mirror of
https://github.com/DRYTRIX/TimeTracker.git
synced 2026-01-05 19:20:21 -06:00
e4789cc26e
Implement comprehensive analytics and monitoring system with PostHog integration, complete observability stack (Prometheus, Grafana, Loki, Promtail), and CI/CD workflows for automated builds. Features: - Add PostHog telemetry integration with privacy-focused event tracking - Implement installation flow for opt-in telemetry configuration - Add telemetry management UI in admin panel with detailed transparency - Track key user events across all major features (projects, tasks, timer, etc.) Infrastructure: - Set up Prometheus for metrics collection - Configure Grafana for visualization dashboards - Integrate Loki and Promtail for log aggregation - Add separate analytics docker-compose configuration CI/CD: - Add GitHub Actions workflows for building and publishing Docker images - Implement separate dev and production build pipelines - Configure automated image publishing to registry Documentation: - Restructure documentation into organized docs/ directory - Add comprehensive guides for telemetry, analytics, and local development - Create transparency documentation for tracked events - Add CI/CD and build configuration guides Code improvements: - Integrate telemetry hooks across all route handlers - Add feature flags and configuration management - Refactor test suite for analytics functionality - Clean up root directory by moving docs and removing test artifacts Breaking changes: - Requires new environment variables for PostHog configuration - Docker compose setup now supports analytics stack Changes: 73 files changed, 955 insertions(+), 14126 deletions(-)
7.8 KiB
7.8 KiB
🚀 Automatic HTTPS Setup
One-Command HTTPS Startup
HTTPS is now completely automatic! Just run one command and everything is configured:
Windows
start-https.bat
Linux/Mac
bash start-https.sh
That's it! 🎉
What Happens Automatically
When you run the startup script:
- ✅ Detects your local IP (e.g., 192.168.1.100)
- ✅ Creates nginx HTTPS configuration automatically
- ✅ Generates SSL certificates (init container runs once)
- ✅ Updates security settings to strict mode
- ✅ Starts all services with HTTPS enabled
No manual steps required!
Two Certificate Options
Option 1: Self-Signed Certificates (Default)
- ✅ Works immediately, zero setup
- ✅ Fully functional HTTPS
- ⚠️ Browser shows security warning (safe to click through)
When to use: Quick testing, development
Option 2: mkcert (Trusted Certificates)
- ✅ No browser warnings!
- ✅ Trusted by all browsers
- 📋 Requires one-time mkcert installation
When to use: Cleaner experience, demos, regular development
Quick Start
First Time Setup
1. Create .env file:
cp env.example .env
# Edit .env with your settings
2. Start with HTTPS:
Windows:
start-https.bat
Linux/Mac:
bash start-https.sh
3. Choose certificate method when prompted:
- Press
1for self-signed (default) - Press
2for mkcert (if installed)
4. Access your app:
https://localhost
https://192.168.1.100 (your actual IP)
Self-Signed Certificates (Option 1)
What You'll See
Browser will show: "Your connection is not private"
How to Proceed
- Click "Advanced"
- Click "Proceed to localhost (unsafe)"
- That's it! You're in.
Why It's Safe
- Certificates are generated by YOU
- Traffic is encrypted
- Warning is just because it's self-signed
- Perfect for development
mkcert Certificates (Option 2)
Prerequisites
Install mkcert first:
Windows:
choco install mkcert
macOS:
brew install mkcert
Linux:
# See HTTPS_MKCERT_GUIDE.md
One-Time CA Installation
After first startup with mkcert:
-
Find the CA certificate:
nginx/ssl/rootCA.pem -
Install it:
Windows:
- Double-click
rootCA.pem - Install to "Trusted Root Certification Authorities"
- Restart browser
macOS:
- Double-click
rootCA.pem - Add to Keychain
- Mark as "Always Trust"
Linux:
sudo cp nginx/ssl/rootCA.pem /usr/local/share/ca-certificates/mkcert.crt sudo update-ca-certificates - Double-click
-
Restart browser
-
Access app - No warnings! ✅
How It Works
Architecture
┌─────────────────┐
│ start-https │ ← You run this
│ script │
└────────┬────────┘
│
↓
┌─────────────────┐
│ Init Container│ ← Generates certificates (runs once)
│ (certgen) │ • Checks if certs exist
└────────┬────────┘ • Creates them if missing
│ • Self-signed or mkcert
↓
┌─────────────────┐
│ nginx (HTTPS) │ ← Reverse proxy with SSL
│ Port 443 │ • Terminates SSL
└────────┬────────┘ • Proxies to app
│
↓
┌─────────────────┐
│ TimeTracker │ ← Your application
│ App (HTTP) │ • Runs on port 8080
│ Port 8080 │ • Behind nginx
└─────────────────┘
Certificate Generation
The certgen init container:
- Runs before nginx starts
- Checks for existing certificates in
nginx/ssl/ - If missing, generates new ones
- Exits (runs only once)
- nginx starts after successful completion
Persistence
Certificates are stored in nginx/ssl/ on your host machine:
- Persists across container restarts
- Regenerated only if deleted
- Valid for 10 years
File Structure
After automatic startup:
TimeTracker/
├── nginx/
│ ├── conf.d/
│ │ └── https.conf # Auto-generated nginx config
│ └── ssl/
│ ├── cert.pem # SSL certificate
│ ├── key.pem # Private key
│ └── rootCA.pem # CA cert (mkcert only)
├── docker-compose.yml # Base config
├── docker-compose.https-auto.yml # HTTPS with self-signed
├── docker-compose.https-mkcert.yml # HTTPS with mkcert
├── start-https.sh # Auto-start script (Linux/Mac)
├── start-https.bat # Auto-start script (Windows)
└── .env # Config (auto-updated)
Commands
Start with HTTPS (Automatic)
bash start-https.sh # Linux/Mac
start-https.bat # Windows
Start with HTTPS (Manual)
# Self-signed certificates
docker-compose -f docker-compose.yml -f docker-compose.https-auto.yml up -d
# mkcert certificates (if mkcert installed)
docker-compose -f docker-compose.yml -f docker-compose.https-mkcert.yml up -d
View Logs
docker-compose logs -f
docker-compose logs nginx
docker-compose logs certgen
Stop Services
docker-compose down
Regenerate Certificates
# Delete existing certs
rm -rf nginx/ssl/*
# Restart - new certs will be generated
bash start-https.sh
Environment Variables
After automatic setup, your .env will include:
# HTTPS Security Settings (auto-configured)
WTF_CSRF_SSL_STRICT=true
SESSION_COOKIE_SECURE=true
CSRF_COOKIE_SECURE=true
These settings:
- ✅ Enable strict CSRF protection
- ✅ Require HTTPS for cookies
- ✅ Fix all CSRF cookie issues
- ✅ Provide production-grade security
Troubleshooting
nginx Won't Start
Check if certificates exist:
ls -la nginx/ssl/
Should see:
cert.pemkey.pem
If missing, check certgen logs:
docker-compose logs certgen
Browser Still Shows Warning (mkcert)
CA not installed or browser not restarted:
- Install
nginx/ssl/rootCA.pem(see instructions above) - Completely close and restart browser
- Clear browser cache
Different IP Address
Update and restart:
export HOST_IP=192.168.1.XXX # Your actual IP
bash start-https.sh
Port 443 Already in Use
Find what's using it:
# Windows
netstat -ano | findstr :443
# Linux/Mac
lsof -i :443
Stop the conflicting service or change port in nginx config
Access from Other Devices
Using Self-Signed Certificates
- Access
https://192.168.1.100from device - Click through security warning
- Done!
Using mkcert Certificates
- Copy
nginx/ssl/rootCA.pemto device - Install as trusted CA (see device-specific instructions)
- Access
https://192.168.1.100 - No warnings! ✅
Production Deployment
For production with a real domain, use Let's Encrypt:
- See
docs/HTTPS_SETUP_GUIDE.mdfor Caddy (automatic) - Or use Traefik, nginx + certbot
Summary
🎉 What You Get
✅ One-command setup - bash start-https.sh
✅ Automatic certificate generation
✅ Auto-configuration of nginx and security settings
✅ Choice of certificate types
✅ Persistent certificates across restarts
✅ No manual steps for basic setup
🚀 Quick Reference
# Start everything with HTTPS
bash start-https.sh
# Access
https://localhost
https://192.168.1.100
# View logs
docker-compose logs -f
# Stop
docker-compose down
That's it! Enjoy automatic HTTPS! 🔒