Fix Bitbucket auth migration in deploy workflow

Bind Dozzle to 127.0.0.1 to prevent exposure on external/LAN interfaces.
Previously bound to 0.0.0.0, allowing unauthenticated access to container
logs from any network-reachable host.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.env.default

@@ -3,7 +3,6 @@
 # ------------------------------------------------------------------------------
 # Copy this file to .env and fill in real values.
 # .env is gitignored — never commit the live file.
-# Profile: Scott's Workstation (Arch Linux)
 # ------------------------------------------------------------------------------
 
 # ------------------------------------------------------------------------------
@@ -12,9 +11,6 @@
 # System timezone for all containers
 TZ=US/Eastern
 
-# Environment mode (development, testing, production)
-OSIT_ENV=development
-
 # Logging level for the API and background workers (debug, info, warning, error)
 AE_LOG_LVL=debug
 
@@ -24,52 +20,49 @@ AE_LOG_LVL=debug
 # COMPOSE_PROFILES=database
 
 # ------------------------------------------------------------------------------
-# CONTAINER NAMES
+# STACK ISOLATION
 # ------------------------------------------------------------------------------
-# Internal Docker container names (should be unique per environment)
+# Unique Docker network name per stack (prevents collisions when running test/prod on same host)
+AE_NETWORK_NAME=ae_dev_net
+
+# Internal Docker container names (must be unique per stack)
+# Note: ae_api and ae_app are scaled services — Docker does not allow container_name on those.
 CONTAINER_WEB=ae_web_dev
-CONTAINER_AE_API=ae_api_dev
-CONTAINER_AE_APP=ae_app_dev
 CONTAINER_REDIS=ae_redis_dev
+CONTAINER_DOZZLE=ae_dozzle_dev
 CONTAINER_MARIADB=ae_mariadb_dev
 CONTAINER_PMA=ae_pma_dev
+CONTAINER_AE_OPS=ae_ops_dev
 
 # ------------------------------------------------------------------------------
 # NETWORK & PROXY SETTINGS
 # ------------------------------------------------------------------------------
 # Local Nginx listener ports on the host system
 OSIT_WEB_HTTP_PORT=8888
-OSIT_WEB_HTTPS_PORT=443
 
 # Maximum allowed file upload size (Global for Nginx)
 OSIT_WEB_MAX_BODY_SIZE=5120M
 
-# AE API (Node SvelteKit) Gateway Port for External Reverse Proxy
-# Used when a master proxy (e.g. Home Server) forwards traffic to this node
-# The gateway port has Docker with Nginx running the internal reverse proxy
+# Gateway ports for external reverse proxy (Home Server → this node → Docker Nginx)
+AE_APP_GATEWAY_PORT=3001
 AE_API_GATEWAY_PORT=5060
 
-# DNS Overrides (Injected into containers' /etc/hosts)
-# Format: DOMAIN:IP_ADDRESS
-# Useful for container-to-container routing when using real domain names
-DOCKER_AE_SERVER_EXTRA_HOST=dev.oneskyit.com:XXXX
-DOCKER_AE_APP_SERVER_EXTRA_HOST=dev-app.oneskyit.com:XXXX
-DOCKER_AE_API_SERVER_EXTRA_HOST=dev-api.oneskyit.com:XXXX
-DOCKER_AE_API_BAK_SERVER_EXTRA_HOST=test-api.oneskyit.com:XXXX
-DOCKER_AE_DB_SERVER_EXTRA_HOST=vpn-db.oneskyit.com:XXXX
+# Dozzle log viewer port
+AE_DOZZLE_PORT=8881
 
-# Nginx Server Names (Used in vhost configuration templates)
+# Nginx Server Names (used in vhost config templates)
 DOCKER_AE_API_SERVER_NAME=dev-api.oneskyit.com
 DOCKER_AE_APP_SERVER_NAME=dev-example.oneskyit.com
 DOCKER_PHPMYADMIN_SERVER_NAME=dev-phpmyadmin.oneskyit.com
 DOCKER_OSIT_SERVER_NAME=dev.oneskyit.com
 
+
 # ------------------------------------------------------------------------------
 # DATABASE SETTINGS (MariaDB)
 # ------------------------------------------------------------------------------
 # To use an EXTERNAL database:
 # 1. Set COMPOSE_PROFILES= (empty) above to disable local DB containers.
-# 2. Set AE_DB_SERVER to the external IP or Hostname.
+# 2. Set AE_DB_SERVER to the external IP or hostname.
 # 3. Ensure the external DB allows connections from this host's IP.
 
 # DB Hostname (use 'mariadb' for the local container, or a remote IP/FQDN)
@@ -78,18 +71,35 @@ AE_DB_SERVER=vpn-db.oneskyit.com
 AE_DB_PORT=3306
 
 # Port to expose on the host system if running a local MariaDB container
-AE_DB_EXTERNAL_PORT=3306
+AE_DB_EXTERNAL_PORT=32768
 
 # Database credentials
 AE_DB_NAME=aether_dev
 AE_DB_USERNAME=aether_dev
 AE_DB_PASSWORD=XXXX
-AE_DB_ROOT_PASSWORD=XXXX
 
 # Connection Tuning
+# Seconds to wait when establishing a new connection before giving up.
+# Lower values fail fast on DB outage rather than hanging requests.
 AE_DB_CONNECTION_TIMEOUT=7
+
+# Seconds before a pooled connection is recycled (closed and reopened).
+# Prevents "MySQL server has gone away" errors from MariaDB's wait_timeout.
+# Must be less than MariaDB's wait_timeout (default 28800s / 8 hours).
+# 900s (15 min) is a safe conservative value for active workloads.
 AE_DB_POOL_RECYCLE=900
 
+# Connections held open per API replica at idle (the "warm" pool).
+# Each replica maintains this many persistent connections to MariaDB.
+AE_DB_POOL_SIZE=10
+
+# Additional connections a replica can open beyond AE_DB_POOL_SIZE under burst load.
+# These are created on demand and closed when the burst subsides.
+# Max connections per replica = AE_DB_POOL_SIZE + AE_DB_POOL_MAX_OVERFLOW.
+# Total max DB connections across all replicas = AE_API_REPLICAS × (AE_DB_POOL_SIZE + AE_DB_POOL_MAX_OVERFLOW).
+# Example: 3 replicas × (10 + 20) = 90 max connections. MARIADB_MAX_CONNECTIONS must exceed this.
+AE_DB_POOL_MAX_OVERFLOW=20
+
 # ------------------------------------------------------------------------------
 # REDIS SETTINGS
 # ------------------------------------------------------------------------------
@@ -100,25 +110,44 @@ AE_REDIS_PORT=6379
 # ------------------------------------------------------------------------------
 # API SETTINGS (FastAPI)
 # ------------------------------------------------------------------------------
-AE_API_ENV=development
 
-# Number of API container instances to run (Docker Compose Scaling)
+# Number of API container instances (Docker Compose replica scaling).
+# Each replica is an independent container with its own Gunicorn process and
+# connection pool. Total DB connections = AE_API_REPLICAS × (AE_DB_POOL_SIZE + AE_DB_POOL_MAX_OVERFLOW).
+# Increase for horizontal scaling across CPU cores. On a single-node Linode,
+# 2-4 replicas is typical; more replicas won't help if the DB is the bottleneck.
 AE_API_REPLICAS=3
 
-# Gunicorn / Uvicorn Tuning
-# AE_API_GUNICORN_TIMEOUT: worker timeout in seconds. Default in gunicorn_conf.py
-# is 120s. Raise for endpoints that run long ffmpeg operations (clip_video, etc.)
-# The dev .env typically sets this to 900 to accommodate 5-15 min video jobs.
+# --- Gunicorn / Uvicorn Tuning ---
+
+# Internal port Gunicorn listens on inside the container. Nginx proxies to this.
+# Each replica uses this same port within its own network namespace.
 AE_API_GUNICORN_PORT=5065
+
+# Worker timeout in seconds. A request that takes longer than this causes Gunicorn
+# to kill and restart the worker. Default in gunicorn_conf.py is 120s.
+# Raise for endpoints that run long ffmpeg operations (clip_video, convert_file, etc.).
+# Dev typically uses 900s to accommodate 5-15 min video jobs.
 AE_API_GUNICORN_TIMEOUT=900
-AE_API_GUNICORN_WORKERS=2
+
+# Uvicorn worker processes per replica. Each worker handles requests independently
+# using async I/O, but SQLAlchemy DB calls are synchronous and block the worker.
+# More workers = more parallel DB queries. Recommended: 2-4 per replica.
+# Total parallel DB query capacity ≈ AE_API_REPLICAS × AE_API_GUNICORN_WORKERS.
+# Stress testing at 4 workers/replica yielded ~2x throughput vs 2 workers (14 req/s vs 7.5 req/s).
+# Rule of thumb: (2 × CPU cores) + 1 per replica, but DB throughput caps before CPU becomes the limit.
+AE_API_GUNICORN_WORKERS=4
+
+# Threads per Gunicorn worker. Uvicorn workers use async I/O, so threading provides
+# minimal benefit here. Leave at 1 unless explicitly benchmarked otherwise.
 AE_API_GUNICORN_THREADS=1
 
 # Security & CORS
-# JWT_KEY should be a 22+ character secret string
+# JWT_KEY should be a 22+ character secret string. Rotate if compromised.
 AE_API_JWT_KEY=XXXX
 
-# Regex for allowed CORS origins
+# Regex for allowed CORS origins. Requests from non-matching origins are blocked.
+# Extend the pattern if adding new domains or local dev ports.
 AE_API_ORIGINS_REGEX="(https://.*\.oneskyit\.com)|(http://.*\.oneskyit\.com)|(http://.*.localhost)|(http://.*.localhost:5173)"
 
 # ------------------------------------------------------------------------------
@@ -133,22 +162,17 @@ AE_SMTP_PASSWORD=XXXX
 # ------------------------------------------------------------------------------
 # APP SETTINGS (SvelteKit)
 # ------------------------------------------------------------------------------
-AE_APP_ENV=development
-AE_APP_BUILD_MODE=staging
+# Build mode baked into the Docker image at build time (dev, test, prod)
+AE_APP_BUILD_MODE=dev
 AE_APP_REPLICAS=2
-# AE App (Node SvelteKit) Gateway Port for External Reverse Proxy
-AE_APP_GATEWAY_PORT=3001
 
 # ------------------------------------------------------------------------------
 # SOURCE PATHS (Absolute paths on Host Machine)
 # ------------------------------------------------------------------------------
-# IMPORTANT: These paths must exist on the machine running Docker
-# They are mounted into containers as volumes for real-time development
-
-# Project Source Code
+# IMPORTANT: These paths must exist on the machine running Docker.
+# They are mounted into containers as volumes for real-time development.
 AE_API_SRC=/home/scott/OSIT_dev/aether_api_fastapi
 AE_APP_SRC=/home/scott/OSIT_dev/aether_app_sveltekit
-AE_FLASK_APP_SRC=/home/scott/OSIT_dev/aether_app_flask
 
 # Physical File Storage (Images, Documents, etc.)
 # NOTE: Shared between environments to ensure binary availability

CHEATSHEET.md

@@ -4,7 +4,8 @@
 - **Full Rebuild:** `docker compose up -d --build`
 - **Rebuild SvelteKit only:** `docker compose up -d --build ae_app`
 - **Restart API (pick up Python changes):** `docker compose restart ae_api`
-- **Switch Build Mode:** Edit `.env` → `AE_APP_BUILD_MODE=prod` → `docker compose up -d --build ae_app`
+- **Rebuild SvelteKit (local):** `make build-docker-dev` / `build-docker-test` / `build-docker-prod`
+- **Deploy to remote:** `make deploy-remote-test` / `deploy-remote-prod` (SSH → linode.oneskyit.com)
 - **Shut everything down:** `npm run compose:down` (from `aether_app_sveltekit/`)
 
 ## 🛠️ Management Links
@@ -26,7 +27,10 @@ To run multiple stacks (`test`, `bak`, `prod`) on one host, you **must** assign
 
 ## 🏗️ Multi-Stack Isolation
 1. **Network Name:** Set `AE_NETWORK_NAME=ae_test_net` (etc) to prevent Docker network name collisions.
-2. **Container Names:** Set `CONTAINER_` variables (e.g., `CONTAINER_WEB=ae_web_test`) to prevent Docker from refusing to start "conflicting" containers.
+2. **Container Names:** All service container names are now `.env` variables with `:-default` fallbacks. Set unique values per stack:
+   - `CONTAINER_WEB`, `CONTAINER_REDIS`, `CONTAINER_DOZZLE`
+   - `CONTAINER_MARIADB`, `CONTAINER_PMA`, `CONTAINER_AE_OPS` (database profile only)
+   - Note: `ae_api` and `ae_app` use `scale` — Docker does not allow `container_name` on scaled services.
 3. **Internal Shared Net:** All stacks must connect to `aether_shared_net` to reach a shared MariaDB/Redis.
 
 ## 💾 Database Operations

Makefile

@@ -1,7 +1,7 @@
 # Aether Platform - Operations Makefile
 # Use these shortcuts for faster development and deployment.
 
-.PHONY: up down restart-api build-api build-ui logs ps
+.PHONY: up down restart-api build-api build-docker-dev build-docker-test build-docker-prod logs ps deploy-remote-test deploy-remote-prod
 
 # Start the entire stack
 up:
@@ -21,10 +21,18 @@ restart-api:
 build-api:
 	docker compose up -d --build ae_api
 
-# REBUILD UI: Standard autonomous build for SvelteKit
-build-ui:
+# BUILD DOCKER UI: Build the SvelteKit container for the given mode.
+# Use 'npm run dev' for active development (Vite HMR, no Docker).
+# Use these only when testing the production-like Docker build locally.
+build-docker-dev:
 	docker compose build ae_app && docker compose up -d ae_app
 
+build-docker-test:
+	docker compose build --build-arg BUILD_MODE=test ae_app && docker compose up -d ae_app
+
+build-docker-prod:
+	docker compose build --build-arg BUILD_MODE=prod ae_app && docker compose up -d --remove-orphans ae_app
+
 # View combined logs
 logs:
 	docker compose logs -f --tail=100
@@ -32,3 +40,11 @@ logs:
 # Check service status
 ps:
 	docker compose ps
+
+# Remote deploy (SSH to linode.oneskyit.com, run deploy.sh)
+# Requires key-based SSH and deploy.sh committed + pulled on the server.
+deploy-remote-test:
+	ssh linode.oneskyit.com 'bash /srv/env/test_aether/deploy.sh test'
+
+deploy-remote-prod:
+	ssh linode.oneskyit.com 'bash /srv/env/prod_aether/deploy.sh prod'

README.md

@@ -23,6 +23,7 @@ workstation:3001           workstation:5060
 ```
 
 **Key Improvements:**
+- **Timezone Support:** All containers use the `TZ` variable from `.env` for consistent logging and database timestamps.
 - **Scalable Routing:** Nginx uses Regex (`~^(dev|test|bak|sr|prod)?-?...`) to automatically handle any environment prefix without configuration changes.
 - **Isolated Stacks:** Each deployment uses a unique `AE_NETWORK_NAME` and `CONTAINER_` prefix to prevent collisions.
 - **Shared Services:** Core infrastructure (DB/Redis) resides on the `aether_shared_net` which must be created manually once.
@@ -42,7 +43,7 @@ Create the base directory and clone this environment:
 ```bash
 sudo mkdir -p /srv/env/aether
 sudo chown -R $USER:$USER /srv/env/aether
-git clone https://bitbucket.org/oneskyit/one-sky-it-container-environment.git /srv/env/aether/container_env
+git clone git@bitbucket.org:oneskyit/one-sky-it-container-environment.git /srv/env/aether/container_env
 ```
 
 ### 3. Configure Environment Settings
@@ -78,13 +79,24 @@ docker compose restart ae_api  # Restart the FastAPI Backend
 ```
 
 ### Deployment Workflow
-The SvelteKit application is built **inside** the container. You can control the build mode (which bakes in the correct `PUBLIC_` variables) via the `.env` file:
-- Set `AE_APP_BUILD_MODE=staging` for development/testing.
-- Set `AE_APP_BUILD_MODE=prod` for production.
+The SvelteKit application is built **inside** the container using `vite build --mode <env>`, which reads the corresponding `.env.<env>` file for `PUBLIC_` variables.
 
-Then run:
+From `aether_app_sveltekit/`:
 ```bash
-docker compose up -d --build ae_app
+# Build Docker image locally
+npm run build:docker:dev    # uses .env.dev
+npm run build:docker:test   # uses .env.test
+npm run build:docker:prod   # uses .env.prod
+
+# Deploy to remote server (linode.oneskyit.com)
+npm run deploy:remote:test
+npm run deploy:remote:prod
+```
+
+Or via Makefile targets in this directory:
+```bash
+make build-docker-dev
+make deploy-remote-prod
 ```
 
 ---
@@ -108,7 +120,7 @@ These scripts are located in the root directory:
 ## 📂 Directory Map
 
 *   **`conf/`**: Configuration templates for Nginx and Gunicorn. API config now lives in the `aether_api_fastapi` repo as `app/config.py` and reads settings directly from env vars.
-*   **`logs/`**: Centralized logging for all containers.
+*   **`logs/`**: Centralized logging for all containers. Automatic rotation is managed by the `ae_ops` service (7-day retention).
 *   **`srv/`**: Mount points for data and source code (managed via symlinks).
 *   **`scripts/`**: Internal automation logic.
 *   **`backups/`**: Storage for MariaDB snapshots.

conf/crontab

@@ -1 +1,2 @@
 55 * * * * bash /scripts/backup_internal.sh >> /logs/backup_cron.log 2>&1
+0 0 * * * /usr/sbin/logrotate /etc/logrotate.internal.conf

conf/logrotate.conf

@@ -1,7 +1,7 @@
-# Logrotate configuration for Aether Docker Logs
-# To use: sudo ln -s /home/scott/OSIT_dev/aether_container_env/conf/logrotate.conf /etc/logrotate.d/aether
+# Logrotate configuration for Aether Docker Logs (Internal container version)
 
-/home/scott/OSIT_dev/aether_container_env/logs/*/*.log {
+/logs/*/*.log /logs/web/*/*.log {
+    su aether aether
     daily
     rotate 7
     missingok

deploy.sh

@@ -0,0 +1,103 @@
+#!/bin/bash
+# deploy.sh — Remote deploy for Aether Platform
+# Run on srv-nyx directly, or triggered via SSH from the workstation.
+#
+# Usage:   ./deploy.sh <prod|test> [app_branch] [api_branch]
+# Example: ./deploy.sh prod
+#          ./deploy.sh test ae_app_3x_llm development
+#
+# From workstation (npm run deploy:remote:prod / deploy:remote:test):
+#   ssh linode.oneskyit.com 'bash /srv/env/prod_aether/deploy.sh prod'
+#   ssh linode.oneskyit.com 'bash /srv/env/test_aether/deploy.sh test'
+#
+# NOTE: bak_aether shares the same app/api dirs as prod.
+# After a prod deploy, restart bak containers manually if running:
+#   cd /srv/env/bak_aether && docker compose restart ae_app ae_api
+
+set -euo pipefail
+
+ensure_bitbucket_ssh_remote() {
+    local repo_path=$1
+    local remote_url
+    local remote_path
+
+    remote_url=$(git -C "$repo_path" remote get-url origin)
+    if [[ "$remote_url" =~ ^https://([^@/]+@)?bitbucket\.org/(.+)$ ]]; then
+        remote_path=${BASH_REMATCH[2]}
+        git -C "$repo_path" remote set-url origin "git@bitbucket.org:${remote_path}"
+    fi
+}
+
+ENV=${1:-}
+if [ -z "$ENV" ]; then
+    echo "Usage: $0 <prod|test> [app_branch] [api_branch]"
+    exit 1
+fi
+
+# --- Environment config ---
+# TODO: Update default branches once prod/test branch strategy is finalized.
+# Currently both envs pull from the same working branches.
+if [ "$ENV" = "prod" ]; then
+    APP_DIR=/srv/apps/prod_aether_app_sveltekit
+    API_DIR=/srv/apps/prod_aether_api_fastapi
+    COMPOSE_DIR=/srv/env/prod_aether
+    BUILD_MODE=prod
+    APP_BRANCH=${2:-ae_app_3x_llm}
+    API_BRANCH=${3:-development}
+elif [ "$ENV" = "test" ]; then
+    APP_DIR=/srv/apps/test_aether_app_sveltekit
+    API_DIR=/srv/apps/test_aether_api_fastapi
+    COMPOSE_DIR=/srv/env/test_aether
+    BUILD_MODE=test
+    APP_BRANCH=${2:-ae_app_3x_llm}
+    API_BRANCH=${3:-development}
+else
+    echo "Unknown environment: '$ENV' (expected: prod or test)"
+    exit 1
+fi
+
+echo ""
+echo "========================================"
+echo "  Aether Deploy: $ENV"
+echo "  App:   $APP_DIR  [$APP_BRANCH]"
+echo "  API:   $API_DIR  [$API_BRANCH]"
+echo "  Mode:  $BUILD_MODE"
+echo "========================================"
+echo ""
+
+# --- Pull repos ---
+echo "[1/4] Pulling container env..."
+ensure_bitbucket_ssh_remote "$COMPOSE_DIR"
+git -C "$COMPOSE_DIR" pull --ff-only
+
+echo ""
+echo "[2/4] Pulling app ($APP_BRANCH)..."
+ensure_bitbucket_ssh_remote "$APP_DIR"
+git -C "$APP_DIR" pull --ff-only origin "$APP_BRANCH"
+
+echo ""
+echo "[3/4] Pulling API ($API_BRANCH)..."
+ensure_bitbucket_ssh_remote "$API_DIR"
+git -C "$API_DIR" pull --ff-only origin "$API_BRANCH"
+
+# --- Build and deploy ---
+echo ""
+echo "[4/4] Building and deploying..."
+cd "$COMPOSE_DIR"
+docker compose build --build-arg BUILD_MODE="$BUILD_MODE" ae_app
+docker compose up -d ae_app
+docker compose restart ae_api
+
+echo ""
+echo "========================================"
+echo "  Done: $ENV deployed successfully"
+echo "========================================"
+
+if [ "$ENV" = "prod" ]; then
+    echo ""
+    echo "  bak_aether uses the same code dirs — if its containers"
+    echo "  are running, restart them:"
+    echo "    cd /srv/env/bak_aether && docker compose restart ae_app ae_api"
+fi
+
+echo ""

docker-compose.yml

@@ -13,7 +13,7 @@ services:
         environment:
             - PUID=1000
             - PGID=1000
-            - TZ=US/Eastern
+            - TZ=${TZ}
 
             - NGINX_SERVER_NAMES="demo.localhost dev.localhost dev.oneskyit.com dev-app.oneskyit.com dev-connect.oneskyit.com dev-demo.oneskyit.com dev-aacc.oneskyit.com dev-aapor.oneskyit.com dev-ascm.oneskyit.com dev-businessgroup.oneskyt.com dev-chow.oneskyit.com dev-cmsc.oneskyit.com dev-idaa.oneskyit.com dev-ishlt.oneskyit.com dev-lci.oneskyit.com dev-ncsd.oneskyit.com dev-npa.oneskyit.com dev-rli.oneskyit.com test-app.oneskyit.com test-api.oneskyit.com test-demo.oneskyit.com test-lci.oneskyit.com test-idaa.oneskyit.com scott.oneskyit.com dgr.oneskyit.com"
         ports:
@@ -30,7 +30,6 @@ services:
             - ./conf/nginx/site.conf:/etc/nginx/conf.d/0_site.conf
             - ./conf/nginx/site-enabled_aether_fastapi_gunicorn.conf:/etc/nginx/templates/site-enabled_aether_fastapi_gunicorn.conf.template
             - ./conf/nginx/site-enabled_aether_app_svelte_node.conf:/etc/nginx/templates/site-enabled_aether_app_svelte_node.conf.template
-            # - ./conf/nginx/site-enabled_aether_flask_gunicorn.conf:/etc/nginx/templates/site-enabled_aether_flask_gunicorn.conf.template
             - ./conf/certs/oneskyit_wild_fullchain.pem:/etc/certs/fullchain_wild.pem
             - ./conf/certs/oneskyit_wild_privkey.pem:/etc/certs/privkey_wild.pem
             - ./conf/certs/oneskyit.com_fullchain.pem:/etc/certs/fullchain.pem
@@ -40,7 +39,6 @@ services:
         depends_on:
             - ae_api
             - ae_app
-            # - aether_app_gunicorn
         logging:
             driver: "json-file"
             options:
@@ -54,6 +52,8 @@ services:
         networks:
             - default
             - shared
+        environment:
+            - TZ=${TZ}
         command: redis-server --save "" --loglevel warning
         logging:
             driver: "json-file"
@@ -64,7 +64,7 @@ services:
     mariadb:
         restart: always
         image: mariadb:10.11
-        container_name: ae_mariadb_dev
+        container_name: ${CONTAINER_MARIADB:-ae_mariadb_dev}
         profiles: ["database"]
         networks:
             - shared
@@ -82,6 +82,7 @@ services:
             MYSQL_DATABASE: ${AE_DB_NAME}
             MYSQL_USER: ${AE_DB_USERNAME}
             MYSQL_PASSWORD: ${AE_DB_PASSWORD}
+            TZ: ${TZ}
         ports:
             - "${AE_DB_EXTERNAL_PORT}:3306"
         volumes:
@@ -96,13 +97,14 @@ services:
     phpmyadmin:
         restart: always
         image: phpmyadmin/phpmyadmin
-        container_name: ae_pma_dev
+        container_name: ${CONTAINER_PMA:-ae_pma_dev}
         profiles: ["database"]
         networks:
             - shared
         environment:
             PMA_HOST: mariadb
             UPLOAD_LIMIT: 64M
+            TZ: ${TZ}
         ports:
             - "${AE_PMA_PORT}:80"
         depends_on:
@@ -161,7 +163,7 @@ services:
             dockerfile: Dockerfile
             target: deploy-node
             args:
-                BUILD_MODE: ${AE_APP_BUILD_MODE:-staging}
+                BUILD_MODE: ${AE_APP_BUILD_MODE:-dev}
         scale: ${AE_APP_REPLICAS:-1}
         networks:
             - default
@@ -180,10 +182,8 @@ services:
             home.oneskyit.com: "71.126.159.102"
             static.oneskyit.com: "104.237.143.4"
             dev.oneskyit.com: "192.168.32.7"
-        # volumes:
-        #    # In production, the build happens INSIDE the container.
-        #    # Mounting the host source here would override the internal build.
-        #    # - ${AE_APP_SRC}:/app
+        volumes:
+            - ./logs/ae_app:/logs
         depends_on:
             - ae_api
             - redis
@@ -197,10 +197,12 @@ services:
     dozzle:
         container_name: ${CONTAINER_DOZZLE:-ae_dozzle_dev}
         image: amir20/dozzle:latest
+        environment:
+            - TZ=${TZ}
         volumes:
             - /var/run/docker.sock:/var/run/docker.sock
         ports:
-            - "${AE_DOZZLE_PORT:-8881}:8080"
+            - "127.0.0.1:${AE_DOZZLE_PORT:-8881}:8080"
         restart: unless-stopped
         logging:
             driver: "json-file"
@@ -209,8 +211,7 @@ services:
                 max-file: "3"
 
     ae_ops:
-        # ... (same as before) ...
-        container_name: ae_ops_dev
+        container_name: ${CONTAINER_AE_OPS:-ae_ops_dev}
         image: alpine:latest
         restart: always
         profiles: ["database"]
@@ -224,7 +225,8 @@ services:
             - ./scripts:/scripts
             - ./logs:/logs
             - ./conf/crontab:/etc/crontabs/root
-        command: sh -c "apk add --no-cache docker-cli bash && crond -f -l 2"
+            - ./conf/logrotate.conf:/etc/logrotate.conf
+        command: sh -c "apk add --no-cache docker-cli bash logrotate && adduser -u 1000 -D aether && cp /etc/logrotate.conf /etc/logrotate.internal.conf && chown root:root /etc/logrotate.internal.conf && crond -f -l 2"
         depends_on:
             - mariadb
         logging: