIEW_URL_EXPIRE_IN: ${S3_PREVIEW_URL_EXPIRE_IN:-7200}
       # Queue + schedules
-      REDIS_URL: ${REDIS_URL:-redis://127.0.0.1:6379}
+      REDIS_URL: redis://:${REDIS_PASSWORD:?}@127.0.0.1:6379
       BULLMQ_PREFIX: ${BULLMQ_PREFIX:-constructa}
       DAILY_CREDIT_REFILL_CRON: ${DAILY_CREDIT_REFILL_CRON:-0 3 * * *}
       JOB_DAILY_CREDIT_REFILL_URL: ${JOB_DAILY_CREDIT_REFILL_URL:-http://app:3000/api/jobs/daily-credit-refill}

infra/hetzner/cloud-init.yaml

@@ -3,7 +3,7 @@ users:
   - name: ${deploy_username}
     groups: [sudo]
     shell: /bin/bash
-    sudo: ALL=(ALL) NOPASSWD:ALL
+    sudo: ALL=(ALL) ALL
     ssh_authorized_keys:
       - ${deploy_ssh_pubkey}
 
@@ -29,7 +29,6 @@ runcmd:
   - bash -c 'echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo $${VERSION_CODENAME}) stable" > /etc/apt/sources.list.d/docker.list'
   - apt-get update
   - apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
-  - usermod -aG docker ${deploy_username}
   - systemctl enable --now docker
 
   # Wait for Docker to be ready

infra/hetzner/variables.tf

@@ -31,7 +31,14 @@ variable "ssh_public_key_path" {
 variable "allowed_ssh_cidr" {
   description = "CIDR allowed to SSH (e.g., your IP /32)"
   type        = string
-  default     = "0.0.0.0/0"
+
+  validation {
+    condition = !contains(["0.0.0.0/0", "::/0"], var.allowed_ssh_cidr) && anytrue([
+      can(cidrnetmask(var.allowed_ssh_cidr)),
+      can(cidrhost(var.allowed_ssh_cidr, 0))
+    ])
+    error_message = "Provide a specific CIDR (for example 198.51.100.23/32) instead of 0.0.0.0/0 or ::/0."
+  }
 }
 
 variable "enable_http3" {
@@ -44,4 +51,4 @@ variable "deploy_username" {
   description = "Non-root user for SSH deploy"
   type        = string
   default     = "deploy"
-}
+}

src/components/auth/auth-styles.ts

@@ -67,6 +67,8 @@ export const authLocalizationOverrides: Partial<AuthLocalization> = {
   TERMS_OF_SERVICE: 'Terms of Service',
   PRIVACY_POLICY: 'Privacy Policy',
   REQUEST_FAILED: 'An error occurred. Please try again.',
+  OR_CONTINUE_WITH: 'Or continue with',
+  SIGN_IN_WITH: 'Continue with',
 };
 
 // Container styling for auth pages

src/components/auth/social-provider-icons.tsx

@@ -0,0 +1,49 @@
+import type { ComponentType, SVGProps } from 'react';
+import type { SocialProvider } from 'better-auth/social-providers';
+import RiGithubFill from '~icons/ri/github-fill';
+import RiGoogleFill from '~icons/ri/google-fill';
+
+export type SupportedSocialProvider = Extract<SocialProvider, 'github' | 'google'>;
+
+export type SocialProviderDisplay = {
+  readonly id: SupportedSocialProvider;
+  readonly label: string;
+  readonly cta: string;
+  readonly icon: ComponentType<SVGProps<SVGSVGElement>>;
+  readonly buttonClassName: string;
+  readonly iconClassName?: string;
+};
+
+const baseButtonClass =
+  'h-11 w-full justify-center gap-2 rounded-lg border transition-all focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-offset-2';
+
+export const SOCIAL_PROVIDER_DISPLAYS: Record<SupportedSocialProvider, SocialProviderDisplay> = {
+  github: {
+    id: 'github',
+    label: 'Continue with GitHub',
+    cta: 'Sign in with GitHub',
+    icon: RiGithubFill,
+    buttonClassName: `${baseButtonClass} border-transparent bg-[#1F2328] text-white shadow-sm hover:bg-[#161B22] focus-visible:ring-[#8C949E] dark:bg-[#0D1117] dark:hover:bg-[#161B22]`,
+    iconClassName: 'size-5',
+  },
+  google: {
+    id: 'google',
+    label: 'Continue with Google',
+    cta: 'Sign in with Google',
+    icon: RiGoogleFill,
+    buttonClassName: `${baseButtonClass} border-input bg-white text-neutral-900 shadow-sm hover:bg-neutral-100 focus-visible:ring-[#4285F4] dark:text-neutral-900`,
+    iconClassName: 'size-5',
+  },
+};
+
+export function resolveSocialProviderDisplays(
+  providers: ReadonlyArray<SocialProvider> | undefined
+): SocialProviderDisplay[] {
+  if (!providers?.length) {
+    return [];
+  }
+
+  return providers
+    .map((provider) => SOCIAL_PROVIDER_DISPLAYS[provider as SupportedSocialProvider])
+    .filter((value): value is SocialProviderDisplay => Boolean(value));
+}

src/routes/__root.tsx

@@ -96,6 +96,12 @@ function RootComponent() {
 function RootDocument({ children }: { children: React.ReactNode }) {
   const initial = Route.useLoaderData() as Theme;
   const router = useRouter();
+  const hasGithub = !!import.meta.env.VITE_GITHUB_CLIENT_ID;
+  const hasGoogle = !!import.meta.env.VITE_GOOGLE_CLIENT_ID;
+  const socialProviders = [
+    ...(hasGithub ? ['github'] : []),
+    ...(hasGoogle ? ['google'] : []),
+  ];
 
   return (
     <html lang="en" className={initial === 'system' ? '' : initial}>
@@ -110,9 +116,14 @@ function RootDocument({ children }: { children: React.ReactNode }) {
             <AuthUIProviderTanstack
               authClient={authClient}
               redirectTo="/dashboard"
-              navigate={(href) => router.navigate({ href })}
-              replace={(href) => router.navigate({ href, replace: true })}
+              navigate={(to) => router.navigate({ to })}
+              replace={(to) => router.navigate({ to, replace: true })}
               Link={({ href, ...props }) => <Link to={href} {...props} />}
+              social={
+                socialProviders.length > 0
+                  ? { providers: socialProviders }
+                  : undefined
+              }
             >
               <div className="flex min-h-svh flex-col">{children}</div>
               <Toaster />