
[chore] configure Docker for local environment #17

Open
dudina-ma wants to merge 2 commits into master from chore/docker-local-setup

@dudina-ma dudina-ma commented May 4, 2026

Summary by CodeRabbit

  • New Features

    • Docker and Docker Compose support for multi-service deployment (backend, database, S3-compatible storage).
    • Storage integration now supports configurable secure/insecure connections and credential-based access.
  • Documentation

    • Added a comprehensive environment configuration template documenting server, database, JWT, storage, attachment limits, timezone, and other runtime settings.


coderabbitai Bot commented May 4, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 81a4626b-1db0-4398-aefb-fb3429ac04fb

📥 Commits

Reviewing files that changed from the base of the PR and between 023572b and 7fc54f6.

📒 Files selected for processing (1)
  • docker-compose.yml

📝 Walkthrough


This PR adds MinIO S3 storage support with configurable TLS, environment configuration documentation, Docker build, and docker-compose wiring to run the backend locally with MariaDB and MinIO.

Changes

Local Docker development and MinIO storage

| Layer | File(s) | Summary |
|---|---|---|
| MinIO secure connection configuration | pkg/miniofx/config.go, internal/storage/module.go, pkg/miniofx/client.go | Config struct adds Secure bool field; storage module parses insecure URL query parameter (default secure unless explicitly insecure=true); NewClient uses config.Secure instead of hardcoded true. |
| Environment configuration template | .env.example | Complete environment variable documentation covering HTTP server, OpenAPI, MariaDB pool settings, JWT auth, S3-compatible storage endpoint and TTL, AWS/MinIO credentials, attachment limits, and timezone. |
| Multi-stage Docker build | Dockerfile | Builder stage (golang:1.25-alpine) compiles with module caching and optimization flags; runtime stage (alpine:latest) installs CA certs and timezone data, creates non-root appuser (UID/GID 1000), copies binary, and sets entrypoint. |
| Docker Compose services | docker-compose.yml | Defines backend service (built from Dockerfile, port 3000, env vars pointing to local containers, startup gating on mariadb health and minio-init); mariadb service (mariadb:lts with healthcheck); minio and minio-init services (S3 container and bucket initialization); named volumes for persistence. |

Sequence Diagram

sequenceDiagram
  participant User as User: docker compose up
  participant Compose as Docker Compose
  participant MariaDB as mariadb
  participant MinIO as minio
  participant MinIOInit as minio-init
  participant Backend as backend
  User->>Compose: up --build
  Compose->>MariaDB: start
  Compose->>MinIO: start
  Compose->>MinIOInit: start (depends_on minio healthy)
  MinIO-->>Compose: healthy
  MinIOInit->>MinIO: configure bucket
  MariaDB-->>Compose: healthy
  Compose->>Backend: start (depends_on mariadb health + minio-init)
  Backend->>MariaDB: connect via DATABASE__URL
  Backend->>MinIO: connect via STORAGE__URL

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The title focuses on Docker configuration, but the PR includes significant changes beyond Docker—specifically S3/MinIO storage integration across multiple code files. | Revise the title to reflect the full scope, such as 'Add Docker setup and S3/MinIO storage integration for local environment' or split into multiple PRs if the storage changes are intended separately. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@dudina-ma dudina-ma requested a review from capcom6 May 4, 2026 20:15

github-actions Bot commented May 4, 2026

🤖 Pull request artifacts

| Platform | File |
|---|---|
| 🐳 Docker | GitHub Container Registry |
| 🍎 Darwin arm64 | backend_Darwin_arm64.tar.gz |
| 🍎 Darwin x86_64 | backend_Darwin_x86_64.tar.gz |
| 🐧 Linux arm64 | backend_Linux_arm64.tar.gz |
| 🐧 Linux i386 | backend_Linux_i386.tar.gz |
| 🐧 Linux x86_64 | backend_Linux_x86_64.tar.gz |
| 🪟 Windows arm64 | backend_Windows_arm64.zip |
| 🪟 Windows i386 | backend_Windows_i386.zip |
| 🪟 Windows x86_64 | backend_Windows_x86_64.zip |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
Dockerfile (2)

15-15: ⚡ Quick win

alpine:3.22.2 is behind the current patch — consider alpine:3.22 or alpine:3.22.4

Docker Hub currently lists 3.22.4 as the latest 3.22.x patch. Pinning to 3.22.2 for the runtime image means missing any CVE/security fixes shipped in 3.22.3 and 3.22.4. For the runtime stage, prefer the floating minor tag (alpine:3.22) to track patches automatically, or bump to alpine:3.22.4.

🔧 Proposed fix
-FROM alpine:3.22.2
+FROM alpine:3.22
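Review bot: `+FROM alpine:3.22` swaps a fixed patch tag for a floating one, so the runtime base image can change between two builds of the same commit. If the goal is to pick up patch releases, consider keeping a tag and adding the image digest (`FROM alpine:3.22@sha256:<digest>`, placeholder digest) with an automated updater bumping it, so the Dockerfile still records exactly which base was built.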
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 15, Update the base image reference in the Dockerfile's
FROM instruction (currently "FROM alpine:3.22.2") to a non-outdated tag—either
use the floating minor tag "alpine:3.22" to get future patch updates
automatically, or bump to the specific patched release "alpine:3.22.4" so the
runtime image includes the latest CVE/security fixes.

12-12: ⚡ Quick win

Consider using go build . for idiomatic Go style

While go build ./main.go works fine in this repository, the idiomatic form is go build . (or go build ./cmd/...). Using the file argument can silently exclude other package main source files if they exist in the same directory, though this repository currently contains only main.go at the root.

🔧 Proposed fix
-RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/server ./main.go
+RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/server .
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Dockerfile` at line 12, Replace the explicit file argument in the Dockerfile
RUN command so the Go build uses the package path rather than a filename: update
the RUN line that currently invokes "CGO_ENABLED=0 GOOS=linux go build -trimpath
-ldflags=\"-s -w\" -o /out/server ./main.go" to use "go build ." (keeping
CGO_ENABLED, GOOS, -trimpath, -ldflags and -o /out/server intact) to ensure all
package main sources in the directory are included.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker-compose.yml`:
- Around line 7-8: Update the backend service's compose configuration so it
waits for the mariadb healthcheck to pass and restarts on transient failures:
replace the simple depends_on: - mariadb with a depends_on entry referencing
mariadb: condition: service_healthy (so the backend waits until the mariadb
healthcheck passes) and add restart: on-failure to the backend service to
automatically retry if it still races on first start.

In `@Dockerfile`:
- Around line 10-12: The Docker build is copying the entire context via the COPY
. . step which can bake secrets into the build cache; add a .dockerignore to
exclude sensitive and unnecessary files (at minimum: .env, local.docker.yml,
.aws/, .git, Dockerfile, node_modules, *.log, and any local config/secrets) so
those files are not sent to the daemon or included in builder layers, commit the
.dockerignore to repo root, and keep the existing Dockerfile (the COPY . . line
will then respect the .dockerignore).

---

Nitpick comments:
In `@Dockerfile`:
- Line 15: Update the base image reference in the Dockerfile's FROM instruction
(currently "FROM alpine:3.22.2") to a non-outdated tag—either use the floating
minor tag "alpine:3.22" to get future patch updates automatically, or bump to
the specific patched release "alpine:3.22.4" so the runtime image includes the
latest CVE/security fixes.
- Line 12: Replace the explicit file argument in the Dockerfile RUN command so
the Go build uses the package path rather than a filename: update the RUN line
that currently invokes "CGO_ENABLED=0 GOOS=linux go build -trimpath
-ldflags=\"-s -w\" -o /out/server ./main.go" to use "go build ." (keeping
CGO_ENABLED, GOOS, -trimpath, -ldflags and -o /out/server intact) to ensure all
package main sources in the directory are included.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: eae7f09e-2d13-4d9c-988b-7938b9d964a8

📥 Commits

Reviewing files that changed from the base of the PR and between 872741b and f84297e.

📒 Files selected for processing (6)
  • .env.example
  • .gitignore
  • DOCKER.md
  • Dockerfile
  • docker-compose.yml
  • local.docker.yml.example

Comment thread docker-compose.yml Outdated
Comment thread Dockerfile
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@DOCKER.md`:
- Line 31: Fix the punctuation in the sentence "Presigned-ссылки для вложений
должны совпадать с тем URL, по которому **браузер** открывает тот же S3 (как
правило публичный HTTPS endpoint провайдера)." by inserting a comma after "как
правило" so it reads "(как правило, публичный HTTPS endpoint провайдера)";
update the DOCKER.md sentence accordingly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 70de6131-642b-43f4-9d38-828d6789c0dc

📥 Commits

Reviewing files that changed from the base of the PR and between f84297e and 2e6d616.

📒 Files selected for processing (4)
  • .dockerignore
  • .dockerignore
  • DOCKER.md
  • docker-compose.yml
✅ Files skipped from review due to trivial changes (2)
  • docker-compose.yml
  • .dockerignore

Comment thread DOCKER.md Outdated
@dudina-ma dudina-ma force-pushed the chore/docker-local-setup branch 2 times, most recently from 0d61250 to ade8c93 Compare May 7, 2026 21:14
@github-actions

This PR is stale because it has been open for 7 days with no activity.

@github-actions github-actions Bot added the stale label May 15, 2026
@capcom6 capcom6 self-assigned this May 15, 2026
@capcom6 capcom6 removed the stale label May 15, 2026
@capcom6 capcom6 force-pushed the chore/docker-local-setup branch from ade8c93 to 023572b Compare May 19, 2026 03:24
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docker-compose.yml`:
- Line 19: The docker-compose env interpolation uses the wrong variable name:
change the JWT fallback from ${JWT_SECRET:-secret} to ${JWT__SECRET:-secret} so
it matches the documented/expected JWT__SECRET used by the backend; update the
JWT__SECRET reference in the docker-compose.yml environment block (replace
JWT_SECRET with JWT__SECRET) to ensure values from .env.example/.env are applied
to the backend JWT configuration.
- Around line 20-24: Replace the host in STORAGE__URL so the backend talks to
the MinIO service by name (use minio:9000) instead of localhost, and remove the
unnecessary extra_hosts entry; specifically update the STORAGE__URL environment
value (STORAGE__URL) to point to
s3://bit-issues/uploads?endpoint=minio:9000&region=us-east-1&insecure=true and
delete the extra_hosts: - "localhost:host-gateway" stanza so
container-to-container traffic uses the Compose service name `minio`.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 512dd222-d050-4a2f-b21e-e82b9982a017

📥 Commits

Reviewing files that changed from the base of the PR and between a6cfac8 and 023572b.

📒 Files selected for processing (6)
  • .env.example
  • Dockerfile
  • docker-compose.yml
  • internal/storage/module.go
  • pkg/miniofx/client.go
  • pkg/miniofx/config.go
✅ Files skipped from review due to trivial changes (1)
  • pkg/miniofx/config.go

Comment thread docker-compose.yml Outdated
Comment thread docker-compose.yml
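
The `insecure` handling that the walkthrough and the `STORAGE__URL` comment above describe (TLS on unless the URL says `insecure=true`), as an added Go example; it is not code from this PR. `StorageConfig` and `ParseStorageURL` are hypothetical names, and rejecting repeated or non-boolean `insecure` values is an assumption of this example, not behaviour the page states.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// StorageConfig is a hypothetical stand-in; only Secure is named on the page.
type StorageConfig struct {
	Bucket, Prefix, Endpoint, Region string
	Secure                           bool
}

// ParseStorageURL parses an s3:// storage URL. TLS stays on unless the
// query carries exactly one insecure value that parses as boolean true.
func ParseStorageURL(raw string) (StorageConfig, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return StorageConfig{}, fmt.Errorf("parse storage url: %w", err)
	}
	if u.Scheme != "s3" || u.Host == "" {
		return StorageConfig{}, fmt.Errorf("want s3://bucket/prefix, got scheme %q", u.Scheme)
	}
	q := u.Query()
	cfg := StorageConfig{Bucket: u.Host, Prefix: strings.Trim(u.Path, "/"),
		Endpoint: q.Get("endpoint"), Region: q.Get("region"), Secure: true}
	if vals, ok := q["insecure"]; ok {
		// Assumption: ambiguous input is an error, so a typo cannot flip TLS.
		if len(vals) != 1 {
			return StorageConfig{}, fmt.Errorf("insecure given %d times", len(vals))
		}
		insecure, err := strconv.ParseBool(vals[0])
		if err != nil {
			return StorageConfig{}, fmt.Errorf("insecure=%q is not a boolean", vals[0])
		}
		cfg.Secure = !insecure
	}
	return cfg, nil
}

func main() {
	// The URL quoted in the review comment above, used as sample input.
	cfg, err := ParseStorageURL("s3://bit-issues/uploads?endpoint=minio:9000&region=us-east-1&insecure=true")
	fmt.Printf("%+v %v\n", cfg, err)
}
```
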