
ECS/Fargate deployment: privileged ports, no way to disable optional services, NGINX_PORT undocumented #315

@mdwt

Description


When deploying Plunk to AWS ECS Fargate, several issues arise because the container runs as non-root user plunk (uid 1001):

  1. Wiki (port 1000) and SMTP (ports 465/587) crash-loop on privileged ports

Fargate containers run as non-root by default. Ports below 1024 require root or CAP_NET_BIND_SERVICE. The wiki hardcodes port 1000 and SMTP hardcodes 465/587 in the PM2 ecosystem config (docker-entrypoint-nginx.sh), causing immediate EACCES: permission denied crash-loops.

These ports are not configurable via environment variables.

  2. No way to disable optional services

The SERVICE env var only supports api, worker, web, and all. When running SERVICE=all (required for the nginx reverse proxy setup), all 7 services start unconditionally — including wiki and SMTP which may not be needed.

There's no DISABLE_SMTP or DISABLE_WIKI env var to skip them. The crash-loops are cosmetic (PM2 keeps restarting them without killing healthy services), but they waste resources and pollute logs.

  3. Nginx port 80 also fails as non-root

NGINX_PORT env var exists in setup-nginx.sh and works, but it's not documented anywhere. Users deploying to non-root environments have no way to discover it. Also, NGINX_PORT can't be set to 8080 because the API upstream already uses that port — this conflict isn't obvious.

  4. NEXT_PUBLIC_* env vars not inlined by Turbopack

The Dockerfile passes NEXT_PUBLIC_API_URI etc. at build time, but Turbopack (Next.js 15) doesn't inline them into client-side JS bundles. The built output contains:

let uf = process.env.NEXT_PUBLIC_API_URI || "http://localhost:8080"

Instead of the expected inlined value. The process.env reference works server-side but falls back to localhost:8080 in the browser. The sed replacement in replace-urls-optimized.sh expects the placeholder URL to be baked in, so it finds nothing to replace in client chunks.

Suggested fixes

  1. Make wiki and SMTP ports configurable via WIKI_PORT and SMTP_PORT env vars (default to current values for backwards compat)
  2. Add DISABLE_SMTP and DISABLE_WIKI env vars to conditionally exclude them from the PM2 ecosystem
  3. Document NGINX_PORT in self-hosting docs and note the port 8080 conflict with the API upstream
  4. Add env block to next.config.js for all Next.js apps to force Turbopack to inline NEXT_PUBLIC_* vars at build time:

        env: {
          NEXT_PUBLIC_API_URI: process.env.NEXT_PUBLIC_API_URI,
          NEXT_PUBLIC_DASHBOARD_URI: process.env.NEXT_PUBLIC_DASHBOARD_URI,
          NEXT_PUBLIC_LANDING_URI: process.env.NEXT_PUBLIC_LANDING_URI,
          NEXT_PUBLIC_WIKI_URI: process.env.NEXT_PUBLIC_WIKI_URI,
        }
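As an added example (not code from the Plunk repository or its docker-entrypoint-nginx.sh), here is a PM2 ecosystem builder that implements suggested fixes 1 to 3: WIKI_PORT and SMTP_PORT override the hardcoded ports while keeping today's defaults, DISABLE_WIKI and DISABLE_SMTP omit those apps from the ecosystem instead of letting PM2 restart them forever, an NGINX_PORT equal to the API upstream port 8080 is rejected before anything starts, and any port below 1024 is reported up front when the process is not root. The service script paths, the SMTP_SECURE_PORT variable name for the 465 listener and the API_PORT constant are assumptions for illustration.

```javascript
// Added example, not code from the Plunk repository: a PM2 ecosystem builder
// for suggested fixes 1-3 above. Service script paths, the SMTP_SECURE_PORT
// variable name and the API_PORT constant are assumptions.

const API_PORT = 8080;         // API upstream that nginx proxies to
const PRIVILEGED_LIMIT = 1024; // ports below this need root or CAP_NET_BIND_SERVICE

// DISABLE_* flags: 1/true/yes (case-insensitive) disable; anything else keeps the service.
function isEnabledFlag(value) {
  return ["1", "true", "yes"].includes(String(value ?? "").trim().toLowerCase());
}

// Read a TCP port from the environment, keeping the current default when unset.
function parsePort(value, fallback) {
  if (value === undefined || value === "") return fallback;
  const port = Number(value);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`invalid port value ${JSON.stringify(value)}`);
  }
  return port;
}

// Build the ecosystem from an env object (process.env in real use). `isRoot`
// says whether the container process may bind privileged ports.
function buildEcosystem(env, { isRoot = false } = {}) {
  const nginxPort = parsePort(env.NGINX_PORT, 80);
  if (nginxPort === API_PORT) {
    throw new Error(`NGINX_PORT=${nginxPort} conflicts with the API upstream on port ${API_PORT}`);
  }

  const apps = [
    { name: "api", script: "packages/api/dist/index.js", env: { PORT: API_PORT } },
    { name: "worker", script: "packages/worker/dist/index.js", env: {} },
    { name: "web", script: "packages/web/server.js", env: { PORT: 3000 } },
  ];

  // Fixes 1 and 2: configurable ports, and a disabled service is left out of the
  // ecosystem entirely rather than started and crash-looped by PM2.
  if (!isEnabledFlag(env.DISABLE_WIKI)) {
    apps.push({
      name: "wiki",
      script: "packages/wiki/server.js",
      env: { PORT: parsePort(env.WIKI_PORT, 1000) },
    });
  }
  if (!isEnabledFlag(env.DISABLE_SMTP)) {
    apps.push({
      name: "smtp",
      script: "packages/smtp/dist/index.js",
      env: {
        SMTP_PORT: parsePort(env.SMTP_PORT, 587),
        SMTP_SECURE_PORT: parsePort(env.SMTP_SECURE_PORT, 465),
      },
    });
  }

  // Report every privileged port up front so the deployment fails with a
  // readable message instead of EACCES crash-loops at runtime.
  const privilegedPorts = [];
  if (!isRoot) {
    if (nginxPort < PRIVILEGED_LIMIT) privilegedPorts.push({ service: "nginx", port: nginxPort });
    for (const app of apps) {
      for (const [key, port] of Object.entries(app.env)) {
        if (key.endsWith("PORT") && port < PRIVILEGED_LIMIT) {
          privilegedPorts.push({ service: app.name, port });
        }
      }
    }
  }

  return { apps, nginxPort, privilegedPorts };
}

// When run directly (e.g. from the entrypoint before `pm2 start`), print the
// app list or fail if a non-root process would have to bind a privileged port.
if (typeof require !== "undefined" && require.main === module) {
  const isRoot = typeof process.getuid === "function" && process.getuid() === 0;
  const { apps, privilegedPorts } = buildEcosystem(process.env, { isRoot });
  if (privilegedPorts.length > 0) {
    console.error("privileged ports but not running as root:", JSON.stringify(privilegedPorts));
    process.exit(1);
  }
  console.log("starting:", apps.map((a) => a.name).join(", "));
}
```

In an ecosystem.config.js the `apps` array returned here is what would be exported with `module.exports = { apps }`. For the Fargate case in this issue, `NGINX_PORT=8000 WIKI_PORT=3001 SMTP_PORT=2587 SMTP_SECURE_PORT=2465` yields an empty `privilegedPorts` list, and `DISABLE_WIKI=true DISABLE_SMTP=true` leaves only api, worker and web in the ecosystem.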

Environment

  • AWS ECS Fargate (linux/amd64)
  • Plunk Docker image built from next branch
  • Container runs as non-root user plunk (uid 1001)
