Add Warning component and enhance self-hosting docs

richiemcilroy · richiemcilroy · commit 1f847798f53b · 2026-01-26T20:52:44.000Z
diff --git a/.github/workflows/test-self-hosting.yml b/.github/workflows/test-self-hosting.yml
@@ -0,0 +1,136 @@
+name: "Test Self-Hosting"
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - "docker-compose.yml"
+      - "docker-compose.coolify.yml"
+      - "apps/media-server/**"
+      - "apps/web/Dockerfile"
+      - ".github/workflows/test-self-hosting.yml"
+  pull_request:
+    paths:
+      - "docker-compose.yml"
+      - "docker-compose.coolify.yml"
+      - "apps/media-server/**"
+      - "apps/web/Dockerfile"
+      - ".github/workflows/test-self-hosting.yml"
+
+jobs:
+  test-docker-compose:
+    name: Test Docker Compose Self-Hosting
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+
+      - name: Start Cap with Docker Compose
+        run: |
+          echo "Starting Cap..."
+          docker compose up -d
+          echo "Waiting for services to initialize..."
+
+      - name: Wait for MySQL to be healthy
+        run: |
+          echo "Waiting for MySQL..."
+          timeout 120 bash -c 'until docker inspect cap-mysql --format="{{.State.Health.Status}}" 2>/dev/null | grep -q "healthy"; do sleep 2; done'
+          echo "MySQL is healthy"
+
+      - name: Wait for MinIO to be healthy
+        run: |
+          echo "Waiting for MinIO..."
+          timeout 60 bash -c 'until docker inspect cap-minio --format="{{.State.Health.Status}}" 2>/dev/null | grep -q "healthy"; do sleep 2; done'
+          echo "MinIO is healthy"
+
+      - name: Wait for Media Server to be healthy
+        run: |
+          echo "Waiting for Media Server..."
+          timeout 60 bash -c 'until docker inspect cap-media-server --format="{{.State.Health.Status}}" 2>/dev/null | grep -q "healthy"; do sleep 2; done'
+          echo "Media Server is healthy"
+
+      - name: Wait for Cap Web to be healthy
+        run: |
+          echo "Waiting for Cap Web..."
+          timeout 180 bash -c 'until docker inspect cap-web --format="{{.State.Health.Status}}" 2>/dev/null | grep -q "healthy"; do sleep 2; done'
+          echo "Cap Web is healthy"
+
+      - name: Show service status
+        run: docker compose ps
+
+      - name: Test Cap Web responds
+        run: |
+          echo "Testing Cap Web..."
+          response=$(curl -s -o /dev/null -w "%{http_code}" http://localhost:3000)
+          if [ "$response" = "307" ] || [ "$response" = "200" ]; then
+            echo "✓ Cap Web responds (HTTP $response)"
+          else
+            echo "✗ Cap Web failed (HTTP $response)"
+            exit 1
+          fi
+
+      - name: Test login page renders
+        run: |
+          echo "Testing login page..."
+          if curl -s http://localhost:3000/login | grep -q "Cap"; then
+            echo "✓ Login page renders correctly"
+          else
+            echo "✗ Login page failed to render"
+            exit 1
+          fi
+
+      - name: Test Media Server health
+        run: |
+          echo "Testing Media Server..."
+          health=$(docker exec cap-web wget -qO- http://media-server:3456/health)
+          if echo "$health" | grep -q '"status":"ok"'; then
+            echo "✓ Media Server is healthy"
+            echo "  Response: $health"
+          else
+            echo "✗ Media Server health check failed"
+            exit 1
+          fi
+
+      - name: Test database has tables
+        run: |
+          echo "Testing database..."
+          tables=$(docker exec cap-mysql mysql -ucap -pcap-local-pwd-123 cap -e "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema='cap';" -s -N 2>/dev/null)
+          if [ "$tables" -gt 0 ]; then
+            echo "✓ Database has $tables tables (migrations ran successfully)"
+          else
+            echo "✗ Database has no tables"
+            exit 1
+          fi
+
+      - name: Test MinIO bucket exists
+        run: |
+          echo "Testing MinIO bucket..."
+          if docker compose logs minio-setup 2>&1 | grep -q "Bucket created successfully\|already exists"; then
+            echo "✓ MinIO bucket is configured"
+          else
+            echo "✗ MinIO bucket setup failed"
+            docker compose logs minio-setup
+            exit 1
+          fi
+
+      - name: Show Cap Web logs
+        if: always()
+        run: |
+          echo "=== Cap Web Logs ==="
+          docker compose logs cap-web | tail -50
+
+      - name: Show all logs on failure
+        if: failure()
+        run: |
+          echo "=== All Service Logs ==="
+          docker compose logs
+
+      - name: Cleanup
+        if: always()
+        run: |
+          docker compose down -v
+          echo "Cleanup complete"
diff --git a/apps/web/app/(site)/docs/[...slug]/page.tsx b/apps/web/app/(site)/docs/[...slug]/page.tsx
@@ -3,7 +3,7 @@ import type { Metadata } from "next";
 import Image from "next/image";
 import Link from "next/link";
 import { notFound } from "next/navigation";
-import { MDXRemote } from "next-mdx-remote/rsc";
+import { CustomMDX } from "@/components/mdx";
 import type { DocMetadata } from "@/utils/blog";
 import { getDocs } from "@/utils/blog";
 
@@ -121,7 +121,7 @@ export default async function DocPage(props: DocProps) {
 				{/* Show root category content if it exists */}
 				{rootDoc && (
 					<div className="mb-8">
-						<MDXRemote source={rootDoc.content} />
+						<CustomMDX source={rootDoc.content} />
 						<hr className="my-8" />
 					</div>
 				)}
@@ -194,7 +194,7 @@ export default async function DocPage(props: DocProps) {
 					<h1 className="mb-2">{doc.metadata.title}</h1>
 				</header>
 				<hr className="my-6" />
-				<MDXRemote source={doc.content} />
+				<CustomMDX source={doc.content} />
 			</div>
 		</article>
 	);
diff --git a/apps/web/components/mdx.tsx b/apps/web/components/mdx.tsx
@@ -75,6 +75,36 @@ function Callout(props: CalloutProps) {
 	);
 }
 
+interface WarningProps {
+	title?: string;
+	children: ReactNode;
+}
+
+function Warning(props: WarningProps) {
+	return (
+		<div className="px-4 py-3 border-2 border-red-300 bg-red-50 rounded-lg text-sm mb-8 dark:bg-red-950 dark:border-red-800">
+			<div className="flex items-center gap-2 font-semibold text-red-700 dark:text-red-400 mb-2">
+				<svg
+					xmlns="http://www.w3.org/2000/svg"
+					viewBox="0 0 20 20"
+					fill="currentColor"
+					className="w-5 h-5"
+				>
+					<path
+						fillRule="evenodd"
+						d="M8.485 2.495c.673-1.167 2.357-1.167 3.03 0l6.28 10.875c.673 1.167-.17 2.625-1.516 2.625H3.72c-1.347 0-2.189-1.458-1.515-2.625L8.485 2.495zM10 5a.75.75 0 01.75.75v3.5a.75.75 0 01-1.5 0v-3.5A.75.75 0 0110 5zm0 9a1 1 0 100-2 1 1 0 000 2z"
+						clipRule="evenodd"
+					/>
+				</svg>
+				{props.title || "Warning"}
+			</div>
+			<div className="text-red-700 dark:text-red-300 [&>p]:m-0 [&>ul]:m-0 [&>ul]:mt-2">
+				{props.children}
+			</div>
+		</div>
+	);
+}
+
 function slugify(str: string) {
 	return str
 		.toString()
@@ -114,6 +144,7 @@ const components = {
 	Image: RoundedImage,
 	a: CustomLink,
 	Callout,
+	Warning,
 	Table,
 };
 
diff --git a/apps/web/content/docs/self-hosting.mdx b/apps/web/content/docs/self-hosting.mdx
@@ -36,6 +36,10 @@ docker compose up -d
 
 That's it! Cap will be available at `http://localhost:3000`.
 
+<Warning title="Security Notice for Production Deployments">
+The default `docker-compose.yml` includes placeholder secrets for quick local testing. **If you're deploying to a public server or production environment**, you must change these values. See the [Production Checklist](#production-checklist) below.
+</Warning>
+
 Login links will appear in the logs since email isn't configured:
 ```bash
 docker compose logs cap-web
@@ -133,12 +137,30 @@ GOOGLE_CLIENT_SECRET=your-secret
 
 ## Production Checklist
 
-> **Important:** The default configuration uses placeholder passwords suitable for local testing only. For production, you must set secure values via environment variables.
+<Warning title="Critical: Change Default Secrets Before Going Public">
+The default `docker-compose.yml` contains **hardcoded placeholder secrets** that are visible in the public repository. Anyone who knows you're using Cap with defaults could potentially:
+
+- **Forge authentication sessions** (via `NEXTAUTH_SECRET`)
+- **Decrypt sensitive database fields** (via `DATABASE_ENCRYPTION_KEY`)
+- **Spoof webhook requests** (via `MEDIA_SERVER_WEBHOOK_SECRET`)
+
+This is fine for local development or testing on a private network, but **you must generate unique secrets before exposing Cap to the internet**.
+</Warning>
+
+**Generate secure secrets:**
+```bash
+openssl rand -hex 32
+```
+
+Run this command three times to generate values for:
+- `NEXTAUTH_SECRET`
+- `DATABASE_ENCRYPTION_KEY`
+- `MEDIA_SERVER_WEBHOOK_SECRET`
 
-For production deployments:
+**Full production checklist:**
 
 - [ ] Set secure passwords: `MYSQL_PASSWORD`, `MINIO_ROOT_PASSWORD`
-- [ ] Set secure secrets: `DATABASE_ENCRYPTION_KEY`, `NEXTAUTH_SECRET`, `MEDIA_SERVER_WEBHOOK_SECRET` (use `openssl rand -hex 32`)
+- [ ] Set secure secrets: `DATABASE_ENCRYPTION_KEY`, `NEXTAUTH_SECRET`, `MEDIA_SERVER_WEBHOOK_SECRET`
 - [ ] Set `CAP_URL` to your public URL
 - [ ] Set `S3_PUBLIC_URL` to your MinIO/S3 public URL
 - [ ] Configure a reverse proxy (nginx, Caddy, Traefik) with SSL
