Add Hostinger (managed-Traefik) deployment files (#459)

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 08:38:13 +02:00 · 2026-06-21 14:41:28 +05:30 · 2026-06-21 14:41:28 +05:30 · bb334106ad
commit bb334106ad
parent 678d4bfb1e
4 changed files with 463 additions and 0 deletions
--- a/deploy/hostinger/.env.example
+++ b/deploy/hostinger/.env.example
@ -0,0 +1,65 @@
+# Dograh — Hostinger VPS (managed Traefik) environment
+# Copy to .env (in this directory) and fill in. See README.md for bring-up.
+
+# ---------------------------------------------------------------------------
+# Public identity
+# ---------------------------------------------------------------------------
+# The domain users hit in the browser. Must already point (DNS A record) at
+# this VPS, and be a router rule Traefik will issue a Let's Encrypt cert for.
+PUBLIC_HOST=app.example.com
+
+# ---------------------------------------------------------------------------
+# Managed Traefik wiring  (confirm these three with Hostinger)
+# ---------------------------------------------------------------------------
+# Name of the existing Docker network Traefik watches/attaches to.
+TRAEFIK_NETWORK=traefik
+# Name of Traefik's HTTPS entrypoint (often "websecure" or "https").
+TRAEFIK_ENTRYPOINT=websecure
+# Name of Traefik's Let's Encrypt certificate resolver.
+TRAEFIK_CERTRESOLVER=letsencrypt
+
+# ---------------------------------------------------------------------------
+# WebRTC media (coturn) — REQUIRED for voice. NOT proxied by Traefik.
+# ---------------------------------------------------------------------------
+# Public IP of this VPS (or a domain that resolves to it). coturn advertises
+# this as its external relay address.
+TURN_HOST=203.0.113.10
+# Shared secret for time-limited TURN credentials. Generate a strong random
+# value, e.g.:  openssl rand -hex 32
+TURN_SECRET=change-me-to-a-long-random-secret
+# Set true only to *force* relay-only ICE for debugging TURN reachability.
+FORCE_TURN_RELAY=false
+
+# ---------------------------------------------------------------------------
+# Secrets
+# ---------------------------------------------------------------------------
+# JWT signing secret. Generate, e.g.:  openssl rand -hex 32
+OSS_JWT_SECRET=change-me-to-a-long-random-secret
+# Postgres password (baked into the volume on first init; changing later does
+# NOT re-key an existing volume).
+POSTGRES_PASSWORD=postgres
+
+# Internal datastore credentials. Redis and MinIO are NOT published to the host
+# (reachable only on the internal Docker network), but set strong values anyway
+# on a public box — the compose falls back to weak well-known defaults
+# (redissecret / minioadmin) if these are unset. Generate with: openssl rand -hex 32
+REDIS_PASSWORD=change-me-to-a-long-random-secret
+MINIO_ROOT_USER=dograh
+MINIO_ROOT_PASSWORD=change-me-to-a-long-random-secret
+
+# ---------------------------------------------------------------------------
+# Images — pin to a GitHub release tag for predictable upgrades/rollback.
+# Leave at "latest" only for evaluation.
+# ---------------------------------------------------------------------------
+REGISTRY=dograhai
+DOGRAH_VERSION=latest
+
+# ---------------------------------------------------------------------------
+# Optional
+# ---------------------------------------------------------------------------
+ENABLE_TELEMETRY=true
+
+# Only needed if you run the bundled docker-compose.traefik.yaml to self-host a
+# stand-in Traefik for testing (NOT on Hostinger — their Traefik provides this).
+# Email Let's Encrypt uses for expiry notices.
+ACME_EMAIL=admin@example.com