fix(docker): ensure correct permissions for PostgreSQL directories

Ensure that PGDATA, /run/postgresql, and /var/log/postgresql are owned by the postgres user to prevent volume permission issues during container startup.

.env.example

@@ -1,13 +1,14 @@
-# Trackeep Configuration for Casa OS
-# Only required variables - everything else is auto-configured
+# Trackeep All-in-One Configuration
+# PostgreSQL is bundled inside the container — no external database needed.
+# Everything below is optional; the container auto-generates sensible defaults.
 
-# Host port for the application (default: 8080)
+# Host port mapping (default: 8080)
 HOST_PORT=8080
 
-# Database Configuration
-DB_PASSWORD=your_secure_password_here
-DB_USER=trackeep
-DB_NAME=trackeep
+# Database credentials (auto-generated if left empty)
+# DB_PASSWORD=your_secure_password_here
+# DB_USER=trackeep
+# DB_NAME=trackeep
 
-# JWT Secret (generate with: openssl rand -hex 32)
-JWT_SECRET=your_jwt_secret_here_64_hex_characters_long_exactly
+# JWT Secret (auto-generated and persisted in /data if left empty)
+# JWT_SECRET=your_jwt_secret_here_64_hex_characters_long_exactly

Dockerfile

@@ -20,8 +20,12 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o main .
 # Stage 3: Final unified image
 FROM alpine:latest
 
-# Install dependencies
-RUN apk --no-cache add ca-certificates tzdata nginx
+# Install dependencies including PostgreSQL
+RUN apk --no-cache add ca-certificates tzdata nginx postgresql postgresql-contrib
+
+# Create postgres user directories and fix permissions
+RUN mkdir -p /var/lib/postgresql/data /run/postgresql /var/log/postgresql && \
+    chown -R postgres:postgres /var/lib/postgresql /run/postgresql /var/log/postgresql
 
 # Copy backend binary and migrations
 COPY --from=backend-builder /app/backend/main /app/main
@@ -45,10 +49,10 @@ RUN mkdir -p /app/uploads /data /var/log/nginx
 EXPOSE 8080
 
 # Health check
-HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
+HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
     CMD wget --no-verbose --tries=1 --spider http://localhost:8080/health || exit 1
 
-# Start script to run both backend and nginx
+# Start script to run PostgreSQL, backend and nginx
 COPY docker-entrypoint.sh /docker-entrypoint.sh
 RUN chmod +x /docker-entrypoint.sh
 

README.md

@@ -33,34 +33,23 @@
 
 ## 🚀 Quick Start
 
-### One-Command Deployment (GHCR Image - Recommended for Casa OS)
+### One-Command Deployment (Docker Run)
+
+PostgreSQL is bundled inside the image. Zero external dependencies.
 
 ```bash
 docker run -d \
   --name trackeep \
   -p 8080:8080 \
-  -e DB_PASSWORD=your_password \
-  -e DB_USER=trackeep \
-  -e DB_NAME=trackeep \
-  -e JWT_SECRET=your_jwt_secret \
+  -e DB_PASSWORD=your_secure_password \
+  -e JWT_SECRET=$(openssl rand -hex 32) \
+  -v trackeep_postgres:/var/lib/postgresql/data \
+  -v trackeep_uploads:/app/uploads \
+  -v trackeep_data:/data \
   ghcr.io/dvorinka/trackeep:latest
 ```
 
-**Note**: This requires an external PostgreSQL database. For a complete deployment with the database included, use Docker Compose below.
-
-### Production Deployment with Docker Compose
-
-```bash
-git clone https://github.com/dvorinka/trackeep.git
-cd trackeep
-cp .env.example .env
-# Edit .env file with your configuration
-docker compose up -d
-```
-
-The setup uses a unified Docker image with frontend and backend in a single container.
-
-**Complete docker-compose.yml**:
+### CasaOS / Docker Compose (Copy-Paste Ready)
 
 ```yaml
 icon: https://github.com/Dvorinka/Trackeep/raw/main/trackeepfavi_bg.png
@@ -68,78 +57,47 @@ icon: https://github.com/Dvorinka/Trackeep/raw/main/trackeepfavi_bg.png
 services:
   trackeep:
     image: ghcr.io/dvorinka/trackeep:latest
+    container_name: trackeep
     ports:
       - "${HOST_PORT:-8080}:8080"
-    env_file:
-      - .env
     environment:
-      - BACKEND_PORT=8080
-      - DB_HOST=postgres
-      - DB_PORT=5432
-      - GIN_MODE=release
+      DB_PASSWORD: ${DB_PASSWORD:-}
+      DB_USER: ${DB_USER:-trackeep}
+      DB_NAME: ${DB_NAME:-trackeep}
+      JWT_SECRET: ${JWT_SECRET:-}
+      GIN_MODE: release
     volumes:
-      - ./uploads:/app/uploads
-      - ./data:/data
+      - trackeep_postgres:/var/lib/postgresql/data
+      - trackeep_uploads:/app/uploads
+      - trackeep_data:/data
     restart: unless-stopped
-    depends_on:
-      postgres:
-        condition: service_healthy
-
-  postgres:
-    image: postgres:15-alpine
-    environment:
-      POSTGRES_DB: ${DB_NAME:-trackeep}
-      POSTGRES_USER: ${DB_USER:-trackeep}
-      POSTGRES_PASSWORD: ${DB_PASSWORD}
-    volumes:
-      - postgres_data:/var/lib/postgresql/data
-    restart: unless-stopped
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U ${DB_USER:-trackeep} -d ${DB_NAME:-trackeep}"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-      start_period: 30s
 
 volumes:
-  postgres_data:
+  trackeep_postgres:
+  trackeep_uploads:
+  trackeep_data:
 ```
 
-### Service Architecture
+**Why this is CasaOS-ready:**
+- **Single service** — PostgreSQL runs inside the same container
+- **No `BACKEND_PORT`** — internal backend runs on 8081, only port 8080 is exposed
+- **Named volumes** — CasaOS handles them automatically
+- **Optional env vars** — if `DB_PASSWORD` or `JWT_SECRET` are empty, the container auto-generates them
+- **Icon header** — CasaOS reads the `icon:` field for the app tile
 
-Trackeep deployment consists of **2 services**:
+### Optional Environment Variables
 
-#### **🎯 Trackeep Service (Unified)**
-- **Image**: Built from unified Dockerfile (frontend + backend in one)
-- **Ports**: `${HOST_PORT:-8080}:8080`
-- **Purpose**: Web interface, API server, and business logic combined
-- **Health**: HTTP health check endpoint
-- **Auto-configuration**: Frontend automatically connects to backend via nginx proxy
-
-#### **🗄️ Database Service**
-- **Image**: `postgres:15-alpine`
-- **Purpose**: Data persistence and storage
-- **Health**: PostgreSQL readiness check
-- **Storage**: Persistent volume for data
-
-### Required Environment Variables
-
-Create a `.env` file from the provided `.env.example` and configure these required variables:
+All variables have sensible defaults. Only override what you need:
 
 ```env
-# Host port for the application (default: 8080)
 HOST_PORT=8080
-
-# Database Configuration
-DB_PASSWORD=your_secure_password_here
+DB_PASSWORD=your_secure_password_here   # auto-generated if empty
 DB_USER=trackeep
 DB_NAME=trackeep
-
-# JWT Secret (generate with: openssl rand -hex 32)
-JWT_SECRET=your_jwt_secret_here_64_hex_characters_long_exactly
+JWT_SECRET=your_jwt_secret_here         # auto-generated & persisted if empty
 ```
 
-**Note**: The frontend automatically connects to the backend via nginx proxy - no VITE_API_URL or additional configuration needed.
+**Note:** The frontend automatically connects to the backend via nginx proxy — no `VITE_API_URL` or additional configuration needed.
 
 ### AI Services Configuration
 
@@ -404,25 +362,15 @@ DISABLE_CHINESE_AI=true
    cd Trackeep
    ```
 
-2. **Configure environment**
+2. **Start the container**
    ```bash
-   cp .env.example .env
-   # Edit .env with your configuration
-   ```
-
-3. **Start all services**
-   ```bash
-   # Using the startup script
-   ./start.sh
-   
-   # Or manually with Docker Compose
    docker compose up -d
    ```
 
-4. **Access the application**
-   - Application: http://localhost:${HOST_PORT:-8080}
-   - Health Check: http://localhost:${HOST_PORT:-8080}/health
-   - API: http://localhost:${HOST_PORT:-8080}/api/
+3. **Access the application**
+   - Application: http://localhost:8080
+   - Health Check: http://localhost:8080/health
+   - API: http://localhost:8080/api/
 
 ### Demo Login
 - Email: `demo@trackeep.com`
@@ -489,22 +437,22 @@ Additional documentation files:
 
 ### Environment Variables
 
-Key environment variables to configure:
+Only override what you need — everything else auto-configures:
 
 ```bash
 # Host port for the application
 HOST_PORT=8080
 
-# Database Configuration
+# Database credentials (auto-generated if omitted)
 DB_PASSWORD=your_secure_password_here
 DB_USER=trackeep
 DB_NAME=trackeep
 
-# JWT Configuration (generate with: openssl rand -hex 32)
+# JWT Secret (auto-generated & persisted if omitted)
 JWT_SECRET=your_jwt_secret_here_64_hex_characters_long_exactly
 ```
 
-**Note**: All other configuration has sensible defaults. The frontend automatically connects to the backend via nginx proxy - no additional API URL configuration needed.
+**Note:** All other configuration has sensible defaults. The frontend automatically connects to the backend via nginx proxy — no additional API URL configuration needed.
 
 ## Contributing
 

docker-compose.yml

@@ -1,39 +1,31 @@
+icon: https://github.com/Dvorinka/Trackeep/raw/main/trackeepfavi_bg.png
+
 services:
   trackeep:
-    build:
-      context: .
-      dockerfile: Dockerfile
+    image: ghcr.io/dvorinka/trackeep:latest
+    container_name: trackeep
     ports:
       - "${HOST_PORT:-8080}:8080"
-    env_file:
-      - .env
     environment:
-      - DB_HOST=postgres
-      - DB_PORT=5432
-      - GIN_MODE=release
+      DB_PASSWORD: ${DB_PASSWORD:-}
+      DB_USER: ${DB_USER:-trackeep}
+      DB_NAME: ${DB_NAME:-trackeep}
+      JWT_SECRET: ${JWT_SECRET:-}
+      GIN_MODE: release
+      CORS_ALLOWED_ORIGINS: ${CORS_ALLOWED_ORIGINS:-*}
     volumes:
-      - ./uploads:/app/uploads
-      - ./data:/data
-    restart: unless-stopped
-    depends_on:
-      postgres:
-        condition: service_healthy
-
-  postgres:
-    image: postgres:15-alpine
-    environment:
-      POSTGRES_DB: ${DB_NAME:-trackeep}
-      POSTGRES_USER: ${DB_USER:-trackeep}
-      POSTGRES_PASSWORD: ${DB_PASSWORD}
-    volumes:
-      - postgres_data:/var/lib/postgresql/data
+      - trackeep_postgres:/var/lib/postgresql/data
+      - trackeep_uploads:/app/uploads
+      - trackeep_data:/data
     restart: unless-stopped
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U ${DB_USER:-trackeep} -d ${DB_NAME:-trackeep}"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-      start_period: 30s
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8080/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 60s
 
 volumes:
-  postgres_data:
+  trackeep_postgres:
+  trackeep_uploads:
+  trackeep_data:

docker-entrypoint.sh

@@ -1,24 +1,90 @@
 #!/bin/sh
 
-# Unified entrypoint for Trackeep
-# Starts both backend and nginx in one container
+# All-in-one entrypoint for Trackeep
+# Initializes and starts PostgreSQL, then backend + nginx
 
 set -e
 
-# Backend configuration
+PGDATA=${PGDATA:-/var/lib/postgresql/data}
+
+# Auto-generate DB_PASSWORD if not provided
+if [ -z "$DB_PASSWORD" ]; then
+    DB_PASSWORD=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 32)
+    echo "========================================"
+    echo "WARNING: DB_PASSWORD was not set."
+    echo "Auto-generated password: $DB_PASSWORD"
+    echo "Set DB_PASSWORD explicitly to keep it stable across restarts."
+    echo "========================================"
+fi
+
+DB_USER=${DB_USER:-trackeep}
+DB_NAME=${DB_NAME:-trackeep}
+
+# Ensure PostgreSQL directories are owned by postgres (fixes volume permission issues)
+mkdir -p "$PGDATA" /run/postgresql /var/log/postgresql
+chown -R postgres:postgres "$PGDATA" /run/postgresql /var/log/postgresql
+
+# Initialize PostgreSQL if data directory is empty
+if [ ! -f "$PGDATA/PG_VERSION" ]; then
+    echo "Initializing PostgreSQL database cluster..."
+    su -s /bin/sh postgres -c "initdb -D $PGDATA --auth-local=trust --auth-host=md5"
+
+    # Allow local TCP connections
+    echo "host all all 127.0.0.1/32 md5" >> "$PGDATA/pg_hba.conf"
+    echo "host all all ::1/128 md5"     >> "$PGDATA/pg_hba.conf"
+
+    # Start postgres temporarily to create user and database
+    su -s /bin/sh postgres -c "pg_ctl -D $PGDATA -l /var/log/postgresql/server.log start"
+
+    # Wait until postgres accepts connections
+    echo "Waiting for PostgreSQL to accept connections..."
+    for i in $(seq 1 30); do
+        if su -s /bin/sh postgres -c "pg_isready -q"; then
+            break
+        fi
+        sleep 1
+    done
+
+    # Create role and database
+    su -s /bin/sh postgres -c "psql -c \"CREATE USER \\\"$DB_USER\\\" WITH PASSWORD '$DB_PASSWORD';\""
+    su -s /bin/sh postgres -c "psql -c \"CREATE DATABASE \\\"$DB_NAME\\\" OWNER \\\"$DB_USER\\\";\""
+
+    su -s /bin/sh postgres -c "pg_ctl -D $PGDATA stop"
+    echo "PostgreSQL initialized."
+fi
+
+# Start PostgreSQL
+echo "Starting PostgreSQL..."
+su -s /bin/sh postgres -c "pg_ctl -D $PGDATA -l /var/log/postgresql/server.log start"
+
+# Wait for PostgreSQL to be ready
+echo "Waiting for PostgreSQL to be ready..."
+for i in $(seq 1 30); do
+    if su -s /bin/sh postgres -c "pg_isready -q"; then
+        echo "PostgreSQL is ready."
+        break
+    fi
+    echo "Waiting for PostgreSQL... ($i/30)"
+    sleep 1
+done
+
+# Backend connects to the bundled local PostgreSQL
 export BACKEND_PORT=8081
-export DB_HOST=${DB_HOST:-postgres}
-export DB_PORT=${DB_PORT:-5432}
-export DB_NAME=${DB_NAME:-trackeep}
-export DB_USER=${DB_USER:-trackeep}
-export DB_PASSWORD=${DB_PASSWORD}
-export JWT_SECRET=${JWT_SECRET}
+export DB_HOST=localhost
+export DB_PORT=5432
+export DB_NAME="$DB_NAME"
+export DB_USER="$DB_USER"
+export DB_PASSWORD="$DB_PASSWORD"
+export DB_SSL_MODE=disable
+export JWT_SECRET=${JWT_SECRET:-}
 export GIN_MODE=${GIN_MODE:-release}
+export CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS:-*}
 
 # Start backend in background
 cd /app
 echo "Starting Trackeep backend on port ${BACKEND_PORT}..."
 ./main &
+BACKEND_PID=$!
 
 # Wait for backend to be ready
 echo "Waiting for backend to be ready..."
@@ -31,6 +97,6 @@ for i in $(seq 1 30); do
     sleep 2
 done
 
-# Start nginx
-echo "Starting nginx..."
+# Start nginx in foreground (keeps container alive)
+echo "Starting nginx on port 8080..."
 nginx -g "daemon off;"

frontend/nginx.conf

@@ -40,6 +40,7 @@ http {
 
     server {
         listen 8080;
+        listen [::]:8080;
         server_name localhost;
         root /usr/share/nginx/html;
         index index.html;