feat: Docker self-hosting setup with migration service and auth bypass

- Fix Dockerfiles to copy pnpm-lock.yaml (frozen-lockfile compliance)
- Add migrate target to API Dockerfile using builder stage
- Add migrate service to docker-compose that runs before API starts
- Add AUTH_DISABLED env var bypass to auth middleware for dev/Docker
- Proxy /api/ from nginx to API container (no CORS needed)
- Include initial Drizzle migration (0000_colossal_colossus.sql)
- Add .env.example with all configurable variables
- Update README with Docker self-hosting instructions

Closes #7

Co-Authored-By: Paperclip <noreply@paperclip.ing>

apps/api/Dockerfile

@@ -4,7 +4,7 @@ WORKDIR /app
 
 # Install deps
 FROM base AS deps
-COPY package.json pnpm-workspace.yaml ./
+COPY package.json pnpm-workspace.yaml pnpm-lock.yaml ./
 COPY apps/api/package.json apps/api/
 COPY packages/db/package.json packages/db/
 COPY packages/types/package.json packages/types/
@@ -22,7 +22,7 @@ RUN corepack enable && corepack prepare pnpm@9.15.4 --activate
 WORKDIR /app
 ENV NODE_ENV=production
 
-COPY package.json pnpm-workspace.yaml ./
+COPY package.json pnpm-workspace.yaml pnpm-lock.yaml ./
 COPY apps/api/package.json apps/api/
 COPY packages/db/package.json packages/db/
 COPY packages/types/package.json packages/types/
@@ -34,3 +34,7 @@ COPY --from=builder /app/packages/types packages/types
 
 EXPOSE 3000
 CMD ["node", "apps/api/dist/index.js"]
+
+# Migrate stage — runs drizzle-kit migrate against the database
+FROM builder AS migrate
+CMD ["pnpm", "db:migrate"]

apps/api/src/middleware/auth.ts

@@ -24,6 +24,12 @@ export interface JwtPayload {
 }
 
 export const authMiddleware: MiddlewareHandler = async (c, next) => {
+  if (process.env.AUTH_DISABLED === "true") {
+    c.set("jwtPayload", { sub: "dev-user" } as JwtPayload);
+    await next();
+    return;
+  }
+
   const authorization = c.req.header("Authorization");
   if (!authorization?.startsWith("Bearer ")) {
     return c.json({ error: "Unauthorized" }, 401);

apps/web/Dockerfile

@@ -4,7 +4,7 @@ WORKDIR /app
 
 # Install deps
 FROM base AS deps
-COPY package.json pnpm-workspace.yaml ./
+COPY package.json pnpm-workspace.yaml pnpm-lock.yaml ./
 COPY apps/web/package.json apps/web/
 COPY packages/types/package.json packages/types/
 RUN pnpm install --frozen-lockfile

apps/web/nginx.conf

@@ -9,6 +9,15 @@ server {
         add_header Cache-Control "public, immutable";
     }
 
+    # Proxy API calls to the API service
+    location /api/ {
+        proxy_pass http://api:3000/api/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
     # SPA fallback — serve index.html for all routes
     location / {
         try_files $uri $uri/ /index.html;