4.2 KiB
chocoadmin Deployment
1. Environment Files
Create environment files on the Synology NAS. Do not commit real .env.* files.
Stage file path:
/volume1/docker/service/jinaju/stage-chocoadmin/.env.stage
Stage example:
DATABASE_URL="mysql://USER:PASSWORD@mariadb.jisangs.com:30001/chocomae"
AUTH_SECRET="replace-with-stage-secret"
NEXTAUTH_SECRET="replace-with-stage-secret"
AUTH_URL="https://stage-chocoadmin.jinaju.com"
NEXTAUTH_URL="https://stage-chocoadmin.jinaju.com"
Production example:
DATABASE_URL="mysql://CHCOCO_ADMIN_USER:PASSWORD@AWS_EC2_HOST:3306/chocomae"
AUTH_SECRET="replace-with-production-secret"
NEXTAUTH_SECRET="replace-with-production-secret"
AUTH_URL="https://NAS_HOST_OR_DOMAIN"
NEXTAUTH_URL="https://NAS_HOST_OR_DOMAIN"
AUTH_SECRET and NEXTAUTH_SECRET should use the same strong random value per environment for Auth.js compatibility.
When the public URL uses HTTPS, both AUTH_URL and NEXTAUTH_URL must use the exact external HTTPS URL. Auth.js then writes secure cookies, and proxy.ts reads the secure session cookie.
Generate a secret on the NAS:
openssl rand -base64 32
2. Synology Stage Deployment
The stage source is deployed by pulling Git on the NAS:
cd /volume1/docker/service/jinaju/stage-chocoadmin
git pull --ff-only
Stage uses docker-compose.stage.yml, the stage-chocoadmin container, and the external Docker network proxy-network.
Verify or create the network:
docker network inspect proxy-network >/dev/null 2>&1 || docker network create proxy-network
Start or update stage:
docker compose -f docker-compose.stage.yml down
docker compose -f docker-compose.stage.yml up -d --build
docker compose -f docker-compose.stage.yml ps
docker compose -f docker-compose.stage.yml logs -f
docker-compose.stage.yml exposes container port 3000 to proxy-network instead of binding host port 3000, because host port 3000 may already be used by another service such as Gitea.
Nginx Proxy Manager settings:
- Scheme:
http - Forward Hostname / IP:
stage-chocoadmin - Forward Port:
3000 - Websockets Support: enabled
- SSL: enabled
- Force SSL: enabled
Stage URL:
https://stage-chocoadmin.jinaju.com
After changing AUTH_URL, NEXTAUTH_URL, or cookie-related settings, clear browser cookies for the stage domain or test in a private window.
3. Production Deployment
Production uses docker-compose.yml and reads .env.production by default:
cd /volume1/docker/service/jinaju/chocoadmin
git pull --ff-only
docker compose up -d --build
docker compose ps
docker compose logs -f chocoadmin
If production is also routed through Nginx Proxy Manager, attach it to proxy-network and use the container name and port 3000 as the upstream target.
The Docker build uses placeholder build-time environment variables only so Next.js can compile without committing secrets. Runtime values are read from the compose env_file.
4. AWS EC2 Security Group
Allow MariaDB only from the Synology NAS public IP.
- Type:
MYSQL/Aurora - Protocol:
TCP - Port:
3306 - Source:
NAS_PUBLIC_IP/32 - Description:
chocoadmin Synology NAS
Do not open 3306 to 0.0.0.0/0.
5. Read-Only Rehearsal
Before enabling approval/rejection operations against production DB:
- Create or use a DB account with read-only permissions.
- Set
DATABASE_URLin.env.productionto that read-only account. - Start the container.
- Verify login, maestro list, extension request list, and upgrade request list.
- Switch to the production write-capable chocoadmin DB account only after read screens work.
6. Smoke Checks
After stage container start:
docker compose -f docker-compose.stage.yml ps
docker compose -f docker-compose.stage.yml logs -f
Verify these routes in the browser:
/login/maestros/extension-requests/upgrade-requests
If the browser reports too many redirects after login:
- Confirm
AUTH_URLandNEXTAUTH_URLexactly match the public URL and scheme. - Confirm Nginx Proxy Manager forwards to
stage-chocoadmin:3000with schemehttp. - Recreate the container after changing
.env.stage. - Clear cookies for the stage domain.