Update Docker configuration: change command to use entrypoint script, set superuser environment variables, and adjust NGINX settings for port and server name.

Dockerfile

@@ -43,6 +43,7 @@ WORKDIR /app
 COPY ./app .
 
 RUN python manage.py collectstatic --noinput
+RUN chmod +x /app/entrypoint.sh
 
 # =============================================
 # 5. Create non-root user
@@ -55,4 +56,4 @@ EXPOSE 80
 # =============================================
 # 6. Launch the app
 # =============================================
-CMD ["gunicorn", "keywarden.wsgi:application", "--bind", "0.0.0.0:8000", "--workers", "3"]
+CMD ["./entrypoint.sh"]

app/apps/core/management/__init__.py

@@ -0,0 +1,2 @@
+# Intentionally empty to mark package
+

app/apps/core/management/commands/__init__.py

@@ -0,0 +1,2 @@
+# Intentionally empty to mark package
+

app/apps/core/management/commands/ensure_admin.py

@@ -0,0 +1,68 @@
+import os
+
+from django.contrib.auth import get_user_model
+from django.core.management.base import BaseCommand
+
+
+class Command(BaseCommand):
+    help = "Ensure a Django superuser exists using environment variables"
+
+    def handle(self, *args, **options):
+        username = (
+            os.getenv("DJANGO_SUPERUSER_USERNAME")
+            or os.getenv("KEYWARDEN_ADMIN_USERNAME")
+        )
+        email = (
+            os.getenv("DJANGO_SUPERUSER_EMAIL")
+            or os.getenv("KEYWARDEN_ADMIN_EMAIL")
+        )
+        password = (
+            os.getenv("DJANGO_SUPERUSER_PASSWORD")
+            or os.getenv("KEYWARDEN_ADMIN_PASSWORD")
+        )
+
+        if not username or not email or not password:
+            self.stdout.write(
+                self.style.WARNING(
+                    "Superuser env vars not fully set; skipping ensure_admin. "
+                    "Set DJANGO_SUPERUSER_USERNAME, DJANGO_SUPERUSER_EMAIL, "
+                    "DJANGO_SUPERUSER_PASSWORD (or KEYWARDEN_ADMIN_*)."
+                )
+            )
+            return
+
+        User = get_user_model()
+
+        user, created = User.objects.get_or_create(username=username, defaults={
+            "email": email,
+            "is_staff": True,
+            "is_superuser": True,
+        })
+
+        if created:
+            user.set_password(password)
+            user.save()
+            self.stdout.write(self.style.SUCCESS(f"Superuser '{username}' created."))
+            return
+
+        changed = False
+
+        if user.email != email:
+            user.email = email
+            changed = True
+
+        # Ensure flags are correct
+        if not user.is_staff:
+            user.is_staff = True
+            changed = True
+        if not user.is_superuser:
+            user.is_superuser = True
+            changed = True
+
+        if changed:
+            user.save()
+            self.stdout.write(self.style.SUCCESS(f"Superuser '{username}' updated."))
+        else:
+            self.stdout.write(self.style.SUCCESS(f"Superuser '{username}' already present."))
+
+

app/entrypoint.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+set -eu
+
+python manage.py migrate --noinput
+python manage.py ensure_admin
+
+exec gunicorn keywarden.wsgi:application --bind 0.0.0.0:80 --workers 3
+
+

docker-compose.yml.example

@@ -38,7 +38,7 @@ services:
   keywarden:
     image: git.ntbx.io/boris/keywarden:latest
     container_name: keywarden
-    command: gunicorn keywarden.wsgi:application --bind 0.0.0.0:8000
+    command: sh ./entrypoint.sh
     ports:
       - "8000:80"
     depends_on:
@@ -47,6 +47,9 @@ services:
     environment:
       - DJANGO_SETTINGS_MODULE=keywarden.settings.dev
       - PYTHONPATH=/app
+      - DJANGO_SUPERUSER_USERNAME=${DJANGO_SUPERUSER_USERNAME}
+      - DJANGO_SUPERUSER_EMAIL=${DJANGO_SUPERUSER_EMAIL}
+      - DJANGO_SUPERUSER_PASSWORD=${DJANGO_SUPERUSER_PASSWORD}
     env_file:
       - .env
 

nginx/configs/sites/default.conf

@@ -1,8 +1,8 @@
 # Default NGINX Config
 server {
-    listen 80;
-    listen [::]:80;
-    server_name keywarden.dev.ntbx.io;
+    listen 8008;
+    listen [::]:8008;
+    server_name _;
 
     return 301 https://$host$request_uri;
 }
@@ -13,7 +13,7 @@ server {
     listen [::]:443 ssl;
         http2 on;
 
-    server_name keywarden.dev.ntbx.io;
+    server_name _;
 
     ssl_certificate /certs/certificate.pem;
     ssl_certificate_key /certs/key.pem;
@@ -22,7 +22,7 @@ server {
     client_max_body_size 50M;
 
     location / {
-        proxy_pass  http://keywarden:8000;
+        proxy_pass  http://keywarden:80;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;