Add member-manager; normalize its compose; fix postfix-net; add CUPS to chaos install

apps/member-manager/docker-compose.yml:
- Add container_name/hostname to redis (member-manager-redis) and sidekiq
  (member-manager-sidekiq) services
- Use ${IMAGE_VERSION:-latest} for web/sidekiq and ${REDIS_IMAGE_VERSION:-7-alpine}
  for internal redis
- Rename internal redis network mm-redis -> member-manager-redis-net
- Use service_healthy condition on redis depends_on
- Add .env.example, README.md, .rsync-exclude

apps/postfix/docker-compose.yml:
- Add postfix service to mail network; declare networks.mail: name: postfix-net
  so member-manager (and future services) can join it

bin/install-chaos.sh:
- Install and enable CUPS before Docker apps
- Add member-manager to Tier 2 (needs proxy, db, mail/postfix-net)
- Update Tier 0 comment: postfix now creates postfix-net

Made-with: Cursor

Author: romkey

apps/member-manager/.env.example

@@ -0,0 +1,21 @@
+# Rails environment
+RAILS_ENV=production
+SECRET_KEY_BASE=
+
+# Database (connects via postgres-net)
+DATABASE_URL=postgresql://member_manager:password@postgresql:5432/member_manager_production
+
+# Redis (internal member-manager-redis container)
+REDIS_URL=redis://member-manager-redis:6379/0
+
+# Outbound email via postfix (connects via postfix-net)
+SMTP_HOST=postfix
+SMTP_PORT=587
+SMTP_FROM=noreply@example.com
+
+# Application URL
+APP_HOST=member-manager.example.com
+
+# Image versions (optional, defaults shown)
+#IMAGE_VERSION=latest
+#REDIS_IMAGE_VERSION=7-alpine

apps/member-manager/.rsync-exclude

@@ -0,0 +1,71 @@
+# member-manager
+
+PDX Hackerspace member management application. Rails web app with a Sidekiq
+background job worker and a private Redis instance for job queuing.
+
+Image: [romkey/pdxhackerspace-member-manager](https://github.com/romkey/pdxhackerspace-member-manager)
+
+## Services
+
+| Container | Role |
+|-----------|------|
+| `member-manager` | Rails web server (port 3000, behind reverse proxy) |
+| `member-manager-sidekiq` | Sidekiq background job worker |
+| `member-manager-redis` | Private Redis instance for job queuing (not shared) |
+
+## Network dependencies
+
+| Network | Provided by | Purpose |
+|---------|-------------|---------|
+| `nginx-proxy-net` | nginx-proxy-manager | Reverse proxy access |
+| `postgres-net` | postgresql | Database |
+| `postfix-net` | postfix | Outbound email |
+
+## Configuration
+
+### Environment Variables
+
+Copy `.env.example` to `.env` and configure:
+
+```bash
+cp .env.example .env
+```
+
+| Variable | Description |
+|----------|-------------|
+| `RAILS_ENV` | Rails environment (`production`) |
+| `SECRET_KEY_BASE` | Rails secret key — generate with `openssl rand -hex 64` |
+| `DATABASE_URL` | PostgreSQL connection URL |
+| `REDIS_URL` | Redis connection URL (points to internal `member-manager-redis`) |
+| `SMTP_HOST` | SMTP server hostname (default: `postfix` via postfix-net) |
+| `SMTP_PORT` | SMTP port |
+| `SMTP_FROM` | From address for outgoing mail |
+| `APP_HOST` | Public hostname for URL generation |
+| `IMAGE_VERSION` | Web/sidekiq image tag (optional, defaults to `latest`) |
+| `REDIS_IMAGE_VERSION` | Redis image tag (optional, defaults to `7-alpine`) |
+
+## Usage
+
+### Starting the service
+
+```bash
+docker compose up -d
+```
+
+### Stopping the service
+
+```bash
+docker compose down
+```
+
+### Viewing logs
+
+```bash
+docker compose logs -f
+```
+
+### Running Rails tasks
+
+```bash
+docker compose exec web bundle exec rails <task>
+```

apps/member-manager/README.md

@@ -0,0 +1,83 @@
+services:
+  redis:
+    image: redis:${REDIS_IMAGE_VERSION:-7-alpine}
+    container_name: member-manager-redis
+    hostname: member-manager-redis
+    restart: unless-stopped
+    volumes:
+      - ../../lib/member-manager/redis:/data
+    networks:
+      - redis
+    healthcheck:
+      test: ["CMD", "redis-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  web:
+    image: ghcr.io/romkey/pdxhackerspace-member-manager:${IMAGE_VERSION:-latest}
+    container_name: member-manager
+    hostname: member-manager
+    command: ./bin/rails server -b 0.0.0.0 -p 3000
+    restart: unless-stopped
+    env_file:
+      - .env
+    networks:
+      - db
+      - proxy
+      - redis
+      - mail
+    volumes:
+      - ../../log/rsyslog/access:/tmp/access:ro
+      - ../../lib/member-manager/storage:/rails/storage:rw
+      - ../../lib/member-manager/access-backups:/access-backups:rw
+      - ./scripts:/opt/access:rw
+    depends_on:
+      redis:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "curl -f http://localhost:3000/health/liveness || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 40s
+
+  sidekiq:
+    image: ghcr.io/romkey/pdxhackerspace-member-manager:${IMAGE_VERSION:-latest}
+    container_name: member-manager-sidekiq
+    hostname: member-manager-sidekiq
+    command: bundle exec sidekiq
+    restart: unless-stopped
+    env_file:
+      - .env
+    networks:
+      - db
+      - redis
+      - mail
+    volumes:
+      - ../../log/rsyslog/access:/tmp/access:ro
+      - ../../lib/member-manager/storage:/rails/storage:rw
+      - ../../lib/member-manager/access-backups:/access-backups:rw
+      - ./scripts:/opt/access:rw
+    depends_on:
+      redis:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD-SHELL", "bundle exec rails runner 'exit(Sidekiq::ProcessSet.new.size > 0 ? 0 : 1)' || exit 1"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+
+networks:
+  redis:
+    name: member-manager-redis-net
+  proxy:
+    external: true
+    name: nginx-proxy-net
+  db:
+    external: true
+    name: postgres-net
+  mail:
+    external: true
+    name: postfix-net

apps/member-manager/docker-compose.yml

@@ -20,9 +20,15 @@ services:
     ports:
       - 25:25
       - 587:587
+    networks:
+      - mail
 
   mailq:
     <<: *base
     container_name: mailq
     restart: "no"
     command: mailq
+
+networks:
+  mail:
+    name: postfix-net

apps/postfix/docker-compose.yml

@@ -2,6 +2,7 @@
 #
 # install-chaos.sh
 # Configures and starts all core and chaos-host services in dependency order.
+# Also installs and enables CUPS for local printing.
 #
 # All networks used by services in this script are created by services within
 # this script. No external prerequisites required.
@@ -19,7 +20,7 @@ REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 #   ollama                creates: llama-net
 #   mdns-repeater         creates: mdns-net (and ipvlan_net)
 #   cloudflare-ddns       no networks
-#   postfix               no networks
+#   postfix               creates: postfix-net
 #   rsyslog               no networks
 #   snapserver            host network mode
 #
@@ -32,8 +33,9 @@ REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 #   cyberchef             needs: proxy
 #   peanut                needs: proxy
 #
-# Tier 2 - needs proxy + db, mariadb, mqtt, or llama
+# Tier 2 - needs proxy + db, mariadb, mqtt, llama, or mail
 #   invidious             needs: proxy, db
+#   member-manager        needs: proxy, db, mail
 #   partdb                needs: proxy, db
 #   planka                needs: proxy, db
 #   statping              needs: proxy, db
@@ -75,6 +77,7 @@ glances
 cyberchef
 peanut
 invidious
+member-manager
 partdb
 planka
 statping
@@ -92,6 +95,12 @@ mopidy
 db-backup
 "
 
+echo "==> Installing system packages..."
+sudo apt-get install -y cups
+sudo systemctl enable --now cups
+echo "CUPS installed and enabled."
+echo ""
+
 echo "==> Configuring all apps..."
 for app in $CHAOS_APPS; do
     echo "  Configuring $app..."