Docker Tips
Providing Assets
Mount static assets using volumes:
-v ~/my-custom-logo.svg:/app/src/assets/logo.svg
Running Commands
Use exec to run commands inside a container:
docker exec -it domain-locker-app /bin/sh
To view running containers:
docker ps
Healthchecks
Domain Locker defines healthchecks for the app and database. View health status:
docker inspect --format '{{json .State.Health}}' domain-locker-app
Use Autoheal to restart unhealthy containers:
docker run -d \
  --name autoheal \
  --restart=always \
  -e AUTOHEAL_CONTAINER_LABEL=all \
  -v /var/run/docker.sock:/var/run/docker.sock \
  willfarrell/autoheal
Logs and Performance
Logs
docker logs domain-locker-app --follow
Stats
docker stats
Use cAdvisor, Prometheus, or Grafana for container metrics.
Auto-Start at Boot
All containers use restart: unless-stopped to start after reboot or crash.
Updating
Manual Update
docker compose pull
docker compose up -d
Auto Updates
Use Watchtower:
docker run -d \
  --name watchtower \
  --restart=unless-stopped \
  -v /var/run/docker.sock:/var/run/docker.sock \
  containrrr/watchtower
Backing Up
Back up the Postgres data volume:
docker run --rm \
  -v domain_locker_postgres_data:/volume \
  -v /tmp:/backup alpine \
  tar -cjf /backup/pgdata.tar.bz2 -C /volume .
Automate with cron or use offen/docker-volume-backup for scheduled backups.
Store backups offsite using rclone, restic, or S3-compatible services.
Secrets Management
Avoid hardcoding secrets in docker-compose.yml. Use a .env file:
DL_PG_PASSWORD=strongpassword
DL_JWT_SECRET=random-long-token
Restrict .env file permissions to prevent leaks:
chmod 600 .env
For production, consider Docker Secrets or Kubernetes Secrets.
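The two checks above (file mode and real secret values) can be scripted to run before the stack starts. This is an added example, not part of Domain Locker; the function names and the 32-character minimum are assumptions.

```shell
#!/bin/sh
# Added example: audit a Domain Locker .env file before `docker compose up`.

# Print the octal permission bits of a file (GNU stat first, BSD/macOS fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the value of KEY from a KEY=value env file (last assignment wins).
env_value() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Return 0 if the file passes every check, 1 otherwise; findings go to stderr.
check_env_file() {
    env_file=$1
    min_len=${2:-32}   # assumed minimum secret length, not a project requirement
    rc=0

    [ -f "$env_file" ] || { echo "missing: $env_file" >&2; return 1; }

    # Owner-only access: 600 (read/write) or 400 (read-only) are accepted.
    mode=$(file_mode "$env_file")
    if [ "$mode" != "600" ] && [ "$mode" != "400" ]; then
        echo "mode is $mode, expected 600: $env_file" >&2
        rc=1
    fi

    # Both secrets must be set, must not be the sample values, and must be long enough.
    for key in DL_PG_PASSWORD DL_JWT_SECRET; do
        value=$(env_value "$key" "$env_file")
        case $value in
            '') echo "$key is not set" >&2; rc=1 ;;
            strongpassword|random-long-token)
                echo "$key still holds the documentation placeholder" >&2; rc=1 ;;
            *)
                if [ "${#value}" -lt "$min_len" ]; then
                    echo "$key is shorter than $min_len characters" >&2; rc=1
                fi ;;
        esac
    done
    return $rc
}

# Usage: check_env_file .env && docker compose up -d
```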
Authentication
Domain Locker supports Supabase Auth. Enable row-level security (RLS) and secure JWT handling. Set DL_JWT_SECRET and use HTTPS in production.
Remote Access
Use secure tools for access:
- Tailscale for mesh VPN
- Cloudflare Tunnel for public URLs
- Never expose Postgres directly to the internet
SSL Certificates
Use a reverse proxy with automatic HTTPS:
With Traefik
Labels:
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.domainlocker.rule=Host(`locker.example.com`)"
  - "traefik.http.routers.domainlocker.entrypoints=https"
  - "traefik.http.routers.domainlocker.tls=true"
  - "traefik.http.services.domainlocker.loadbalancer.server.port=3000"
Ensure acme and a certResolver are configured in Traefik.
With Caddy
locker.example.com {
    reverse_proxy localhost:3000
}
Caddy will handle certs via Let's Encrypt automatically.
Custom Domain
Set an A or CNAME record pointing to your server.
Use the domain in your proxy config (e.g. Traefik or Caddy).
Optionally edit /etc/hosts for local testing:
127.0.0.1 locker.local
Monitoring
Recommended tools:
- GlitchTip for error reporting
- Uptime Kuma for uptime
- Grafana + Prometheus for metrics
- Loki for logs
- Docker Scout for image security insights
Metrics and Observability
Expose metrics for dashboards and alerting:
- Add Prometheus exporter sidecars
- Log to file, and ship to Grafana Loki or ELK stack
- Consider OpenTelemetry if integrating with external tools
Compose Management
Starting
docker compose up -d
Stopping
docker compose down
Use --env-file to override env vars:
docker compose --env-file .env.production up -d
Kubernetes Setup (Optional)
Use Helm for deploys. Define:
- Separate deployments for app, db, and updater
- Use ConfigMaps for config and Secrets for sensitive values
- Ingress controller (e.g. Traefik or NGINX) with TLS enabled
- PersistentVolumeClaim for Postgres storage
- HorizontalPodAutoscaler for load-based scaling
Running a Modified Version
- Clone the repo
- Install dependencies:
yarn install
- Build:
yarn build
- Build Docker image:
docker build -t domain-locker .
- Run locally:
docker run -p 3000:3000 domain-locker
CI/CD Recommendations
- Use GitHub Actions or GitLab CI to build and push Docker images
- Pin image versions in production
- Run vulnerability scans with Trivy or Snyk
- Publish images to DockerHub and GHCR
Security Best Practices
- Never run containers as root
- Set user with USER appuser
- Use read-only file systems where possible
- Keep your base images minimal (e.g. Alpine)
- Limit exposed ports
- Enable logging and monitoring
- Regularly rotate secrets
Helpful Tools
- Portainer – GUI for container management
- Lazydocker – Terminal UI for Docker
- Watchtower – Auto-updates
- Uptime Kuma – Status monitoring
- pgAdmin / Postico – Database browsing
- Snyk / Trivy – Image scanning
- Caddy – Simple TLS reverse proxy