Recent ghcr.io/hkuds/lightrag releases validate auth config at startup
and refuse to boot with `TOKEN_SECRET must be explicitly set to a
non-default value when AUTH_ACCOUNTS is configured`. The container
crash-looped and Caddy returned 502.
Generate LIGHTRAG_TOKEN_SECRET (secret:64) and pass it as TOKEN_SECRET
to the lightrag container. Existing installations pick it up on
`make update` via 03_generate_secrets.sh --update.
Release 1.4.3.
Closes #60
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

supabase-storage crashes with "Region is missing" after upstream image
update because @aws-sdk/client-s3vectors requires REGION env var.
- add REGION, GLOBAL_S3_BUCKET, STORAGE_TENANT_ID to .env.example
- auto-generate S3_PROTOCOL_ACCESS_KEY_ID/SECRET in secret generation
- sync new env vars to existing supabase/docker/.env during updates
  (append-only, never overwrites existing values)
- bump version 1.3.3 → 1.4.1

fix healthcheck port (3000→3001), add missing logging config,
add UPTIME_KUMA_HOSTNAME to caddy env, add import service_tls
in caddyfile, fix hostname typo in .env.example, add uptime-kuma
to GOST_NO_PROXY, fix profile name in wizard/final report, fix
env var in welcome page generator, add missing trailing comma in
app.js, move changelog to Added section, declare volume in
top-level section, fix container name in caddyfile, fix volume
mount path, fix broken markdown link in README

the postiz backend image uses dotenv-cli to load /app/.env, which
doesn't exist when config is only passed via docker environment vars.
generate postiz.env from root .env and mount it read-only. also handle
edge case where docker creates the file as a directory on bind mount
failure, and quote values to prevent dotenv-cli misparses.

load COMPOSE_PROFILES early in 05_configure_services.sh so
is_profile_active guards n8n workflow import and worker config
sections, avoiding confusing prompts for users who don't use n8n

adds appsmith as an optional service with caddy reverse proxy,
auto-generated encryption secrets, wizard selection, welcome page
integration, update preview support, and final report output.
bumps version to 1.3.0.

mount nginx config to conf.d/default.conf instead of
sites-available/default, and set SVR_HTTP_PORT to 9380
(official default) instead of 80 which conflicts with
nginx and causes 502 on api requests

users may mistakenly use https:// for http proxies, which causes
gost to fail connecting to upstream. the protocol refers to proxy
type, not connection security.

docker volume mounts preserve host permissions, and caddy container
may run as different uid than host user, causing certificate read
failures with restrictive (600) permissions.

when accessing welcome page through cloudflare tunnel, caddy was
redirecting http to https, causing an infinite redirect loop.
adding an explicit http block prevents automatic https redirect.

temporal with sql visibility has a hard limit of 3 text search
attributes per namespace. postiz requires more, causing startup
failure. adding elasticsearch enables advanced visibility mode
which removes this limitation.

add temporal and temporal-ui services to the postiz profile for
workflow orchestration. includes caddy reverse proxy with basic
auth, secret generation, and welcome page integration.