From f9b22d96317f94f93501ecfa5ac95b2cf6d2e756 Mon Sep 17 00:00:00 2001
From: Yury Kossakovsky
Date: Tue, 19 Aug 2025 14:25:07 -0600
Subject: [PATCH] Add Postiz configuration and environment variables

- Updated .env.example to include new environment variables for Postiz, including authentication and social media integration settings.
- Modified Caddyfile to implement basic authentication for the Postiz service.
- Enhanced docker-compose.yml to incorporate Postiz environment variables and ensure proper service configuration.
- Updated scripts to generate Postiz-related secrets and included them in the final report for user reference.
---
.env.example | 60 ++++++++++++++++++++++++++
Caddyfile | 3 ++
docker-compose.yml | 77 ++++++++++++++++++++++++----------
scripts/03_generate_secrets.sh | 19 ++++++++-
scripts/06_final_report.sh | 4 +-
5 files changed, 139 insertions(+), 24 deletions(-)
diff --git a/.env.example b/.env.example
index e747eb0..c4ee19d 100644
--- a/.env.example
+++ b/.env.example
@@ -322,3 +322,63 @@ PROMETHEUS_PASSWORD_HASH= SEARXNG_PASSWORD_HASH= COMFYUI_PASSWORD_HASH= RAGAPP_PASSWORD_HASH= + +############ +# Postiz configuration +# Reference: https://docs.postiz.com/configuration/reference +# To protect Postiz via Caddy basic auth (optional), set these: +############ + +POSTIZ_USERNAME= +POSTIZ_PASSWORD= +POSTIZ_PASSWORD_HASH= + +############ +# Postiz Social Media Integrations +# Leave blank if not used. Provide credentials from each platform. +############ + +X_API_KEY= +X_API_SECRET= + +LINKEDIN_CLIENT_ID= +LINKEDIN_CLIENT_SECRET= + +REDDIT_CLIENT_ID= +REDDIT_CLIENT_SECRET= + +GITHUB_CLIENT_ID= +GITHUB_CLIENT_SECRET= + +BEEHIIVE_API_KEY= +BEEHIIVE_PUBLICATION_ID= + +THREADS_APP_ID= +THREADS_APP_SECRET= + +FACEBOOK_APP_ID= +FACEBOOK_APP_SECRET= + +YOUTUBE_CLIENT_ID= +YOUTUBE_CLIENT_SECRET= + +TIKTOK_CLIENT_ID= +TIKTOK_CLIENT_SECRET= + +PINTEREST_CLIENT_ID= +PINTEREST_CLIENT_SECRET= + +DRIBBBLE_CLIENT_ID= +DRIBBBLE_CLIENT_SECRET= + +DISCORD_CLIENT_ID= +DISCORD_CLIENT_SECRET= +DISCORD_BOT_TOKEN_ID= + +SLACK_ID= +SLACK_SECRET= +SLACK_SIGNING_SECRET= + +MASTODON_URL=https://mastodon.social +MASTODON_CLIENT_ID= +MASTODON_CLIENT_SECRET= diff --git a/Caddyfile b/Caddyfile index 68b11e4..9cff214 100644 --- a/Caddyfile +++ b/Caddyfile @@ -68,6 +68,9 @@ # Postiz {$POSTIZ_HOSTNAME} { + basic_auth { + {$POSTIZ_USERNAME} {$POSTIZ_PASSWORD_HASH} + } reverse_proxy postiz:5000 } diff --git a/docker-compose.yml b/docker-compose.yml index c3df1f5..b1aae27 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
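Review bot: The `basic_auth` block added to the `{$POSTIZ_HOSTNAME}` site in the Caddyfile hunk is unconditional, while the comment added to .env.example in the same commit describes Caddy basic auth for Postiz as optional. If `POSTIZ_USERNAME` or `POSTIZ_PASSWORD_HASH` is left blank, the placeholder line expands to nothing and the block holds no account; I would expect Caddy either to refuse the config or to leave the site without a usable credential, and that should be checked rather than assumed. Either reword the .env.example comment, for example `# Postiz is served behind Caddy basic auth; POSTIZ_USERNAME and POSTIZ_PASSWORD_HASH are required`, or give operators a real way to switch the block off. The gate also covers only the public hostname, since containers on the compose network still reach `postiz:5000` directly.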
@@ -201,32 +201,34 @@ services: - caddy-data:/data:rw - caddy-config:/config:rw environment: - - N8N_HOSTNAME=${N8N_HOSTNAME} - - WEBUI_HOSTNAME=${WEBUI_HOSTNAME} - - FLOWISE_HOSTNAME=${FLOWISE_HOSTNAME} + - COMFYUI_HOSTNAME=${COMFYUI_HOSTNAME} + - COMFYUI_PASSWORD_HASH=${COMFYUI_PASSWORD_HASH} + - COMFYUI_USERNAME=${COMFYUI_USERNAME} - DIFY_HOSTNAME=${DIFY_HOSTNAME} - - RAGAPP_HOSTNAME=${RAGAPP_HOSTNAME} - - RAGAPP_USERNAME=${RAGAPP_USERNAME} - - RAGAPP_PASSWORD_HASH=${RAGAPP_PASSWORD_HASH} - - SUPABASE_HOSTNAME=${SUPABASE_HOSTNAME} - - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME} - - LANGFUSE_HOSTNAME=${LANGFUSE_HOSTNAME} - - WEAVIATE_HOSTNAME=${WEAVIATE_HOSTNAME} - - QDRANT_HOSTNAME=${QDRANT_HOSTNAME} - - NEO4J_HOSTNAME=${NEO4J_HOSTNAME} - - LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL:-internal} - - PROMETHEUS_HOSTNAME=${PROMETHEUS_HOSTNAME} + - FLOWISE_HOSTNAME=${FLOWISE_HOSTNAME} - GRAFANA_HOSTNAME=${GRAFANA_HOSTNAME} + - LANGFUSE_HOSTNAME=${LANGFUSE_HOSTNAME} + - LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL:-internal} - LETTA_HOSTNAME=${LETTA_HOSTNAME} - - PROMETHEUS_USERNAME=${PROMETHEUS_USERNAME} - - PROMETHEUS_PASSWORD_HASH=${PROMETHEUS_PASSWORD_HASH} - - SEARXNG_USERNAME=${SEARXNG_USERNAME} - - SEARXNG_PASSWORD_HASH=${SEARXNG_PASSWORD_HASH} + - N8N_HOSTNAME=${N8N_HOSTNAME} + - NEO4J_HOSTNAME=${NEO4J_HOSTNAME} - PORTAINER_HOSTNAME=${PORTAINER_HOSTNAME} - POSTIZ_HOSTNAME=${POSTIZ_HOSTNAME} - - COMFYUI_HOSTNAME=${COMFYUI_HOSTNAME} - - COMFYUI_USERNAME=${COMFYUI_USERNAME} - - COMFYUI_PASSWORD_HASH=${COMFYUI_PASSWORD_HASH} + - POSTIZ_PASSWORD_HASH=${POSTIZ_PASSWORD_HASH} + - POSTIZ_USERNAME=${POSTIZ_USERNAME} + - PROMETHEUS_HOSTNAME=${PROMETHEUS_HOSTNAME} + - PROMETHEUS_PASSWORD_HASH=${PROMETHEUS_PASSWORD_HASH} + - PROMETHEUS_USERNAME=${PROMETHEUS_USERNAME} + - QDRANT_HOSTNAME=${QDRANT_HOSTNAME} + - RAGAPP_HOSTNAME=${RAGAPP_HOSTNAME} + - RAGAPP_PASSWORD_HASH=${RAGAPP_PASSWORD_HASH} + - RAGAPP_USERNAME=${RAGAPP_USERNAME} + - SEARXNG_HOSTNAME=${SEARXNG_HOSTNAME} + - 
SEARXNG_PASSWORD_HASH=${SEARXNG_PASSWORD_HASH} + - SEARXNG_USERNAME=${SEARXNG_USERNAME} + - SUPABASE_HOSTNAME=${SUPABASE_HOSTNAME} + - WEAVIATE_HOSTNAME=${WEAVIATE_HOSTNAME} + - WEBUI_HOSTNAME=${WEBUI_HOSTNAME} cap_drop: - ALL cap_add: @@ -613,6 +615,39 @@ services: - DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@postgres:5432/postgres?schema=postiz - REDIS_URL=redis://redis:6379 - JWT_SECRET=${JWT_SECRET} + - DISABLE_REGISTRATION=true + # Social Media API Settings + - X_API_KEY=${X_API_KEY} + - X_API_SECRET=${X_API_SECRET} + - LINKEDIN_CLIENT_ID=${LINKEDIN_CLIENT_ID} + - LINKEDIN_CLIENT_SECRET=${LINKEDIN_CLIENT_SECRET} + - REDDIT_CLIENT_ID=${REDDIT_CLIENT_ID} + - REDDIT_CLIENT_SECRET=${REDDIT_CLIENT_SECRET} + - GITHUB_CLIENT_ID=${GITHUB_CLIENT_ID} + - GITHUB_CLIENT_SECRET=${GITHUB_CLIENT_SECRET} + - BEEHIIVE_API_KEY=${BEEHIIVE_API_KEY} + - BEEHIIVE_PUBLICATION_ID=${BEEHIIVE_PUBLICATION_ID} + - THREADS_APP_ID=${THREADS_APP_ID} + - THREADS_APP_SECRET=${THREADS_APP_SECRET} + - FACEBOOK_APP_ID=${FACEBOOK_APP_ID} + - FACEBOOK_APP_SECRET=${FACEBOOK_APP_SECRET} + - YOUTUBE_CLIENT_ID=${YOUTUBE_CLIENT_ID} + - YOUTUBE_CLIENT_SECRET=${YOUTUBE_CLIENT_SECRET} + - TIKTOK_CLIENT_ID=${TIKTOK_CLIENT_ID} + - TIKTOK_CLIENT_SECRET=${TIKTOK_CLIENT_SECRET} + - PINTEREST_CLIENT_ID=${PINTEREST_CLIENT_ID} + - PINTEREST_CLIENT_SECRET=${PINTEREST_CLIENT_SECRET} + - DRIBBBLE_CLIENT_ID=${DRIBBBLE_CLIENT_ID} + - DRIBBBLE_CLIENT_SECRET=${DRIBBBLE_CLIENT_SECRET} + - DISCORD_CLIENT_ID=${DISCORD_CLIENT_ID} + - DISCORD_CLIENT_SECRET=${DISCORD_CLIENT_SECRET} + - DISCORD_BOT_TOKEN_ID=${DISCORD_BOT_TOKEN_ID} + - SLACK_ID=${SLACK_ID} + - SLACK_SECRET=${SLACK_SECRET} + - SLACK_SIGNING_SECRET=${SLACK_SIGNING_SECRET} + - MASTODON_URL=${MASTODON_URL} + - MASTODON_CLIENT_ID=${MASTODON_CLIENT_ID} + - MASTODON_CLIENT_SECRET=${MASTODON_CLIENT_SECRET} depends_on: postgres: condition: service_healthy 
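Review bot: The social-media entries added to the postiz `environment:` list are interpolated without a default, so a `.env` that predates this commit (and is not regenerated from the new template) makes Compose warn once per missing key and substitute a blank string. The caddy service in this file already uses the `:-` form for `LETSENCRYPT_EMAIL`, and the same form states the intent here, e.g. `- X_API_KEY=${X_API_KEY:-}`. `DISABLE_REGISTRATION=true` is hard-coded with no comment, and whoever deploys this needs to know how the first account is created with sign-up off; a line such as `# Sign-up disabled: confirm in the Postiz configuration reference how the initial account is created` would cover it. Every provider secret listed here also becomes readable through container inspection, so access to the Docker socket should be treated as access to these credentials.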
diff --git a/scripts/03_generate_secrets.sh b/scripts/03_generate_secrets.sh index 296242c..b26e675 100755 --- a/scripts/03_generate_secrets.sh +++ b/scripts/03_generate_secrets.sh @@ -53,6 +53,7 @@ declare -A VARS_TO_GENERATE=( ["DIFY_SECRET_KEY"]="secret:64" # Dify application secret key (maps to SECRET_KEY in Dify) ["COMFYUI_PASSWORD"]="password:32" # Added ComfyUI basic auth password ["RAGAPP_PASSWORD"]="password:32" # Added RAGApp basic auth password + ["POSTIZ_PASSWORD"]="password:32" # Added Postiz basic auth password ) # Initialize existing_env_vars and attempt to read .env if it exists @@ -372,6 +373,7 @@ generated_values["N8N_WORKER_COUNT"]="$N8N_WORKER_COUNT" generated_values["WEAVIATE_USERNAME"]="$USER_EMAIL" # Set Weaviate username for Caddy generated_values["COMFYUI_USERNAME"]="$USER_EMAIL" # Set ComfyUI username for Caddy generated_values["RAGAPP_USERNAME"]="$USER_EMAIL" # Set RAGApp username for Caddy +generated_values["POSTIZ_USERNAME"]="$USER_EMAIL" # Set Postiz username for Caddy if [[ -n "$OPENAI_API_KEY" ]]; then generated_values["OPENAI_API_KEY"]="$OPENAI_API_KEY" @@ -397,6 +399,7 @@ found_vars["WEAVIATE_USERNAME"]=0 found_vars["NEO4J_AUTH_USERNAME"]=0 found_vars["COMFYUI_USERNAME"]=0 found_vars["RAGAPP_USERNAME"]=0 +found_vars["POSTIZ_USERNAME"]=0 # Read template, substitute domain, generate initial values while IFS= read -r line || [[ -n "$line" ]]; do 
@@ -443,7 +446,7 @@ while IFS= read -r line || [[ -n "$line" ]]; do # This 'else' block is for lines from template not covered by existing values or VARS_TO_GENERATE. # Check if it is one of the user input vars - these are handled by found_vars later if not in template. is_user_input_var=0 # Reset for each line - user_input_vars=("FLOWISE_USERNAME" "DASHBOARD_USERNAME" "LETSENCRYPT_EMAIL" "RUN_N8N_IMPORT" "PROMETHEUS_USERNAME" "SEARXNG_USERNAME" "OPENAI_API_KEY" "LANGFUSE_INIT_USER_EMAIL" "N8N_WORKER_COUNT" "WEAVIATE_USERNAME" "NEO4J_AUTH_USERNAME" "COMFYUI_USERNAME" "RAGAPP_USERNAME") + user_input_vars=("FLOWISE_USERNAME" "DASHBOARD_USERNAME" "LETSENCRYPT_EMAIL" "RUN_N8N_IMPORT" "PROMETHEUS_USERNAME" "SEARXNG_USERNAME" "OPENAI_API_KEY" "LANGFUSE_INIT_USER_EMAIL" "N8N_WORKER_COUNT" "WEAVIATE_USERNAME" "NEO4J_AUTH_USERNAME" "COMFYUI_USERNAME" "RAGAPP_USERNAME" "POSTIZ_USERNAME") for uivar in "${user_input_vars[@]}"; do if [[ "$varName" == "$uivar" ]]; then is_user_input_var=1 @@ -525,7 +528,7 @@ if [[ -z "${generated_values[SERVICE_ROLE_KEY]}" ]]; then fi # Add any custom variables that weren't found in the template -for var in "FLOWISE_USERNAME" "DASHBOARD_USERNAME" "LETSENCRYPT_EMAIL" "RUN_N8N_IMPORT" "OPENAI_API_KEY" "PROMETHEUS_USERNAME" "SEARXNG_USERNAME" "LANGFUSE_INIT_USER_EMAIL" "N8N_WORKER_COUNT" "WEAVIATE_USERNAME" "NEO4J_AUTH_USERNAME" "COMFYUI_USERNAME" "RAGAPP_USERNAME"; do +for var in "FLOWISE_USERNAME" "DASHBOARD_USERNAME" "LETSENCRYPT_EMAIL" "RUN_N8N_IMPORT" "OPENAI_API_KEY" "PROMETHEUS_USERNAME" "SEARXNG_USERNAME" "LANGFUSE_INIT_USER_EMAIL" "N8N_WORKER_COUNT" "WEAVIATE_USERNAME" "NEO4J_AUTH_USERNAME" "COMFYUI_USERNAME" "RAGAPP_USERNAME" "POSTIZ_USERNAME"; do if [[ ${found_vars["$var"]} -eq 0 && -v generated_values["$var"] ]]; then # Before appending, check if it's already in TMP_ENV_FILE to avoid duplicates if ! grep -q -E "^${var}=" "$TMP_ENV_FILE"; then 
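Review bot: `POSTIZ_USERNAME` has to be appended by hand to two separate literal lists, the `user_input_vars` array in the hunk at -443 and the `for var in …` list in the hunk at -525, and it is also seeded in `found_vars` in the hunk at -397. By the look of the surrounding code, forgetting any one of the three would quietly change whether the username reaches the generated `.env`. Defining the list once, e.g. `readonly USER_INPUT_VARS=("FLOWISE_USERNAME" … "POSTIZ_USERNAME")`, and iterating `"${USER_INPUT_VARS[@]}"` in both places removes that risk. `user_input_vars` also appears to be reassigned on every pass of the `while IFS= read -r line` loop named in the hunk header, so hoisting it helps there too. Both loops start and end outside these hunks.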
@@ -661,6 +664,18 @@ fi _update_or_add_env_var "RAGAPP_PASSWORD_HASH" "$FINAL_RAGAPP_HASH" +# --- POSTIZ --- +POSTIZ_PLAIN_PASS="${generated_values["POSTIZ_PASSWORD"]}" +FINAL_POSTIZ_HASH="${generated_values[POSTIZ_PASSWORD_HASH]}" +if [[ -z "$FINAL_POSTIZ_HASH" && -n "$POSTIZ_PLAIN_PASS" ]]; then + NEW_HASH=$(_generate_and_get_hash "$POSTIZ_PLAIN_PASS") + if [[ -n "$NEW_HASH" ]]; then + FINAL_POSTIZ_HASH="$NEW_HASH" + generated_values["POSTIZ_PASSWORD_HASH"]="$NEW_HASH" + fi +fi +_update_or_add_env_var "POSTIZ_PASSWORD_HASH" "$FINAL_POSTIZ_HASH" + if [ $? -eq 0 ]; then # This $? reflects the status of the last mv command from the last _update_or_add_env_var call. # For now, assuming if we reached here and mv was fine, primary operations were okay. echo ".env file generated successfully in the project root ($OUTPUT_FILE)." diff --git a/scripts/06_final_report.sh b/scripts/06_final_report.sh index b4c6b11..74741cf 100755 --- a/scripts/06_final_report.sh +++ b/scripts/06_final_report.sh @@ -140,7 +140,9 @@ if is_profile_active "postiz"; then echo "================================= Postiz ==============================" echo echo "Host: ${POSTIZ_HOSTNAME:-}" - echo "Note: Configure Postgres/Redis in /config/.env inside the container on first run." + echo "Internal Access (from other containers): http://postiz:5000" + echo "User: ${POSTIZ_USERNAME:-}" + echo "Password: ${POSTIZ_PASSWORD:-}" fi if is_profile_active "ragapp"; then
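Review bot: `_update_or_add_env_var "POSTIZ_PASSWORD_HASH" "$FINAL_POSTIZ_HASH"` runs even when `_generate_and_get_hash` returned nothing, so a failed hash generation writes an empty `POSTIZ_PASSWORD_HASH` without any message. Because the Caddyfile change in this commit always emits the Postiz `basic_auth` block, an empty hash is a configuration fault that should surface during installation rather than at the first request. Add a guard before the update call, for example `[[ -n "$FINAL_POSTIZ_HASH" ]] || echo "WARNING: POSTIZ_PASSWORD_HASH is empty; Postiz basic auth is not configured" >&2`. The plain password is also passed to `_generate_and_get_hash` as an argument; that helper is defined outside the hunk, so it is worth confirming it does not forward the value on another command's argv.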
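Review bot: `echo "Password: ${POSTIZ_PASSWORD:-}"` in the Postiz section of 06_final_report.sh writes the basic-auth password in clear text to the installer's output, where it stays in terminal scrollback and in any log the run is captured to. The value is already stored in `.env`, so the report can point there instead: `echo "Password: (see POSTIZ_PASSWORD in .env)"`. Other sections of the report may follow the same pattern, but they are outside this hunk. The "Internal Access" line deserves a short qualifier as well, since `http://postiz:5000` is reached without passing through Caddy's basic auth.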