cutting #8824
Changes from 6 commits
e745bd2
bf249d0
df32e6a
600e0b4
beb2bdd
272db44
c91dcf8
a10b60e
c5a2e26
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -1,39 +1,37 @@ | ||||||
| (plane_proxy) { | ||||||
| request_body { | ||||||
| max_size {$FILE_SIZE_LIMIT} | ||||||
| } | ||||||
|
|
||||||
| redir /spaces /spaces/ permanent | ||||||
| reverse_proxy /spaces/* space:3000 | ||||||
|
|
||||||
| redir /god-mode /god-mode/ permanent | ||||||
| reverse_proxy /god-mode/* admin:3000 | ||||||
|
|
||||||
| reverse_proxy /live/* live:3000 | ||||||
|
|
||||||
| reverse_proxy /api/* api:8000 | ||||||
|
|
||||||
| reverse_proxy /auth/* api:8000 | ||||||
|
|
||||||
| reverse_proxy /static/* api:8000 | ||||||
|
|
||||||
| reverse_proxy /{$BUCKET_NAME}/* plane-minio:9000 | ||||||
| reverse_proxy /{$BUCKET_NAME} plane-minio:9000 | ||||||
|
|
||||||
| reverse_proxy /* web:3000 | ||||||
| { | ||||||
| email {$CERT_EMAIL} | ||||||
| acme_ca {$CERT_ACME_CA:https://acme-v02.api.letsencrypt.org/directory} | ||||||
| # acme_dns {$CERT_ACME_DNS} # if Let's Encrypt | ||||||
|
|
||||||
| servers { | ||||||
| max_header_size 25MB | ||||||
| client_ip_headers X-Forwarded-For X-Real-IP | ||||||
| trusted_proxies static {$TRUSTED_PROXIES:0.0.0.0/0} | ||||||
|
Contributor
Security concern: overly permissive default for `trusted_proxies`. The default value `0.0.0.0/0` trusts all IP addresses for client IP header spoofing. Consider using a more restrictive default such as `private_ranges`.
Suggested fix:
- trusted_proxies static {$TRUSTED_PROXIES:0.0.0.0/0}
+ trusted_proxies static {$TRUSTED_PROXIES:private_ranges} |
||||||
| } | ||||||
| } | ||||||
|
|
||||||
| { | ||||||
| {$CERT_EMAIL} | ||||||
| acme_ca {$CERT_ACME_CA:https://acme-v02.api.letsencrypt.org/directory} | ||||||
| {$CERT_ACME_DNS} | ||||||
| servers { | ||||||
| max_header_size 25MB | ||||||
| client_ip_headers X-Forwarded-For X-Real-IP | ||||||
| trusted_proxies static {$TRUSTED_PROXIES:0.0.0.0/0} | ||||||
| } | ||||||
| (plane_proxy) { | ||||||
| request_body { | ||||||
| max_size {$FILE_SIZE_LIMIT} | ||||||
| } | ||||||
|
|
||||||
| redir /spaces /spaces/ permanent | ||||||
| reverse_proxy /spaces/* space:3000 | ||||||
|
|
||||||
| redir /god-mode /god-mode/ permanent | ||||||
| reverse_proxy /god-mode/* admin:3000 | ||||||
|
|
||||||
| reverse_proxy /live/* live:3000 | ||||||
| reverse_proxy /api/* api:8000 | ||||||
| reverse_proxy /auth/* api:8000 | ||||||
| reverse_proxy /static/* api:8000 | ||||||
|
|
||||||
| reverse_proxy /{$BUCKET_NAME}/* plane-minio:9000 | ||||||
| reverse_proxy /{$BUCKET_NAME} plane-minio:9000 | ||||||
|
|
||||||
| reverse_proxy /* web:3000 | ||||||
| } | ||||||
|
|
||||||
| {$SITE_ADDRESS} { | ||||||
| import plane_proxy | ||||||
| import plane_proxy | ||||||
| } | ||||||
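Review bot: `import plane_proxy` appears twice inside the `{$SITE_ADDRESS}` site block at the end of the hunk, which registers every `redir` and `reverse_proxy` directive of the snippet a second time; drop one of the two lines. Two further points on the global options block: the old `email {$CERT_EMAIL}` and commented-out `# acme_dns {$CERT_ACME_DNS}` have become bare `{$CERT_EMAIL}` and `{$CERT_ACME_DNS}` placeholders, so Caddy now substitutes each variable straight into the Caddyfile text before parsing; that only works if the variable carries the whole directive (for example `email ops@example.com`, not just the address), and the compose file in this PR passes `CERT_EMAIL: ${CERT_EMAIL}` with no default and no note about that format, so either document the expected value or keep the directive keyword in the Caddyfile. Finally, `trusted_proxies static {$TRUSTED_PROXIES:0.0.0.0/0}` combined with `client_ip_headers X-Forwarded-For X-Real-IP` lets any client choose the client IP that Caddy reports to the upstream services; the `private_ranges` default already suggested in the thread restricts that to requests that actually arrived through an internal proxy.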
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,255 @@ | ||
| x-db-env: &db-env | ||
| PGHOST: ${PGHOST:-plane-db} | ||
| PGDATABASE: ${PGDATABASE:-plane} | ||
| POSTGRES_USER: ${POSTGRES_USER:-plane} | ||
| POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-plane} | ||
|
Contributor
Fail fast when required secrets are missing. This stack currently boots with known defaults for the Postgres password, RabbitMQ password, MinIO access keys,
Also applies to: 16-17, 21-22, 41-41, 47-47, 55-57, 60-60 |
||
| POSTGRES_DB: ${POSTGRES_DB:-plane} | ||
| POSTGRES_PORT: ${POSTGRES_PORT:-5432} | ||
| PGDATA: ${PGDATA:-/var/lib/postgresql/data} | ||
|
|
||
| x-redis-env: &redis-env | ||
| REDIS_HOST: ${REDIS_HOST:-plane-redis} | ||
| REDIS_PORT: ${REDIS_PORT:-6379} | ||
| REDIS_URL: ${REDIS_URL:-redis://plane-redis:6379/} | ||
|
|
||
| x-minio-env: &minio-env | ||
| MINIO_ROOT_USER: ${AWS_ACCESS_KEY_ID:-access-key} | ||
| MINIO_ROOT_PASSWORD: ${AWS_SECRET_ACCESS_KEY:-secret-key} | ||
|
|
||
| x-aws-s3-env: &aws-s3-env | ||
| AWS_REGION: ${AWS_REGION:-} | ||
| AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID:-access-key} | ||
| AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY:-secret-key} | ||
| AWS_S3_ENDPOINT_URL: ${AWS_S3_ENDPOINT_URL:-http://plane-minio:9000} | ||
| AWS_S3_BUCKET_NAME: ${AWS_S3_BUCKET_NAME:-uploads} | ||
|
|
||
| x-proxy-env: &proxy-env | ||
| APP_DOMAIN: ${APP_DOMAIN:-localhost} | ||
| FILE_SIZE_LIMIT: ${FILE_SIZE_LIMIT:-5242880} | ||
| CERT_EMAIL: ${CERT_EMAIL} | ||
| CERT_ACME_CA: ${CERT_ACME_CA} | ||
| CERT_ACME_DNS: ${CERT_ACME_DNS} | ||
| LISTEN_HTTP_PORT: ${LISTEN_HTTP_PORT:-80} | ||
| LISTEN_HTTPS_PORT: ${LISTEN_HTTPS_PORT:-443} | ||
| BUCKET_NAME: ${AWS_S3_BUCKET_NAME:-uploads} | ||
| SITE_ADDRESS: ${SITE_ADDRESS:-:80} | ||
|
|
||
| x-mq-env: &mq-env # RabbitMQ Settings | ||
| RABBITMQ_HOST: ${RABBITMQ_HOST:-plane-mq} | ||
| RABBITMQ_PORT: ${RABBITMQ_PORT:-5672} | ||
| RABBITMQ_DEFAULT_USER: ${RABBITMQ_USER:-plane} | ||
| RABBITMQ_DEFAULT_PASS: ${RABBITMQ_PASSWORD:-plane} | ||
| RABBITMQ_DEFAULT_VHOST: ${RABBITMQ_VHOST:-plane} | ||
| RABBITMQ_VHOST: ${RABBITMQ_VHOST:-plane} | ||
|
|
||
| x-live-env: &live-env | ||
| API_BASE_URL: ${API_BASE_URL:-http://api:8000} | ||
| LIVE_SERVER_SECRET_KEY: ${LIVE_SERVER_SECRET_KEY:-2FiJk1U2aiVPEQtzLehYGlTSnTnrs7LW} | ||
|
|
||
| x-app-env: &app-env | ||
| WEB_URL: ${WEB_URL:-http://localhost} | ||
| DEBUG: ${DEBUG:-0} | ||
| CORS_ALLOWED_ORIGINS: ${CORS_ALLOWED_ORIGINS} | ||
| GUNICORN_WORKERS: 1 | ||
| USE_MINIO: ${USE_MINIO:-1} | ||
| DATABASE_URL: ${DATABASE_URL:-postgresql://plane:plane@plane-db/plane} | ||
| SECRET_KEY: ${SECRET_KEY:-60gp0byfz2dvffa45cxl20p1scy9xbpf6d8c5y0geejgkyp1b5} | ||
| AMQP_URL: ${AMQP_URL:-amqp://plane:plane@plane-mq:5672/plane} | ||
| API_KEY_RATE_LIMIT: ${API_KEY_RATE_LIMIT:-60/minute} | ||
| MINIO_ENDPOINT_SSL: ${MINIO_ENDPOINT_SSL:-0} | ||
| LIVE_SERVER_SECRET_KEY: ${LIVE_SERVER_SECRET_KEY:-2FiJk1U2aiVPEQtzLehYGlTSnTnrs7LW} | ||
|
|
||
| services: | ||
| web: | ||
| image: artifacts.plane.so/makeplane/plane-frontend:${APP_RELEASE:-v1.2.3} | ||
| deploy: | ||
| replicas: ${WEB_REPLICAS:-1} | ||
| restart_policy: | ||
| condition: any | ||
|
Comment on lines +65 to +68
Contributor
Analysis chain. Script executed:
#!/bin/bash
set -euo pipefail
# Inspect how the installer launches the stack.
fd -a '^setup\.sh$' .
rg -n -C2 'docker\s+(compose|stack)\s+' setup.sh
Repository: makeplane/plane. Length of output: 86
Script executed: cat -n /home/jailuser/git/setup.sh
Repository: makeplane/plane. Length of output: 28021
Script executed: cat -n plane-app.backup_20260330_144144/docker-compose.yaml | head -100
Repository: makeplane/plane. Length of output: 3971
Script executed: rg -i 'docker\s+stack\s+deploy' --type sh --type yaml
Repository: makeplane/plane. Length of output: 152
Script executed: grep -r "docker stack" . --include="*.md" --include="*.sh" --include="*.yaml" --include="*.yml" 2>/dev/null | head -20
Repository: makeplane/plane. Length of output: 393
Remove or relocate the `deploy` block. The standard installation path uses `docker compose`. If supporting both deployment methods, consolidate the docker-compose.yaml into Compose-compatible configuration or maintain separate files. Otherwise, remove the `deploy` block. This pattern affects multiple services across the file (web, space, admin, live, and likely others). |
||
| depends_on: | ||
| - api | ||
| - worker | ||
|
|
||
| space: | ||
| image: artifacts.plane.so/makeplane/plane-space:${APP_RELEASE:-v1.2.3} | ||
| deploy: | ||
| replicas: ${SPACE_REPLICAS:-1} | ||
| restart_policy: | ||
| condition: any | ||
| depends_on: | ||
| - api | ||
| - worker | ||
| - web | ||
|
|
||
| admin: | ||
| image: artifacts.plane.so/makeplane/plane-admin:${APP_RELEASE:-v1.2.3} | ||
| deploy: | ||
| replicas: ${ADMIN_REPLICAS:-1} | ||
| restart_policy: | ||
| condition: any | ||
| depends_on: | ||
| - api | ||
| - web | ||
|
|
||
| live: | ||
| image: artifacts.plane.so/makeplane/plane-live:${APP_RELEASE:-v1.2.3} | ||
| environment: | ||
| <<: [*live-env, *redis-env] | ||
| deploy: | ||
| replicas: ${LIVE_REPLICAS:-1} | ||
| restart_policy: | ||
| condition: any | ||
| depends_on: | ||
| - api | ||
| - web | ||
|
|
||
| api: | ||
| image: artifacts.plane.so/makeplane/plane-backend:${APP_RELEASE:-v1.2.3} | ||
| command: ./bin/docker-entrypoint-api.sh | ||
| deploy: | ||
| replicas: ${API_REPLICAS:-1} | ||
| restart_policy: | ||
| condition: any | ||
| volumes: | ||
| - logs_api:/code/plane/logs | ||
| environment: | ||
| <<: [*app-env, *db-env, *redis-env, *minio-env, *aws-s3-env, *proxy-env] | ||
| depends_on: | ||
| - plane-db | ||
| - plane-redis | ||
| - plane-mq | ||
|
|
||
| worker: | ||
| image: artifacts.plane.so/makeplane/plane-backend:${APP_RELEASE:-v1.2.3} | ||
| command: ./bin/docker-entrypoint-worker.sh | ||
| deploy: | ||
| replicas: ${WORKER_REPLICAS:-1} | ||
| restart_policy: | ||
| condition: any | ||
| volumes: | ||
| - logs_worker:/code/plane/logs | ||
| environment: | ||
| <<: [*app-env, *db-env, *redis-env, *minio-env, *aws-s3-env, *proxy-env] | ||
| depends_on: | ||
| - api | ||
| - plane-db | ||
| - plane-redis | ||
| - plane-mq | ||
|
|
||
| beat-worker: | ||
| image: artifacts.plane.so/makeplane/plane-backend:${APP_RELEASE:-v1.2.3} | ||
| command: ./bin/docker-entrypoint-beat.sh | ||
| deploy: | ||
| replicas: ${BEAT_WORKER_REPLICAS:-1} | ||
| restart_policy: | ||
| condition: any | ||
| volumes: | ||
| - logs_beat-worker:/code/plane/logs | ||
| environment: | ||
| <<: [*app-env, *db-env, *redis-env, *minio-env, *aws-s3-env, *proxy-env] | ||
| depends_on: | ||
| - api | ||
| - plane-db | ||
| - plane-redis | ||
| - plane-mq | ||
|
|
||
| migrator: | ||
| image: artifacts.plane.so/makeplane/plane-backend:${APP_RELEASE:-v1.2.3} | ||
| command: ./bin/docker-entrypoint-migrator.sh | ||
| deploy: | ||
| replicas: 1 | ||
| restart_policy: | ||
| condition: on-failure | ||
| volumes: | ||
| - logs_migrator:/code/plane/logs | ||
| environment: | ||
| <<: [*app-env, *db-env, *redis-env, *minio-env, *aws-s3-env, *proxy-env] | ||
| depends_on: | ||
| - plane-db | ||
| - plane-redis | ||
|
|
||
| # Comment this if you already have a database running | ||
| plane-db: | ||
|
Comment on lines +171 to +172
Contributor
The "comment this out" guidance yields a broken external-service setup. Line 171 says "# Comment this if you already have a database running".
Also applies to: 204-205 |
||
| image: postgres:15.7-alpine | ||
| command: postgres -c 'max_connections=1000' | ||
| deploy: | ||
| replicas: 1 | ||
| restart_policy: | ||
| condition: any | ||
| environment: | ||
| <<: *db-env | ||
| volumes: | ||
| - pgdata:/var/lib/postgresql/data | ||
|
|
||
| plane-redis: | ||
| image: valkey/valkey:7.2.11-alpine | ||
| deploy: | ||
| replicas: 1 | ||
| restart_policy: | ||
| condition: any | ||
| volumes: | ||
| - redisdata:/data | ||
|
|
||
| plane-mq: | ||
| image: rabbitmq:3.13.6-management-alpine | ||
| deploy: | ||
| replicas: 1 | ||
| restart_policy: | ||
| condition: any | ||
| environment: | ||
| <<: *mq-env | ||
| volumes: | ||
| - rabbitmq_data:/var/lib/rabbitmq | ||
|
|
||
| # Comment this if you using any external s3 compatible storage | ||
| plane-minio: | ||
| image: minio/minio:latest | ||
| command: server /export --console-address ":9090" | ||
| deploy: | ||
| replicas: 1 | ||
| restart_policy: | ||
| condition: any | ||
| environment: | ||
| <<: *minio-env | ||
| volumes: | ||
| - uploads:/export | ||
|
|
||
| # Comment this if you already have a reverse proxy running | ||
| proxy: | ||
| image: artifacts.plane.so/makeplane/plane-proxy:${APP_RELEASE:-v1.2.3} | ||
| deploy: | ||
| replicas: 1 | ||
| restart_policy: | ||
| condition: any | ||
| environment: | ||
| <<: *proxy-env | ||
| ports: | ||
| - target: 80 | ||
| published: ${LISTEN_HTTP_PORT:-80} | ||
| protocol: tcp | ||
| mode: host | ||
| - target: 443 | ||
| published: ${LISTEN_HTTPS_PORT:-443} | ||
| protocol: tcp | ||
| mode: host | ||
| volumes: | ||
| - proxy_config:/config | ||
| - proxy_data:/data | ||
| depends_on: | ||
| - web | ||
| - api | ||
| - space | ||
| - admin | ||
| - live | ||
|
|
||
| volumes: | ||
| pgdata: | ||
| redisdata: | ||
| uploads: | ||
| logs_api: | ||
| logs_worker: | ||
| logs_beat-worker: | ||
| logs_migrator: | ||
| rabbitmq_data: | ||
| proxy_config: | ||
| proxy_data: | ||
|
Comment on lines +1 to +255
Contributor
Remove the timestamped backup compose file from the repo.
Tools: Checkov (3.2.510) [medium] 193-194: Basic Auth Credentials (CKV_SECRET_4) |
||
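Review bot: `DATABASE_URL: ${DATABASE_URL:-postgresql://plane:plane@plane-db/plane}` and `AMQP_URL: ${AMQP_URL:-amqp://plane:plane@plane-mq:5672/plane}` hard-code credentials that are independent of `POSTGRES_PASSWORD` and `RABBITMQ_PASSWORD`, so an operator who sets only the password variables gets a database and broker that reject the API's connections, while one who sets neither runs on credentials published in the repository; the same holds for the literal defaults of `SECRET_KEY` and `LIVE_SERVER_SECRET_KEY` (the latter duplicated in `x-live-env` and `x-app-env`). Compose's required-variable syntax makes the stack refuse to start instead, e.g. `SECRET_KEY: ${SECRET_KEY:?SECRET_KEY must be set}`, and the two URLs could be assembled from the component variables rather than restated. Two smaller points: `image: minio/minio:latest` is the only unpinned image in the file (postgres, valkey and rabbitmq are pinned), and `api`, `worker`, `beat-worker` and `migrator` list `plane-db` under `depends_on`, so following the `# Comment this if you already have a database running` instruction leaves references to an undefined service; say which `depends_on` entries have to go along with it.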
Security concern: overly permissive default for `trusted_proxies`. Same issue as in Caddyfile.ce — the default `0.0.0.0/0` trusts all IP addresses for client IP header spoofing. Consider using `private_ranges` as the default.