From d6e2bd30a2741e5d9e2e0fc0460886a80d3b148a Mon Sep 17 00:00:00 2001
From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com>
Date: Tue, 13 Jan 2026 23:02:50 +0530
Subject: [PATCH 1/4] Replace vulnerable minio with stable version on compose template
---
 docker-compose.template.yml | 38 +++++++++++++++++++++++++++++--------
 1 file changed, 30 insertions(+), 8 deletions(-)
diff --git a/docker-compose.template.yml b/docker-compose.template.yml
index 90d15049a3..c395897f80 100644
--- a/docker-compose.template.yml
+++ b/docker-compose.template.yml
@@ -4,6 +4,29 @@ name: cap-so-docker-template # IT IS NOT MEANT FOR PRODUCTION DEPLOYMENT WITHOUT MODIFICATIONS TO ENVIRONMENT VARIABLES # IT IS MEANT FOR LOCAL EVALUATION AND DEVELOPMENT PURPOSES ONLY +# Storage Configuration: +# Option 1: Remote S3-compatible storage (AWS S3, Cloudflare R2, etc.) +# Set these environment variables: +# - CAP_AWS_ACCESS_KEY: Your S3/R2 access key +# - CAP_AWS_SECRET_KEY: Your S3/R2 secret key +# - CAP_AWS_BUCKET: Your S3/R2 bucket name +# - CAP_AWS_REGION: Your S3/R2 region (e.g., us-east-1, auto for R2) +# - CAP_AWS_ENDPOINT: Your S3/R2 endpoint URL +# - S3_PUBLIC_ENDPOINT: Public endpoint for your bucket (same as CAP_AWS_ENDPOINT for most cases) +# - S3_INTERNAL_ENDPOINT: Internal endpoint (same as CAP_AWS_ENDPOINT for most cases) +# - S3_PATH_STYLE: true for R2/most S3-compatible, false for AWS S3 virtual-hosted style +# +# Option 2: Local MinIO storage (included on this compose) +# Deploy MinIO as a separate service in the same network or and set: +# - CAP_AWS_ACCESS_KEY: MinIO root user +# - CAP_AWS_SECRET_KEY: MinIO root password +# - CAP_AWS_BUCKET: Your bucket name (e.g., capso) +# - CAP_AWS_REGION: us-east-1 (or any region) +# - CAP_AWS_ENDPOINT: http://minio:9000 (internal MinIO endpoint) +# - S3_PUBLIC_ENDPOINT: http://your-minio-domain:9000 (public MinIO endpoint) +# - S3_INTERNAL_ENDPOINT: http://minio:9000 (internal MinIO endpoint) +# - S3_PATH_STYLE: true + services: cap-web: container_name: cap-web @@ -21,8 +44,8 @@ services: CAP_AWS_SECRET_KEY: capS3root CAP_AWS_BUCKET: capso CAP_AWS_REGION: us-east-1 - S3_PUBLIC_ENDPOINT: http://localhost:3902 - S3_INTERNAL_ENDPOINT: http://minio:3902 + S3_PUBLIC_ENDPOINT: http://localhost:9000 + S3_INTERNAL_ENDPOINT: http://minio:9000 MEDIA_SERVER_URL: http://cap-media-server:3456 # CHANGE THESE TO YOUR OWN VALUES MEDIA_SERVER_WEBHOOK_SECRET: fe337b52749070bb7b5d2c78cff9948439ea73cbc1869ba39d350e6c24db53b1 
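Review bot: The Option 2 comment block in the first hunk tells users to put the MinIO root user and root password into `CAP_AWS_ACCESS_KEY` / `CAP_AWS_SECRET_KEY`, so the web app ends up holding full administrative credentials for the object store when it only needs one bucket. Suggest wording the line as `# - CAP_AWS_ACCESS_KEY: MinIO access key (prefer a dedicated key limited to the bucket, not the root user)`, with the matching change on the secret-key line. The same block says MinIO is "included on this compose" and then "Deploy MinIO as a separate service", which reads as contradictory. One sentence stating that the bundled `minio` service is the default would remove the ambiguity.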
@@ -61,19 +84,18 @@ services: # Local S3 Strorage minio: container_name: cap-minio-storage - image: "bitnami/minio:latest" + image: ghcr.io/coollabsio/minio:RELEASE.2025-10-15T17-29-55Z # Released on 15 October 2025 (includes fix for CVE-2025-62506) restart: unless-stopped + command: 'server /data --console-address ":9001"' ports: - - "3902:3902" - - "3903:3903" + - "9000:9000" # API + - "9001:9001" # Console environment: - - MINIO_API_PORT_NUMBER=3902 - - MINIO_CONSOLE_PORT_NUMBER=3903 # CHANGE THESE TO YOUR OWN VALUES - MINIO_ROOT_USER=capS3root - MINIO_ROOT_PASSWORD=capS3root volumes: - - minio-data:/bitnami/minio/data + - minio-data:/data - minio-certs:/certs volumes: ps-mysql: From db6637ff866f36c5f13bd4277564233be8479d02 Mon Sep 17 00:00:00 2001 From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com> Date: Tue, 13 Jan 2026 23:45:58 +0530 Subject: [PATCH 2/4] Add healthcheck to services on compose template --- docker-compose.template.yml | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/docker-compose.template.yml b/docker-compose.template.yml index c395897f80..d5dab247f0 100644 --- a/docker-compose.template.yml +++ b/docker-compose.template.yml @@ -49,9 +49,14 @@ services: MEDIA_SERVER_URL: http://cap-media-server:3456 # CHANGE THESE TO YOUR OWN VALUES MEDIA_SERVER_WEBHOOK_SECRET: fe337b52749070bb7b5d2c78cff9948439ea73cbc1869ba39d350e6c24db53b1 - ports: - 3000:3000 + healthcheck: + test: ["CMD-SHELL", "wget --spider -q http://127.0.0.1:3000/ || exit 1"] + interval: 10s + timeout: 5s + retries: 5 + start_period: 10s ps-mysql: container_name: cap-primary-db @@ -69,6 +74,12 @@ services: ] ports: - "3306:3306" + healthcheck: + test: ["CMD", "mysqladmin", "ping", "-h", "localhost"] + interval: 10s + timeout: 5s + retries: 5 + start_period: 20s volumes: - ps-mysql:/var/lib/mysql 
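Review bot: The replacement `image:` line in the `minio` service hunk pins the release by tag only, and a registry tag can be re-pointed, so the trailing comment about the CVE fix holds only for whatever the tag resolves to at pull time. Adding the digest, `image: ghcr.io/coollabsio/minio:RELEASE.2025-10-15T17-29-55Z@sha256:<digest-of-the-reviewed-image>` (placeholder, the digest is not on this page), makes the reviewed image the one that runs; the registry path also looks like a rebuild hosted outside the upstream project, so a comment saying why it is trusted would help. In the same hunk `"9000:9000"` and `"9001:9001"` publish the API and the console on every host interface while the root credentials are still the template defaults; `"127.0.0.1:9000:9000"` and `"127.0.0.1:9001:9001"` would be a safer default for a local-evaluation template. The `minio-certs:/certs` mount is kept, but the new `command` passes no `--certs-dir /certs`, so if this image follows upstream MinIO defaults the volume is presumably no longer read.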
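Review bot: In the `ps-mysql` healthcheck (second hunk of patch 2/4), `mysqladmin ping -h localhost` connects over the Unix socket, so it can report healthy while first-run initialisation is still running its temporary server, before the real server accepts TCP connections. If this service uses the official MySQL image (the image line is outside the hunk), `test: ["CMD", "mysqladmin", "ping", "-h", "127.0.0.1"]` forces TCP and avoids that early false positive. None of the added healthchecks is consumed by a `depends_on` condition in the visible hunks, so `cap-web` may still start before the database is ready. If that ordering matters, a `depends_on` entry with `condition: service_healthy` on `cap-web` would put the checks to use.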
@@ -80,6 +91,13 @@ services: PORT: 3456 ports: - "3456:3456" + # TO DO: Enable healthcheck after media server image is published (wget mostly works but double check if wget is present inside container) + # healthcheck: + # test: ["CMD-SHELL", "wget --spider -q http://127.0.0.1:3456/ || exit 1"] + # interval: 10s + # timeout: 5s + # retries: 5 + # start_period: 10s # Local S3 Strorage minio: @@ -94,6 +112,12 @@ services: # CHANGE THESE TO YOUR OWN VALUES - MINIO_ROOT_USER=capS3root - MINIO_ROOT_PASSWORD=capS3root + healthcheck: + test: ["CMD", "mc", "ready", "local"] + interval: 10s + timeout: 5s + retries: 5 + start_period: 10s volumes: - minio-data:/data - minio-certs:/certs From 43277fc188498fc67fdb3d072f41cd8b47e33412 Mon Sep 17 00:00:00 2001 From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com> Date: Wed, 14 Jan 2026 00:29:52 +0530 Subject: [PATCH 3/4] Fix typo compose template Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> --- docker-compose.template.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.template.yml b/docker-compose.template.yml index d5dab247f0..9ee4247aea 100644 --- a/docker-compose.template.yml +++ b/docker-compose.template.yml @@ -99,7 +99,7 @@ services: # retries: 5 # start_period: 10s - # Local S3 Strorage + # Local S3 Storage minio: container_name: cap-minio-storage image: ghcr.io/coollabsio/minio:RELEASE.2025-10-15T17-29-55Z # Released on 15 October 2025 (includes fix for CVE-2025-62506) From d8c11152ef4e1eaaee6bed6671d7ca319163fd0c Mon Sep 17 00:00:00 2001 From: ShadowArcanist <162910371+ShadowArcanist@users.noreply.github.com> Date: Wed, 14 Jan 2026 00:33:59 +0530 Subject: [PATCH 4/4] Fix typo on S3 storage notes on compose template Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> --- docker-compose.template.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
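Review bot: The `minio` healthcheck in the second hunk on this line runs `mc ready local`, which only works if the `mc` client ships inside this image and its default `local` alias points at the API port; neither is visible in the patch. The TODO on the media-server check raises the same doubt about `wget`, but no such note was left here. If `mc` is missing, the container is reported unhealthy indefinitely even though the server is fine. Suggest confirming it against the pinned image and recording the result in a comment above the check, for example `# mc is bundled in this image; 'local' is its default alias for http://localhost:9000`.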
diff --git a/docker-compose.template.yml b/docker-compose.template.yml index 9ee4247aea..92ceb84b09 100644 --- a/docker-compose.template.yml +++ b/docker-compose.template.yml @@ -17,7 +17,7 @@ name: cap-so-docker-template # - S3_PATH_STYLE: true for R2/most S3-compatible, false for AWS S3 virtual-hosted style # # Option 2: Local MinIO storage (included on this compose) -# Deploy MinIO as a separate service in the same network or and set: +# Deploy MinIO as a separate service in the same network and set: # - CAP_AWS_ACCESS_KEY: MinIO root user # - CAP_AWS_SECRET_KEY: MinIO root password # - CAP_AWS_BUCKET: Your bucket name (e.g., capso)