some tweaks

Author: nicktrn

docs/self-hosting/docker.mdx

@@ -82,19 +82,20 @@ cp .env.example .env
 3. Start the webapp
 
 ```bash
-docker compose -f docker-compose.webapp.yml up -d
+cd webapp
+docker compose up -d
 ```
 
 4. Optional: Add traefik as a reverse proxy
 
 ```bash
-docker compose -f docker-compose.webapp.yml -f docker-compose.traefik.yml up -d
+docker compose -f ../docker-compose.traefik.yml up -d
 ```
 
 Configure the webapp as needed using the [environment variables](/self-hosting/env/webapp) and apply the changes:
 
 ```bash
-docker compose -f docker-compose.webapp.yml up -d
+docker compose up -d
 ```
 
 ### Worker
@@ -115,13 +116,14 @@ cp .env.example .env
 3. Start the worker
 
 ```bash
-docker compose -f docker-compose.worker.yml up -d
+cd worker
+docker compose up -d
 ```
 
 Configure the supervisor as needed using the [environment variables](/self-hosting/env/supervisor) and apply the changes:
 
 ```bash
-docker compose -f docker-compose.worker.yml up -d
+docker compose up -d
 ```
 
 Repeat as needed for additional workers.
@@ -131,12 +133,14 @@ Repeat as needed for additional workers.
 If you want to run the webapp and worker on the same machine, just replace the `up` command with the following:
 
 ```bash
+# Run this from the /hosting/docker directory
 docker compose -f docker-compose.webapp.yml -f docker-compose.worker.yml up -d
 ```
 
 And optionally add traefik as a reverse proxy:
 
 ```bash
+# Run this from the /hosting/docker directory
 docker compose -f docker-compose.webapp.yml -f docker-compose.worker.yml -f docker-compose.traefik.yml up -d
 ```
 
@@ -218,6 +222,22 @@ WHITELISTED_EMAILS="authorized@yahoo\.com|authorized@gmail\.com"
 
 This will apply to all auth methods.
 
+## Troubleshooting
+
+- **Deployment fails at the push step.** The machine running `deploy` needs registry access:
+
+```bash
+docker login -u <username> <registry>
+# this should now succeed
+npx trigger.dev@v4-beta deploy
+```
+
+This needs to match the registry credentials. Defaults for the `localhost:5000` registry are `registry-user` and `very-safe-password`. You should change these.
+
+- **Magic links don't arrive.** The webapp container needs to be able to send emails. You probably need to set up an email transport. See the [authentication](#authentication) section for more details.
+
+You should check the logs of the webapp container to see the magic link: `docker logs -f trigger-webapp-1`
+
 ## CLI usage
 
 This section highlights some of the CLI commands and options that are useful when self-hosting. Please check the [CLI reference](/cli-introduction) for more in-depth documentation.

hosting/docker/.env.example

@@ -0,0 +1,71 @@
+# Secrets
+# - Do NOT use these defaults in production
+# - Generate your own by running `openssl rand -hex 16` for each secret
+SESSION_SECRET=2818143646516f6fffd707b36f334bbb
+MAGIC_LINK_SECRET=44da78b7bbb0dfe709cf38931d25dcdd
+ENCRYPTION_KEY=f686147ab967943ebbe9ed3b496e465a
+MANAGED_WORKER_SECRET=447c29678f9eaf289e9c4b70d3dd8a7f
+
+# Trigger image tags
+# - You should lock these to a specific version in production
+# - For example: SUPERVISOR_IMAGE_TAG=v4-beta.21
+SUPERVISOR_IMAGE_TAG=v4-beta
+WEBAPP_IMAGE_TAG=v4-beta
+
+# Webapp
+APP_ORIGIN=http://localhost:8030
+LOGIN_ORIGIN=http://localhost:8030
+# WEBAPP_PUBLISH_IP=0.0.0.0
+
+# Object store
+# - You need to set these up via the Minio dashboard first: http://localhost:9001
+# - See Minio section for login details
+# OBJECT_STORE_ACCESS_KEY_ID=
+# OBJECT_STORE_SECRET_ACCESS_KEY=
+
+# Postgres
+# - Do NOT use these defaults in production
+# - Especially if you decide to expose the database to the internet
+POSTGRES_USER=postgres
+POSTGRES_PASSWORD=postgres
+POSTGRES_DB=postgres
+# POSTGRES_PUBLISH_IP=127.0.0.1
+# POSTGRES_IMAGE_TAG=14
+
+# Redis
+# REDIS_PUBLISH_IP=127.0.0.1
+# REDIS_IMAGE_TAG=7
+
+# ElectricSQL
+# ELECTRIC_IMAGE_TAG=
+
+# Clickhouse
+# CLICKHOUSE_IMAGE_TAG=latest
+# CLICKHOUSE_PUBLISH_IP=127.0.0.1
+
+# Registry
+# REGISTRY_IMAGE_TAG=2
+# REGISTRY_PUBLISH_IP=127.0.0.1
+
+# Minio
+# MINIO_IMAGE_TAG=latest
+# MINIO_PUBLISH_IP=127.0.0.1
+# MINIO_ROOT_USER=admin
+# MINIO_ROOT_PASSWORD=very-safe-password
+
+# Docker Registry
+# DEPLOY_REGISTRY_HOST=localhost:5000
+# DOCKER_REGISTRY_URL=
+# DOCKER_REGISTRY_USERNAME=
+# DOCKER_REGISTRY_PASSWORD=
+
+# Docker Socket Proxy
+# DOCKER_PROXY_IMAGE_TAG=latest
+
+# Traefik
+# TRAEFIK_ENTRYPOINT=websecure
+# TRAEFIK_IMAGE_TAG=latest
+# RESTART_POLICY=
+# TRAEFIK_HTTP_PUBLISH_IP=0.0.0.0
+# TRAEFIK_HTTPS_PUBLISH_IP=0.0.0.0
+# TRAEFIK_DASHBOARD_PUBLISH_IP=127.0.0.1

hosting/docker/docker-compose.traefik.yml

@@ -35,9 +35,9 @@ services:
     image: traefik:${TRAEFIK_IMAGE_TAG:-v3.4}
     restart: ${RESTART_POLICY:-unless-stopped}
     ports:
-      - "80:80"
-      - "443:443"
-      - "8080:8080" # Traefik dashboard
+      - "${TRAEFIK_HTTP_PUBLISH_IP:-0.0.0.0}:80:80"
+      - "${TRAEFIK_HTTPS_PUBLISH_IP:-0.0.0.0}:443:443"
+      - "${TRAEFIK_DASHBOARD_PUBLISH_IP:-127.0.0.1}:8080:8080" # dashboard
     networks:
       - traefik
     command:

hosting/docker/webapp/.env

@@ -0,0 +1 @@
+../.env

hosting/docker/webapp/.gitignore

@@ -0,0 +1,2 @@
+# preserve the .env symlink
+!.env

hosting/docker/docker-compose.webapp.yml renamed to hosting/docker/webapp/docker-compose.yml

@@ -2,7 +2,7 @@ name: trigger
 
 services:
   webapp:
-    image: ghcr.io/triggerdotdev/trigger.dev:${TRIGGER_IMAGE_TAG:-main}
+    image: ghcr.io/triggerdotdev/trigger.dev:${WEBAPP_IMAGE_TAG:-v4-beta}
     restart: ${RESTART_POLICY:-unless-stopped}
     ports:
       - ${WEBAPP_PUBLISH_IP:-0.0.0.0}:8030:3000
@@ -14,7 +14,9 @@ services:
       - supervisor
     volumes:
       - shared:/home/node/shared
+    # Only needed for bootstrap
     user: root
+    # Only needed for bootstrap
     command: sh -c "chown -R node:node /home/node/shared && exec ./scripts/entrypoint.sh"
     healthcheck:
       test: ["CMD", "node", "-e", "http.get('http://localhost:3000/healthcheck', res => process.exit(res.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))"]
@@ -23,7 +25,8 @@ services:
       retries: 5
       start_period: 10s
     environment:
-      APP_ORIGIN: http://localhost:8030
+      APP_ORIGIN: ${APP_ORIGIN:-http://localhost:8030}
+      LOGIN_ORIGIN: ${LOGIN_ORIGIN:-http://localhost:8030}
       ELECTRIC_ORIGIN: http://electric:3000
       DATABASE_URL: postgresql://postgres:postgres@postgres:5432/main?schema=public&sslmode=disable
       DIRECT_URL: postgresql://postgres:postgres@postgres:5432/main?schema=public&sslmode=disable
@@ -36,14 +39,16 @@ services:
       REDIS_TLS_DISABLED: true
       APP_LOG_LEVEL: info
       DEV_OTEL_EXPORTER_OTLP_ENDPOINT: http://localhost:8030/otel
-      TRIGGER_BOOTSTRAP_ENABLED: 1
-      TRIGGER_BOOTSTRAP_WORKER_GROUP_NAME: bootstrap-3
-      TRIGGER_BOOTSTRAP_WORKER_TOKEN_PATH: /home/node/shared/worker_token
-      DEPLOY_REGISTRY_HOST: localhost:5000
+      DEPLOY_REGISTRY_HOST: ${DEPLOY_REGISTRY_HOST:-localhost:5000}
       OBJECT_STORE_BASE_URL: http://minio:9000
       OBJECT_STORE_ACCESS_KEY_ID: ${OBJECT_STORE_ACCESS_KEY_ID}
       OBJECT_STORE_SECRET_ACCESS_KEY: ${OBJECT_STORE_SECRET_ACCESS_KEY}
       GRACEFUL_SHUTDOWN_TIMEOUT: 1000
+      # Bootstrap - this will automatically set up a worker group for you
+      # This will NOT work for split deployments
+      TRIGGER_BOOTSTRAP_ENABLED: 1
+      TRIGGER_BOOTSTRAP_WORKER_GROUP_NAME: bootstrap
+      TRIGGER_BOOTSTRAP_WORKER_TOKEN_PATH: /home/node/shared/worker_token
       # Limits
       # TASK_PAYLOAD_OFFLOAD_THRESHOLD: 524288 # 512KB
       # TASK_PAYLOAD_MAXIMUM_SIZE: 3145728 # 3MB
@@ -65,9 +70,9 @@ services:
       - -c
       - wal_level=logical
     environment:
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: postgres
-      POSTGRES_DB: postgres
+      POSTGRES_USER: ${POSTGRES_USER:-postgres}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
+      POSTGRES_DB: ${POSTGRES_DB:-postgres}
     healthcheck:
       test: ["CMD", "pg_isready", "-U", "postgres"]
       interval: 10s
@@ -119,7 +124,7 @@ services:
       CLICKHOUSE_ADMIN_PASSWORD: password
     volumes:
       - clickhouse:/bitnami/clickhouse
-      - ./clickhouse/override.xml:/bitnami/clickhouse/etc/config.d/override.xml:ro
+      - ../clickhouse/override.xml:/bitnami/clickhouse/etc/config.d/override.xml:ro
     networks:
       - webapp
     healthcheck:
@@ -138,18 +143,17 @@ services:
       - webapp
     volumes:
       # registry-user:very-secure-indeed
-      - ./registry/auth.htpasswd:/auth/htpasswd:ro
+      - ../registry/auth.htpasswd:/auth/htpasswd:ro
     environment:
       REGISTRY_AUTH: htpasswd
       REGISTRY_AUTH_HTPASSWD_REALM: Registry Realm
       REGISTRY_AUTH_HTPASSWD_PATH: /auth/htpasswd
-    # This won't work with auth enabled
-    # healthcheck:
-    #   test: ["CMD", "wget", "--spider", "-q", "http://localhost:5000/v2/"]
-    #   interval: 10s
-    #   timeout: 5s
-    #   retries: 5
-    #   start_period: 10s
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://localhost:5000/"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 10s
 
   minio:
     image: minio/minio:${MINIO_IMAGE_TAG:-latest}

hosting/docker/worker/.env

@@ -0,0 +1 @@
+../.env

hosting/docker/worker/.gitignore

@@ -0,0 +1,2 @@
+# preserve the .env symlink
+!.env

hosting/docker/docker-compose.worker.yml renamed to hosting/docker/worker/docker-compose.yml

@@ -2,7 +2,7 @@ name: trigger
 
 services:
   supervisor:
-    image: ghcr.io/triggerdotdev/supervisor:${TRIGGER_IMAGE_TAG:-main}
+    image: ghcr.io/triggerdotdev/supervisor:${SUPERVISOR_IMAGE_TAG:-v4-beta}
     restart: ${RESTART_POLICY:-unless-stopped}
     depends_on:
       - docker-proxy
@@ -11,7 +11,9 @@ services:
       - docker-proxy
     volumes:
       - shared:/home/node/shared
+    # Only needed for bootstrap
     user: root
+    # Only needed for bootstrap
     command: sh -c "chown -R node:node /home/node/shared && exec /usr/bin/dumb-init -- pnpm run --filter supervisor start"
     environment:
       # This needs to match the token of the worker group you want to connect to