Gitea SSO: cookie-based single sign-on via nginx auth_request — sets cml_session cookie on login/refresh, validates via /api/auth/gitea-sso-validate, injects X-WEBAUTH-USER header for reverse proxy auth. Dedicated GITEA_SSO_SECRET and SERVICE_PASSWORD_SALT env vars isolate secret rotation. Security fixes from March 30 audit: IDOR on ticketed events (requireEventOwnership middleware), IDOR on action items (admin/assignee/creator check), path traversal on photos (resolve-based validation), CSV upload size limit (5MB), shared calendar email exposure removed. Gitea provisioner: auto-sync docs repo collaborator access based on role (CONTENT_ROLES get write, SUPER_ADMIN gets admin). Gitea client extended with collaborator management API methods. Production hardening: NODE_ENV defaults to production in docker-compose.prod.yml, Grafana anonymous auth disabled, install.sh branch ref updated to main. Admin UI: moved docs reset from toolbar to MkDocs Settings danger zone, improved collab Ctrl+S to explicitly save + cache-bust preview. MkDocs site rebuild with updated repo data, upgrade screenshots, and content. Bunker Admin
---
title: Getting Started
description: Install and configure Changemaker Lite from scratch.
icon: material/rocket-launch
tags:
search:
---
# Getting Started
This guide walks you through installing Changemaker Lite, running your first deployment, and logging into the admin dashboard.
## Prerequisites
- Docker 24+ and Docker Compose v2
- OpenSSL (for secret generation)
- A Linux server (Ubuntu 22.04+ recommended) or macOS for development
- At least 2 GB RAM and 10 GB disk space
- A domain name (optional, but recommended for production)
## Quick Install (Pre-built Images)
The fastest way to deploy — no source code, no compilation:
```bash
curl -fsSL https://gitea.bnkops.com/admin/changemaker.lite/raw/branch/main/scripts/install.sh | bash
```
This downloads a lightweight release package (~2 MB), runs the configuration wizard, and pulls pre-built Docker images. First startup takes ~2 minutes. See Installation for details.
## Quick Start (From Source)
For development or customization, clone the full repository:
```bash
git clone https://gitea.bnkops.com/admin/changemaker.lite
cd changemaker.lite
bash config.sh
docker compose up -d
```
Open http://localhost:3000 and sign in with the admin email and password you configured. The API container automatically runs database migrations and seeding on first startup — no manual steps needed.
!!! warning "Change your password"
    If you used the wizard's generated password, change it immediately from the admin dashboard.
For the full setup walkthrough, see Installation.
## Configuration Wizard
The `config.sh` wizard produces a fully populated `.env` file in 14 steps:
| Step | What It Does |
|---|---|
| 1. Prerequisites | Verifies Docker, Docker Compose, and OpenSSL |
| 2. Environment file | Creates .env from .env.example (backs up existing) |
| 3. Domain | Sets root domain + 14 derived variables, updates mkdocs.yml |
| 4. Admin credentials | Email + password (enforces 12+ chars, mixed case, digit) |
| 5. Secrets | Auto-generates 21 unique secrets (JWT, encryption, database, service passwords) |
| 6. Email | MailHog (dev) or production SMTP, optionally shared with Listmonk |
| 7. Feature flags | 9 toggles: Media, Listmonk, Payments, Chat, Events, Meet, SMS, Docs Comments, Bunker Ops |
| 8. Tunnel | Pangolin credentials for secure public access |
| 9. CORS | Auto-calculated allowed origins from domain |
| 10. Nginx | Renders .conf.template files with domain substitution |
| 11. Homepage | Generates services.yaml with 27 service entries |
| 12. Permissions | Creates 12 directories with container-friendly permissions |
| 13. Upgrade watcher | Installs systemd units for GUI-triggered upgrades (optional, requires sudo) |
| 14. Summary | Displays configuration summary + next steps |
See Installation for detailed documentation of each step.
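As an added example (not the project's `config.sh`), the script below reproduces the two parts of wizard steps 4 and 5 that are worth checking by hand: the admin password rule (12+ characters, mixed case, a digit) and OpenSSL-based secret generation that never overwrites a secret already present in `.env`. The variable names `JWT_SECRET` and `ENCRYPTION_KEY` are assumptions; `GITEA_SSO_SECRET` and `SERVICE_PASSWORD_SALT` are the names the commit message above uses.

```shell
#!/bin/sh
# Added example, not the project's config.sh. Mirrors wizard steps 4 and 5:
# the admin password rule and OpenSSL secret generation. Variable names below
# other than GITEA_SSO_SECRET and SERVICE_PASSWORD_SALT are assumptions.
set -eu

# Returns 0 only if the password meets the wizard's rule:
# 12+ characters, at least one upper-case, one lower-case and one digit.
check_admin_password() {
  pw="$1"
  [ "${#pw}" -ge 12 ] || return 1
  case "$pw" in *[[:upper:]]*) ;; *) return 1 ;; esac
  case "$pw" in *[[:lower:]]*) ;; *) return 1 ;; esac
  case "$pw" in *[[:digit:]]*) ;; *) return 1 ;; esac
  return 0
}

# Prints N random bytes hex-encoded (default 32 bytes = 256 bits of entropy).
# OpenSSL is the wizard's prerequisite; /dev/urandom is a fallback for hosts
# where step 1 would otherwise fail.
gen_secret() {
  n="${1:-32}"
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex "$n"
  else
    head -c "$n" /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# Appends KEY=<secret> for each key that has no non-empty value yet, so a
# re-run never silently rotates secrets that running services depend on.
write_secrets() {
  env_file="$1"; shift
  for key in "$@"; do
    if grep -qE "^${key}=.+" "$env_file" 2>/dev/null; then
      echo "keep $key (already set)"
    else
      echo "${key}=$(gen_secret 32)" >>"$env_file"
      echo "set  $key"
    fi
  done
}

# Demo with constructed values and a temporary file standing in for .env.
demo_env=$(mktemp)
check_admin_password 'Changemaker2024' && echo "password policy: OK"
write_secrets "$demo_env" JWT_SECRET ENCRYPTION_KEY GITEA_SSO_SECRET SERVICE_PASSWORD_SALT
write_secrets "$demo_env" JWT_SECRET   # second run keeps the existing value
rm -f "$demo_env"
```

Because existing keys are kept, the write step is safe to re-run; rotating one secret means removing its line first and restarting the services that read it.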
## Services
Changemaker Lite includes 30+ Docker services organized into 8 categories:
| Category | Services | Startup |
|---|---|---|
| Core | API, Admin, PostgreSQL, Redis, Nginx | docker compose up -d v2-postgres redis api admin nginx |
| Media | Fastify media API | docker compose up -d media-api |
| Communication | Rocket.Chat, Gancio, Jitsi Meet | Individual docker compose up -d commands |
| Newsletter & Email | Listmonk, MailHog | docker compose up -d listmonk-app |
| Developer Tools | Code Server, MkDocs, Gitea, NocoDB, n8n | Individual docker compose up -d commands |
| Utilities | Mini QR, Excalidraw, Vaultwarden, Homepage | docker compose up -d mini-qr excalidraw vaultwarden homepage |
| Monitoring | Prometheus, Grafana, Alertmanager, exporters | docker compose --profile monitoring up -d |
| Infrastructure | Newt tunnel, Docker socket proxy | Auto-starts with tunnel configuration |
See Services Overview for the complete catalog with ports, feature flags, and detailed descriptions.
## Next Steps
- Installation — detailed setup walkthrough and manual configuration
- Services Overview — complete service catalog (30+ containers)
- Environment Variables — complete `.env` reference
- First Steps — create your first campaign and add locations
- Updates & Upgrades — keep your installation current
- Control Panel (CCP) — multi-instance management
- Features at a Glance — visual overview of every module
- Admin Guide — full administration reference
- Deployment — production setup with SSL and tunneling
