davidherran
9b28f8ffaf
Deploy to VPS / deploy (push) Has been cancelled
THREE INTERLOCKING FIXES so editors stop hitting permission walls.
1) DOCKERFILE — gid 65533 (nogroup) on uploaded files
The container was creating files as 1001:65533 because Alpine's
`adduser --system --uid 1001 nextjs` doesn't set a primary group.
Files written through /api/assets ended up with `nogroup` ownership,
which surprised host sysadmins and made `chown -R 1001:1001` revert
on each fresh container start.
Fix: `adduser --system --uid 1001 --ingroup nodejs nextjs`. Now
every file written by the container is 1001:1001 (nextjs:nodejs),
matching the host conventions and the existing chown automation.
2) ENTRYPOINT — recursively normalise existing files
The recursive chown in scripts/docker-entrypoint.sh now sweeps every
subfolder of /app/public/branding|footage|applications|cases|news|
parts|operations-inbox|heritage on each container start, fixing any
files that previously slipped through with the wrong group. Single
fast pass, idempotent. Adds /app/public/heritage to the list (was
missing).
3) AUTO-CREATE ASSET BUCKETS on entity create
The big editor UX win: when an admin creates a Case (GlobalNode), an
Application or a News article in HQ Command, the server now also
mkdir's the well-known asset subfolders for that entity. So after
creating "Acme Industries" as a case, the editor immediately gets
/public/cases/acme-industries/{videos,renders,gallery,datasheet,models}
ready — no more "EACCES because the dir wasn't created" gotcha
when they upload their first video.
Implementation:
- src/lib/assetFolders.ts: typed helper with per-scope bucket lists
+ a titleToSlug helper that mirrors the front-end's slugger so the
folder name matches what ApplicationClient expects when rendering
/cases/<slug>/videos/<file>.
- network/actions.ts: createNode -> ensureAssetFolders("cases", slug).
Plus a new server action ensureNodeAssetFolders(id) so the editor
can fix existing nodes without recreating them (one-click "Repair").
- news/actions.ts: createNewsArticle -> ensureAssetFolders("news",slug)
- applications/actions.ts: createApplication -> ensureAssetFolders(...)
DEPLOY (David)
cd /opt/flux-srl
git pull
docker compose up -d --build app
# The entrypoint will fix existing 1001:65533 files automatically
# as the container boots — no manual chown needed.
39 lines
1.7 KiB
Bash
39 lines
1.7 KiB
Bash
#!/bin/sh
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# FLUX container entrypoint.
|
|
#
|
|
# Runs as root briefly so we can:
|
|
# 1. Make sure every mounted upload dir AND every file inside is owned by
|
|
# uid 1001 / gid 1001 (nextjs:nodejs). Without this, files written
|
|
# previously when nextjs had nogroup (gid 65533) stay 1001:65533 and
|
|
# sysadmins on the host see a wrong group.
|
|
# 2. Apply pending Prisma migrations idempotently.
|
|
# 3. Hand off to the Next.js server, dropping privileges to nextjs.
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
set -e
|
|
|
|
# Recursively normalise ownership on every mounted public/* folder. Recursive
|
|
# is fine because (a) Prisma and Next.js never read /app/public except from
|
|
# fs APIs that don't care about ownership, and (b) the chown is fast on local
|
|
# disk even with thousands of files — runs once per container start.
|
|
for dir in \
|
|
/app/public/branding \
|
|
/app/public/footage \
|
|
/app/public/applications \
|
|
/app/public/cases \
|
|
/app/public/news \
|
|
/app/public/parts \
|
|
/app/public/operations-inbox \
|
|
/app/public/heritage; do
|
|
if [ -d "$dir" ]; then
|
|
chown -R 1001:1001 "$dir" 2>/dev/null || true
|
|
fi
|
|
done
|
|
|
|
# Run pending migrations (idempotent).
|
|
su-exec nextjs node ./node_modules/prisma/build/index.js migrate deploy
|
|
|
|
# Boot the Next.js server as the unprivileged user.
|
|
exec su-exec nextjs node server.js
|