From cdb5db6c68c33653f2d908c1212db5eaeddf35cc Mon Sep 17 00:00:00 2001
From: Marcel
Date: Mon, 11 May 2026 20:03:57 +0200
Subject: [PATCH] fix(compose): require IMPORT_HOST_DIR, no default
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Tobias and Markus both flagged that a shared default (/srv/familienarchiv/ import) invites silent collision when staging and prod cohabit one host. Switch to ${IMPORT_HOST_DIR:?...} so compose refuses to start without an explicit per-env path — collision becomes structurally impossible. The error message points operators at docs/DEPLOYMENT.md so the recovery step is one click away. IMPORT_HOST_DIR moves from "Optional" to the main required-env-vars block in the header. Addresses review feedback from Markus, Tobias, and Nora on #526.
Co-Authored-By: Claude Opus 4.7
---
docker-compose.prod.yml | 23 ++++++++++++-----------
1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index b4044014..e8687d45 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -26,14 +26,15 @@ # MAIL_HOST, MAIL_PORT, SMTP relay (production only; staging uses mailpit) # MAIL_USERNAME, MAIL_PASSWORD # APP_MAIL_FROM sender address (e.g. noreply@raddatz.cloud) -# -# Optional env vars: -# IMPORT_HOST_DIR absolute host path holding the ODS spreadsheet -# and PDFs for /admin/system mass import. Mounted -# read-only at /import inside the backend. -# Defaults to /srv/familienarchiv/import. When the -# path is empty the import API simply reports -# "no spreadsheet found" — no crash. +# IMPORT_HOST_DIR absolute host path holding ONLY the ODS +# spreadsheet and PDFs for /admin/system mass +# import — mounted read-only at /import inside +# the backend. Compose refuses to start when +# this var is unset, so staging and prod cannot +# accidentally share an import source. Must be +# readable by the backend container's UID +# (currently root via the OpenJDK image — any +# world-readable directory works). networks: archiv-net: @@ -183,10 +184,10 @@ services: - "127.0.0.1:${PORT_BACKEND}:8080" # Host path holding the ODS spreadsheet + PDFs for the mass-import endpoint. # Read-only; MassImportService only reads (Files.list / Files.walk on /import). - # Outside the compose working dir on purpose — that dir is recreated per CI - # deploy. See IMPORT_HOST_DIR in the header for the env-var contract. + # Required — no default — so staging and prod cannot accidentally share an + # import source. CI workflows pin this per-env (see .gitea/workflows/). volumes: - - ${IMPORT_HOST_DIR:-/srv/familienarchiv/import}:/import:ro + - ${IMPORT_HOST_DIR:?Set IMPORT_HOST_DIR to a host path holding the mass-import payload (ODS + PDFs). See docs/DEPLOYMENT.md.}:/import:ro environment: SPRING_DATASOURCE_URL: jdbc:postgresql://db:5432/archiv SPRING_DATASOURCE_USERNAME: archiv
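Review bot: The last added comment lines of the IMPORT_HOST_DIR entry tell operators that "any world-readable directory works", which nudges them to loosen permissions on a directory that holds the archive's spreadsheet and PDFs. A container process running as root normally reads a bind mount regardless of the other-read bit (user-namespace remapping or rootless Docker would change that, and neither is visible here), so the advice is not needed and leaves the payload readable by every local account on the host. I would word it as `# Must be readable by the UID the backend runs as (currently root); keep the directory owner/group-only, not world-readable.` The header comment block starts above the hunk.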
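Review bot: `${IMPORT_HOST_DIR:?…}` on the new volume line rejects only an unset or empty variable; a mistyped or not-yet-created path still passes, and with the short bind syntax Docker creates the missing host directory, so the backend comes up on an empty /import instead of failing. The commit message's "structurally impossible" also holds only if each environment is given a different value, which nothing in this file checks. Moving to the long volume syntax with `create_host_path: false` makes a missing path fail at start, and quoting the scalar keeps the long error message from breaking the YAML if it is later edited to contain `: ` or ` #`. The backend service definition starts and ends outside the hunk, and the indentation in the fence is assumed.

```yaml
    volumes:
      - type: bind
        source: "${IMPORT_HOST_DIR:?Set IMPORT_HOST_DIR to a host path holding the mass-import payload (ODS + PDFs). See docs/DEPLOYMENT.md.}"
        target: /import
        read_only: true
        bind:
          # fail instead of silently creating an empty directory on a typo
          create_host_path: false
```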