From 1469a565deb7d772b28f69d520e23bca1109c2ba Mon Sep 17 00:00:00 2001
From: Dries Peeters
Date: Wed, 7 Jan 2026 20:04:46 +0100
Subject: [PATCH] feat: improve Docker compose setup and HTTPS certificate generation

- Update docker-compose files with improved service configuration
- Add Dockerfile.certgen for automated certificate generation
- Enhance HTTPS auto-setup documentation
- Update Docker compose setup documentation
---
 docker-compose.https-auto.yml | 9 ++++++---
 docker-compose.remote.yml | 7 ++++---
 docker-compose.yml | 9 ++++++---
 docker/Dockerfile.certgen | 10 ++++++++++
 docs/admin/configuration/DOCKER_COMPOSE_SETUP.md | 1 +
 docs/admin/security/README_HTTPS_AUTO.md | 5 ++++-
 6 files changed, 31 insertions(+), 10 deletions(-)
 create mode 100644 docker/Dockerfile.certgen

diff --git a/docker-compose.https-auto.yml b/docker-compose.https-auto.yml
index 74bea322..9a398a91 100644
--- a/docker-compose.https-auto.yml
+++ b/docker-compose.https-auto.yml
@@ -1,12 +1,15 @@
 services:
 # Certificate generator - runs once to create certificates
 certgen:
- image: alpine:latest
+ build:
+ context: .
+ dockerfile: docker/Dockerfile.certgen
 container_name: timetracker-certgen
 volumes:
 - ./nginx/ssl:/certs
- - ./scripts:/scripts:ro
- command: sh /scripts/generate-certs.sh
+ environment:
+ - HOST_IP=${HOST_IP:-192.168.1.100}
+ command: /generate-certs.sh
 restart: "no"
 
 nginx:
diff --git a/docker-compose.remote.yml b/docker-compose.remote.yml
index 56614e29..633876d0 100644
--- a/docker-compose.remote.yml
+++ b/docker-compose.remote.yml
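Review bot: The added `HOST_IP=${HOST_IP:-192.168.1.100}` line silently falls back to a hard-coded private address when the variable is unset, so the generated certificate presumably carries a SAN for an IP that is not the host's, and operators only find out as a TLS name mismatch at connect time. Compose's required-variable form fails the deploy up front instead: `- HOST_IP=${HOST_IP:?HOST_IP is required}`. The same default is added in the docker-compose.yml hunk and already exists as a context line in docker-compose.remote.yml. Separately, the certgen service is now repeated near-verbatim in all three compose files; a single definition pulled in via `extends: { file: docker-compose.yml, service: certgen }` would keep them from drifting.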
@@ -1,14 +1,15 @@
 services:
 # Certificate generator - runs once to create self-signed certs with SANs
 certgen:
- image: alpine:latest
+ build:
+ context: .
+ dockerfile: docker/Dockerfile.certgen
 container_name: timetracker-certgen-remote
 volumes:
 - ./nginx/ssl:/certs
- - ./scripts:/scripts:ro
 environment:
 - HOST_IP=${HOST_IP:-192.168.1.100}
- command: sh /scripts/generate-certs.sh
+ command: /generate-certs.sh
 restart: "no"
 
 # HTTPS reverse proxy (TLS terminates here)
diff --git a/docker-compose.yml b/docker-compose.yml
index b3c63758..9582ad16 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,12 +1,15 @@
 services:
 # Certificate generator - runs once to create self-signed certs with SANs
 certgen:
- image: alpine:latest
+ build:
+ context: .
+ dockerfile: docker/Dockerfile.certgen
 container_name: timetracker-certgen
 volumes:
 - ./nginx/ssl:/certs
- - ./scripts:/scripts:ro
- command: sh /scripts/generate-certs.sh
+ environment:
+ - HOST_IP=${HOST_IP:-192.168.1.100}
+ command: /generate-certs.sh
 restart: "no"
 
 # HTTPS reverse proxy (TLS terminates here)
diff --git a/docker/Dockerfile.certgen b/docker/Dockerfile.certgen
new file mode 100644
index 00000000..ef38c7af
--- /dev/null
+++ b/docker/Dockerfile.certgen
@@ -0,0 +1,10 @@
+FROM alpine:latest
+
+# Install openssl for certificate generation
+RUN apk add --no-cache openssl
+
+# Copy certificate generation script
+COPY scripts/generate-certs.sh /generate-certs.sh
+RUN chmod +x /generate-certs.sh
+
+CMD ["/generate-certs.sh"]
diff --git a/docs/admin/configuration/DOCKER_COMPOSE_SETUP.md b/docs/admin/configuration/DOCKER_COMPOSE_SETUP.md
index ab234506..4da1f486 100644
--- a/docs/admin/configuration/DOCKER_COMPOSE_SETUP.md
+++ b/docs/admin/configuration/DOCKER_COMPOSE_SETUP.md
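Review bot: `FROM alpine:latest` makes the certgen image non-reproducible — every rebuild can pull a different base and therefore a different OpenSSL, and the unpinned `apk add` compounds that; pin the base, e.g. `FROM alpine:<pinned-release>@sha256:<digest>` (placeholder, fill in the verified tag and digest). The script is now exec'd directly via `CMD ["/generate-certs.sh"]` rather than through `sh` as the old compose `command` did, so it must start with a shebang; `scripts/generate-certs.sh` is not part of this patch, so that is worth confirming before the container is expected to start cleanly. `RUN chmod +x` can be folded into the copy with `COPY --chmod=755 scripts/generate-certs.sh /generate-certs.sh`, saving a layer. The three compose files also set `command: /generate-certs.sh`, which duplicates this CMD; keeping only one of them avoids two places to update.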
@@ -51,6 +51,7 @@ docker-compose logs app --tail=100 ### 4) Optional services - Reverse proxy (HTTPS): See `docker-compose.yml` (services `certgen` and `nginx`). + - **Note**: The `certgen` service is now self-contained and works with Portainer and other container orchestration tools without requiring host filesystem mounts. - Monitoring stack: Prometheus, Grafana, Loki, Promtail are available in `docker-compose.yml`. --- diff --git a/docs/admin/security/README_HTTPS_AUTO.md b/docs/admin/security/README_HTTPS_AUTO.md index 27735b8d..ad4de3ea 100644 --- a/docs/admin/security/README_HTTPS_AUTO.md +++ b/docs/admin/security/README_HTTPS_AUTO.md @@ -188,12 +188,15 @@ After first startup with mkcert: ### Certificate Generation The `certgen` init container: +- Uses a self-contained Docker image with the certificate generation script built-in - Runs before nginx starts - Checks for existing certificates in `nginx/ssl/` -- If missing, generates new ones +- If missing, generates new ones using OpenSSL - Exits (runs only once) - nginx starts after successful completion +**Note**: The certgen service no longer requires host volume mounts for scripts, making it compatible with Portainer and other container orchestration tools. + ### Persistence Certificates are stored in `nginx/ssl/` on your host machine: