Make Docker production containers compatible with NERSC Spin

[tomvothecoder]

Description

• Closes [DevOps] Make Docker dev setup compatible with NERSC Spin #67

Steps to Complete

Environment Files

• Stores examples in /examples
• Store local env files in /local
• Update README.md with changes to environment setup
• Update setup-env-files command with appropriate changes

Docker Files

• Only keep db service in docker-compose.local.yml
• Remove dev_docker env files

Backend

1. Dockerfile
   • Remove appuser setup
     • Causes issues with root ownership of app data on Spin
     • Told it was probably okay to remove but need to follow up with John Riner for confirmation
2. config.py
   • Accept OS environment variables (set on Rancher), in addition to env file (for local dev)
3. Rancher environment variables
   • SSL/cert setup
   • Frontend origin and redirect setup
   • Authentication setup -- create another OAuth app on GitHub

Frontend

1. Dockerfile
   • Remove node_modules mounting for hot reload
     • Error where incorrect node_modules is referenced on Spin (requires volume mount, which is unnecessary)
   • Remove VITE_API_URL env var setting
2. nginx-backend-not-found.conf
   • Encapsulate location blocks inside server{...}
3. vite.config.ts
   • Update certificate setup for local path

Checklist

• Code follows project style guidelines
• Self-reviewed code
• No new warnings
• Tests added or updated (if needed)
• All tests pass (locally and CI/CD)
• Documentation/comments updated (if needed)
• Breaking change noted (if applicable)

Deployment Notes (if any)

01/08/26

• I successfully deployed the db, backend, and frontend services at NERSC Spin. All of them use the correct Docker images, env variables are set up, and ports are exposed for the ingress. The ingress is also set up correctly.
• The backend successfully receives REST API requests over HTTPS
• The frontend fails to redirect on the browser from HTTP -> HTTPS due to missing domain and certificate for HTTPS
  • Options:
    • Now: Deploy on Vercel and configure to use backend deployed at NERSC Spin - still fails with CORS
      • You cannot call a Spin internal ingress hostname with a private TLS certificate directly from a Vercel-hosted browser app — you must use a publicly trusted hostname or proxy the requests.
    • Long term: Get a real domain + certificate, then host frontend on Spin (get one from E3SM domain e.g., simboard.e3sm.org

Follow-up Tasks

• [DevOps]: Automate Container Builds to NERSC Registry via GitHub Actions (Dev & Prod CI/CD) #80
• [DevOps]: Request HTTPS domains and institutional TLS certificates for SimBoard (dev & prod) #79

[Copilot]

Pull request overview

This PR refactors SimBoard's Docker infrastructure to support deployment on NERSC Spin by simplifying the environment management system from multiple environments (dev/dev_docker/prod) to a cleaner local/production split, removing Traefik dependencies, and enabling the backend to accept OS-level environment variables.

Key changes:

• Consolidated environment configuration from .envs/{dev,dev_docker,prod}/ to .envs/{example,local}/ with cleaner separation between templates and developer-specific values
• Updated backend configuration to load env files only in development mode (ENV=development), relying on OS environment variables in production
• Removed non-root user from backend container to accommodate NERSC Spin's volume permission model
• Simplified frontend API configuration to use relative paths in production and configurable origins in development
• Removed Traefik from docker-compose.yml and consolidated Docker development setup into docker-compose.local.yml
• Updated certificate naming from dev.key/dev.crt to local.key/local.crt for clarity
• Reorganized Makefile commands to remove env parameter complexity

Reviewed changes

Copilot reviewed 24 out of 27 changed files in this pull request and generated 16 comments.

Show a summary per file

File	Description
frontend/vite.config.ts	Refactored to load env files only in development mode; simplified cert path handling
frontend/src/api/api.ts	Changed API URL construction to use relative paths in production, absolute in dev
frontend/package.json	Removed TypeScript compilation from build script
frontend/nginx.conf	Added backend route blocking; improved SPA fallback logic
frontend/nginx-backend-not-found.conf	Removed (consolidated into nginx.conf)
frontend/Dockerfile	Removed VITE_API_URL build arg; removed separate nginx-backend-not-found.conf copy; removed security upgrade
backend/app/core/config.py	Simplified env file loading to check ENV variable instead of CI/APP_ENV
backend/tests/core/test_config.py	Updated tests for new ENV-based logic and directory structure
backend/Dockerfile	Changed to non-editable wheel installation; removed non-root user setup
docker-compose.yml	Removed Traefik, simplified to backend/frontend services with env variable support
docker-compose.local.yml	New file for local PostgreSQL service only
docker-compose.dev.yml	Removed (no longer needed)
Makefile	Removed env parameter; consolidated commands; updated to use docker-compose.local.yml
README.md	Updated cert paths; added NERSC Spin build instructions; updated directory structure docs
.gitignore	Updated cert script name reference
.github/workflows/backend-ci.yml	Removed CI and APP_ENV variables (now uses ENV=test)
certs/generate-local-certs.sh	Renamed from generate-dev-certs.sh; updated output filenames
.envs/ structure	Reorganized to example/ (templates) and local/ (gitignored developer values)

Comments suppressed due to low confidence (1)

.envs/example/backend.production.env.example:18

• The production env file example includes 'CI=true' which forces the config to skip loading the env file. This is confusing as it contradicts the purpose of the file. Either remove this line or add a clear comment explaining that this is only needed when running locally with production-mode docker-compose to simulate the CI environment behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.