fix(docker): refactor volume mounts and path resolution for server deployment

- Simplified Docker volume architecture from multiple mounts to single mount point
  * Changed from /opt/cryptic to /opt/cryptic/server_data to avoid overwriting Erlang release
  * Updated docker-compose.yml to use single volume: ./server_data:/opt/cryptic/server_data:rw

- Fixed certificate and database path resolution
  * Removed hardcoded ENV vars from Dockerfile (CRYPTIC_SERVER_CERT, etc.)
  * Added cryptic_lib:get_server_file/2 for unified path resolution
  * Paths from sys.config now relative, prepended with CRYPTIC_SERVER_DIR
  * Fixed empty string handling in environment variables ("" treated as false)

- Enhanced docker-entrypoint.sh
  * Auto-generates CA certificates if missing using generate-mtls-certs.sh
  * Sets default CRYPTIC_SERVER_DIR=/opt/cryptic/server_data
  * Improved debug logging and directory structure validation

- Updated GPG bootstrap configuration
  * Added bootstrap_dir to sys.config and cryptic.app.src
  * Updated cryptic_ca_bootstrap to use get_server_file/2 for bootstrap directory
  * Simplified cryptic_ca_store certificate/key loading to use helper functions

- Improved documentation (DOCKER.md)
  * Simplified deployment instructions with single volume mount
  * Removed redundant mkdir commands (script handles internally)
  * Updated all examples to use CRYPTIC_SERVER_DIR environment variable

This refactoring improves deployment reliability and simplifies the Docker setup
process by eliminating mount conflicts and standardizing path resolution.

Author: etnt

Dockerfile

@@ -73,12 +73,10 @@ RUN mkdir -p /opt/cryptic/certs /opt/cryptic/logs /opt/cryptic/data/ca /opt/cryp
 EXPOSE 8443
 
 # Set environment variables with defaults
+# Note: Certificate paths are configured in sys.config as relative paths
+# CRYPTIC_SERVER_DIR will be prepended by cryptic_lib:get_server_file/2
 ENV CRYPTIC_SERVER_HOST=0.0.0.0 \
     CRYPTIC_SERVER_PORT=8443 \
-    CRYPTIC_SERVER_CERT=/opt/cryptic/certs/server.crt \
-    CRYPTIC_SERVER_KEY=/opt/cryptic/certs/server.key \
-    CRYPTIC_CA_CERT=/opt/cryptic/certs/ca.crt \
-    CRYPTIC_CA_DB_FILE=/opt/cryptic/data/ca/cryptic_ca.db \
     CRYPTIC_EVENT_HANDLERS=cryptic_file_logger
 
 # Health check

config/sys.config

@@ -7,7 +7,7 @@
         {cert_renewal_check_interval, 3600},    % Check every hour (3600 seconds)
         {cert_renewal_max_retries, 5},          % Max retry attempts before alerting user
         {cert_renewal_retry_interval, 3600},    % Base retry interval: 1 hour (seconds)
-        
+
         %% CA Certificate Files (generated by myca)
         {ca_cert_file, "priv/ssl/ca.crt"},
         {ca_key_file, "priv/ssl/ca.key"},
@@ -16,6 +16,9 @@
         {server_cert_file, "priv/ssl/server.crt"},
         {server_key_file, "priv/ssl/server.key"},
 
+        %% Directory holding GPG bootstrap keys
+        {bootstrap_dir, "priv/ca/bootstrap"},
+
         %% Database Configuration
         {ca_db_file, "data/ca/cryptic_ca.db"},
         {storage_backend, esqlite},

docker-compose.yml

@@ -17,38 +17,23 @@ services:
     environment:
       - CRYPTIC_SERVER_HOST=0.0.0.0
       - CRYPTIC_SERVER_PORT=8443
-      - CRYPTIC_SERVER_CERT=/opt/cryptic/certs/server.crt
-      - CRYPTIC_SERVER_KEY=/opt/cryptic/certs/server.key
-      - CRYPTIC_CA_CERT=/opt/cryptic/certs/ca.crt
-      - CRYPTIC_CA_DB_FILE=/opt/cryptic/data/ca/cryptic_ca.db
+      # Set server directory - all server data stored here
+      # Paths in sys.config (e.g., "priv/ssl/ca.crt") are relative to this directory
+      - CRYPTIC_SERVER_DIR=/opt/cryptic/server_data
       - CRYPTIC_EVENT_HANDLERS=cryptic_file_logger
       # Optional: Enable debug logging (set to "true" for verbose output)
       - CRYPTIC_DEBUG=true
 
     # Volume mounts for certificates and persistent data
     volumes:
-      # Mount certificates from priv/ssl (generated by scripts/generate-mtls-certs.sh)
-      - ./priv/ssl/server.crt:/opt/cryptic/certs/server.crt:ro
-      - ./priv/ssl/server.key:/opt/cryptic/certs/server.key:ro
-      - ./priv/ssl/ca.crt:/opt/cryptic/certs/ca.crt:ro
-
-      # Mount CA cert and key to release priv directory for certificate issuance
-      - ./priv/ssl/ca.crt:/opt/cryptic/lib/cryptic-1.0.0/priv/ssl/ca.crt:ro
-      - ./priv/ssl/ca.key:/opt/cryptic/lib/cryptic-1.0.0/priv/ssl/ca.key:ro
-
-      # Bootstrap GPG fingerprints for pre-verified users
-      # Read-write so bootstrap script can export GPG keys from inside container
-      - ./priv/ca/bootstrap:/opt/cryptic/lib/cryptic-1.0.0/priv/ca/bootstrap:rw
+      # Single mount point for all server data (priv/, logs/, data/)
+      # Note: /opt/cryptic contains Erlang release, so mount to subdirectory
+      - ./server_data:/opt/cryptic/server_data:rw
 
       # Shared GPG keyring - allows GPG key generation inside container
       # Keys generated in container are available on host and vice versa
       - ${HOME}/.gnupg:/home/cryptic/.gnupg:rw
 
-      # Persistent data volumes (logs and CA database)
-      - cryptic-logs:/opt/cryptic/logs
-      - cryptic-ca-data:/opt/cryptic/data/ca
-      - cryptic-data:/opt/cryptic/data
-
     # Restart policy
     restart: unless-stopped
 

docs/DOCKER.md

@@ -63,42 +63,37 @@ docker run -it --rm --name cryptic-client \
 # Get the latest Server docker image
 docker pull ghcr.io/etnt/cryptic:latest
 
-# Create a directory for storing the Cryptic server data
+# Create a directory for storing all Cryptic server data
 mkdir ~/.cryptic_server
 cd ~/.cryptic_server
 
 # Setup the server certificates (one-time step)
 # Creates ca.crt, ca.key, server.crt, server.key in ./priv/ssl/
-mkdir -p priv/ssl priv/ca/bootstrap
 docker run -it --rm \
-  -v $(pwd)/priv/ssl:/opt/cryptic/certs \
-  ghcr.io/etnt/cryptic:latest sh -c 'DIR=/opt/cryptic/certs generate-mtls-certs.sh'
+  -v $(pwd):/opt/cryptic/server_data \
+  -e CRYPTIC_SERVER_DIR=/opt/cryptic/server_data \
+  ghcr.io/etnt/cryptic:latest \
+  sh -c 'DIR=${CRYPTIC_SERVER_DIR}/priv/ssl generate-mtls-certs.sh'
 
 # Bootstrap the first admin user BEFORE starting the server
 # Step 1: Generate a GPG key on your host (if you don't have one)
 #         No passphrase needed - it's only used for signing CSRs
 gpg --quick-generate-key 'alice <alice@cryptic.local>' rsa4096
 
 # Step 2: Export your GPG public key to the bootstrap directory
+mkdir -p priv/ca/bootstrap
 gpg --armor --export alice@cryptic.local > priv/ca/bootstrap/alice.gpg
 
-# Run the server (requires certificates in ./priv/ssl/)
-# Here we show how to expose port 9898 instead of the default (8443)
+# Run the server with single directory mount
+# All server data (priv/, logs/, data/) will be in ~/.cryptic_server/
+# Note: Mount to /opt/cryptic/server_data (not /opt/cryptic which contains the Erlang release)
 # For debug log output, add: -e CRYPTIC_DEBUG=true
-mkdir -p logs data/ca/bootstrap
 docker run -d \
   --name cryptic-server \
-  -p 9898:8443 \
-  -v $(pwd)/priv/ssl:/opt/cryptic/lib/cryptic-1.0.0/priv/ssl:ro \
-  -v $(pwd)/priv/ca:/opt/cryptic/lib/cryptic-1.0.0/priv/ca:ro \
-  -v $(pwd)/logs:/opt/cryptic/logs \
-  -v $(pwd)/data:/opt/cryptic/data \
+  -p 8443:8443 \
+  -v $(pwd):/opt/cryptic/server_data:rw \
   -e CRYPTIC_SERVER_HOST=0.0.0.0 \
-  -e CRYPTIC_SERVER_CERT=/opt/cryptic/lib/cryptic-1.0.0/priv/ssl/server.crt \
-  -e CRYPTIC_SERVER_KEY=/opt/cryptic/lib/cryptic-1.0.0/priv/ssl/server.key \
-  -e CRYPTIC_CA_CERT=/opt/cryptic/lib/cryptic-1.0.0/priv/ssl/ca.crt \
-  -e CRYPTIC_CA_CERT_FILE=/opt/cryptic/lib/cryptic-1.0.0/priv/ssl/ca.crt \
-  -e CRYPTIC_CA_KEY_FILE=/opt/cryptic/lib/cryptic-1.0.0/priv/ssl/ca.key \
+  -e CRYPTIC_SERVER_DIR=/opt/cryptic/server_data \
   ghcr.io/etnt/cryptic:latest
 
 # Check server logs

scripts/docker-entrypoint.sh

@@ -1,66 +1,66 @@
 #!/bin/sh
 set -e
 
-# Ensure required directories exist (in case volumes are mounted empty)
-mkdir -p /opt/cryptic/data/ca
-mkdir -p /opt/cryptic/logs
-mkdir -p /opt/cryptic/certs
-
-# Fix ownership of mounted volumes (they may be created as root)
-chown -R cryptic:cryptic /opt/cryptic/data
-chown -R cryptic:cryptic /opt/cryptic/logs
-
-# Note: Certificate files at /opt/cryptic/certs/ are bind-mounted as read-only
-# Ensure they have correct permissions on the HOST before mounting:
-#   chmod 644 priv/ssl/*.{crt,key}
+# Set default CRYPTIC_SERVER_DIR to /opt/cryptic/server_data if not already set
+# This will contain all server data: priv/, logs/, and data/
+# Note: /opt/cryptic contains the Erlang release (bin/, lib/, etc.)
+if [ -z "${CRYPTIC_SERVER_DIR}" ]; then
+    CRYPTIC_SERVER_DIR="/opt/cryptic/server_data"
+    export CRYPTIC_SERVER_DIR
+fi
 
-# Ensure priv/ssl directory exists for CA cert/key mounts
-# The release path includes version, but we'll create under all lib versions
-for libdir in /opt/cryptic/lib/cryptic-*/; do
-    if [ -d "$libdir" ]; then
-        mkdir -p "${libdir}priv/ssl"
-        # Only chown the directory, not the read-only mounted files inside
-        chown cryptic:cryptic "${libdir}priv/ssl" 2>/dev/null || true
-        chown cryptic:cryptic "${libdir}priv" 2>/dev/null || true
-    fi
-done
+# Ensure all required directories exist under CRYPTIC_SERVER_DIR
+mkdir -p "${CRYPTIC_SERVER_DIR}/data/ca"
+mkdir -p "${CRYPTIC_SERVER_DIR}/logs"
+mkdir -p "${CRYPTIC_SERVER_DIR}/priv/ssl"
+mkdir -p "${CRYPTIC_SERVER_DIR}/priv/ca/bootstrap"
 
-# Also create priv/ssl in the working directory since config uses relative paths
-mkdir -p /opt/cryptic/priv/ssl
+echo "INFO: CRYPTIC_SERVER_DIR is set to ${CRYPTIC_SERVER_DIR}"
+echo "INFO: Expected structure:"
+echo "  ${CRYPTIC_SERVER_DIR}/priv/ssl/ca.crt        - CA certificate"
+echo "  ${CRYPTIC_SERVER_DIR}/priv/ssl/ca.key        - CA private key"
+echo "  ${CRYPTIC_SERVER_DIR}/priv/ssl/server.crt    - Server certificate"
+echo "  ${CRYPTIC_SERVER_DIR}/priv/ssl/server.key    - Server private key"
+echo "  ${CRYPTIC_SERVER_DIR}/priv/ca/bootstrap/*.gpg - Bootstrap GPG keys"
+echo "  ${CRYPTIC_SERVER_DIR}/data/                   - Database files"
+echo "  ${CRYPTIC_SERVER_DIR}/logs/                   - Log files"
 
-# Copy CA cert/key files from mounted certs directory to priv/ssl
-# The application config uses relative path "priv/ssl/ca.crt"
-if [ -f "/opt/cryptic/certs/ca.crt" ] && [ -f "/opt/cryptic/certs/ca.key" ]; then
-    echo "DEBUG: Copying CA files from /opt/cryptic/certs/ to priv/ssl/"
-    cp /opt/cryptic/certs/ca.crt /opt/cryptic/priv/ssl/
-    cp /opt/cryptic/certs/ca.key /opt/cryptic/priv/ssl/
-    chown cryptic:cryptic /opt/cryptic/priv/ssl/*
+# Check if CA certificates exist, generate if missing
+if [ ! -f "${CRYPTIC_SERVER_DIR}/priv/ssl/ca.crt" ] || [ ! -f "${CRYPTIC_SERVER_DIR}/priv/ssl/ca.key" ]; then
+    echo "INFO: CA certificates not found, generating..."
+    DIR="${CRYPTIC_SERVER_DIR}/priv/ssl" /usr/local/bin/generate-mtls-certs.sh
 else
-    echo "WARNING: CA certificate files not found in /opt/cryptic/certs/"
-    echo "  Expected: /opt/cryptic/certs/ca.crt and /opt/cryptic/certs/ca.key"
-    echo "  Run certificate generation first or mount the files."
+    echo "INFO: CA certificates found"
 fi
 
-# Debug: Show directory permissions
-echo "DEBUG: /opt/cryptic/data permissions:"
-ls -ld /opt/cryptic/data
-echo "DEBUG: /opt/cryptic/data/ca permissions:"
-ls -ld /opt/cryptic/data/ca
-echo "DEBUG: /opt/cryptic/data/ca contents:"
-ls -la /opt/cryptic/data/ca/ || echo "Directory empty or not readable"
-echo "DEBUG: Environment CRYPTIC_CA_DB_FILE=${CRYPTIC_CA_DB_FILE}"
-echo "DEBUG: Environment CRYPTIC_DEBUG=${CRYPTIC_DEBUG}"
-echo "DEBUG: Test file creation:"
-su-exec cryptic touch /opt/cryptic/data/ca/test.txt && echo "SUCCESS" || echo "FAILED"
+# Fix ownership of mounted volumes (they may be created as root)
+chown -R cryptic:cryptic "${CRYPTIC_SERVER_DIR}/data" 2>/dev/null || true
+chown -R cryptic:cryptic "${CRYPTIC_SERVER_DIR}/logs" 2>/dev/null || true
+
+# Debug: Show directory structure and permissions
+if [ "${CRYPTIC_DEBUG}" = "true" ]; then
+    echo "DEBUG: ${CRYPTIC_SERVER_DIR}/data permissions:"
+    ls -ld "${CRYPTIC_SERVER_DIR}/data"
+    echo "DEBUG: ${CRYPTIC_SERVER_DIR}/data/ca permissions:"
+    ls -ld "${CRYPTIC_SERVER_DIR}/data/ca"
+    echo "DEBUG: ${CRYPTIC_SERVER_DIR}/data/ca contents:"
+    ls -la "${CRYPTIC_SERVER_DIR}/data/ca/" || echo "Directory empty or not readable"
+    
+    echo "DEBUG: ${CRYPTIC_SERVER_DIR}/priv contents:"
+    ls -laR "${CRYPTIC_SERVER_DIR}/priv" 2>/dev/null || echo "Directory not readable"
+    
+    echo "DEBUG: Environment variables:"
+    echo "  CRYPTIC_SERVER_DIR=${CRYPTIC_SERVER_DIR}"
+    echo "  CRYPTIC_CA_DB_FILE=${CRYPTIC_CA_DB_FILE}"
+    echo "  CRYPTIC_DEBUG=${CRYPTIC_DEBUG}"
+fi
 
 # Switch to cryptic user and execute the main command
 # Explicitly preserve environment variables that the application needs
 exec su-exec cryptic env \
     CRYPTIC_SERVER_HOST="${CRYPTIC_SERVER_HOST}" \
     CRYPTIC_SERVER_PORT="${CRYPTIC_SERVER_PORT}" \
-    CRYPTIC_SERVER_CERT="${CRYPTIC_SERVER_CERT}" \
-    CRYPTIC_SERVER_KEY="${CRYPTIC_SERVER_KEY}" \
-    CRYPTIC_CA_CERT="${CRYPTIC_CA_CERT}" \
+    CRYPTIC_SERVER_DIR="${CRYPTIC_SERVER_DIR}" \
     CRYPTIC_CA_DB_FILE="${CRYPTIC_CA_DB_FILE}" \
     CRYPTIC_EVENT_HANDLERS="${CRYPTIC_EVENT_HANDLERS}" \
     CRYPTIC_DEBUG="${CRYPTIC_DEBUG}" \

src/cryptic.app.src

@@ -27,8 +27,6 @@
         {websocket_mtls_port, 8443},
 
         % Poll interval (seconds)
-
-        % FIXME: adjust as needed
         {poll_interval, 2},
 
         % Enable debug output
@@ -42,6 +40,9 @@
         {server_cert_file, "priv/ssl/server.crt"},
         {server_key_file, "priv/ssl/server.key"},
 
+        %% Directory holding GPG bootstrap keys
+        {bootstrap_dir, "priv/ca/bootstrap"},
+
         %% Database Configuration
         {ca_db_file, "data/ca/cryptic_ca.db"},
         {storage_backend, esqlite},
@@ -51,10 +52,6 @@
         {cert_max_lifetime_days, 30},
         {cert_renewal_threshold, 0.5},
 
-        %% Invite Policy
-        {invite_default_ttl_hours, 24},
-        {invite_max_ttl_hours, 72},
-
         %% Audit Configuration
         {audit_enabled, true},
         {audit_retention_days, 90}

src/cryptic_ca_app.erl

@@ -96,7 +96,7 @@ init_ca() ->
     %% Get database file path from config
     DbFile = get_ca_db_file(),
 
-    ?info("Initializing CA database: ~s", [DbFile]),
+    ?info("Initializing CA database at: ~p", [DbFile]),
 
     %% Ensure directory exists
     DbDir = filename:dirname(DbFile),
@@ -142,18 +142,27 @@ get_ca_db() ->
 %% @doc Get CA database file path from configuration.
 -spec get_ca_db_file() -> string().
 get_ca_db_file() ->
-    %% Try environment variable first
-    case os:getenv("CRYPTIC_CA_DB_FILE") of
-        false ->
-            %% Try application config
-            case application:get_env(cryptic, ca_db_file) of
-                {ok, Path} ->
-                    Path;
-                undefined ->
-                    %% Use default path
-                    PrivDir = code:priv_dir(cryptic),
-                    filename:join([PrivDir, "ca", "cryptic_ca.db"])
+    %% Debug: Check application environment
+    AppEnvResult = application:get_env(cryptic, ca_db_file),
+    ?info("DEBUG: application:get_env(cryptic, ca_db_file) = ~p", [AppEnvResult]),
+    
+    EnvVar = os:getenv("CRYPTIC_CA_DB_FILE"),
+    ?info("DEBUG: os:getenv(CRYPTIC_CA_DB_FILE) = ~p", [EnvVar]),
+    
+    ServerDir = os:getenv("CRYPTIC_SERVER_DIR"),
+    ?info("DEBUG: os:getenv(CRYPTIC_SERVER_DIR) = ~p", [ServerDir]),
+    
+    case cryptic_lib:get_server_file("CRYPTIC_CA_DB_FILE", ca_db_file) of
+        undefined ->
+            ?info("DEBUG: get_server_file returned undefined, using fallback", []),
+            %% Fallback to default path under CRYPTIC_SERVER_DIR
+            case ServerDir of
+                false ->
+                    "data/ca/cryptic_ca.db";
+                _ ->
+                    filename:join([ServerDir, "data/ca/cryptic_ca.db"])
             end;
-        EnvPath ->
-            EnvPath
+        DbFile ->
+            ?info("DEBUG: get_server_file returned: ~p", [DbFile]),
+            DbFile
     end.

src/cryptic_ca_bootstrap.erl

@@ -25,8 +25,10 @@
 %% @doc Get the bootstrap directory path
 -spec get_bootstrap_dir() -> file:filename().
 get_bootstrap_dir() ->
-    PrivDir = code:priv_dir(cryptic),
-    filename:join([PrivDir, "ca", "bootstrap"]).
+    cryptic_lib:get_server_file(
+        "CRYPTIC_BOOTSTRAP_DIR",
+        bootstrap_dir
+    ).
 
 %% @doc Load all GPG bootstrap registrations from filesystem
 %%

src/cryptic_ca_init.erl

@@ -42,10 +42,18 @@ get_db_ref() ->
 
 %% @doc Initialize the CA database.
 init([]) ->
+    LogDir =
+        case os:getenv("CRYPTIC_SERVER_DIR") of
+            false ->
+                "logs";
+            ServerDir ->
+                filename:join([ServerDir, "logs"])
+        end,
+
     %% Set up event handlers for logging (event manager is already started by supervisor)
     cryptic_event_manager:setup_event_handlers(#{
         log_type => server,
-        log_dir => "logs"
+        log_dir => LogDir
     }),
 
     ?info("CA initializer starting...", []),