fix: ensure data paths are set correctly in docker, fixes #958 #959

Merged: steveiliop56 merged 4 commits into main from fix/docker-data-path on Jul 1, 2026

steveiliop56 (Member) commented Jul 1, 2026

Summary by CodeRabbit

  • New Features

    • Added a new command to display the current application configuration in a readable JSON format.
    • Improved container startup behavior by automatically using environment-specific defaults when running in Docker.
    • Added support for a new application URL setting in the configuration.
  • Bug Fixes

    • Standardized default storage locations for container-based deployments.
    • Updated container images to run with a non-root user and prepared required data directories automatically.

dosubot Bot added the size:L label ("This PR changes 100-499 lines, ignoring generated files.") on Jul 1, 2026

coderabbitai Bot (Contributor) commented Jul 1, 2026

Walkthrough

Introduces runtime environment detection (RuntimeEnv/DetectRuntimeEnv) that applies docker-specific default config paths, adds a new config CLI subcommand that dumps configuration as JSON, updates both Dockerfiles to create a non-root /data layout with RUNTIME_ENV=docker, and adds Makefile docker/docker-distroless build targets.

Changes

Runtime env detection, config, CLI, and Docker image updates

| Layer / File(s) | Summary |
|---|---|
| RuntimeEnv detection and default config overrides: internal/model/config.go | Adds RuntimeEnv enum with DetectRuntimeEnv() reading RUNTIME_ENV; NewDefaultConfiguration now takes a runtimeEnv param and overrides database/resources/OIDC/Tailscale paths to /data/... for docker; Config struct gains AppURL and loses Experimental. |
| CLI wiring: runtime detection and config-dump command: cmd/tinyauth/tinyauth.go, cmd/tinyauth/config.go | main detects runtime env and passes it into NewDefaultConfiguration, and registers a new config subcommand (configCmd) that JSON-marshals and prints the configuration. |
| Docker image data layout and env vars: Dockerfile, Dockerfile.distroless | Both images create a non-root tinyauth user/group, build /data/resources, /data/oidc, /data/tailscale, chown them recursively, declare/copy /data, and set ENV RUNTIME_ENV=docker in place of prior TINYAUTH_DATABASE_PATH/TINYAUTH_RESOURCES_PATH vars. |
| Makefile docker build targets: Makefile | Consolidates .PHONY declarations into one list and adds docker/docker-distroless targets running docker buildx build with VERSION, COMMIT_HASH, and BUILD_TIMESTAMP build args. |

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Main as main
  participant Model as model
  participant Cmd as cmdTinyauth
  participant ConfigDump as configCmd

  Main->>Model: DetectRuntimeEnv()
  Model-->>Main: RuntimeEnv
  Main->>Model: NewDefaultConfiguration(runtimeEnv)
  Model-->>Main: Config
  Main->>Cmd: AddCommand(configCmd(tConfig, loaders))
  Cmd->>ConfigDump: execute config command
  ConfigDump->>ConfigDump: json.MarshalIndent(config)
  ConfigDump-->>Cmd: print JSON to stdout

Possibly related PRs

  • tinyauthapp/tinyauth#647: Both PRs modify cmd/tinyauth/tinyauth.go to change how the default configuration is constructed, with this PR extending that pattern by adding runtime-env detection into the new config signature.

Suggested reviewers: Rycochet

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: Docker runtime data paths are corrected. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

codecov Bot commented Jul 1, 2026

Codecov Report

❌ Patch coverage is 0% with 35 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| internal/model/config.go | 0.00% | 16 Missing ⚠️ |
| cmd/tinyauth/config.go | 0.00% | 12 Missing ⚠️ |
| cmd/tinyauth/tinyauth.go | 0.00% | 5 Missing ⚠️ |
| gen/gen_env.go | 0.00% | 1 Missing ⚠️ |
| gen/gen_md.go | 0.00% | 1 Missing ⚠️ |

coderabbitai Bot (Contributor) left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
cmd/tinyauth/config_dump.go (1)

18-18: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Config dump uses JSON while the config format is YAML.

The Config struct declares only yaml tags, so json.MarshalIndent emits Go field names (e.g. AppURL, Database) and includes fields marked yaml:"-" such as ConfigFile. For a config-dump this diverges from the format users actually configure. Consider marshaling to YAML for parity with the config file.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/tinyauth/config_dump.go` at line 18, The config dump in config_dump.go is
using json.MarshalIndent in the config dump path, which produces JSON field
names and can include fields that should be omitted from YAML output. Update the
config dump logic to use YAML marshaling instead, using the existing Config type
so the output matches the same yaml tags and exclusions as the config file
format.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Around line 57-60: The image setup creates the tinyauth user and fixes /data
ownership, but the final container still runs as root. Update the Dockerfile to
switch the runtime user to tinyauth after the addgroup/adduser and chown steps,
so the container actually starts under the non-root account and the prepared
permissions take effect.

In `@Dockerfile.distroless`:
- Around line 50-51: The distroless Docker build is using mismatched data paths,
so the copy step in the final stage cannot find the source directory. Update the
Dockerfile so the builder stage and the runner stage use the same data location,
and ensure the COPY instruction references the directory created by the earlier
RUN mkdir/chown steps (the data setup around the /data paths in
Dockerfile.distroless).
- Around line 48-49: The distroless runner still starts as root because the
`tinyauth` account created in the builder stage is not available in the final
image and `Dockerfile.distroless` never switches users. Update the final runtime
stage to run as a non-root user by adding an appropriate `USER` directive there,
and make sure `tinyauth` is created or referenced in a way that exists in that
stage. Locate the fix around the `RUN addgroup tinyauth && adduser -DH tinyauth
-G tinyauth` step and the final runner stage configuration.


📥 Commits

Reviewing files that changed from the base of the PR and between ffafb5b and a441159.

⛔ Files ignored due to path filters (2)
  • gen/gen_env.go is excluded by !**/gen/**
  • gen/gen_md.go is excluded by !**/gen/**
📒 Files selected for processing (6)
  • Dockerfile
  • Dockerfile.distroless
  • Makefile
  • cmd/tinyauth/config_dump.go
  • cmd/tinyauth/tinyauth.go
  • internal/model/config.go

coderabbitai Bot (Contributor) commented Jul 1, 2026

Caution

Failed to replace (edit) comment. This is likely due to insufficient permissions or the comment being deleted.

Error details
{}

steveiliop56 (Member, Author) commented

@coderabbitai review

coderabbitai Bot (Contributor) commented Jul 1, 2026

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot (Contributor) left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
cmd/tinyauth/config.go (1)

11-26: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Redact secret-bearing fields from config output. configCmd prints the full model.Config as JSON, and that struct includes plaintext secrets (LDAP bind password, OAuth/OIDC client secrets, Tailscale auth key, app basic-auth password, etc.) with no redaction. Use a redacted DTO or custom MarshalJSON before writing to stdout.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/tinyauth/config.go` around lines 11 - 26, The config command currently
marshals model.Config directly in configCmd, which exposes secret-bearing fields
in stdout. Update configCmd to print a redacted representation instead, either
by introducing a DTO that omits or masks sensitive values or by implementing
custom MarshalJSON on model.Config so fields like LDAP bind password, OAuth/OIDC
client secrets, Tailscale auth key, and app basic-auth password are not emitted.

📥 Commits

Reviewing files that changed from the base of the PR and between a441159 and 867ef31.

📒 Files selected for processing (3)
  • Dockerfile.distroless
  • cmd/tinyauth/config.go
  • cmd/tinyauth/tinyauth.go
🚧 Files skipped from review as they are similar to previous changes (2)
  • cmd/tinyauth/tinyauth.go
  • Dockerfile.distroless
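
The redaction requested in the review comment above, sketched as an added example (not code from the tinyauth repository): `Config` is a hypothetical stand-in, and every field and tag name other than `AppURL`, `ConfigFile` and `yaml:"-"` is an assumption. Keying the output by yaml tag also covers the earlier nitpick that `json.MarshalIndent` emits Go field names and includes `yaml:"-"` fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"regexp"
	"strings"
)

// Hypothetical stand-in for model.Config; tag names and the LDAP field are assumed.
type Config struct {
	AppURL     string `yaml:"appUrl"`
	ConfigFile string `yaml:"-"`
	LDAP       struct {
		BindPassword string `yaml:"bindPassword"`
	} `yaml:"ldap"`
}

var secretName = regexp.MustCompile(`(?i)password|secret|authkey|token`)

// Redacted keys fields by yaml tag, drops yaml:"-" fields and masks non-empty
// secret-named strings. Nested structs are walked; slices and maps are not.
func Redacted(v reflect.Value) map[string]interface{} {
	out := map[string]interface{}{}
	for i := 0; i < v.NumField(); i++ {
		f, fv := v.Type().Field(i), v.Field(i)
		name := strings.Split(f.Tag.Get("yaml"), ",")[0]
		if name == "-" || !f.IsExported() {
			continue
		} else if name == "" {
			name = f.Name // untagged: fall back to the Go field name
		}
		out[name] = fv.Interface()
		if fv.Kind() == reflect.Struct {
			out[name] = Redacted(fv)
		} else if fv.Kind() == reflect.String && fv.String() != "" && secretName.MatchString(f.Name) {
			out[name] = "***REDACTED***"
		}
	}
	return out
}

// Dump renders the redacted view as indented JSON.
func Dump(c Config) string {
	b, _ := json.MarshalIndent(Redacted(reflect.ValueOf(c)), "", "  ")
	return string(b)
}

func main() { // constructed sample values
	c := Config{AppURL: "https://auth.example.com", ConfigFile: "/data/config.yaml"}
	c.LDAP.BindPassword = "constructed-password"
	fmt.Println(Dump(c))
}
```

Name-based matching is a fallback that misses secrets stored under neutral field names; an explicit per-field marker on the real struct is the more reliable choice.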

dosubot Bot added the lgtm label ("This PR has been approved by a maintainer") on Jul 1, 2026

steveiliop56 merged commit a6c716c into main on Jul 1, 2026 (5 checks passed)

steveiliop56 deleted the fix/docker-data-path branch on July 1, 2026 13:12