feat: implemented scalable regex for Nginx server_names across App and API.

API config is no longer injected via volume mount. app/config.py in the
aether_api_fastapi repo reads all settings directly from env vars (.env).
Updated README to reflect the new config location.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.dockerignore

@@ -0,0 +1,22 @@
+# Ignore Git
+.git
+.gitignore
+
+# Ignore Data Directories (CRITICAL for build speed and permissions)
+srv/
+logs/
+temp/
+tmp/
+backups/
+
+# Ignore Environment Files
+.env
+.env.*
+*.env
+
+# Ignore IDE settings
+.vscode/
+*.code-workspace
+
+# Ignore miscellaneous
+README.md

.env.default

@@ -1,125 +0,0 @@
-# One Sky IT's Aether Framework and System
-
-CONTAINER_WEB=ae_web_default
-CONTAINER_AE_API=ae_api_default
-CONTAINER_AE_APP=ae_app_default
-CONTAINER_PHP7=ae_php7_default
-CONTAINER_REDIS=ae_redis_default
-
-OSIT_ENV=development
-# OSIT_ENV=production
-# OSIT_ENV=testing
-
-AE_LOG_LVL=warning # Python loglevel: warning, info, debug, etc
-
-OSIT_WEB_HTTP_PORT=8080
-OSIT_WEB_HTTPS_PORT=4443
-# Max body size is for nginx gunicorn apps (AE app and AE API)
-OSIT_WEB_MAX_BODY_SIZE=5120M
-
-# For now this extra host variable is important for the AE Flask app to connect to the AE FastAPI API.
-DOCKER_AE_SERVER_EXTRA_HOST=example.oneskyit.com:192.168.32.20
-DOCKER_AE_APP_SERVER_EXTRA_HOST=example-app.oneskyit.com:192.168.32.20
-DOCKER_AE_API_SERVER_EXTRA_HOST=example-api.oneskyit.com:192.168.32.20
-DOCKER_AE_API_BAK_SERVER_EXTRA_HOST=example-bak-api.oneskyit.com:192.168.32.20
-DOCKER_AE_API_V5_SERVER_EXTRA_HOST=example-api-v5.oneskyit.com:192.168.32.20
-DOCKER_AE_APP_EXTRA_HOST=example-api.oneskyit.com:192.168.32.20 # This should be a static(ish) IP. It may need to be externally routable? prod-api.oneskyit.com:104.237.143.4
-DOCKER_AE_APP_EXTRA_HOST_V5=example-api-v5.oneskyit.com:192.168.32.20
-
-# This is the server name for nginx for each of these sites.
-# Only one server name per server_name in nginx with envsubst!!! A bug???
-DOCKER_AE_API_SERVER_NAME=example-api.oneskyit.com
-DOCKER_AE_API_V5_SERVER_NAME=example-api-v5.oneskyit.com
-DOCKER_AE_APP_SERVER_NAME=example-app.oneskyit.com
-DOCKER_PHPMYADMIN_SERVER_NAME=example-phpmyadmin.oneskyit.com
-DOCKER_OSIT_SERVER_NAME=example.oneskyit.com
-
-# This needs to be updated for each client's subdomain.
-# This is *not* currently working with the nginx Docker Compose. It uses envsubst with a template conf file.
-OSIT_NGINX_SERVER_NAMES=flask_gunicorn.localhost,demo.localhost,example.localhost,example.oneskyit.com,example-app.oneskyit.com,example-connect.oneskyit.com,*.example-connect.oneskyit.com,example-demo.oneskyit.com,*.example-demo.oneskyit.com
-
-
-# Aether general shared config options
-# For general shared config options like API access and use, database access and use, Redis, and SMTP
-# home development, live testing, live production, onsite development, onsite testing, onsite production???
-AE_CFG_ID=0
-
-AE_SERVER=example.oneskyit.com
-
-## Aether API access and use
-AE_API_PROTOCOL=https
-AE_API_SERVER=example-api.oneskyit.com
-AE_API_SERVER_INTERNAL=example-api.oneskyit.com
-AE_API_PORT=443
-AE_API_PATH=
-AE_API_SECRET_KEY=the-secret-api-key
-
-## Aether DB access and use
-AE_DB_SERVER=linode.oneskyit.com
-AE_DB_PORT=3306
-AE_DB_NAME=aether_dev
-AE_DB_USERNAME=osit_aether
-AE_DB_PASSWORD="the password with $$ escape"
-
-# wait_timeout (MariaDB) is how long to keep an idle DB connection
-AE_DB_WAIT_TIMEOUT=1800 # Not yet used!
-# connection_timeout (MariaDB) is how long to try and create a new DB connection; bad handshake
-AE_DB_CONNECTION_TIMEOUT=15
-# pool_recycle (SQLAlchemy) is how long to keep using a particular connection that has passed a certain age
-AE_DB_POOL_RECYCLE=1800
-
-AE_DB_V5_SERVER=linode.oneskyit.com
-AE_DB_V5_PORT=3306
-AE_DB_V5_NAME=aether_v5_dev
-AE_DB_V5_USERNAME=ae_v5
-AE_DB_V5_PASSWORD=""
-
-## Aether Redis access and use
-AE_REDIS_SERVER=redis
-AE_REDIS_PORT=6379
-
-## Aether SMTP access and use
-AE_SMTP_SERVER=linode.oneskyit.com
-AE_SMTP_PORT=465
-AE_SMTP_USERNAME=send_mail
-# AE_SMTP_PASSWORD="not currently used"
-
-
-# Gunicorn workers and threads:
-# https://docs.gunicorn.org/en/stable/design.html#how-many-workers
-
-# Aether API specific config options (FastAPI)
-# AE_API_CFG_ID=0 # NOT CURRENTLY NEED OR USED
-AE_API_ENV=development
-AE_API_DIR=/srv/aether_api
-AE_API_LOG_PATH="/logs/aether_api.log"
-AE_API_V5_LOG_PATH="/logs/aether_api_v5.log"
-AE_API_GUNICORN_PORT=5065
-AE_API_GUNICORN_TIMEOUT=2100 # (default=30; should be much higher)
-AE_API_GUNICORN_GRACEFUL_TIMEOUT=30 # (default=30)
-AE_API_GUNICORN_KEEPALIVE=30 # (default=2)
-AE_API_GUNICORN_WORKERS=2 # (default=2)
-AE_API_GUNICORN_THREADS=2 # (default=2)
-AE_API_RELOAD=False
-AE_API_JWT_KEY="ABC123 22 CHARS" # 22 characters; super secret Aether JWT signing key
-AE_API_ORIGINS_REGEX="(https://.*\.oneskyit\.com)|(https://.*\.oneskyit\.com:4443)|(https://.*\.oneskyit\.com:8443)" # default allows for some sane domains related to https://.*\.oneskyit\.com with some common extra ports
-
-# Aether app specific config (Flask with Svelte)
-AE_APP_CFG_ID=0
-AE_APP_ENV=development
-AE_APP_UX_MODE=default
-# AE_APP_UX_MODE=onsite
-# AE_APP_UX_MODE=native
-AE_APP_DIR=/srv/aether_app
-AE_APP_LOG_PATH="/logs/aether_app.log"
-AE_APP_GUNICORN_PORT=5055
-AE_APP_GUNICORN_TIMEOUT=1200 # (default=30; should be higher)
-AE_APP_GUNICORN_GRACEFUL_TIMEOUT=20 # (default=30)
-AE_APP_GUNICORN_KEEPALIVE=30 # (default=2)
-AE_APP_GUNICORN_WORKERS=2 # (default=2)
-AE_APP_GUNICORN_THREADS=1 # (default=1)
-AE_APP_RELOAD=True
-# Generate a new key with: # python -c 'import os; print(os.urandom(16))'
-AE_APP_CACHE_SECRET_KEY="$\x93\x12\xb4R\x80R\xb5\xe50\xa0k\xc8#RN"
-AE_APP_SESSION_LIFETIME=86400 # How long the browser cookies last in seconds (default=86400)
-AE_APP_CACHE_TIMEOUT=5 # How long the Flask app caching last in seconds (default=5)

.gitignore

@@ -65,21 +65,28 @@ venv.bak/
 environment/
 
 *.bak
+*.kate-swp
 .directory
+archives/
+archives_and_old/
 backups/
 bak/
 downloads/
 hold/
 log/
 # logs/
+logs/ae_api_blue/
+logs/ae_api_green/
+logs/ae_api_red/
 # logs/ae_api/
 # logs/ae_app/
 logs/apache2/
 logs/mailman2/
 # logs/php7/
 # logs/web/
-tmp/
+old/
 temp/
+tmp/
 
 # OSIT and Aether specific:
 
@@ -107,18 +114,29 @@ srv/mailman2/
 # srv/hosted_tmp_link/
 # srv/hosted_tmp_link
 
-srv/aether_api_ln/
+# srv/aether_api_ln/
-srv/aether_api_ln
+# srv/aether_api_ln
-srv/aether_app_ln/
+# srv/aether_app_ln/
-srv/aether_app_ln
+# srv/aether_app_ln
-srv/hosted_files_dev_ln/
+# srv/hosted_files_dev_ln/
-srv/hosted_files_dev_ln
+# srv/hosted_files_dev_ln
-srv/hosted_files_ln/
+# srv/hosted_files_ln/
-srv/hosted_files_ln
+# srv/hosted_files_ln
-srv/hosted_tmp_dev_ln/
+# srv/hosted_tmp_dev_ln/
-srv/hosted_tmp_dev_ln
+# srv/hosted_tmp_dev_ln
-srv/hosted_tmp_ln/
+# srv/hosted_tmp_ln/
-srv/hosted_tmp_ln
+# srv/hosted_tmp_ln
 
-srv/mariadb_ln/
+# srv/mariadb_ln/
-srv/mariadb_ln
+# srv/mariadb_ln
+
+srv/mariadb/
+srv/mariadb
+
+# Aether DB Snapshots and Backups
+srv/mariadb_bak_*
+backups/imported/
+backups/auto_backup_*
+
+srv/aether_api_v5_ln/
+srv/aether_api_v5_ln

CHEATSHEET.md

@@ -0,0 +1,41 @@
+# Aether Docker Cheat Sheet 🚀
+
+## 🚀 Deployment & Updates
+- **Full Rebuild:** `docker compose up -d --build`
+- **Rebuild SvelteKit only:** `docker compose up -d --build ae_app`
+- **Restart API (pick up Python changes):** `docker compose restart ae_api`
+- **Switch Build Mode:** Edit `.env` → `AE_APP_BUILD_MODE=prod` → `docker compose up -d --build ae_app`
+- **Shut everything down:** `npm run compose:down` (from `aether_app_sveltekit/`)
+
+## 🛠️ Management Links
+- **SvelteKit Frontend:** [http://localhost:8888](http://localhost:8888) (LAN HTTP via ae_web_dev)
+- **FastAPI Docs:** [https://dev-api.oneskyit.com/docs](https://dev-api.oneskyit.com/docs)
+- **Database (phpMyAdmin):** [http://localhost:8081](http://localhost:8081) (requires `--profile database`)
+- **Logs (Dozzle):** [http://localhost:8881](http://localhost:8881)
+
+## 🔌 Port Reference
+| Port | Variable              | Purpose                                          |
+|------|-----------------------|--------------------------------------------------|
+| 3001 | `AE_APP_GATEWAY_PORT` | App gateway — home nginx → ae_app replicas       |
+| 5060 | `AE_API_GATEWAY_PORT` | API gateway — home nginx → ae_api replicas       |
+| 8888 | `OSIT_WEB_HTTP_PORT`  | LAN HTTP direct access (no home server needed)   |
+| 8081 | `AE_PMA_PORT`         | phpMyAdmin (database profile only)               |
+| 8881 | —                     | Dozzle log viewer                                |
+| 3306 | `AE_DB_EXTERNAL_PORT` | MariaDB direct (database profile only)           |
+
+## 📈 Scaling
+Both services scale via Docker DNS round-robin inside `ae_web_dev`.
+Home server nginx **never needs to change** — it always points to the same port.
+
+- Edit `.env` → `AE_APP_REPLICAS=X` or `AE_API_REPLICAS=X`
+- Run `docker compose up -d` (or `up -d ae_app` for app-only)
+
+## 💾 Database Operations
+- **Manual Backup:** `./backup_db.sh` (hot backup, live container)
+- **Manual Restore:** `./restore_db.sh [path_to_file.gz]`
+- **Conference Export:** `./export_db.sh` (saves to `backups/conference_export/`)
+- **Automated Import:** Drop file in `backups/import/` → run `./check_and_import.sh`
+
+## 🧹 Maintenance
+- **Internal Logs:** Docker handles rotation automatically (10MB limit).
+- **Dozzle:** Live log viewer at port 8881 — no auth currently (LAN only).

Makefile

@@ -0,0 +1,34 @@
+# Aether Platform - Operations Makefile
+# Use these shortcuts for faster development and deployment.
+
+.PHONY: up down restart-api build-api build-ui logs ps
+
+# Start the entire stack
+up:
+	docker compose up -d
+
+# Stop the entire stack
+down:
+	docker compose down
+
+# FAST UPDATE: Pick up Python code changes without rebuilding
+# Since source is mounted as a volume, we just need to restart the container.
+# This takes ~2 seconds instead of ~60 seconds.
+restart-api:
+	docker compose restart ae_api
+
+# REBUILD API: Use this only when requirements.txt or Dockerfile changes.
+build-api:
+	docker compose up -d --build ae_api
+
+# REBUILD UI: Standard autonomous build for SvelteKit
+build-ui:
+	docker compose build ae_app && docker compose up -d ae_app
+
+# View combined logs
+logs:
+	docker compose logs -f --tail=100
+
+# Check service status
+ps:
+	docker compose ps

README.md

@@ -1,201 +1,136 @@
-This can be used to create a Docker server cluster for the Aether App using Flask, Aether API using FastAPI.
+# Aether Framework - Docker Environment (Unified V3)
+
+This repository provides the unified Docker orchestration and configuration for the Aether Platform. It manages the lifecycle of the Aether API (FastAPI), Aether App (SvelteKit), and supporting infrastructure (MariaDB, Redis, Nginx).
+
+## 🌐 Traffic Architecture
+
+Understanding this prevents configuration mistakes.
 
-## Initialize
-### Part 1
-* Create directory and clone the Aether environment.
-```bash
-sudo mkdir /srv/env
-sudo chown -R scott:scott /srv/env/
-git clone https://scott_idem@bitbucket.org/oneskyit/one-sky-it-container-environment.git /srv/env/test_aether
 ```
-* Using rsync is also an option. The symlinked directories will need to be copied separately.
+External Internet
-```bash
+      ↓
-sudo rsync -vhr -progress /srv/env/prod_aether/ /srv/env/bak_aether
+Home Server Nginx  (SSL termination, domain routing)
-rsync -av /srv/http/aether_app/ /srv/apps/prod_aether_app_flask
+      ↓                          ↓
-rsync -av /srv/http/aether_api/ /srv/apps/prod_aether_api_fastapi
+workstation:3001           workstation:5060
+(AE_APP_GATEWAY_PORT)      (AE_API_GATEWAY_PORT)
+      ↓                          ↓
+         ae_web_dev (Docker nginx, port 80)
+      ↓                          ↓
+  svelte_backend           fastapi_backend
+  (Docker DNS round-robin)  (Docker DNS round-robin)
+      ↓                          ↓
+ ae_app replicas          ae_api replicas
 ```
 
-### Part 2
+**Key points:**
-* Create links to needed for the srv/ directories. See the README.md file under srv/ for details.
+- Home server nginx terminates SSL and routes by domain name to one of two stable ports. It never needs to know about replicas.
-* Copy Let's Encrypt certificates to the conf/certs/ directory. See the README.md file under conf/certs/ for details.
+- `ae_web_dev` is the internal load balancer. It routes by `server_name` to the correct upstream, and Docker DNS automatically round-robins across all replicas.
-* Copy MariaDB database files to the srv/mariadb/ directory using rsync. The original files may need to be copied from the normal Arch Linux location (/var/lib/mysql) first and then possibly reset the root password.
+- SSL is terminated at the home server. Internal traffic (home server → workstation → containers) is plain HTTP — no internal certs needed.
-```bash
+- To scale, change `AE_APP_REPLICAS` or `AE_API_REPLICAS` in `.env` and run `docker compose up -d`. Home server nginx never changes.
-sudo rsync -vhr -progress /var/lib/mysql/ /srv/env/test_aether/srv/mariadb/
-sudo rsync -vhrz scott@linode.oneskyit.com:/srv/env/test_aether/srv/mariadb/ /srv/env/test_aether/srv/mariadb/
-sudo chown -R scott:scott /srv/env/test_aether/srv/mariadb/
-```
-
-### Part 3
-* Create the environment settings file and place it under the root of the Docker Compose directory. Copy the .env.default file as a template.
-```bash
-cp /srv/env/test_aether/.env /srv/env/test_aether/.env.bak
-cp /srv/env/test_aether/.env.default /srv/env/test_aether/.env
-```
-**/.env [very basic example]**
-The AE_CFG_ID and AE_APP_CFG_ID can be something generic (dev, test, prod a, prod b) when using Docker Compose.
-```cnf
-# One Sky IT's Aether Framework and System
-
-OSIT_ENV=development
-
-# Aether general shared config options
-AE_CFG_ID=0
-
-## Aether API access and use
-## Aether DB access and use
-AE_DB_PASSWORD="the password with $$ escape"
-## Aether Redis access and use
-## Aether SMTP access and use
-
-# Aether API specific config options (FastAPI)
-
-# Aether app specific config (Flask with Svelte)
-AE_APP_CFG_ID=0
-
-KEY="The Value"
-```
-
-#### Part 4 - Still figuring things out...
-Update /etc/hosts with something like this.
-```cnf
-127.0.0.1       dev-api.oneskyit.com dev-app.oneskyit.com
-127.0.0.1       dev-demo.oneskyit.com dev-businessgroup.oneskyit.com dev-ishlt.oneskyit.com
-```
-
-* Nothing in aether_flask_gunicorn_conf.py needs to be changed?
-* Nothing in aether_fastapi_gunicorn_conf.py needs to be changed?
-* Nothing in aether_api_config.py needs to be changed?
-* Nothing in aether_app_config.py needs to be changed?
-
-## Manage Docker Compose Environment
-```bash
-docker restart ae_api_dev
-docker restart ae_app_dev
-docker restart ae_mariadb_dev
-```
-
-## Clone Svelte App(s)
-
-### One Sky IT NPM library
-git clone https://scott_idem@bitbucket.org/oneskyit/one-sky-it-npm-library.git /srv/env/aether_npm_library
-
-### Actual Svelte apps (note the branches)
-Clone:
-* git clone https://scott_idem@bitbucket.org/oneskyit/one-sky-it-app-svelte.git /srv/env/aether_xxx_yyy_svelte
-* git clone https://scott_idem@bitbucket.org/oneskyit/one-sky-it-app-svelte.git ~/OSIT_dev/aether_xxx_yyy_svelte
-Module groups:
-* aether_app_core_svelte
-* aether_app_mods_svelte
-* aether_app_mod_events_svelte
-Note:
-Will need to change branches.
-```bash
-git branch --all
-git switch ae_core_dev
-git pull origin ae_core_dev
-
-git switch ae_mods_dev
-git pull origin ae_mods_dev
-
-git switch ae_mod_events_dev
-git pull origin ae_mod_events_dev
-
-git branch --all
-```
-Also... don't forget to npm update before you npm run build or dev.
-
-### Native Electron app
-git clone https://scott_idem@bitbucket.org/oneskyit/one-sky-it-app-native.git /srv/env/aether_app_native
-
-
-
-sdfasdfasd git clone https://scott_idem@bitbucket.org/oneskyit/one-sky-it-container-environment.git /srv/env/test_aether
-
 
+**Host ports exposed by ae_web_dev:**
+- `:3001` — App gateway (SvelteKit)
+- `:5060` — API gateway (FastAPI)
+- `:8888` — LAN HTTP (direct local access without going through home server)
+- `:443` — commented out; SSL terminates at home server, not internally
 
 ---
 
+## 🚀 Quick Start
 
-
+### 1. Initialize Directory Structure
-## More Notes
+Create the base directory and clone this environment:
-
-
 ```bash
-sudo ln -s /srv/apps/prod_aether_app_flask /srv/env/bak_aether/srv/aether_app_ln
+sudo mkdir -p /srv/env/aether
-sudo ln -s /srv/apps/prod_aether_api_fastapi /srv/env/bak_aether/srv/aether_api_ln
+sudo chown -R $USER:$USER /srv/env/aether
-sudo ln -s /mnt/data/speaker_ready/hosted_tmp /srv/env/bak_aether/srv/hosted_tmp_ln
+git clone https://bitbucket.org/oneskyit/one-sky-it-container-environment.git /srv/env/aether/container_env
-sudo ln -s /mnt/data/speaker_ready/hosted_files /srv/env/bak_aether/srv/hosted_files_ln
-
-ln -s /srv/http/dev_app.oneskyit.com /srv/env/test_aether/srv/aether_app_ln
-ln -s /srv/http/dev_fastapi.oneskyit.com /srv/env/test_aether/srv/aether_api_ln
-ln -s /mnt/data/speaker_ready/hosted_tmp /srv/env/test_aether/srv/hosted_tmp_ln
-ln -s /mnt/data/speaker_ready/hosted_files /srv/env/test_aether/srv/hosted_files_ln
-
-ls -lha /srv/env/test_aether/srv/aether_app_ln/
-ls -lha /srv/env/test_aether/srv/aether_api_ln/
-ls -lha /srv/env/test_aether/srv/hosted_tmp_ln/
-ls -lha /srv/env/test_aether/srv/hosted_files_ln/
-````
-
-### Part 2
-```bash
-sudo ls -lha /var/lib/mysql/
 ```
 
+### 2. Configure Environment Settings
+Copy the template and update it with your local paths and credentials:
+```bash
+cd /srv/env/aether/container_env
+cp env.default .env
+# Edit .env to match your host system (Paths, DB, Ports)
+vim .env
+```
 
+### 3. Configure Data & Source Paths
+The containers locate data and source code using absolute paths defined in your `.env` file. Ensure these variables point to the correct locations on your host system:
+- **`AE_API_SRC`**: Path to your `aether_api_fastapi` repository.
+- **`AE_APP_SRC`**: Path to your `aether_app_sveltekit` repository.
+- **`HOSTED_FILES_SRC`**: Path to the physical storage for images/documents.
+- **`HOSTED_TMP_SRC`**: Path for temporary file processing.
 
-## Common:
+### 4. Certificates & Database
-* conf/ = All config files
+*   **SSL:** Place your wild-card certificates in `conf/certs/` (matching the filenames in `docker-compose.yml`).
-* logs/ = All log files
+*   **Database:** Use the restoration scripts (see below) to import a MariaDB snapshot.
-* srv/ = All files and data directories that are being served up in some way.
- * srv/hosted_files = All hashed hosted files (/mnt/data_drive/srv/data/osit_app/hosted_files_dev/)
- * srv/static_files = All static files
- * ---
- * srv/aether_api = Aether API
- * srv/aether_app = Aether App
- * ---
- * srv/html_php = The default HTML and PHP directory
- * srv/oneskyit_site = One Sky IT, LLC main site
- * ---
- * srv/mailman2 = All Mailman2 files
- * srv/mariadb = All MariaDB database files
- * srv/nextcloud = All Nextcloud app files
 
-## Servics:
+---
-nginx
-php
-gunicorn
-mariadb
-phpmyadmin
 
-redis
+## 🛠️ Management Commands
-postfix?
-mailman?
-Nextcloud???
-Syncthing???
-restic???
-memcached???
 
+### Orchestration (Unified Stack)
+```bash
+docker compose up -d --build   # Build and start all services (Autonomous SvelteKit build)
+docker compose down            # Stop all services
+docker compose restart ae_app  # Restart the SvelteKit UI
+docker compose restart ae_api  # Restart the FastAPI Backend
+```
 
-## Setup
+### Deployment Workflow
-## Check for in use services and ports
+The SvelteKit application is built **inside** the container. You can control the build mode (which bakes in the correct `PUBLIC_` variables) via the `.env` file:
-Note that the Aether FastAPI will hang if redis is not found.
+- Set `AE_APP_BUILD_MODE=staging` for development/testing.
-sudo systemctl status mariadb.services
+- Set `AE_APP_BUILD_MODE=prod` for production.
-sudo systemctl status nginx.service
-sudo systemctl status php-fpm.service
-sudo systemctl status postfix.service
-sudo systemctl status redis.service
 
+Then run:
+```bash
+docker compose up -d --build ae_app
+```
 
-### Create links to Aether API and app directories
+---
-Make sure the docker-compose.yml file is updated with the correct paths.
 
-ln -s /home/scott/OSIT_dev/aether_api_fastapi /home/scott/OSIT_dev/aether_container_env/srv/aether_api_link
+## 🗄️ Database Management (Physical Backups)
-ln -s /home/scott/OSIT_dev/aether_app /home/scott/OSIT_dev/aether_container_env/srv/aether_app_link
+... (rest of the file remains the same) ...
 
-ln -s /mnt/data_drive/srv/data/osit_app/hosted_files /home/scott/OSIT_dev/aether_container_env/srv/hosted_files_link
+The system uses physical hot backups via `mariabackup` for maximum speed and data integrity.
-ln -s /mnt/data_drive/srv/data/osit_app/hosted_files_dev /home/scott/OSIT_dev/aether_container_env/srv/hosted_files_dev_link
 
-ln -s /mnt/data_drive/srv/data/osit_app/hosted_tmp /home/scott/OSIT_dev/aether_container_env/srv/hosted_tmp_link
+### User-Facing Scripts
-ln -s /mnt/data_drive/srv/data/osit_app/hosted_tmp_dev /home/scott/OSIT_dev/aether_container_env/srv/hosted_tmp_dev_link
+These scripts are located in the root directory:
 
+*   **`./backup_db.sh`**: Triggers an immediate hot backup. Results are stored in `backups/`.
+*   **`./export_db.sh`**: Creates a "Conference Ready" backup in `backups/conference_export/` with host-user ownership.
+*   **`./restore_db.sh [backup_file.gz]`**: Performs a full "Clean Slate" restoration.
+    *   *Warning:* This stops MariaDB, archives current data, and resets `root` passwords to match your `.env`.
+*   **`./check_and_import.sh`**: A watchdog script that monitors `backups/import/` for new snapshots and triggers automated restoration.
+
+---
+
+## 📂 Directory Map
+
+*   **`conf/`**: Configuration templates for Nginx and Gunicorn. API config now lives in the `aether_api_fastapi` repo as `app/config.py` and reads settings directly from env vars.
+*   **`logs/`**: Centralized logging for all containers.
+*   **`srv/`**: Mount points for data and source code (managed via symlinks).
+*   **`scripts/`**: Internal automation logic.
+*   **`backups/`**: Storage for MariaDB snapshots.
+
+---
+
+## 📝 Configuration Guidelines
+
+### Environment Profiles (`COMPOSE_PROFILES`)
+*   **`database`**: Includes MariaDB, phpMyAdmin, and the `ae_ops` maintenance service.
+*   **App-Only**: Leave empty if connecting to a remote/shared database server.
+
+### Aether Config ID (`AE_CFG_ID`)
+Specifies the record from the `cfg` table to load during the API bootstrap process:
+*   `1`: Default / Template
+*   `5`: Home Development
+*   `7`: Live Testing
+
+---
+
+## ⚠️ Security Notes
+*   Never commit the `.env` file (it is ignored by git).
+*   Ensure `AE_API_JWT_KEY` is a unique, high-entropy string in production.
+*   The API prioritizes `.env` credentials over DB settings for core infrastructure (SMTP/DB) to prevent accidental lockouts.

aether_api_v5_fastapi_gunicorn.Dockerfile

@@ -1,37 +0,0 @@
-# FROM tiangolo/uvicorn-gunicorn-fastapi:latest
-FROM tiangolo/uvicorn-gunicorn-fastapi:python3.11
-
-LABEL maintainer="Scott Idem <scott.idem@oneskyit.com>"
-
-WORKDIR /srv/aether_api
-
-# RUN apt install poppler-utils
-RUN apt-get update; \
-    apt-get install -y \
-        poppler-utils \
-    ; \
-    rm -rf /var/lib/apt/lists/*;
-
-# RUN set -ex; \
-#     \
-#     apt-get update; \
-#     apt-get install -y --no-install-recommends \
-#         poppler-utils \
-#     ; \
-#     rm -rf /var/lib/apt/lists/*;
-
-RUN pdftoppm -h
-
-COPY conf/aether_api_v5_fastapi_requirements.txt /tmp/requirements.txt
-
-RUN pip install --no-cache-dir -r /tmp/requirements.txt
-
-# RUN pip freeze
-# RUN mkdir /temp
-RUN pip freeze > /requirements_current.txt
-# COPY requirements_current.txt tmp/requirements_current.txt
-# RUN pip freeze > /logs/requirements_current.txt
-
-# COPY conf/aether_fastapi_requirements.txt /tmp/requirements.txt
-
-CMD ["gunicorn", "--conf", "/conf/gunicorn_fastapi_conf.py"]

aether_container_env.code-workspace

@@ -0,0 +1,8 @@
+{
+	"folders": [
+		{
+			"path": "."
+		}
+	],
+	"settings": {}
+}

aether_fastapi_gunicorn.Dockerfile

@@ -1,28 +0,0 @@
-# FROM tiangolo/uvicorn-gunicorn-fastapi:latest
-FROM tiangolo/uvicorn-gunicorn-fastapi:python3.11
-
-LABEL maintainer="Scott Idem <scott.idem@oneskyit.com>"
-
-WORKDIR /srv/aether_api
-
-RUN apt-get update; \
-    apt-get install -y \
-    imagemagick ffmpeg \
-    ; \
-    rm -rf /var/lib/apt/lists/*;
-
-# RUN apt-get update; \
-#     apt-get install -y \
-#         poppler-utils \
-#     ; \
-#     rm -rf /var/lib/apt/lists/*;
-
-# RUN pdftoppm -h
-
-COPY conf/aether_fastapi_requirements.txt /tmp/requirements.txt
-RUN pip install --no-cache-dir -r /tmp/requirements.txt
-
-RUN pip freeze > /aether_fastapi_requirements_current.txt
-RUN pip freeze > /tmp/aether_fastapi_requirements_current.txt
-
-CMD ["gunicorn", "--conf", "/conf/gunicorn_fastapi_conf.py"]

backup_db.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+# Aether MariaDB Backup Script (Physical Backup)
+set -e
+
+PROJECT_ROOT="/home/scott/OSIT_dev/aether_container_env"
+BACKUP_DIR="${PROJECT_ROOT}/backups"
+TIMESTAMP=$(date +%Y%m%d_%H%M)
+BACKUP_FILE="${BACKUP_DIR}/local_backup_${TIMESTAMP}.gz"
+
+echo "--- Starting Aether Local Database Backup ---"
+mkdir -p "${BACKUP_DIR}"
+
+# Increased open-files-limit to prevent OS error 24
+echo ">>> Backing up to ${BACKUP_FILE}..."
+docker exec ae_mariadb_dev mariabackup --user=root --password='$1sky.AE_dev.2023' \
+    --backup --stream=xbstream --open-files-limit=65535 | gzip > "${BACKUP_FILE}"
+
+echo "--- Backup Complete! ---"
+ls -lh "${BACKUP_FILE}"

check_and_import.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# Aether Automated Import Watchdog
+# Checks 'backups/import/' for new database files and restores them.
+
+set -e
+
+PROJECT_ROOT="/home/scott/OSIT_dev/aether_container_env"
+IMPORT_DIR="${PROJECT_ROOT}/backups/import"
+ARCHIVE_DIR="${PROJECT_ROOT}/backups/imported"
+
+mkdir -p "$IMPORT_DIR" "$ARCHIVE_DIR"
+
+# Find the newest .gz file in the import directory
+NEW_BACKUP=$(ls -t "$IMPORT_DIR"/*.gz 2>/dev/null | head -n 1)
+
+if [ -n "$NEW_BACKUP" ]; then
+    echo "--- New Backup Detected: $(basename "$NEW_BACKUP") ---"
+    
+    # Run the restore
+    "${PROJECT_ROOT}/restore_db.sh" "$NEW_BACKUP"
+    
+    # Move to archive
+    echo ">>> Archiving imported file..."
+    mv "$NEW_BACKUP" "$ARCHIVE_DIR/"
+    
+    echo "--- Automated Import Finished ---"
+else
+    echo "No files found in $IMPORT_DIR. Nothing to do."
+fi

conf/aether_api_config.py

@@ -1,93 +0,0 @@
-# Configuration file for this FastAPI app.
-import os
-from pydantic import AnyHttpUrl, BaseSettings, EmailStr, HttpUrl, PostgresDsn, validator
-from typing import Any, Dict, List, Optional, Union
-
-
-# ### ### #
-
-
-class Settings(BaseSettings):
-    AETHER_CFG = {}
-    AETHER_CFG['id'] = os.getenv('AE_CFG_ID', None)
-    # AETHER_CFG['api_id'] = os.getenv('AE_API_CFG_ID', None) # NOT CURRENTLY NEED OR USED
-    
-    JWT_KEY = os.getenv('AE_API_JWT_KEY', '22 chars 00xXyYzZ99') # 22 characters; super secret Aether JWT signing key
-
-    # APP_NAME: str = "Aether API (FastAPI)"
-    # SUPER_EMAIL: EmailStr = 'Aether.Super@oneskyit.com'
-
-
-    # Database Connection
-    DB = {}
-    DB['server'] = os.getenv('AE_DB_SERVER', 'mariadb') # 'linode.oneskyit.com' # linode.oneskyit.com, vpn-linode linode.oneskyit.local
-    DB['port'] = os.getenv('AE_DB_PORT', '3306') # default = 3306
-    DB['name'] = os.getenv('AE_DB_NAME', None) # 'aether_dev' #onesky_ams_dev
-    DB['username'] = os.getenv('AE_DB_USERNAME', None) # 'osit_aether' # 'onesky_aether'
-    DB['password'] = os.getenv('AE_DB_PASSWORD', None) #
-    SQLALCHEMY_DB_URI = 'mysql://'+DB['username']+':'+DB['password']+'@'+DB['server']+'/'+DB['name']
-    
-    # DB['wait_timeout'] = int(os.getenv('AE_DB_WAIT_TIMEOUT', 1800)) # Not used yet! default = 28800; Time (seconds) that the server waits for a connection to become active before closing it.
-    DB['connect_timeout'] = int(os.getenv('AE_DB_CONNECTION_TIMEOUT', 20)) # default = 10; Time (seconds) that the server waits for a connection to become active before closing it.
-    DB['pool_recycle'] = int(os.getenv('AE_DB_POOL_RECYCLE', 1800)) # default = ?; Related to SQLAlchemy
-
-
-    # Aether API log files paths
-    LOG_PATH = {}
-    LOG_PATH['app'] = os.getenv('AE_API_LOG_PATH', 'admin/log/app.log') # 'admin/log/app.log', '../../logs/aether_api.log'
-    # LOG_PATH['app_warning'] = '/logs/aether_api_warning.log' # 'admin/log/app_warning.log' '../../logs/aether_api_warning.log'
-
-
-    # Redis
-    REDIS = {}
-    REDIS['server'] = os.getenv('AE_REDIS_SERVER', 'redis') # 'localhost' 'redis'
-    REDIS['port'] = os.getenv('AE_REDIS_PORT', '6379') # '6379'
-
-
-    # Send SMTP Email
-    SMTP = {}
-    # server
-    # port
-    # username
-    # password
-
-
-    # Server Hosted File Paths
-    FILES_PATH = {}
-    # hosted_files_root
-    # hosted_tmp_root
-
-
-    # CORS Origins
-    ORIGINS_REGEX = os.getenv('AE_API_ORIGINS_REGEX', '(https://.*\.oneskyit\.com)|(https://.*\.oneskyit\.com:4443)|(https://.*\.oneskyit\.com:8443)') # '(https://.*\.oneskyit\.com)|(http://.*\.oneskyit\.com)|(https://.*\.oneskyit\.com:4443)|(http://.*\.oneskyit\.com:8080)|(http://.*\.oneskyit\.com:8181)|(https://.*\.oneskyit\.com:8443)|(http://.*\.oneskyit\.local)|(http://.*\.oneskyit\.local:5000)|(http://.*.localhost)|(http://.*.localhost:5000)|(http://.*.localhost:8181)'
-    # A reasonable, but fairly open example regular expression for the CORS origins:
-    # '(https://.*\.oneskyit\.com)|(http://.*\.oneskyit\.com)|(http://.*\.oneskyit\.com:8181)|(https://.*\.oneskyit\.com:8443)|(http://.*\.oneskyit\.local)|(http://.*\.oneskyit\.local:5000)|(http://.*.localhost)|(http://.*.localhost:5000)|(http://.*.localhost:8181)'
-
-    ORIGINS = [
-        'https://oneskyit.com',
-        # 'http://app-local.oneskyit.com',
-        # 'http://192.168.32.20:3000',
-        # 'http://192.168.32.20:8080',
-
-        # 'http://localhost',
-        # 'http://localhost:3000',
-        # 'http://localhost:5000',
-        # 'http://localhost:7800',
-        # 'http://localhost:8080',
-        # 'http://localhost:8888',
-
-        # 'http://fastapi.localhost',
-
-        # 'http://svelte.oneskyit.local:5555',
-
-        # 'http://connect.localhost:5000', # Using localhost
-
-        # 'http://dev-svelte.oneskyit.local:5555',
-
-        # 'http://lci.internal:5000', # Using internal; just in case guess before LCI
-        # 'http://lci.oneskyit.internal:5000', # Using internal; just in case guess before LCI
-        # 'http://lci.oneskyit.internal', # Using internal; just in case guess before LCI
-        ]
-
-
-settings = Settings()

conf/aether_app_config.py

@@ -87,12 +87,12 @@ AETHER_CFG['app']['path_hosted_tmp_root']: str = None
 AETHER_CFG['api'] = {}
 AETHER_CFG['api']['protocol'] = os.getenv('AE_API_PROTOCOL', 'https') # 'https' # https
 AETHER_CFG['api']['server'] = os.getenv('AE_API_SERVER', None) # 'dev-api.oneskyit.com' # linode.oneskyit.com vpn-linode linode.oneskyit.local
-AETHER_CFG['api']['port'] = os.getenv('AE_API_PORT', '443') # '443' # default = 3306
+AETHER_CFG['api']['port'] = os.getenv('AE_API_PORT', '443')
 AETHER_CFG['api']['path'] = os.getenv('AE_API_PATH', '') # ''
 AETHER_CFG['api']['secret_key'] = os.getenv('AE_API_SECRET_KEY', None)
-AETHER_CFG['api']['protocol_backup'] = 'http' # https
+AETHER_CFG['api']['protocol_backup'] = 'https' # https
-AETHER_CFG['api']['server_backup'] = 'dev-fastapi.oneskyit.local' # linode.oneskyit.com vpn-linode linode.oneskyit.local
+AETHER_CFG['api']['server_backup'] = 'bak-api.oneskyit.com' # linode.oneskyit.com vpn-linode linode.oneskyit.local
-AETHER_CFG['api']['port_backup'] = '5005' # default = 3306
+AETHER_CFG['api']['port_backup'] = '443'
 AETHER_CFG['api']['path_backup'] = ''
 AETHER_CFG['api']['secret_key_backup'] = 'the secret backup key'
 AETHER_CFG['api']['temporary_token'] = {}

conf/aether_fastapi_gunicorn_conf.py

@@ -3,41 +3,25 @@ import os
 # Gunicorn config variables
 loglevel = os.getenv('AE_LOG_LVL', 'warning')
 
-accesslog = "/logs/gunicorn_access.log" # "-"  # stdout
+accesslog = "-"  # stdout
-errorlog = "/logs/gunicorn_error.log" # "-"  # stderr
+errorlog = "-"  # stderr
-# "logfile" does not seem to actually do anything
-# logfile = "/logs/gunicorn.log" # "-"  # stderr
 
+# ... (existing bind/chdir) ...
 bind = "0.0.0.0:5005"
-# bind = "unix:/tmp/gunicorn.sock"
-
 worker_tmp_dir = "/dev/shm"
-
 chdir = "/srv/aether_api"
-# home = /path/to/environment
 wsgi_app = "app.main:app"
-# module = "run_server"
-# callable = "app"
-# plugins = "python"
-# default_proc_name = "app.main:app"
 
-# Setting a long timeout since some FastAPI API requests may take a while
+# Numeric variables must be integers
-timeout = os.getenv('AE_API_GUNICORN_TIMEOUT', 2100) # default 30; 1200 is NOT enough; worker process silent then kill and restart
+timeout = int(os.getenv('AE_API_GUNICORN_TIMEOUT', 30))
-graceful_timeout = os.getenv('AE_API_GUNICORN_GRACEFUL_TIMEOUT', 20) # default 30; timeout after restart signal; tried 10 2023-07-11
+graceful_timeout = int(os.getenv('AE_API_GUNICORN_GRACEFUL_TIMEOUT', 30))
-keepalive = os.getenv('AE_API_GUNICORN_KEEPALIVE', 30) # default 2; setting higher because behind load balancer (nginx); tried 10 2023-07-11
+keepalive = int(os.getenv('AE_API_GUNICORN_KEEPALIVE', 4))
 
-# Reload does not work correctly with UvicornWorker
+reload = False
-# https://github.com/benoitc/gunicorn/issues/2339
+worker_class = "uvicorn.workers.UvicornWorker"
-# Disable reload if using more than one thread
-##### reload = True
 
-# reload_engine = "poll"
+workers = int(os.getenv('AE_API_GUNICORN_WORKERS', 2))
+threads = int(os.getenv('AE_API_GUNICORN_THREADS', 2))
 
-worker_class = "uvicorn.workers.UvicornWorker" # default "sync"
-# Works are processes, not threads
-# workers = 9 # default 1; use 10ish for production; 2 to 4 times the number of cores
-# threads = 1 # default 1; only affects Gthread worker type
-workers = os.getenv('AE_API_GUNICORN_WORKERS', 2)
-threads = os.getenv('AE_API_GUNICORN_THREADS', 2)
 
 # umask = '007'

conf/aether_fastapi_requirements.txt

@@ -1,71 +0,0 @@
-# Updated manually 2023-09-12 with a lot of trial and error.
-# A few are commented out even though they are actually used and required. Other packages already pull them in.
-# SQLAlchemy needs to be upgraded to 2.x. There are issues with async IO or something related to that.
-# https://docs.sqlalchemy.org/en/14/changelog/migration_20.html
-
-# aioredis # BAD! Not maintained!
-aiofiles
-# anyio
-argon2-cffi
-argon2-cffi-bindings
-# asgiref
-async-timeout
-baize # added 2023-08-17
-# certifi
-# cffi
-charset-normalizer
-click
-Deprecated
-dnspython
-email-validator
-et-xmlfile
-fastapi>=0.88.0
-greenlet>=2.0.2
-gunicorn>=20.1.0
-h11
-html2text>=2020.1.16
-httpcore
-httptools
-httpx
-idna
-itsdangerous
-# Jinja2>=3.1.2
-MarkupSafe
-mysqlclient
-numpy>=1.25.2
-openpyxl
-orjson
-# packaging
-pandas>=2.1.0
-passlib
-pdf2image>=1.16.3
-Pillow>=10.0.0
-pycparser
-pydantic>=1.10.12
-PyJWT>=2.8.0
-pyparsing
-python-dateutil
-python-dotenv
-python-multipart
-pytz
-PyYAML>=6.0.1
-qrcode>=7.4.2
-redis[hiredis] # redis==5.0.0 hiredis==2.2.3
-requests
-rfc3986
-six
-sniffio
-SQLAlchemy==1.4.49 # 1.4.47 is the newest (2.0.20) I am working with
-starlette>=0.22.0
-stripe>=6.4.0
-typing_extensions
-ujson
-urllib3
-uvicorn
-uvloop
-Wand
-watchfiles
-watchgod
-websockets>=11.0.3
-wrapt
-xlrd

conf/aether_fastapi_requirements_[freeze_2024-04-26_1240_fastapi110].txt

@@ -0,0 +1,67 @@
+aiofiles==23.2.1
+anyio==3.7.1
+argon2-cffi==23.1.0
+argon2-cffi-bindings==21.2.0
+async-timeout==4.0.3
+baize==0.20.8
+certifi==2024.2.2
+cffi==1.16.0
+charset-normalizer==3.3.2
+click==8.1.7
+Deprecated==1.2.14
+dnspython==2.6.1
+email_validator==2.1.1
+et-xmlfile==1.1.0
+fastapi==0.110.2
+greenlet==3.0.3
+gunicorn==21.2.0
+h11==0.14.0
+hiredis==2.3.2
+html2text==2024.2.26
+httpcore==1.0.5
+httptools==0.6.1
+httpx==0.27.0
+idna==3.7
+itsdangerous==2.2.0
+Jinja2==3.1.3
+MarkupSafe==2.1.5
+mysqlclient==2.2.4
+numpy==1.26.4
+openpyxl==3.1.2
+orjson==3.10.1
+packaging==24.0
+pandas==2.2.2
+passlib==1.7.4
+pdf2image==1.17.0
+pillow==10.3.0
+pycparser==2.22
+pydantic==1.10.15
+PyJWT==2.8.0
+pyparsing==3.1.2
+pypng==0.20220715.0
+python-dateutil==2.9.0.post0
+python-dotenv==1.0.1
+python-multipart==0.0.9
+pytz==2024.1
+PyYAML==6.0.1
+qrcode==7.4.2
+redis==5.0.4
+requests==2.31.0
+rfc3986==2.0.0
+six==1.16.0
+sniffio==1.3.1
+SQLAlchemy==1.4.52
+starlette==0.37.2
+stripe==9.4.0
+typing_extensions==4.11.0
+tzdata==2024.1
+ujson==5.9.0
+urllib3==2.2.1
+uvicorn==0.20.0
+uvloop==0.19.0
+Wand==0.6.13
+watchfiles==0.21.0
+watchgod==0.8.2
+websockets==12.0
+wrapt==1.16.0
+xlrd==2.0.1

conf/aether_fastapi_requirements_current.txt

@@ -1,4 +1,4 @@
-# Updated manually 2023-09-12 with a lot of trial and error.
+# Updated manually 2024-04-26 with a lot of trial and error.
 # A few are commented out even though they are actually used and required. Other packages already pull them in.
 # SQLAlchemy needs to be upgraded to 2.x. There are issues with async IO or something related to that.
 # https://docs.sqlalchemy.org/en/14/changelog/migration_20.html
@@ -19,9 +19,9 @@ Deprecated
 dnspython
 email-validator
 et-xmlfile
-fastapi>=0.88.0
+fastapi==0.94.1 # working 0.94.1, 0.88.0; not working >= 0.95.0
 greenlet>=2.0.2
-gunicorn>=20.1.0
+gunicorn>=22.0.0
 h11
 html2text>=2020.1.16
 httpcore
@@ -55,7 +55,7 @@ requests
 rfc3986
 six
 sniffio
-SQLAlchemy==1.4.49 # 1.4.47 is the newest (2.0.20) I am working with
+SQLAlchemy==1.4.49 # 1.4.49 is the newest (2.0.20) I am working with
 starlette>=0.22.0
 stripe>=6.4.0
 typing_extensions

conf/certs/README.md

@@ -1,4 +1,4 @@
-Create a links to the pem files
+Copy or create a links to the pem files
 * ./conf/certs/oneskyit.com_fullchain.pem
 * ./conf/certs/privkey.pem
 * ./conf/certs/ssl-dhparams.pem
@@ -8,6 +8,11 @@ Create a links to the pem files
 ssl-dhparams.pem should only need to be copied one time. The others need to be copied over after they expire.
 Does the ownership or other permissions need to change?
 ```bash
+sudo rsync -vhr -LK --archive -progress /etc/letsencrypt/live/ /home/scott/backups/letsencrypt_live_certs
+sudo chown scott:scott -R ~/backups/letsencrypt_live_certs
+
+
+
 sudo cp /etc/letsencrypt/live/oneskyit.com-0001/fullchain.pem /srv/env/test_aether/conf/certs/fullchain.pem
 sudo cp /etc/letsencrypt/live/oneskyit.com-0001/privkey.pem /srv/env/test_aether/conf/certs/privkey.pem
 sudo cp /etc/letsencrypt/ssl-dhparams.pem /srv/env/test_aether/conf/certs/ssl-dhparams.pem

conf/crontab

@@ -0,0 +1 @@
+55 * * * * bash /scripts/backup_internal.sh >> /logs/backup_cron.log 2>&1

conf/logrotate.conf

@@ -0,0 +1,12 @@
+# Logrotate configuration for Aether Docker Logs
+# To use: sudo ln -s /home/scott/OSIT_dev/aether_container_env/conf/logrotate.conf /etc/logrotate.d/aether
+
+/home/scott/OSIT_dev/aether_container_env/logs/*/*.log {
+    daily
+    rotate 7
+    missingok
+    notifempty
+    compress
+    delaycompress
+    copytruncate
+}

conf/mariadb/server.cnf

@@ -0,0 +1,42 @@
+[server]
+
+[mysqld]
+# Global defaults for Aether Dev (Overrides are in docker-compose.yml via .env)
+slow_query_log = ON
+long_query_time = 1
+expire_logs_days = 90
+max_binlog_size  = 512M
+wait_timeout = 1800
+net_read_timeout = 900
+net_write_timeout = 900
+interactive_timeout = 1800
+connect_timeout = 90
+max_allowed_packet = 128M
+key_buffer_size = 64M
+
+# Buffer Settings
+join_buffer_size         = 16M
+read_buffer_size         = 4M
+read_rnd_buffer_size     = 8M
+sort_buffer_size         = 16M
+innodb_sort_buffer_size  = 32M
+innodb_open_files        = 4096
+
+query_cache_type = ON
+query_cache_limit = 4M
+
+[galera]
+
+[embedded]
+
+[mariadb]
+plugin_load_add = server_audit
+server_audit=FORCE_PLUS_PERMANENT
+server_audit_file_path=/var/log/mysql/mariadb-audit.log
+server_audit_logging=ON
+server_audit_events = 'CONNECT,TABLE'
+
+# skip-name-resolve helps significantly with Docker network overhead
+skip-name-resolve
+
+[mariadb-10.11]

conf/nginx/site-enabled_aether-nextcloud.conf

@@ -23,8 +23,10 @@ server {
 }
 
 server {
-    listen 443      ssl http2;
+    listen 443 ssl;
-    listen [::]:443 ssl http2;
+    listen [::]:443 ssl;
+    http2 on;
+
     server_name nextcloud.oneskyit.com;
 
     access_log  /logs/nginx/access_oneskyit_nextcloud.log;

conf/nginx/site-enabled_aether-phpmyadmin.conf

@@ -1,7 +1,7 @@
 server {
     listen 80;
     listen [::]:80;
-    
+
     server_name ${DOCKER_PHPMYADMIN_SERVER_NAME};
     # server_name phpmyadmin-oneskyit.localhost phpmyadmin.oneskyit.com dev-phpmyadmin.oneskyit.com test-phpmyadmin.oneskyit.com;
 
@@ -25,12 +25,13 @@ server {
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
-    
+    http2 on;
+
     # server_name ${DOCKER_PHPMYADMIN_SERVER_NAME};
     server_name phpmyadmin-oneskyit.localhost phpmyadmin.oneskyit.com dev-phpmyadmin.oneskyit.com test-phpmyadmin.oneskyit.com;
-    
+
     access_log  /logs/nginx/access_oneskyit_phpmyadmin.log;
-    
+
     include /etc/nginx/options-ssl-nginx.conf;
 
     ssl_certificate /etc/certs/fullchain.pem;

conf/nginx/site-enabled_aether_api_v5_fastapi_gunicorn.conf

@@ -1,7 +1,7 @@
 server {
     listen 80;
     listen [::]:80;
-    
+
     server_name ${DOCKER_AE_API_V5_SERVER_NAME} v5-fastapi.localhost api-v5.localhost;
     # server_name
     #     fastapi_gunicorn.localhost
@@ -31,13 +31,13 @@ server {
         fastcgi_connect_timeout 4s;
         fastcgi_send_timeout 5s;
         fastcgi_read_timeout 5s;
-        
+
         # proxy read timeout being too low will cause 504 Gateway Time-out on the client browser
         proxy_read_timeout 2100s;
 
         proxy_pass http://v5_fastapi_backend;
     }
-    
+
     location /ws {
         proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
@@ -56,7 +56,7 @@ server {
         # proxy_headers_hash_max_size 1024;
 
         proxy_pass http://v5_fastapi_backend;
-        
+
         access_log  /logs/nginx/access_fastapi_gunicorn_ws.log;
         error_log  /logs/nginx/error_fastapi_gunicorn_ws.log;
     }
@@ -66,7 +66,8 @@ server {
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
-    
+    http2 on;
+
     server_name ${DOCKER_AE_API_V5_SERVER_NAME} v5-fastapi.localhost api-v5.localhost;
     # server_name
     #     fastapi_gunicorn.localhost
@@ -105,13 +106,13 @@ server {
         fastcgi_connect_timeout 35s;
         fastcgi_send_timeout 35s;
         fastcgi_read_timeout 35s;
-        
+
         # proxy read timeout being too low will cause 504 Gateway Time-out on the client browser
         proxy_read_timeout 2100s;
 
         proxy_pass http://v5_fastapi_backend;
     }
-    
+
     location /ws {
         proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
@@ -130,7 +131,7 @@ server {
         # proxy_headers_hash_max_size 1024;
 
         proxy_pass http://v5_fastapi_backend;
-        
+
         access_log  /logs/nginx/access_fastapi_gunicorn_ws.log;
         error_log  /logs/nginx/error_fastapi_gunicorn_ws.log;
     }

conf/nginx/site-enabled_aether_app_svelte_node.conf

@@ -0,0 +1,83 @@
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name
+        ${DOCKER_AE_APP_SERVER_NAME}
+        ~^(dev|test|bak|sr|prod)?-?(app|demo|connect|aacc|aapor|ascm|businessgroup|chow|cmsc|idaa|ishlt|lci|ncsd|npa|rli)\.oneskyit\.com$
+        app.localhost
+        demo.localhost
+        connect.localhost
+        svelte.localhost
+        dev.localhost
+        localhost
+        ;
+
+    access_log  /logs/nginx/access_svelte_node.log;
+    error_log  /logs/nginx/error_svelte_node.log;
+
+    client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE};
+
+    location / {
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_redirect off;
+        proxy_buffering off;
+
+        proxy_read_timeout 1500s;
+
+        proxy_pass http://svelte_backend;
+    }
+}
+
+
+# server {
+#     listen 443 ssl;
+#     listen [::]:443 ssl;
+#     http2 on;
+# 
+#     server_name
+#         ${DOCKER_AE_APP_SERVER_NAME}
+#         ~^(dev|test|bak|sr|prod)?-?(app|demo|connect|aacc|aapor|ascm|businessgroup|chow|cmsc|idaa|ishlt|lci|ncsd|npa|rli)\.oneskyit\.com$
+#         app.localhost
+#         demo.localhost
+#         connect.localhost
+#         svelte.localhost
+#         dev.localhost
+#         localhost
+#         ;
+# 
+#     access_log  /logs/nginx/access_svelte_node.log;
+#     error_log  /logs/nginx/error_svelte_node.log;
+# 
+#     include /etc/nginx/options-ssl-nginx.conf;
+# 
+#     ssl_certificate /etc/certs/fullchain_wild.pem;
+#     ssl_certificate_key /etc/certs/privkey_wild.pem;
+#     ssl_dhparam /etc/certs/ssl-dhparams.pem;
+# 
+#     client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE};
+# 
+#     location / {
+#         proxy_set_header Host $http_host;
+#         proxy_set_header X-Real-IP $remote_addr;
+#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#         proxy_set_header X-Forwarded-Proto $scheme;
+# 
+#         proxy_redirect off;
+#         proxy_buffering off;
+# 
+#         proxy_read_timeout 1500s;
+# 
+#         proxy_pass http://svelte_backend;
+#     }
+# }
+
+
+upstream svelte_backend {
+    ip_hash;
+    server ae_app:3000 weight=20 max_fails=3 fail_timeout=30s;
+}

conf/nginx/site-enabled_aether_fastapi_gunicorn.conf

@@ -1,11 +1,18 @@
+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+}
+
 server {
     listen 80;
     listen [::]:80;
 
     server_name
         ${DOCKER_AE_API_SERVER_NAME}
-        fastapi.localhost
+        ~^(dev|test|bak|sr|prod)?-?(api|fastapi)\.oneskyit\.com$
         api.localhost
+        fastapi.localhost
+        localhost
         ;
 
     # server_name
@@ -21,21 +28,26 @@ server {
     client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE}; # 5120M; #4096M or 4G; 5120M or 5G;
 
     location / {
+        # Based on recommendations here: https://www.uvicorn.org/deployment/#running-behind-nginx
         proxy_set_header Host $http_host;
-        proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
 
         proxy_redirect off;
         proxy_buffering off;
 
+        # I think "X-Real-IP" might be needed for some things?
+        proxy_set_header X-Real-IP $remote_addr;
+
         # This is needed for long running Python code. Default is 60 seconds
         # Increased from 1200 to 1500 on 2022-04-17
         # Increased from 1500 to 2000 on 2023-03-15
         # Increased proxy read timeout to 2100 and decreased fastcgi options to 35s on 2023-03-16
-        fastcgi_connect_timeout 4s;
+        # fastcgi_connect_timeout 4s;
-        fastcgi_send_timeout 5s;
+        # fastcgi_send_timeout 5s;
-        fastcgi_read_timeout 5s;
+        # fastcgi_read_timeout 5s;
 
         # proxy read timeout being too low will cause 504 Gateway Time-out on the client browser
         proxy_read_timeout 2100s;
@@ -65,64 +77,8 @@ server {
         access_log  /logs/nginx/access_fastapi_gunicorn_ws.log;
         error_log  /logs/nginx/error_fastapi_gunicorn_ws.log;
     }
-}
 
-
+    location /v3/ws {
-server {
-    listen 443 ssl;
-    listen [::]:443 ssl;
-
-    server_name
-        ${DOCKER_AE_API_SERVER_NAME}
-        fastapi.localhost
-        api.localhost
-        ;
-
-    # server_name
-    #     fastapi_gunicorn.localhost
-    #     dev-api.localhost
-    #     dev-api.oneskyit.com
-    #     test-api.oneskyit.com
-    #     ;
-
-    access_log  /logs/nginx/access_fastapi_gunicorn.log;
-    error_log  /logs/nginx/error_fastapi_gunicorn.log;
-
-    include /etc/nginx/options-ssl-nginx.conf;
-
-    ssl_certificate /etc/certs/fullchain_wild.pem;
-    ssl_certificate_key /etc/certs/privkey_wild.pem;
-    ssl_dhparam /etc/certs/ssl-dhparams.pem;
-
-    # include brotli.conf;
-    # include gzip.conf;
-
-    client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE}; # 5120M; #4096M or 4G; 5120M or 5G;
-
-    location / {
-        proxy_set_header Host $http_host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-
-        proxy_redirect off;
-        proxy_buffering off;
-
-        # This is needed for long running Python code. Default is 60 seconds
-        # Increased from 1200 to 1500 on 2022-04-17
-        # Increased from 1500 to 2000 on 2023-03-15
-        # Increased proxy read timeout to 2100 and decreased fastcgi options to 35s on 2023-03-16
-        fastcgi_connect_timeout 35s;
-        fastcgi_send_timeout 35s;
-        fastcgi_read_timeout 35s;
-
-        # proxy read timeout being too low will cause 504 Gateway Time-out on the client browser
-        proxy_read_timeout 2100s;
-
-        proxy_pass http://fastapi_backend;
-    }
-
-    location /ws {
         proxy_set_header Host $http_host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -136,34 +92,126 @@ server {
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
 
-        # proxy_read_timeout 600;
+        proxy_read_timeout 2100s;
-        # proxy_headers_hash_max_size 1024;
 
         proxy_pass http://fastapi_backend;
 
-        access_log  /logs/nginx/access_fastapi_gunicorn_ws.log;
+        access_log  /logs/nginx/access_fastapi_gunicorn_v3_ws.log;
-        error_log  /logs/nginx/error_fastapi_gunicorn_ws.log;
+        error_log  /logs/nginx/error_fastapi_gunicorn_v3_ws.log;
     }
 }
 
 
+# server {
+#     listen 443 ssl;
+#     listen [::]:443 ssl;
+#     http2 on;
+# 
+#     server_name
+#         ${DOCKER_AE_API_SERVER_NAME}
+#         fastapi.localhost
+#         api.localhost
+#         localhost
+#         ;
+# 
+#     # server_name
+#     #     fastapi_gunicorn.localhost
+#     #     dev-api.localhost
+#     #     dev-api.oneskyit.com
+#     #     test-api.oneskyit.com
+#     #     ;
+# 
+#     access_log  /logs/nginx/access_fastapi_gunicorn.log;
+#     error_log  /logs/nginx/error_fastapi_gunicorn.log;
+# 
+#     include /etc/nginx/options-ssl-nginx.conf;
+# 
+#     ssl_certificate /etc/certs/fullchain_wild.pem;
+#     ssl_certificate_key /etc/certs/privkey_wild.pem;
+#     ssl_dhparam /etc/certs/ssl-dhparams.pem;
+# 
+#     # include brotli.conf;
+#     # include gzip.conf;
+# 
+#     client_max_body_size ${OSIT_WEB_MAX_BODY_SIZE}; # 5120M; #4096M or 4G; 5120M or 5G;
+# 
+#     location / {
+#         # Based on recommendations here: https://www.uvicorn.org/deployment/#running-behind-nginx
+#         proxy_set_header Host $http_host;
+#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#         proxy_set_header X-Forwarded-Proto $scheme;
+#         proxy_set_header Upgrade $http_upgrade;
+#         proxy_set_header Connection $connection_upgrade;
+# 
+#         proxy_redirect off;
+#         proxy_buffering off;
+# 
+#         # I think "X-Real-IP" might be needed for some things?
+#         proxy_set_header X-Real-IP $remote_addr;
+# 
+#         # # This is needed for long running Python code. Default is 60 seconds
+#         # # Increased from 1200 to 1500 on 2022-04-17
+#         # # Increased from 1500 to 2000 on 2023-03-15
+#         # # Increased proxy read timeout to 2100 and decreased fastcgi options to 35s on 2023-03-16
+#         # fastcgi_connect_timeout 35s;
+#         # fastcgi_send_timeout 35s;
+#         # fastcgi_read_timeout 35s;
+# 
+#         # proxy read timeout being too low will cause 504 Gateway Time-out on the client browser
+#         proxy_read_timeout 2100s;
+# 
+#         proxy_pass http://fastapi_backend;
+#     }
+# 
+#     location /ws {
+#         proxy_set_header Host $http_host;
+#         proxy_set_header X-Real-IP $remote_addr;
+#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#         proxy_set_header X-Forwarded-Proto $scheme;
+# 
+#         proxy_http_version 1.1;
+# 
+#         proxy_redirect off;
+#         proxy_buffering off;
+# 
+#         proxy_set_header Upgrade $http_upgrade;
+#         proxy_set_header Connection "upgrade";
+# 
+#         # proxy_read_timeout 600;
+#         # proxy_headers_hash_max_size 1024;
+# 
+#         proxy_pass http://fastapi_backend;
+# 
+#         access_log  /logs/nginx/access_fastapi_gunicorn_ws.log;
+#         error_log  /logs/nginx/error_fastapi_gunicorn_ws.log;
+#     }
+# 
+#     location /v3/ws {
+#         proxy_set_header Host $http_host;
+#         proxy_set_header X-Real-IP $remote_addr;
+#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+#         proxy_set_header X-Forwarded-Proto $scheme;
+# 
+#         proxy_http_version 1.1;
+# 
+#         proxy_redirect off;
+#         proxy_buffering off;
+# 
+#         proxy_set_header Upgrade $http_upgrade;
+#         proxy_set_header Connection "upgrade";
+# 
+#         proxy_read_timeout 2100s;
+# 
+#         proxy_pass http://fastapi_backend;
+# 
+#         access_log  /logs/nginx/access_fastapi_gunicorn_v3_ws.log;
+#         error_log  /logs/nginx/error_fastapi_gunicorn_v3_ws.log;
+#     }
+# }
+
+
 upstream fastapi_backend {
-    # sticky sessions
+    least_conn;
-    ip_hash;
+    server ae_api:5005 weight=20 max_fails=1 fail_timeout=5s;
-
+    keepalive 10;
-    # enable least connections balancing method
-    # least_conn;
-
-    # zone backend 64k;  # Use NGINX Plus' shared memory
-
-    # server webserver1 weight=1;
-    # server webserver2 weight=4;
-
-    # larger number will recieve more requests
-    # Example of 20 vs 10: 20 will recieve twice as many requests as 10
-    server aether_api_gunicorn:5005 weight=20 max_fails=3 fail_timeout=30s;
-    # server aether_api_gunicorn_bak:5005 weight=10 max_fails=1 fail_timeout=30s;
-
-    # maintain up to 20 idle connections to the group of upstream servers
-    # keepalive 20;
 }

conf/nginx/site-enabled_aether_flask_gunicorn.conf

@@ -33,15 +33,15 @@ server {
         dev-rli.oneskyit.com *.dev-rli.oneskyit.com
 
         sr-app.oneskyit.com
-        # sr-connect.oneskyit.com *.sr-connect.oneskyit.com
+        sr-connect.oneskyit.com *.sr-connect.oneskyit.com
-        # sr-demo.oneskyit.com *.sr-demo.oneskyit.com
+        sr-demo.oneskyit.com *.sr-demo.oneskyit.com
 
-        # sr-aacc.oneskyit.com *.sr-aacc.oneskyit.com
+        sr-aacc.oneskyit.com *.sr-aacc.oneskyit.com
-        # sr-aapor.oneskyit.com *.sr-aapor.oneskyit.com
+        sr-aapor.oneskyit.com *.sr-aapor.oneskyit.com
-        # sr-businessgroup.oneskyit.com *.sr-businessgroup.oneskyit.com
+        sr-businessgroup.oneskyit.com *.sr-businessgroup.oneskyit.com
-        # sr-cmsc.oneskyit.com *.sr-cmsc.oneskyit.com
+        sr-cmsc.oneskyit.com *.sr-cmsc.oneskyit.com
-        # sr-lci.oneskyit.com *.sr-lci.oneskyit.com
+        sr-lci.oneskyit.com *.sr-lci.oneskyit.com
-        # sr-ncsd.oneskyit.com *.sr-ncsd.oneskyit.com
+        sr-ncsd.oneskyit.com *.sr-ncsd.oneskyit.com
 
         test-app.oneskyit.com
         # test-idaa.oneskyit.com *.test-idaa.oneskyit.com
@@ -77,6 +77,7 @@ server {
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
+    http2 on;
 
     # The Docker nginx envsubst with templates does not work for multiple server names.
     # server_name
@@ -101,23 +102,23 @@ server {
         dev-aapor.oneskyit.com *.dev-aapor.oneskyit.com
         dev-businessgroup.oneskyit.com *.dev-businessgroup.oneskyit.com
         dev-chow.oneskyit.com *.dev-chow.oneskyit.com
-        dev-cmsc.oneskyit.com *.dev-cmsc.oneskyit.com
+        # dev-cmsc.oneskyit.com *.dev-cmsc.oneskyit.com
         dev-idaa.oneskyit.com *.dev-idaa.oneskyit.com
         dev-ishlt.oneskyit.com *.dev-ishlt.oneskyit.com
         dev-lci.oneskyit.com *.dev-lci.oneskyit.com
-        dev-ncsd.oneskyit.com *.dev-ncsd.oneskyit.com
+        # dev-ncsd.oneskyit.com *.dev-ncsd.oneskyit.com
         dev-npa.oneskyit.com *.dev-npa.oneskyit.com
         dev-rli.oneskyit.com *.dev-rli.oneskyit.com
 
         sr-app.oneskyit.com
-        # sr-connect.oneskyit.com *.sr-connect.oneskyit.com
+        sr-connect.oneskyit.com *.sr-connect.oneskyit.com
-        # sr-demo.oneskyit.com *.sr-demo.oneskyit.com
+        sr-demo.oneskyit.com *.sr-demo.oneskyit.com
 
-        # sr-aacc.oneskyit.com *.sr-aacc.oneskyit.com
+        sr-aacc.oneskyit.com *.sr-aacc.oneskyit.com
-        # sr-aapor.oneskyit.com *.sr-aapor.oneskyit.com
+        sr-aapor.oneskyit.com *.sr-aapor.oneskyit.com
-        # sr-businessgroup.oneskyit.com *.sr-businessgroup.oneskyit.com
+        sr-businessgroup.oneskyit.com *.sr-businessgroup.oneskyit.com
         # sr-cmsc.oneskyit.com *.sr-cmsc.oneskyit.com
-        # sr-lci.oneskyit.com *.sr-lci.oneskyit.com
+        sr-lci.oneskyit.com *.sr-lci.oneskyit.com
         # sr-ncsd.oneskyit.com *.sr-ncsd.oneskyit.com
 
         test-app.oneskyit.com
@@ -130,8 +131,8 @@ server {
 
     include /etc/nginx/options-ssl-nginx.conf;
 
-    ssl_certificate /etc/certs/fullchain.pem;
+    ssl_certificate /etc/certs/fullchain_wild.pem;
-    ssl_certificate_key /etc/certs/privkey.pem;
+    ssl_certificate_key /etc/certs/privkey_wild.pem;
     ssl_dhparam /etc/certs/ssl-dhparams.pem;
 
     # include brotli.conf;
@@ -161,22 +162,6 @@ server {
 
 
 upstream flask_backend {
-    # sticky sessions
     ip_hash;
-
+    server app-node:3000 weight=20 max_fails=3 fail_timeout=30s;
-    # enable least connections balancing method
-    # least_conn;
-
-    # zone backend 64k;  # Use NGINX Plus' shared memory
-
-    # server webserver1 weight=1;
-    # server webserver2 weight=4;
-
-    # larger number will recieve more requests
-    # Example of 20 vs 10: 20 will recieve twice as many requests as 10
-    server aether_app_gunicorn:5005 weight=20 max_fails=3 fail_timeout=30s;
-    # server aether_app_gunicorn_bak:5005 weight=10 max_fails=1 fail_timeout=30s;
-
-    # maintain up to 20 idle connections to the group of upstream servers
-    # keepalive 20;
 }

conf/nginx/site-enabled_oneskyit.conf

@@ -1,8 +1,8 @@
 server {
     listen 80;
     listen [::]:80;
-    
+
-    server_name dev-docker.oneskyit.com test-docker.oneskyit.com prod-docker.oneskyit.com ${DOCKER_OSIT_SERVER_NAME};
+    server_name docker.oneskyit.com ${DOCKER_OSIT_SERVER_NAME};
     # server_name oneskyit.localhost;
 
     access_log  /logs/nginx/access_oneskyit.log;
@@ -46,9 +46,10 @@ server {
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
-    
+    http2 on;
+
     # server_name docker.oneskyit.com ${DOCKER_OSIT_SERVER_NAME};
-    server_name docker.oneskyit.com dev-docker.oneskyit.com test-docker.oneskyit.com prod-docker.oneskyit.com ${DOCKER_OSIT_SERVER_NAME};
+    server_name docker.oneskyit.com ${DOCKER_OSIT_SERVER_NAME};
     # server_name docker.oneskyit.com dev.oneskyit.com test.oneskyit.com prod.oneskyit.com;
     # server_name docker.oneskyit.com;
 

conf/nginx/site.conf

@@ -1,114 +1,38 @@
+# Aether Platform - Default Nginx Site Config
+# This file handles the default (non-matching) requests.
+
 server {
     listen 80 default_server;
     server_name _;
-    return 301 https://$host$request_uri;
-}
 
-# server {
+    access_log /logs/nginx/access_docker_default.log;
-#     listen       80;
+    error_log  /logs/nginx/error_docker_default.log;
-#     server_name  _;
-# 
-#     access_log /logs/nginx/access_docker.log;
-#     error_log  /logs/nginx/error_docker.log;
-# 
-#     root   /srv/html_php;
-# 
-#     index  index.html index.htm index.php;
-# 
-#     # location / {
-#     #     # root   /usr/share/nginx/html;
-#     #     index  index.html index.htm;
-#     # }
-# 
-#     location ~ \.php$ {
-#         index  index.html index.htm index.php;
-# 
-#         try_files $uri =404;
-#         fastcgi_split_path_info ^(.+\.php)(/.+)$;
-#         fastcgi_pass php7:9000;
-#         fastcgi_index index.php;
-#         include fastcgi_params;
-#         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-#         fastcgi_param PATH_INFO $fastcgi_path_info;
-#     }
-# 
-#     #error_page  404              /404.html;
-# 
-#     # redirect server error pages to the static page /50x.html
-#     #
-#     # error_page   500 502 503 504  /50x.html;
-#     # location = /50x.html {
-#     #     root   /usr/share/nginx/html;
-#     # }
-# 
-#     # proxy the PHP scripts to Apache listening on 127.0.0.1:80
-#     #
-#     #location ~ \.php$ {
-#     #    proxy_pass   http://127.0.0.1;
-#     #}
-# 
-#     # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
-#     #
-#     #location ~ \.php$ {
-#     #    root           html;
-#     #    fastcgi_pass   127.0.0.1:9000;
-#     #    fastcgi_index  index.php;
-#     #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
-#     #    include        fastcgi_params;
-#     #}
-# 
-#     # deny access to .htaccess files, if Apache's document root
-#     # concurs with nginx's one
-#     #
-#     #location ~ /\.ht {
-#     #    deny  all;
-#     #}
-# }
 
-server {
+    # Just return a 404 for any non-matching domains
-    listen 443 ssl;
-    listen [::]:443 ssl;
-    
-    server_name _;
-
-    access_log  /logs/nginx/access_docker.log;
-    error_log  /logs/nginx/error_docker.log;
-
-    # Do not overflow the SSL send buffer (causes extra round trips)
-    # ssl_buffer_size 8k;
-
-    include /etc/nginx/options-ssl-nginx.conf;
-
-    ssl_certificate /etc/certs/fullchain.pem;
-    ssl_certificate_key /etc/certs/privkey.pem;
-    ssl_dhparam /etc/certs/ssl-dhparams.pem;
-    
     location / {
         return 404;
     }
-
-#     root /srv/html_php;
-# 
-#     index index.php index.html;
-# 
-#     # These two locations remove .html and .php from filenames.
-#     location / {
-#         try_files $uri $uri/ $uri.html $uri.php$is_args$query_string;
-#     }
-# 
-#     location ~ \.php$ {
-#         root /srv/html_php;
-# 
-#         # index  index.html index.htm index.php;
-# 
-#         try_files $uri =404;
-#         # try_files $uri $document_root$fastcgi_script_name =404;
-# 
-#         fastcgi_split_path_info ^(.+\.php)(/.+)$;
-#         fastcgi_pass php7:9000;
-#         fastcgi_index index.php;
-#         include fastcgi_params;
-#         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-#         fastcgi_param PATH_INFO $fastcgi_path_info;
-#     }
 }
+
+# SSL is disabled by default for internal containers.
+# If you need SSL termination INSIDE the container, uncomment this block
+# and ensure valid certs are in /etc/certs/
+#
+# server {
+#     listen 443 ssl;
+#     listen [::]:443 ssl;
+#     server_name _;
+#
+#     access_log  /logs/nginx/access_docker_ssl.log;
+#     error_log  /logs/nginx/error_docker_ssl.log;
+#
+#     include /etc/nginx/options-ssl-nginx.conf;
+#
+#     ssl_certificate /etc/certs/fullchain.pem;
+#     ssl_certificate_key /etc/certs/privkey.pem;
+#     ssl_dhparam /etc/certs/ssl-dhparams.pem;
+#
+#     location / {
+#         return 404;
+#     }
+# }

docker-compose.yml

@@ -1,349 +1,250 @@
-version: "3.9"
-
 services:
     web:
         restart: unless-stopped
         container_name: ${CONTAINER_WEB}
         build:
-            # context: ./builds
             context: ./
             dockerfile: aether_nginx.Dockerfile
         env_file:
             - ./.env
         environment:
-            # NOTE: This does not seem to work with nginx yet???
+            - PUID=1000
-            # NOTE: Use the template directory and .template extension for the .conf files.
+            - PGID=1000
-            # - NGINX_SERVER_NAMES="dev-demo.oneskyit.com dev-example.oneskyit.com"
+            - TZ=US/Eastern
-            # - NGINX_SERVER_NAMES="dev-idaa.oneskyit.com dev-ishlt.oneskyit.com"
+
-            # - AE_DOMAIN_LIST:'dev-aapor.oneskyit.com dev-businessgroup.oneskyt.com dev-cmsc.oneskyit.com dev-idaa.oneskyit.com dev-ishlt.oneskyit.com dev-ncsd.oneskyit.com dev-npa.oneskyit.com dev-rli.oneskyit.com'
+            - NGINX_SERVER_NAMES="flask_gunicorn.localhost demo.localhost dev.localhost dev.oneskyit.com dev-app.oneskyit.com dev-connect.oneskyit.com dev-demo.oneskyit.com dev-aacc.oneskyit.com dev-aapor.oneskyit.com dev-ascm.oneskyit.com dev-businessgroup.oneskyt.com dev-chow.oneskyit.com dev-cmsc.oneskyit.com dev-idaa.oneskyit.com dev-ishlt.oneskyit.com dev-lci.oneskyit.com dev-ncsd.oneskyit.com dev-npa.oneskyit.com dev-rli.oneskyit.com test-app.oneskyit.com test-api.oneskyit.com test-demo.oneskyit.com test-lci.oneskyit.com test-idaa.oneskyit.com"
-            # - NGINX_SERVER_NAMES="flask_gunicorn.localhost demo.localhost dev.localhost dev.oneskyit.com dev-app.oneskyit.com dev-connect.oneskyit.com *.dev-connect.oneskyit.com dev-demo.oneskyit.com *.dev-demo.oneskyit.com dev-aapor.oneskyit.com *.dev-aapor.oneskyit.com dev-businessgroup.oneskyt.com *.dev-businessgroup.oneskyt.com dev-cmsc.oneskyit.com *.dev-cmsc.oneskyit.com dev-idaa.oneskyit.com *.dev-idaa.oneskyit.com dev-ishlt.oneskyit.com *.dev-ishlt.oneskyit.com dev-ncsd.oneskyit.com *.dev-ncsd.oneskyit.com dev-npa.oneskyit.com *.dev-npa.oneskyit.com dev-rli.oneskyit.com *.dev-rli.oneskyit.com test-app.oneskyit.com"
-            - NGINX_SERVER_NAMES="flask_gunicorn.localhost demo.localhost dev.localhost dev.oneskyit.com dev-app.oneskyit.com dev-connect.oneskyit.com dev-demo.oneskyit.com dev-aacc.oneskyit.com dev-aapor.oneskyit.com dev-businessgroup.oneskyt.com dev-chow.oneskyit.com dev-cmsc.oneskyit.com dev-idaa.oneskyit.com dev-ishlt.oneskyit.com dev-lci.oneskyit.com dev-ncsd.oneskyit.com dev-npa.oneskyit.com dev-rli.oneskyit.com test-app.oneskyit.com"
         ports:
-            - "${OSIT_WEB_HTTP_PORT}:80"
+            - "${OSIT_WEB_HTTP_PORT}:80"   # LAN HTTP (local access without SSL)
-            - "${OSIT_WEB_HTTPS_PORT}:443"
+            # - "${OSIT_WEB_HTTPS_PORT}:443" # HTTPS — not needed internally; terminate SSL at home server
-            # - "80:80"
+            - "${AE_API_GATEWAY_PORT}:80"  # API gateway: home nginx → workstation:5060 → ae_api replicas
-            # - "443:443"
+            - "${AE_APP_GATEWAY_PORT}:80"  # App gateway: home nginx → workstation:3001 → ae_app replicas
-            # - "8181:80"
-            # - "8443:443"
-        # networks:
-        #   - local-net
         volumes:
             - ./srv/html_php:/srv/html_php
             - ./srv/oneskyit_site:/srv/oneskyit_site
-
+            - ${HOSTED_FILES_SRC}:/srv/hosted_files
-            - ./srv/hosted_files_ln:/srv/hosted_files
+            - ${HOSTED_TMP_SRC}:/srv/hosted_tmp
-            - ./srv/hosted_tmp_ln:/srv/hosted_tmp
-
-            # NOTE: Nextcloud Docker container requires (sort of) the path to be /var/www/html
-            # - ./srv/nextcloud:/srv/nextcloud
-            # - ./srv/nextcloud/app:/var/www/html
-            # - ./srv/nextcloud/apps:/var/www/html/apps
-            # - ./srv/nextcloud/config:/var/www/html/config
-            # - ./srv/nextcloud/data:/var/www/html/data
-
-            # - ./conf/nginx/nginx.conf:/etc/nginx/nginx.conf
             - ./conf/nginx/options-ssl-nginx.conf:/etc/nginx/options-ssl-nginx.conf
-            # - ./conf/nginx/other.conf:/etc/nginx/conf.d/other.conf
-
             - ./conf/nginx/site.conf:/etc/nginx/conf.d/0_site.conf
-
-            # - ./conf/nginx/site-enabled_aether-mailman2.conf:/etc/nginx/conf.d/site-enabled_aether-mailman2.conf
-            # - ./conf/nginx/site-enabled_aether-nextcloud.conf:/etc/nginx/conf.d/site-enabled_aether-nextcloud.conf
-            # - ./conf/nginx/site-enabled_aether-phpmyadmin.conf:/etc/nginx/templates/site-enabled_aether-phpmyadmin.conf.template
-
-            # - ./conf/nginx/site-enabled_oneskyit.conf:/etc/nginx/conf.d/site-enabled_oneskyit.conf
-            - ./conf/nginx/site-enabled_oneskyit.conf:/etc/nginx/templates/site-enabled_oneskyit.conf.template
-
             - ./conf/nginx/site-enabled_aether_fastapi_gunicorn.conf:/etc/nginx/templates/site-enabled_aether_fastapi_gunicorn.conf.template
-            # - ./conf/nginx/site-enabled_aether_api_v5_fastapi_gunicorn.conf:/etc/nginx/templates/site-enabled_aether_api_v5_fastapi_gunicorn.conf.template
+            - ./conf/nginx/site-enabled_aether_app_svelte_node.conf:/etc/nginx/templates/site-enabled_aether_app_svelte_node.conf.template
-            - ./conf/nginx/site-enabled_aether_flask_gunicorn.conf:/etc/nginx/templates/site-enabled_aether_flask_gunicorn.conf.template
+            # - ./conf/nginx/site-enabled_aether_flask_gunicorn.conf:/etc/nginx/templates/site-enabled_aether_flask_gunicorn.conf.template
-
             - ./conf/certs/oneskyit_wild_fullchain.pem:/etc/certs/fullchain_wild.pem
             - ./conf/certs/oneskyit_wild_privkey.pem:/etc/certs/privkey_wild.pem
             - ./conf/certs/oneskyit.com_fullchain.pem:/etc/certs/fullchain.pem
             - ./conf/certs/oneskyit.com_privkey.pem:/etc/certs/privkey.pem
             - ./conf/certs/ssl-dhparams.pem:/etc/certs/ssl-dhparams.pem
-
             - ./logs/web:/logs
-        # volumes_from:
-        #     - nextcloud25
         depends_on:
-            # - php7
+            - ae_api
-            - aether_api_gunicorn
+            - ae_app
-            # - aether_api_v5_gunicorn
+            # - aether_app_gunicorn
-            - aether_app_gunicorn
+        logging:
-        # links:
+            driver: "json-file"
-        #     # - nextcloud25
+            options:
-        #     - php7
+                max-size: "10m"
-        #     - aether_api_gunicorn
+                max-file: "3"
-        #     - aether_app_gunicorn
-        #     # - aether_api_gunicorn_bak
-        # stdin_open: true # docker run -i
-        # tty: true        # docker run -t
-
-    # mailman2:
-    #     image: d3fk/mailman2
-    #     container_name: ae_mailman2
-    #     # hostname: mails.oneskyit.com
-    #     hostname: mail.localhost
-    #     restart: unless-stopped
-    #     ports:
-    #         - "8889:80"
-    #         # - "8443:443"
-    #         - "2525:25"
-    #         - "25465:465"
-    #         - "25587:587"
-    #     # env_file:
-    #     #     - ./conf/mailman2.env
-    #     environment:
-    #         - EMAIL_HOST=mail.oneskyit.com
-    #         # - URL_HOST=lists.localhost
-    #         - URL_HOST=mailman2-oneskyit.localhost
-    #         - LIST_ADMIN=admin@oneskyit.com
-    #         - MASTER_PASSWORD=strong_pass_321
-    #         - URL_PATTERN=http
-    #         # - SSL_FROM_CONTAINER="true"
-    #         # - SSL_SELFSIGNED="true"
-    #         # - ENABLE_SPF_CHECK="true"
-    #         - URL_ROOT=lists/
-    #     extra_hosts:
-    #         - "mail.oneskyit.com:127.0.0.1"
-    #         # - "oneskyit.com:the linode ip"
-    #     volumes:
-    #         - ./srv/mailman2/archives:/var/lib/mailman/archives
-    #         - ./srv/mailman2/lists:/var/lib/mailman/lists
-    #         - ./srv/mailman2/keys:/etc/exim4/tls.d
-    #         - ./logs/mailman2/apache2:/var/log/apache2
-    #         - ./logs/mailman2/exim4:/var/log/exim4
-    #         - ./logs/mailman2/mailman:/var/log/mailman
-    #         # - ./logs/mailman2/mailman_error.log:/var/lib/mailman/logs/error
-    #
-    #         # - ./customcert.pem:/etc/ssl/certs/ssl-cert-snakeoil.pem
-    #         # - ./customcertkey.key:/etc/ssl/private/ssl-cert-snakeoil.key
-
-    # php7:
-    #     restart: always
-    #     container_name: ${CONTAINER_PHP7}
-    #     # image: php:fpm
-    #     build:
-    #         context: ./
-    #         dockerfile: php7.Dockerfile
-    #     volumes:
-    #         - ./srv/html_php:/srv/html_php
-    #         - ./srv/oneskyit_site:/srv/oneskyit_site
-    #         # - ./srv/nextcloud:/srv/nextcloud
-
-    #         - ./conf/php/custom_php7.ini:/usr/local/etc/php/conf.d/custom_php7.ini
-
-    #         - ./logs/php7:/logs
-    #     # ports:
-    #     #     - "9007:9000"
-    #     # networks:
-    #     #   - local-net
-
-    # phpmyadmin:
-    #     image: phpmyadmin
-    #     container_name: ae_phpmyadmin
-    #     restart: unless-stopped
-    #     depends_on:
-    #         - mariadb
-    #     ports:
-    #         - 8888:80
-    #     env_file:
-    #        - ./.env
-    #     environment:
-    #         - PMA_ARBITRARY=1
-    #         - UPLOAD_LIMIT=1G
-
-    # mariadb:
-    #     container_name: ae_mariadb_dev
-    #     # image: mariadb/server:latest
-    #     image: mariadb:10.9
-    #     # image: mariadb:10.6
-    #     restart: unless-stopped
-    #     # env_file:
-    #     #     - ./.env
-    #     #     - filename.env
-    #     # ports:
-    #     #     - "3307:3306"
-    #     volumes:
-    #         - ./srv/mariadb:/var/lib/mysql
-    #         # - ./conf/mariadb/password_reset.sql:/docker-entrypoint-initdb.d/init.sql:ro
-    #         # - ./conf/mariadb/password_reset.sql:/password_reset.sql:z
-    #         # - ./srv/mariadb_ln:/var/lib/mysql
-    #         # - ./conf/mariadb/my.cnf:/etc/my.cnf
-    #     environment:
-    #         - MARIADB_ROOT_PASSWORD=$$1sky.Adapting.7e2
-    #         # - MARIADB_ROOT_PASSWORD=CentauriStar123
-    #         # - MARIADB_DATABASE: 'my_env_db'
-    #         # - MYSQL_ROOT_PASSWORD=$$1sky.Adapting.7e2
-    #         # - MYSQL_ROOT_PASSWORD=CentauriStar123
-    #         # - MYSQL_PASSWORD=MyPassword
-    #         # - MYSQL_DATABASE=nextcloud
-    #         # - MYSQL_USER=nextcloud
-
-    # nextcloud25:
-    #     container_name: ae_nextcloud25_dev
-    #     build:
-    #         # context: ./builds
-    #         context: ./
-    #         dockerfile: nextcloud25_fpm.Dockerfile
-    #     # image: nextcloud:fpm
-    #     restart: unless-stopped
-    #     links:
-    #         - mariadb
-    #     depends_on:
-    #         - mariadb
-    #     volumes:
-    #         - ./srv/nextcloud/app:/var/www/html
-    #         - ./srv/nextcloud/apps:/var/www/html/apps
-    #         - ./srv/nextcloud/custom_apps:/var/www/html/custom_apps
-    #         - ./srv/nextcloud/config:/var/www/html/config
-    #         - ./srv/nextcloud/data:/var/www/html/data
-    #         - ./srv/nextcloud/themes:/var/www/html/themes
-    #     environment:
-    #         - MYSQL_PASSWORD=MyPassword.1248
-    #         - MYSQL_DATABASE=nextcloud
-    #         - MYSQL_USER=nextcloud
-    #         - MYSQL_HOST=mariadb
-    #         - NEXTCLOUD_TRUSTED_DOMAINS=oneskyit.com
 
     redis:
         restart: always
         container_name: ${CONTAINER_REDIS}
         image: redis
-        # ports:
+        command: redis-server --save "" --loglevel warning
-        #     # host to image
+        logging:
-        #     # default port is 6379
+            driver: "json-file"
-        #     - "${AE_REDIS_PORT}:6379"
+            options:
+                max-size: "10m"
+                max-file: "3"
 
-    aether_api_gunicorn:
+    mariadb:
+        restart: always
+        image: mariadb:10.11
+        container_name: ae_mariadb_dev
+        profiles: ["database"]
+        command: [
+            "mysqld",
+            "--max-connections=${MARIADB_MAX_CONNECTIONS}",
+            "--innodb-buffer-pool-size=${MARIADB_INNODB_BUFFER_POOL_SIZE}",
+            "--query-cache-size=${MARIADB_QUERY_CACHE_SIZE}",
+            "--tmp-table-size=${MARIADB_TMP_TABLE_SIZE}",
+            "--max-heap-table-size=${MARIADB_TMP_TABLE_SIZE}",
+            "--table-open-cache=${MARIADB_TABLE_OPEN_CACHE}"
+        ]
+        environment:
+            MYSQL_ROOT_PASSWORD: ${AE_DB_PASSWORD}
+            MYSQL_DATABASE: ${AE_DB_NAME}
+            MYSQL_USER: ${AE_DB_USERNAME}
+            MYSQL_PASSWORD: ${AE_DB_PASSWORD}
+        ports:
+            - "${AE_DB_EXTERNAL_PORT}:3306"
+        volumes:
+            - ./srv/mariadb:/var/lib/mysql
+            - ./conf/mariadb/server.cnf:/etc/mysql/conf.d/server.cnf
+        logging:
+            driver: "json-file"
+            options:
+                max-size: "10m"
+                max-file: "3"
+
+    phpmyadmin:
+        restart: always
+        image: phpmyadmin/phpmyadmin
+        container_name: ae_pma_dev
+        profiles: ["database"]
+        environment:
+            PMA_HOST: mariadb
+            UPLOAD_LIMIT: 64M
+        ports:
+            - "${AE_PMA_PORT}:80"
+        depends_on:
+            - mariadb
+        logging:
+            driver: "json-file"
+            options:
+                max-size: "10m"
+                max-file: "3"
+
+    ae_api:
         restart: always
-        container_name: ${CONTAINER_AE_API}
         build:
-            # context: ./builds
+            context: ${AE_API_SRC}
-            context: ./
+            dockerfile: Dockerfile
-            dockerfile: aether_fastapi_gunicorn.Dockerfile
+        scale: ${AE_API_REPLICAS}
         env_file:
             - ./.env
-        ports:
-            - "${AE_API_GUNICORN_PORT}:5005"
         extra_hosts:
-            - "${DOCKER_AE_SERVER_EXTRA_HOST}"
+            dev.oneskyit.com: "192.168.32.7"
-        # expose:
+            dev-app.oneskyit.com: "192.168.32.7"
-        #   - 5005
+            dev-api.oneskyit.com: "192.168.32.7"
-        # networks:
+            test-api.oneskyit.com: "104.237.143.4"
-        #   - local-net
+            vpn-db.oneskyit.com: "192.168.64.5"
+            linode.oneskyit.com: "104.237.143.4"
         volumes:
             - ./conf/aether_fastapi_gunicorn_conf.py:/conf/gunicorn_fastapi_conf.py
-            - ./conf/aether_fastapi_requirements_current.txt:/requirements_current.txt
-            - ./conf/aether_api_config.py:/srv/aether_api/app/config.py
-
             - ./logs/ae_api:/logs
-            # - ./logs/ae_api/aether_fastapi_gunicorn.log:/logs/gunicorn.log
+            - ${AE_API_SRC}:/srv/aether_api
-            # - ./logs/aether_fastapi_gunicorn_access.log:/logs/gunicorn_access.log
+            - ${HOSTED_FILES_SRC}:/srv/hosted_files
-            # - ./logs/aether_fastapi_gunicorn_error.log:/logs/gunicorn_error.log
+            - ${HOSTED_TMP_SRC}:/srv/hosted_tmp
-            # - ./logs/aether_api.log:/logs/aether_api.log
-            # - ./logs/ae_api/aether_api.log.1:/logs/aether_api.log.1
-            # - ./logs/ae_api/aether_api.log.2:/logs/aether_api.log.2
-            # - ./logs/ae_api/aether_api.log.3:/logs/aether_api.log.3
-            # - ./logs/ae_api/aether_api.log.4:/logs/aether_api.log.4
-            # - ./logs/ae_api/aether_api.log.5:/logs/aether_api.log.5
-            # - ./logs/ae_api/aether_api_warning.log:/logs/aether_api_warning.log
-
-            - ./srv/aether_api_ln:/srv/aether_api
-            - ./srv/hosted_files_ln:/srv/hosted_files
-            - ./srv/hosted_tmp_ln:/srv/hosted_tmp
-
-            # - ./tmp/ae_api:/tmp
-
             - ./temp/ae_api:/temp
-            # - ./temp/ae_api/aether_fastapi_requirements_current.txt:/temp/requirements_current.txt
-        # links:
-        #     - redis
         depends_on:
             - redis
-        stdin_open: true # docker run -i
+        stdin_open: true
-        tty: true        # docker run -t
+        tty: true
+        logging:
+            driver: "json-file"
+            options:
+                max-size: "10m"
+                max-file: "3"
 
-#     aether_api_v5_gunicorn:
+    ae_app:
-#         restart: always
-#         container_name: ae_api_v5_dev
-#         build:
-#             # context: ./builds
-#             context: ./
-#             dockerfile: aether_api_v5_fastapi_gunicorn.Dockerfile
-#         env_file:
-#             - ./.env
-#         ports:
-#             - "5067:5005"
-#         volumes:
-#             - ./conf/aether_api_v5_fastapi_gunicorn_conf.py:/conf/gunicorn_fastapi_conf.py
-#             - ./conf/aether_api_v5_fastapi_requirements_current.txt:/conf/requirements_current.txt
-#             - ./conf/aether_api_v5_fastapi_config.py:/srv/aether_api/app/config.py
-#
-#             - ./logs/ae_api_v5:/logs
-#
-#             - ./srv/aether_api_v5_ln:/srv/aether_api
-#             - ./srv/hosted_files_ln:/srv/hosted_files
-#             - ./srv/hosted_tmp_ln:/srv/hosted_tmp
-#
-#             # - ./tmp/ae_api:/tmp
-#
-#             - ./temp/ae_api:/temp
-#             # - ./temp/ae_api/aether_fastapi_requirements_current.txt:/temp/requirements_current.txt
-#         # links:
-#         #     - redis
-#         depends_on:
-#             - redis
-#         stdin_open: true # docker run -i
-#         tty: true        # docker run -t
-
-    aether_app_gunicorn:
         restart: always
-        container_name: ${CONTAINER_AE_APP}
         build:
-            # context: ./builds
+            context: ${AE_APP_SRC}
-            context: ./
+            dockerfile: Dockerfile
-            dockerfile: aether_flask_gunicorn.Dockerfile
+            target: deploy-node
-        # image: tiangolo/uvicorn-gunicorn:latest
+            args:
+                BUILD_MODE: ${AE_APP_BUILD_MODE:-staging}
+        scale: ${AE_APP_REPLICAS:-1}
         env_file:
             - ./.env
-        ports:
+        # No host ports — ae_web_dev proxies to ae_app:3000 via Docker DNS,
-            - "${AE_APP_GUNICORN_PORT}:5005"
+        # round-robining across all replicas. Scale freely with AE_APP_REPLICAS.
-        # expose:
-        #   - 5005
-        # networks:
-        #   - local-net
         extra_hosts:
-             - "${DOCKER_AE_SERVER_EXTRA_HOST}"
+            srv-nyx.oneskyit.com: "104.237.143.4"
-             - "${DOCKER_AE_API_SERVER_EXTRA_HOST}"
+            dev-app.oneskyit.com: "104.237.143.4"
-             - "${DOCKER_AE_API_BAK_SERVER_EXTRA_HOST}"
+            api.oneskyit.com: "104.237.143.4"
-             - "${DOCKER_AE_API_V5_SERVER_EXTRA_HOST}"
+            bak-api.oneskyit.com: "104.237.143.4"
-             # - dev-api.oneskyit.com:192.168.32.20
+            test-api.oneskyit.com: "104.237.143.4"
-        volumes:
+            dev-api.oneskyit.com: "192.168.32.7"
-            - ./conf/aether_flask_gunicorn_conf.py:/conf/gunicorn_flask_conf.py
+            home.oneskyit.com: "71.126.159.102"
-            - ./conf/aether_flask_requirements_current.txt:/requirements_current.txt
+            static.oneskyit.com: "104.237.143.4"
-            - ./conf/aether_app_config.py:/srv/aether_app/flask_config_v2.py
+            dev.oneskyit.com: "192.168.32.7"
-            - ./logs/ae_app:/logs
+        # volumes:
-            # - ./logs/aether_flask_gunicorn_access.log:/logs/gunicorn_access.log
+        #    # In production, the build happens INSIDE the container.
-            # - ./logs/aether_flask_gunicorn_error.log:/logs/gunicorn_error.log
+        #    # Mounting the host source here would override the internal build.
-            # - ./logs/aether_app.log:/logs/aether_app.log
+        #    # - ${AE_APP_SRC}:/app
-            # - ./logs/aether_app_warning.log:/logs/aether_app_warning.log
-            - ./srv/aether_app_ln:/srv/aether_app
-            - ./srv/hosted_files_ln:/srv/hosted_files
-            - ./srv/hosted_tmp_ln:/srv/hosted_tmp
-
-            - ./tmp/ae_app:/tmp
         depends_on:
-            - aether_api_gunicorn
+            - ae_api
-        stdin_open: true # docker run -i
+            - redis
-        tty: true        # docker run -t
 
-# networks:
+        logging:
-#   local-net:
+            driver: "json-file"
-#     driver: bridge
+            options:
+                max-size: "10m"
+                max-file: "3"
 
-# volumes:
+    # *Legacy* Aether Flask Application served with Gunicorn
-#   ./tmp/ae_app:
+    # *NOTE:* This legacy frontend using Flask is being replaced by the new one using SvelteKit.
-#     external: true
+    # aether_app_gunicorn:
+    #     # ... (same as before) ...
+    #     restart: always
+    #     container_name: ${CONTAINER_AE_APP}
+    #     build:
+    #         context: ./
+    #         dockerfile: aether_flask_gunicorn.Dockerfile
+    #     env_file:
+    #         - ./.env
+    #     ports:
+    #         - "${AE_APP_GUNICORN_PORT}:5005"
+    #     extra_hosts:
+    #          - "${DOCKER_AE_SERVER_EXTRA_HOST}"
+    #          - "${DOCKER_AE_API_SERVER_EXTRA_HOST}"
+    #          - "${DOCKER_AE_API_BAK_SERVER_EXTRA_HOST}"
+    #     volumes:
+    #         - ./conf/aether_flask_gunicorn_conf.py:/conf/gunicorn_flask_conf.py
+    #         - ./conf/aether_flask_requirements_current.txt:/requirements_current.txt
+    #         - ./conf/aether_app_config.py:/srv/aether_app/flask_config_v2.py
+    #         - ./logs/ae_app:/logs
+    #         - ${AE_APP_SRC}:/srv/aether_app
+    #         - ${HOSTED_FILES_SRC}:/srv/hosted_files
+    #         - ${HOSTED_TMP_SRC}:/srv/hosted_tmp
+    #         - ./tmp/ae_app:/tmp
+    #     depends_on:
+    #         - ae_api
+    #     stdin_open: true
+    #     tty: true
+    #     logging:
+    #         driver: "json-file"
+    #         options:
+    #             max-size: "10m"
+    #             max-file: "3"
+
+    dozzle:
+        container_name: ae_dozzle_dev
+        image: amir20/dozzle:latest
+        volumes:
+            - /var/run/docker.sock:/var/run/docker.sock
+        ports:
+            - "8881:8080"
+        restart: unless-stopped
+        logging:
+            driver: "json-file"
+            options:
+                max-size: "10m"
+                max-file: "3"
+
+    ae_ops:
+        # ... (same as before) ...
+        container_name: ae_ops_dev
+        image: alpine:latest
+        restart: always
+        profiles: ["database"]
+        env_file:
+            - ./.env
+        volumes:
+            - /var/run/docker.sock:/var/run/docker.sock
+            - ./backups:/backups
+            - ./scripts:/scripts
+            - ./logs:/logs
+            - ./conf/crontab:/etc/crontabs/root
+        command: sh -c "apk add --no-cache docker-cli bash && crond -f -l 2"
+        depends_on:
+            - mariadb
+        logging:
+            driver: "json-file"
+            options:
+                max-size: "10m"
+                max-file: "3"
+
+networks:
+  default:
+    name: ae_dev_net

documentation/TODO__Agents.md

@@ -0,0 +1,52 @@
+# Aether Platform - Strategic TODO (Agents & Operations)
+
+This document tracks high-impact architectural improvements to the Aether Docker Environment and its connected services. These tasks focus on stability, security, and developer experience (DX).
+
+---
+
+## 🛠️ Infrastructure & Orchestration
+
+### **1. Container Healthchecks (Self-Healing)**
+- [x] **FastAPI Healthcheck:** Added a `/health` endpoint to `aether_api_fastapi` that verifies DB and Redis connectivity.
+- [ ] **Docker Integration:** Update `docker-compose.yml` to use `healthcheck` for `ae_api` and `ae_app`. (Manual testing complete, next step is automation).
+- [ ] **Dependency Ordering:** Use `condition: service_healthy` in `depends_on` blocks to ensure services start in the correct order.
+
+### **2. Environment Abstraction & Safety**
+- [ ] **IP Abstraction:** Move the hardcoded workstation IP (`192.168.32.7`) to an `.env` variable (e.g., `AE_HOST_IP`) and reference it in `extra_hosts`.
+- [ ] **Env Validation:** Create a `scripts/validate_env.sh` to compare `.env` against `env.default` and catch missing keys or malformed values.
+- [ ] **Secret Scanning:** Implement a pre-commit hook or script to ensure no sensitive credentials (from `.env` or backups) are accidentally staged.
+
+### **3. Operational Tooling (The "Easy Button")**
+- [ ] **Master Makefile:** Create a `Makefile` in the orchestration root for common commands:
+    - `make up` / `make down`
+    - `make build-ui` / `make build-api`
+    - `make db-backup` / `make db-restore`
+    - `make logs`
+- [ ] **Unified Logs:** Enhance `ae_ops` to provide a consolidated view of critical system errors across all containers.
+
+---
+
+## 🐍 Backend (FastAPI) Modernization
+
+### **4. Configuration via Pydantic Settings**
+- [x] **Refactor `app/config.py`:** Switched from the mounted file pattern to `pydantic-settings`.
+- [x] **Environment Injection:** API now inherits all settings directly from Docker environment variables.
+- [ ] **V2 Migration:** (Long Term) Prepare for the upgrade to Pydantic V2 and SQLAlchemy 2.0.
+
+### **5. Dependency Management**
+- [x] **Lockfiles:** Created `requirements.lock` to ensure bit-identical builds across environments.
+- [x] **Pruning:** Conducted a final audit of the FastAPI base image and removed 6 redundant Python dependencies.
+
+---
+
+## 🌐 Frontend (SvelteKit) Enhancements
+
+### **6. Build & Runtime Optimization**
+- [ ] **Image Size:** Optimize the multi-stage Dockerfile to further reduce the final runtime image size.
+- [ ] **Cache Warming:** Implement a mechanism to warm the SvelteKit / Dexie cache on first load for better UX.
+
+---
+
+## 📝 Governance
+- This list is managed by **Scott Idem** and **Aether Agents**.
+- Tasks should be moved to the [Kanban Board] (via `ae_task_add`) when active work begins.

env.default

@@ -0,0 +1,179 @@
+# ------------------------------------------------------------------------------
+# AETHER FRAMEWORK - DOCKER ENVIRONMENT CONFIGURATION (TEMPLATE)
+# ------------------------------------------------------------------------------
+# Instructions: Copy this to .env and update the paths and credentials.
+# This file serves as the master reference for all available environment variables.
+# ------------------------------------------------------------------------------
+
+# ------------------------------------------------------------------------------
+# SYSTEM SETTINGS
+# ------------------------------------------------------------------------------
+# System timezone for all containers
+TZ=US/Eastern
+
+# Environment mode (development, testing, production)
+OSIT_ENV=development
+
+# Logging level for the API and background workers (debug, info, warning, error)
+AE_LOG_LVL=warning
+
+# Docker Compose Profiles
+# 'database' includes: mariadb, phpmyadmin, ae_ops
+# Comment out or leave empty for "app-only" nodes that connect to a remote DB
+COMPOSE_PROFILES=database
+
+# ------------------------------------------------------------------------------
+# CONTAINER NAMES
+# ------------------------------------------------------------------------------
+# Internal Docker container names (should be unique per environment)
+CONTAINER_WEB=ae_web_default
+CONTAINER_AE_API=ae_api_default
+CONTAINER_AE_APP=ae_app_default
+CONTAINER_REDIS=ae_redis_default
+CONTAINER_MARIADB=ae_mariadb_default
+CONTAINER_PMA=ae_pma_default
+
+# ------------------------------------------------------------------------------
+# NETWORK & PROXY SETTINGS
+# ------------------------------------------------------------------------------
+# Local Nginx listener ports on the host system
+OSIT_WEB_HTTP_PORT=8080
+OSIT_WEB_HTTPS_PORT=4443
+
+# Maximum allowed file upload size (Global for Nginx)
+OSIT_WEB_MAX_BODY_SIZE=5120M
+
+# Gateway Port for External Reverse Proxy
+# Used when a master proxy (e.g. Home Server) forwards traffic to this node
+AE_API_GATEWAY_PORT=5060
+
+# DNS Overrides (Injected into containers' /etc/hosts)
+# Format: DOMAIN:IP_ADDRESS
+# Useful for container-to-container routing when using real domain names
+DOCKER_AE_SERVER_EXTRA_HOST=example.oneskyit.com:127.0.0.1
+DOCKER_AE_APP_SERVER_EXTRA_HOST=example-app.oneskyit.com:127.0.0.1
+DOCKER_AE_API_SERVER_EXTRA_HOST=example-api.oneskyit.com:127.0.0.1
+DOCKER_AE_API_BAK_SERVER_EXTRA_HOST=example-bak-api.oneskyit.com:127.0.0.1
+DOCKER_AE_DB_SERVER_EXTRA_HOST=db.oneskyit.com:127.0.0.1
+
+# Nginx Server Names (Used in vhost configuration templates)
+DOCKER_AE_API_SERVER_NAME=example-api.oneskyit.com
+DOCKER_AE_APP_SERVER_NAME=example-app.oneskyit.com
+DOCKER_PHPMYADMIN_SERVER_NAME=example-phpmyadmin.oneskyit.com
+DOCKER_OSIT_SERVER_NAME=example-docker.oneskyit.com
+
+# ------------------------------------------------------------------------------
+# DATABASE SETTINGS (MariaDB)
+# ------------------------------------------------------------------------------
+# To use an EXTERNAL database:
+# 1. Set COMPOSE_PROFILES= (empty) above to disable local DB containers.
+# 2. Set AE_DB_SERVER to the external IP or Hostname.
+# 3. Ensure the external DB allows connections from this host's IP.
+
+# DB Hostname (use 'mariadb' for the local container, or a remote IP/FQDN)
+AE_DB_SERVER=mariadb
+AE_DB_PORT=3306
+
+# Port to expose on the host system if running a local MariaDB container
+AE_DB_EXTERNAL_PORT=3306
+
+# Database credentials
+AE_DB_NAME=aether_dev
+AE_DB_USERNAME=osit_aether
+AE_DB_PASSWORD="your-secure-password-here"
+AE_DB_ROOT_PASSWORD="your-mariadb-root-password-here"
+
+# Connection Tuning
+AE_DB_CONNECTION_TIMEOUT=15
+AE_DB_POOL_RECYCLE=1800
+
+# ------------------------------------------------------------------------------
+# REDIS SETTINGS
+# ------------------------------------------------------------------------------
+# Redis is used for caching, ID resolution, and messaging
+AE_REDIS_SERVER=redis
+AE_REDIS_PORT=6379
+
+# ------------------------------------------------------------------------------
+# API SETTINGS (FastAPI)
+# ------------------------------------------------------------------------------
+AE_API_ENV=development
+
+# Number of API container instances to run (Docker Compose Scaling)
+AE_API_REPLICAS=2
+
+# Gunicorn / Uvicorn Tuning
+AE_API_GUNICORN_PORT=5065
+AE_API_GUNICORN_TIMEOUT=2100
+AE_API_GUNICORN_WORKERS=2
+AE_API_GUNICORN_THREADS=2
+
+# Security & CORS
+# JWT_KEY should be a 22+ character secret string
+AE_API_JWT_KEY="your-22-char-secret-key"
+
+# Regex for allowed CORS origins
+AE_API_ORIGINS_REGEX="(https://.*\.oneskyit\.com)|(https://.*\.oneskyit\.com:4443)"
+
+# ------------------------------------------------------------------------------
+# APP SETTINGS (SvelteKit)
+# ------------------------------------------------------------------------------
+AE_APP_ENV=development
+AE_APP_BUILD_MODE=staging
+AE_APP_REPLICAS=1
+AE_APP_NODE_PORT=3001
+
+# ------------------------------------------------------------------------------
+# SMTP SETTINGS (Email)
+# ------------------------------------------------------------------------------
+# Core SMTP configuration for system notifications and user emails
+AE_SMTP_SERVER=smtp.example.com
+AE_SMTP_PORT=465
+AE_SMTP_USERNAME=send_mail
+AE_SMTP_PASSWORD="your-smtp-password-here"
+
+# ------------------------------------------------------------------------------
+# LEGACY APP SETTINGS (Flask)
+# ------------------------------------------------------------------------------
+AE_FLASK_APP_ENV=development
+AE_FLASK_APP_GUNICORN_PORT=5055
+AE_FLASK_APP_CACHE_SECRET_KEY="your-secret-key"
+AE_FLASK_APP_SESSION_LIFETIME=86400
+AE_FLASK_APP_CACHE_TIMEOUT=5
+
+# ------------------------------------------------------------------------------
+# SOURCE PATHS (Absolute paths on Host Machine)
+# ------------------------------------------------------------------------------
+# IMPORTANT: These paths must exist on the machine running Docker
+# They are mounted into containers as volumes for real-time development
+
+# Project Source Code
+AE_API_SRC=/path/to/aether_api_fastapi
+AE_APP_SRC=/path/to/aether_app_sveltekit
+AE_FLASK_APP_SRC=/path/to/aether_app_flask
+
+# Physical File Storage (Images, Documents, etc.)
+# NOTE: Shared between environments to ensure binary availability
+HOSTED_FILES_SRC=/path/to/hosted_files
+HOSTED_TMP_SRC=/path/to/hosted_tmp
+
+# ------------------------------------------------------------------------------
+# SERVICE TUNING & PERFORMANCE
+# ------------------------------------------------------------------------------
+# phpMyAdmin Host Port
+AE_PMA_PORT=8081
+
+# MariaDB Performance (Injected via Docker Compose command flags)
+MARIADB_MAX_CONNECTIONS=500
+MARIADB_INNODB_BUFFER_POOL_SIZE=512M
+MARIADB_QUERY_CACHE_SIZE=32M
+MARIADB_TMP_TABLE_SIZE=384M
+MARIADB_TABLE_OPEN_CACHE=4000
+
+# ------------------------------------------------------------------------------
+# AETHER SHARED CONFIG (DB Driven)
+# ------------------------------------------------------------------------------
+# Specifies which record from the 'cfg' table to use for shared settings
+# (SMTP, API routes, and external service keys)
+# common options: 1=Default, 5=Home Dev, 7=Live Test
+AE_CFG_ID=1

export_db.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# Aether Conference Export Script
+# Manually triggers a hot backup for off-site use.
+
+set -e
+
+PROJECT_ROOT="/home/scott/OSIT_dev/aether_container_env"
+EXPORT_DIR="${PROJECT_ROOT}/backups/conference_export"
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+EXPORT_FILE="conference_backup_${TIMESTAMP}.gz"
+
+mkdir -p "$EXPORT_DIR"
+
+echo "--- Starting Conference Database Export ---"
+
+# Trigger the internal backup script inside the ops container
+# This will create an 'auto_backup_...' file in the backups folder
+docker exec ae_ops_dev bash /scripts/backup_internal.sh
+
+# Find the most recent backup file created in the backups folder
+LATEST_BACKUP=$(ls -t "${PROJECT_ROOT}/backups"/auto_backup_*.gz | head -n 1)
+
+if [ -n "$LATEST_BACKUP" ]; then
+    echo ">>> Moving latest backup to export directory: ${EXPORT_FILE}"
+    mv "$LATEST_BACKUP" "${EXPORT_DIR}/${EXPORT_FILE}"
+    
+    # Ensure final ownership is correct
+    chown 1000:1000 "${EXPORT_DIR}/${EXPORT_FILE}"
+    
+    echo "--- Export Complete! ---"
+    echo "File location: ${EXPORT_DIR}/${EXPORT_FILE}"
+else
+    echo "ERROR: Failed to find the generated backup file."
+    exit 1
+fi

html_php/index.html

@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Aether Workstation Dashboard</title>
+    <style>
+        body { font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif; background: #1a1a1a; color: #e0e0e0; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; }
+        .container { background: #2d2d2d; padding: 2rem; border-radius: 12px; box-shadow: 0 10px 30px rgba(0,0,0,0.5); width: 400px; }
+        h1 { color: #4CAF50; margin-top: 0; font-size: 1.5rem; border-bottom: 1px solid #444; padding-bottom: 1rem; }
+        .links { display: grid; gap: 1rem; margin-top: 1.5rem; }
+        a { background: #3d3d3d; color: #fff; text-decoration: none; padding: 1rem; border-radius: 8px; transition: transform 0.1s, background 0.2s; display: flex; align-items: center; justify-content: space-between; }
+        a:hover { background: #4d4d4d; transform: translateY(-2px); }
+        .port { font-family: monospace; color: #888; font-size: 0.9rem; }
+        .status { font-size: 0.8rem; color: #4CAF50; margin-top: 2rem; text-align: center; border-top: 1px solid #444; padding-top: 1rem; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <h1>Aether Dev Environment</h1>
+        <div class="links">
+            <a href="http://localhost:8881" target="_blank">
+                <span>Dozzle (Live Logs)</span>
+                <span class="port">:8881</span>
+            </a>
+            <a href="http://localhost:8081" target="_blank">
+                <span>phpMyAdmin (Database)</span>
+                <span class="port">:8081</span>
+            </a>
+            <a href="https://dev-api.oneskyit.com/docs" target="_blank">
+                <span>API Docs (Swagger)</span>
+                <span class="port">/docs</span>
+            </a>
+            <a href="https://dev-app.oneskyit.com" target="_blank">
+                <span>Aether App (Flask)</span>
+                <span class="port">:443</span>
+            </a>
+        </div>
+        <div class="status">
+            Workstation Mode • Arch Linux
+        </div>
+    </div>
+</body>
+</html>

html_php/index.php

@@ -0,0 +1,18 @@
+<html>
+<head>
+<title>Aether Docker Compose</title>
+<meta content="">
+<style></style>
+</head>
+<body>
+
+<h1>Running with Docker Compose</h1>
+
+<hr>
+
+<?php
+echo phpinfo();
+?>
+
+</body>
+</html>

php5.Dockerfile

@@ -1,3 +0,0 @@
-# FROM php:5.6.20
-FROM php:5-fpm
-RUN docker-php-ext-install mysqli

php7.Dockerfile

@@ -1,2 +0,0 @@
-FROM php:7-fpm
-RUN docker-php-ext-install mysqli

restore_db.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+# Aether MariaDB Restore Script (Physical Backup)
+set -e
+
+PROJECT_ROOT="/home/scott/OSIT_dev/aether_container_env"
+DEFAULT_BACKUP="${PROJECT_ROOT}/backups/mariadbbackup_1555.gz"
+BACKUP_FILE="${1:-$DEFAULT_BACKUP}"
+
+MARIADB_DATA="${PROJECT_ROOT}/srv/mariadb"
+RESTORE_TEMP="${PROJECT_ROOT}/srv/restore_temp"
+TIMESTAMP=$(date +%Y%m%d_%H%M%S)
+
+# Load env for password
+source "${PROJECT_ROOT}/.env"
+
+if [ ! -f "$BACKUP_FILE" ]; then
+    echo "ERROR: Backup file not found: $BACKUP_FILE"
+    exit 1
+fi
+
+# Convert to absolute path for Docker volume mounting
+BACKUP_FILE_ABS=$(readlink -f "$BACKUP_FILE")
+
+echo "--- Starting Aether Database Restore ---"
+
+# 1. Stop MariaDB
+echo ">>> Stopping MariaDB..."
+cd "${PROJECT_ROOT}" && docker compose stop mariadb
+
+# 2. Archive current data
+if [ -d "$MARIADB_DATA" ] && [ "$(ls -A $MARIADB_DATA)" ]; then
+    echo ">>> Archiving current data..."
+    BACKUP_DIR="${PROJECT_ROOT}/srv/mariadb_bak_${TIMESTAMP}"
+    mv "${MARIADB_DATA}" "${BACKUP_DIR}"
+    # Fix ownership of archived data so host user can manage it
+    docker run --rm -v "${BACKUP_DIR}":/bak alpine chown -R 1000:1000 /bak
+fi
+mkdir -p "${MARIADB_DATA}" "${RESTORE_TEMP}"
+
+# 3. Extract and Prepare
+echo ">>> Running extraction and preparation..."
+docker run --rm --user 0 \
+    -v "${BACKUP_FILE_ABS}":/backups/import.gz \
+    -v "${RESTORE_TEMP}":/restore \
+    -v "${PROJECT_ROOT}/scripts/restore_internal.sh":/restore.sh \
+    mariadb:10.11 bash -c "export BACKUP_FILE=/backups/import.gz && bash /restore.sh"
+
+# 4. Move prepared data (Using container to avoid permission issues)
+echo ">>> Moving prepared data..."
+docker run --rm --user 0 \
+    -v "${RESTORE_TEMP}":/src \
+    -v "${MARIADB_DATA}":/dst \
+    alpine sh -c "mv /src/* /dst/ 2>/dev/null || true; mv /src/.* /dst/ 2>/dev/null || true"
+rmdir "${RESTORE_TEMP}"
+
+# 5. Fix Permissions
+echo ">>> Fixing ownership (999:999)..."
+docker run --rm -v "${MARIADB_DATA}":/var/lib/mysql alpine chown -R 999:999 /var/lib/mysql
+
+# 6. Start MariaDB in Maintenance Mode to reset password
+echo ">>> Resetting passwords to match local .env..."
+docker run -d --name ae_mariadb_maint -v "${MARIADB_DATA}":/var/lib/mysql mariadb:10.11 --skip-grant-tables
+sleep 5
+# Maintenance SQL: Sets root password AND ensures app user exists with correct password/grants
+MAINT_SQL="FLUSH PRIVILEGES; 
+ALTER USER 'root'@'localhost' IDENTIFIED BY '${AE_DB_ROOT_PASSWORD}'; 
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '${AE_DB_ROOT_PASSWORD}' WITH GRANT OPTION;
+CREATE USER IF NOT EXISTS '${AE_DB_USERNAME}'@'%' IDENTIFIED BY '${AE_DB_PASSWORD}';
+ALTER USER '${AE_DB_USERNAME}'@'%' IDENTIFIED BY '${AE_DB_PASSWORD}';
+GRANT ALL PRIVILEGES ON \`${AE_DB_NAME}\`.* TO '${AE_DB_USERNAME}'@'%';
+FLUSH PRIVILEGES;"
+
+docker exec ae_mariadb_maint mariadb -e "$MAINT_SQL"
+docker stop ae_mariadb_maint && docker rm ae_mariadb_maint
+
+# 7. Start MariaDB Normally
+echo ">>> Starting MariaDB container normally..."
+docker compose start mariadb
+
+echo "--- Restore and Password Reset Complete! ---"
+
+# 8. Cleanup Safety Snapshot (Only on success)
+if [ -n "$BACKUP_DIR" ] && [ -d "$BACKUP_DIR" ]; then
+    echo ">>> Removing safety snapshot (Restore successful)..."
+    rm -rf "$BACKUP_DIR"
+fi

scripts/backup_internal.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# Aether Internal Backup Script (Runs inside the Cron Container)
+set -e
+
+# These are paths INSIDE the cron container
+BACKUP_DIR="/backups"
+TIMESTAMP=$(date +%Y%m%d_%H%M)
+BACKUP_FILE="${BACKUP_DIR}/auto_backup_${TIMESTAMP}.gz"
+
+echo "[$(date)] Starting Scheduled Backup..."
+
+# We use the Docker CLI inside this container to talk to the MariaDB container
+# The password is taken from the environment variable passed to this service
+docker exec ${CONTAINER_MARIADB} mariabackup --user=root --password="${AE_DB_ROOT_PASSWORD}" \
+    --backup --stream=xbstream --open-files-limit=65535 | gzip > "${BACKUP_FILE}"
+
+echo "[$(date)] Backup Complete: ${BACKUP_FILE}"
+
+# Ensure host user can manage the backup files
+chown 1000:1000 "${BACKUP_FILE}"
+
+# Optional: Clean up backups older than 7 days
+find "${BACKUP_DIR}" -name "auto_backup_*.gz" -mtime +7 -delete

scripts/restore_internal.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+set -e
+
+# Configuration
+BACKUP_FILE="${BACKUP_FILE:-/backups/import.gz}"
+RESTORE_DIR="/restore"
+
+echo ">>> Phase 0: Wiping restore directory..."
+rm -rf "${RESTORE_DIR:?}"/*
+
+echo ">>> Phase 1: Extracting ${BACKUP_FILE} to ${RESTORE_DIR}..."
+gunzip -c "${BACKUP_FILE}" | mbstream -x -C "${RESTORE_DIR}"
+
+echo ">>> Phase 2: Metadata Check..."
+cd "${RESTORE_DIR}"
+if [ -f "mariadb_backup_checkpoints" ] && [ ! -f "xtrabackup_checkpoints" ]; then
+    echo ">>> Linking mariadb_backup_checkpoints to xtrabackup_checkpoints..."
+    ln -sf mariadb_backup_checkpoints xtrabackup_checkpoints
+fi
+if [ -f "mariadb_backup_info" ] && [ ! -f "xtrabackup_info" ]; then
+    echo ">>> Linking mariadb_backup_info to xtrabackup_info..."
+    ln -sf mariadb_backup_info xtrabackup_info
+fi
+
+echo ">>> Phase 3: Decompressing data..."
+mariabackup --decompress --target-dir="${RESTORE_DIR}" --open-files-limit=65535
+
+echo ">>> Phase 4: Preparing backup (Applying logs)..."
+mariabackup --prepare --target-dir="${RESTORE_DIR}" --open-files-limit=65535
+
+echo ">>> Restore preparation complete!"

srv/aether_api_v5_ln

@@ -1 +0,0 @@
-/home/scott/OSIT_dev/aether_api_v5_fastapi

srv/mariadb/.gitignore

@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except for this file
-!.gitignore

srv/nextcloud/.gitignore

@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except for this file
-!.gitignore