From fc408f03b925887b0278629943cada4dc3a1a995 Mon Sep 17 00:00:00 2001 From: Gandalf Date: Sat, 3 Jan 2026 21:00:13 +0100 Subject: [PATCH] Improve Docker Swarm deployment for production use docker-compose.yml: - Remove 'name' property (unsupported by docker stack deploy) - Use host mode for ports (required for WireGuard/VPN interfaces) - Set HOSTNAME=0.0.0.0 via command (Docker overrides env var with container ID) - Adjust healthcheck intervals (30s interval, 60s start period) deploy-swarm.sh: - Auto-initialize Swarm with localhost-only binding (127.0.0.1) - Force service update after deploy to prevent config caching issues .env.wallet.example: - Remove OIDC config (wallet has no OIDC routes, only blog acts as provider) - Remove chat integration (minimizes attack surface for active key operations) LinkSanitizer.ts: - Comment out broken debug log that spams without showing values --- .env.wallet.example | 20 +------------- docker/docker-compose.yml | 26 ++++++++++++------- .../renderer/src/security/LinkSanitizer.ts | 3 ++- scripts/deploy-swarm.sh | 13 ++++++++++ 4 files changed, 32 insertions(+), 30 deletions(-) diff --git a/.env.wallet.example b/.env.wallet.example index c38bd9068..aebc5136d 100644 --- a/.env.wallet.example +++ b/.env.wallet.example @@ -1,8 +1,7 @@ # Denser Wallet Environment Configuration # Copy to ~/.denser/.env.wallet and fill in secrets # -# IMPORTANT: Secrets (SECRET_COOKIE_PASSWORD, OIDC_COOKIES_KEYS) should be -# different from blog for defense in depth. Generate unique values for each. +# IMPORTANT: Secrets should be different from blog for defense in depth. # ============================================================================= # App Identity (MUST differ between blog and wallet) 
@@ -42,23 +41,6 @@ DENSER_SERVER_API_CORS_ALLOW_ORIGIN="false" # Must be unique - do not share with blog DENSER_SERVER_SECRET_COOKIE_PASSWORD="CHANGE_ME_GENERATE_UNIQUE_SECRET" -# ============================================================================= -# OIDC (OpenID Connect) -# ============================================================================= -DENSER_SERVER_OIDC_ENABLED="yes" - -# REQUIRED: Generate with: openssl rand -base64 32 -# Must be unique - do not share with blog -DENSER_SERVER_OIDC_COOKIES_KEYS="CHANGE_ME_GENERATE_UNIQUE_SECRET" - -# ============================================================================= -# OpenHive Chat Integration -# ============================================================================= -# Chat is intentionally disabled for wallet - minimizes attack surface -# for active key operations. Enable only if specifically needed. -REACT_APP_OPENHIVE_CHAT_IFRAME_INTEGRATION_ENABLE="no" -REACT_APP_OPENHIVE_CHAT_IFRAME_VISIBLE="no" - # ============================================================================= # Logging & Debugging # ============================================================================= diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index f5a788bc1..65777b9e6 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -1,12 +1,14 @@ -name: 'denser' - services: denser-blog: image: registry.gitlab.syncad.com/hive/denser/blog:${VERSION:?VERSION required} ports: - - '3000:3000' + - target: 3000 + published: 3000 + mode: host environment: PORT: 3000 + # HOSTNAME must be set via command because Docker overrides env var with container ID + command: ["sh", "-c", "HOSTNAME=0.0.0.0 node ./apps/blog/server.js"] volumes: - ${BLOG_ENV_FILE:?BLOG_ENV_FILE must be set}:/app/apps/.env:ro deploy: 
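Review bot: Deleting the two `REACT_APP_OPENHIVE_CHAT_IFRAME_*="no"` lines removes the explicit opt-out that the removed comment itself describes as the attack-surface reduction for active-key operations; unless the application's default for these variables is already "no" (not visible in this diff), an operator copying this example now inherits whatever the default is instead of a deliberate disable. The same applies to the removed `DENSER_SERVER_OIDC_ENABLED="yes"`: dropping it only helps if the server defaults to OIDC off, which the hunk does not show. If the intent is that these features are always off for the wallet, keep the explicit lines `REACT_APP_OPENHIVE_CHAT_IFRAME_INTEGRATION_ENABLE="no"` and `REACT_APP_OPENHIVE_CHAT_IFRAME_VISIBLE="no"` together with the rationale comment, or state in the file header that the defaults are off so the omission is documented rather than implicit.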
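Review bot: The new `command: ["sh", "-c", "HOSTNAME=0.0.0.0 node ./apps/blog/server.js"]` runs node as a child of `sh`, so the SIGTERM sent on a rolling update or a forced service update goes to the shell, which may not forward it (whether `sh -c` execs a lone command depends on the shell in the image, which is not visible here); node would then be killed at the end of the stop grace period instead of shutting down cleanly. Prefixing with `exec` keeps the environment-variable workaround and puts node in the shell's place: `command: ["sh", "-c", "HOSTNAME=0.0.0.0 exec node ./apps/blog/server.js"]`. The wallet service in the next hunk uses the same `command` shape and would take the same change. Separately, the port entry with `mode: host` and `published: 3000` gives no host address, so as written the port is bound on every host interface; if the reachability-over-VPN-interface goal from the commit message means VPN-only, that restriction has to come from a host firewall rule, which this file cannot express.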
@@ -17,18 +19,22 @@ services: rollback_config: order: start-first healthcheck: - test: ['CMD', 'wget', '-q', '--spider', 'http://localhost:3000/trending'] - interval: 10s - timeout: 5s + test: ["CMD", "wget", "-q", "--spider", "http://localhost:3000/"] + interval: 30s + timeout: 10s retries: 3 start_period: 60s denser-wallet: image: registry.gitlab.syncad.com/hive/denser/wallet:${VERSION:?VERSION required} ports: - - '4000:3000' + - target: 3000 + published: 4000 + mode: host environment: PORT: 3000 + # HOSTNAME must be set via command because Docker overrides env var with container ID + command: ["sh", "-c", "HOSTNAME=0.0.0.0 node ./apps/wallet/server.js"] volumes: - ${WALLET_ENV_FILE:?WALLET_ENV_FILE must be set}:/app/apps/.env:ro deploy: @@ -39,8 +45,8 @@ services: rollback_config: order: start-first healthcheck: - test: ['CMD', 'wget', '-q', '--spider', 'http://localhost:3000/'] - interval: 10s - timeout: 5s + test: ["CMD", "wget", "-q", "--spider", "http://localhost:3000/"] + interval: 30s + timeout: 10s retries: 3 start_period: 60s diff --git a/packages/renderer/src/security/LinkSanitizer.ts b/packages/renderer/src/security/LinkSanitizer.ts index 937eebf36..a84fd4ba1 100644 --- a/packages/renderer/src/security/LinkSanitizer.ts +++ b/packages/renderer/src/security/LinkSanitizer.ts @@ -25,7 +25,8 @@ export class LinkSanitizer { public sanitizeLink(url: string, urlTitle: string): string | false { url = this.prependUnknownProtocolLink(url); - Log.log().debug('LinkSanitizer#sanitizeLink', {url, urlTitle}); + // Commented out: broken log that doesn't display url/urlTitle, just noise + // Log.log().debug('LinkSanitizer#sanitizeLink', {url, urlTitle}); if (Phishing.looksPhishy(url)) { Log.log().debug('LinkSanitizer#sanitizeLink', 'phishing link detected', 'phishing list', url, { diff --git a/scripts/deploy-swarm.sh b/scripts/deploy-swarm.sh index 8080e43e0..e1470bb67 100755 --- a/scripts/deploy-swarm.sh +++ b/scripts/deploy-swarm.sh 
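Review bot: Keeping the old call as the commented-out line `// Log.log().debug('LinkSanitizer#sanitizeLink', {url, urlTitle});` leaves dead code in sanitizeLink; if the trace is unwanted, delete both added lines and let version control hold the history. If a trace is still wanted, the phishing branch just below passes its values to the logger as positional arguments, which suggests the object literal is why nothing was displayed; `Log.log().debug('LinkSanitizer#sanitizeLink', 'url', url, 'urlTitle', urlTitle);` would follow that pattern, though the logger's signature is not in this hunk so confirm it before relying on it. sanitizeLink's body continues past the end of the hunk.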
@@ -87,6 +87,13 @@ fi
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 COMPOSE_FILE="$SCRIPT_DIR/../docker/docker-compose.yml"
 
+# Initialize swarm if not already active (single-node, localhost only)
+SWARM_STATE=$(docker info --format '{{.Swarm.LocalNodeState}}' 2>/dev/null || echo "unknown")
+if [ "$SWARM_STATE" != "active" ]; then
+ echo "Initializing Docker Swarm (single-node, localhost only)..."
+ docker swarm init --advertise-addr 127.0.0.1 --listen-addr 127.0.0.1:2377
+fi
+
 echo "Deploying version: $VERSION"
 echo "Blog env: $BLOG_ENV_FILE"
 echo "Wallet env: $WALLET_ENV_FILE"
@@ -99,4 +106,10 @@ export BLOG_ENV_FILE
 export WALLET_ENV_FILE
 docker stack deploy -c "$COMPOSE_FILE" denser
 
+# Force service update to ensure config changes are applied
+# (Docker Swarm sometimes caches service spec when image is unchanged)
+echo "Forcing service update..."
+docker service update --force denser_denser-blog
+docker service update --force denser_denser-wallet
+
 echo "Done. Check status: docker service ls"
-- GitLab
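Review bot: The result of the new `docker swarm init` line inside the `if` is not checked, so if initialization fails the script goes on to `docker stack deploy` against an engine that is not a swarm manager (unless the script enables `set -e` above this hunk, which is not visible). The `!= "active"` test also routes any other `LocalNodeState` value, such as a locked or pending node, into `swarm init`, which fails when the node is already part of a swarm. Guard the call so the failure is visible and stops the deploy: `docker swarm init --advertise-addr 127.0.0.1 --listen-addr 127.0.0.1:2377 || { echo "docker swarm init failed (state: $SWARM_STATE)" >&2; exit 1; }`. Binding the manager to 127.0.0.1 as done here is the right default for a single node, since it keeps the 2377 management port off external interfaces.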
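Review bot: The forced updates hard-code the service names `denser_denser-blog` and `denser_denser-wallet`, duplicating the stack name passed to `docker stack deploy` two lines above, and their exit status is unchecked, so a renamed stack or a failed update passes through to the "Done" message. Put the stack name in one variable and fail on error: `STACK_NAME=denser`, `docker stack deploy -c "$COMPOSE_FILE" "$STACK_NAME"`, `docker service update --force "${STACK_NAME}_denser-blog" || exit 1` (and likewise for the wallet service). Note that `--force` restarts both services on every run even when the spec and image are unchanged; if the workaround is only needed when the image tag did not change, gating it on that condition would spare routine deploys a second rolling restart.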