Decouple dev compose stack from itkdev-docker tooling #469
Open
turegjorup wants to merge 4 commits into
Fresh clones now run end-to-end without host-level itkdev tooling
(itkdev-docker-compose wrapper, external `frontend` traefik network).
- Bundled traefik behind `profiles: [traefik]` (on by default),
terminating TLS on :80/:443 with a self-signed cert. Generated by
`task dev:cert` via alpine/openssl, chained into `task compose-up`.
Script is profile-aware: itkdev devs with `COMPOSE_PROFILES=` in
`.env.local` get a no-op skip.
- Consolidated to a single `docker-compose.yml`. The four ITK-hosting-
specific files (`docker-compose.{override,server,dev,redirect}.yml`)
are dropped; redis/node/playwright/markdownlint/prettier merged in.
- mailpit removed — the app sends no mail.
- `${COMPOSE_FRONTEND_NETWORK}` parameterizes both the network's engine
name and the `traefik.docker.network` labels so the default
(`display_frontend`) never collides with the shared `frontend` network
itkdev hosts pre-create.
- `docker-compose.shared-frontend.yml` overlay for itkdev opt-in:
flips `frontend` to external + matching dotenv overrides documented
in `.env` and README.
- Taskfile: `DOCKER_COMPOSE` default → `docker compose`; the legacy
wrapper remains opt-in via `TASK_DOCKER_COMPOSE=itkdev-docker-compose`.
- New `Compose` workflow lints all four operational modes and
smoke-tests both default and itkdev opt-in stacks. Path-scoped to
compose files, traefik config, dev-cert script, and `.env`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
scripts/dev-cert.sh has a bash shebang and uses `set -o pipefail`, which dash (the Ubuntu runner's `sh`) rejects, so both Compose smoke-test jobs exited at line 16. Invoke the script with `bash` to match its declared interpreter. Also add the missing Unreleased CHANGELOG entry that the changelog gate requires.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Traefik v3 returns 421 (misdirected request) when the TLS SNI differs from the HTTP Host header, irrespective of `sniStrict`. Curl was sending SNI=localhost (from the URL) but Host=display.local.itkdev.dk (to match the router rule), tripping that check. Use `--resolve` so the URL host, SNI, and Host header all match the rule.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
tuj
approved these changes
May 28, 2026
Summary

A fresh `git clone && task site-install` now works end-to-end on any host with Docker Compose v2 + Task — no itkdev-docker-compose wrapper, no pre-created external `frontend` network, no host-level traefik required. Itkdev workflows keep working via dotenv opt-in.

- `profiles: [traefik]` (on by default), terminating TLS on :80/:443 with a self-signed cert. Generated on demand by `task dev:cert` (alpine/openssl in a transient container), chained into `task compose-up`. Profile-aware: itkdev devs with `COMPOSE_PROFILES=` in `.env.local` get a no-op skip.
- `docker-compose.yml` for the dev stack. The four ITK-hosting-specific files (`docker-compose.{override,server,dev,redirect}.yml`) are dropped; previously-overridden services (redis, node, playwright, markdownlint, prettier) are merged into the base. mailpit removed (the app sends no mail).
- `${COMPOSE_FRONTEND_NETWORK}` parameterizes both the network's engine name and the `traefik.docker.network` labels — default `display_frontend` won't collide with the shared `frontend` network itkdev hosts use, so devs can switch between bundled and host-level traefik without manual cleanup.
- `docker-compose.shared-frontend.yml` overlay for itkdev opt-in: flips `frontend` to external. The required `.env.local` block (`COMPOSE_PROFILES=`, `COMPOSE_FILE`, `COMPOSE_FRONTEND_NETWORK=frontend`) is documented in `.env` and the README's new "Itkdev developers: host-level traefik opt-in" section.
- `Taskfile.yml`: `DOCKER_COMPOSE` defaults to plain `docker compose`; the legacy itkdev-docker-compose wrapper remains available via `TASK_DOCKER_COMPOSE=itkdev-docker-compose` in `.env.local`.
- `Compose` workflow lints all four operational modes (default, default + dev tools, postgres overlay, itkdev opt-in) and smoke-tests both default and itkdev stacks. Path-scoped to compose files, traefik config, dev-cert script, and `.env`.

Test plan

- `git clone && task site-install` succeeds on a host with only Docker Compose v2 + Task installed, no itkdev tooling.
- `task dev:cert` generates `traefik/ssl/dev.{crt,key}` covering `COMPOSE_DOMAIN` and `node-${COMPOSE_DOMAIN}`. Second run says "already exists" and exits 0.
- `https://${COMPOSE_DOMAIN}/health` returns 200 through the bundled traefik (accepts self-signed cert).
- `.env.local` containing `COMPOSE_PROFILES=`, `COMPOSE_FILE=docker-compose.yml:docker-compose.shared-frontend.yml`, `COMPOSE_FRONTEND_NETWORK=frontend`, `task site-install` attaches to the host-level traefik on the external `frontend` network. `task dev:cert` reports "skipping dev cert."
- `task compose -- down -v` between switches) doesn't leave colliding networks.
- `task coding-standards:yml/markdown/assets:*` still run via the now profile-gated `prettier`/`markdownlint` services.
- `Compose` workflow passes; `Doctrine` and other unrelated workflows are unaffected.

🤖 Generated with Claude Code
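The profile-aware, idempotent dev-cert step and the `--resolve` smoke test described in this pull request, as an added example that is not the project's `scripts/dev-cert.sh` or its workflow. It assumes OpenSSL 1.1.1+ on the host instead of the alpine/openssl container; the function names, key size and 30-day validity are chosen for illustration.

```sh
#!/bin/sh
# Added example; not the project's scripts/dev-cert.sh.
# Assumes OpenSSL 1.1.1+ on the host (needed for -addext and -ext).
set -eu

# dev_cert DOMAIN DIR [PROFILES]  ->  prints skipped | exists | created
dev_cert() {
  domain=$1 dir=$2 profiles=${3-traefik}
  # Profile-aware: an empty COMPOSE_PROFILES means host-level traefik
  # terminates TLS, so no bundled cert is needed.
  case ",${profiles}," in
    *,traefik,*) ;;
    *) echo "skipped"; return 0 ;;
  esac
  # Idempotent: never overwrite an existing key pair.
  if [ -s "${dir}/dev.crt" ] && [ -s "${dir}/dev.key" ]; then
    echo "exists"; return 0
  fi
  mkdir -p "${dir}"
  # Self-signed, server-auth only, short-lived (30 days is a constructed value).
  # SANs cover both COMPOSE_DOMAIN and node-${COMPOSE_DOMAIN}.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "${dir}/dev.key" -out "${dir}/dev.crt" \
    -subj "/CN=${domain}" \
    -addext "subjectAltName=DNS:${domain},DNS:node-${domain}" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
  chmod 600 "${dir}/dev.key"   # private key readable by owner only
  echo "created"
}

# cert_covers CERT NAME: succeeds only if NAME is listed exactly as a DNS SAN.
cert_covers() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr -d ' ' | tr ',' '\n' | grep -xF "DNS:$2" >/dev/null
}

# smoke DOMAIN: prints the HTTP status of /health through the bundled traefik.
# --resolve keeps URL host, TLS SNI and Host header identical (avoids the 421);
# -k accepts the self-signed certificate.
smoke() {
  curl -ksS -o /dev/null -w '%{http_code}' \
    --resolve "$1:443:127.0.0.1" "https://$1/health"
}
```

Scope `-k` to this local smoke test only; against anything other than the dev stack, pass the generated certificate with `--cacert` instead.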