Open Project

[dmBunting]

It would be great to have a service deployment for Open Project! https://www.openproject.org/

[luksak]

I would be super grateful to have an OpenProject template. Has anyone got it working?

[openforge-kt]

I managed to get it working, but I can't verify if this is safe and secure because it involves setting HSTS config to false.
Deploy as empty docker-compose:

networks:
  frontend: null
  backend: null
volumes:
  opdata: null
x-op-restart-policy:
  restart: unless-stopped
x-op-image:
  image: 'openproject/openproject:${TAG:-16-slim}'
x-op-app:
  image: 'openproject/openproject:${TAG:-16-slim}'
  restart: unless-stopped
  environment:
    OPENPROJECT_HTTPS: '${OPENPROJECT_HTTPS:-true}'
    OPENPROJECT_HOST__NAME: '${OPENPROJECT_HOST__NAME:-localhost:8080}'
    OPENPROJECT_HSTS: '${OPENPROJECT_HSTS:-true}'
    RAILS_CACHE_STORE: memcache
    OPENPROJECT_CACHE__MEMCACHE__SERVER: 'cache:11211'
    OPENPROJECT_RAILS__RELATIVE__URL__ROOT: '${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}'
    DATABASE_URL: '${DATABASE_URL:-postgres://postgres:p4ssw0rd@db/openproject?pool=20&encoding=unicode&reconnect=true}'
    RAILS_MIN_THREADS: '${RAILS_MIN_THREADS:-4}'
    RAILS_MAX_THREADS: '${RAILS_MAX_THREADS:-16}'
    IMAP_ENABLED: '${IMAP_ENABLED:-false}'
  volumes:
    - 'openproject:/var/openproject/assets'
services:
  cache:
    image: memcached
    restart: unless-stopped
    networks:
      - backend
  web:
    image: 'openproject/openproject:${TAG:-16-slim}'
    restart: unless-stopped
    environment:
      OPENPROJECT_HTTPS: '${OPENPROJECT_HTTPS:-true}'
      OPENPROJECT_HOST__NAME: '${OPENPROJECT_HOST__NAME:-localhost:8080}'
      OPENPROJECT_HSTS: '${OPENPROJECT_HSTS:-true}'
      RAILS_CACHE_STORE: memcache
      OPENPROJECT_CACHE__MEMCACHE__SERVER: 'cache:11211'
      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: '${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}'
      DATABASE_URL: '${DATABASE_URL:-postgres://postgres:p4ssw0rd@db/openproject?pool=20&encoding=unicode&reconnect=true}'
      RAILS_MIN_THREADS: '${RAILS_MIN_THREADS:-4}'
      RAILS_MAX_THREADS: '${RAILS_MAX_THREADS:-16}'
      IMAP_ENABLED: '${IMAP_ENABLED:-false}'
    volumes:
      - 'openproject:/var/openproject/assets'
    command: ./docker/prod/web
    networks:
      - frontend
      - backend
    depends_on:
      - cache
      - seeder
    labels:
      - autoheal=true
    healthcheck:
      test:
        - CMD
        - curl
        - '-f'
        - 'http://localhost:8080${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}/health_checks/default'
      interval: 10s
      timeout: 3s
      retries: 3
      start_period: 30s
  autoheal:
    image: 'willfarrell/autoheal:1.2.0'
    volumes:
      - '/var/run/docker.sock:/var/run/docker.sock'
    environment:
      AUTOHEAL_CONTAINER_LABEL: autoheal
      AUTOHEAL_START_PERIOD: 600
      AUTOHEAL_INTERVAL: 30
  worker:
    image: 'openproject/openproject:${TAG:-16-slim}'
    restart: unless-stopped
    environment:
      OPENPROJECT_HTTPS: '${OPENPROJECT_HTTPS:-true}'
      OPENPROJECT_HOST__NAME: '${OPENPROJECT_HOST__NAME:-localhost:8080}'
      OPENPROJECT_HSTS: '${OPENPROJECT_HSTS:-true}'
      RAILS_CACHE_STORE: memcache
      OPENPROJECT_CACHE__MEMCACHE__SERVER: 'cache:11211'
      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: '${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}'
      DATABASE_URL: '${DATABASE_URL:-postgres://postgres:p4ssw0rd@db/openproject?pool=20&encoding=unicode&reconnect=true}'
      RAILS_MIN_THREADS: '${RAILS_MIN_THREADS:-4}'
      RAILS_MAX_THREADS: '${RAILS_MAX_THREADS:-16}'
      IMAP_ENABLED: '${IMAP_ENABLED:-false}'
    volumes:
      - 'openproject:/var/openproject/assets'
    command: ./docker/prod/worker
    networks:
      - backend
    depends_on:
      - cache
      - seeder
  cron:
    image: 'openproject/openproject:${TAG:-16-slim}'
    restart: unless-stopped
    environment:
      OPENPROJECT_HTTPS: '${OPENPROJECT_HTTPS:-true}'
      OPENPROJECT_HOST__NAME: '${OPENPROJECT_HOST__NAME:-localhost:8080}'
      OPENPROJECT_HSTS: '${OPENPROJECT_HSTS:-true}'
      RAILS_CACHE_STORE: memcache
      OPENPROJECT_CACHE__MEMCACHE__SERVER: 'cache:11211'
      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: '${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}'
      DATABASE_URL: '${DATABASE_URL:-postgres://postgres:p4ssw0rd@db/openproject?pool=20&encoding=unicode&reconnect=true}'
      RAILS_MIN_THREADS: '${RAILS_MIN_THREADS:-4}'
      RAILS_MAX_THREADS: '${RAILS_MAX_THREADS:-16}'
      IMAP_ENABLED: '${IMAP_ENABLED:-false}'
    volumes:
      - 'openproject:/var/openproject/assets'
    command: ./docker/prod/cron
    networks:
      - backend
    depends_on:
      - cache
      - seeder
  seeder:
    image: 'openproject/openproject:${TAG:-16-slim}'
    restart: on-failure
    environment:
      OPENPROJECT_HTTPS: '${OPENPROJECT_HTTPS:-true}'
      OPENPROJECT_HOST__NAME: '${OPENPROJECT_HOST__NAME:-localhost:8080}'
      OPENPROJECT_HSTS: '${OPENPROJECT_HSTS:-true}'
      RAILS_CACHE_STORE: memcache
      OPENPROJECT_CACHE__MEMCACHE__SERVER: 'cache:11211'
      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: '${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}'
      DATABASE_URL: '${DATABASE_URL:-postgres://postgres:p4ssw0rd@db/openproject?pool=20&encoding=unicode&reconnect=true}'
      RAILS_MIN_THREADS: '${RAILS_MIN_THREADS:-4}'
      RAILS_MAX_THREADS: '${RAILS_MAX_THREADS:-16}'
      IMAP_ENABLED: '${IMAP_ENABLED:-false}'
    volumes:
      - 'openproject:/var/openproject/assets'
    command: ./docker/prod/seeder
    networks:
      - backend

I removed the DB because I wanted to use an external one, but you're free to leave it in if you prefer.

For env vars I only used these, I configured the rest (SMTP) in the dashboard:

DATABASE_URL=postgres://<pguser>:<pgpw>@<pghost>:<pghost>/<pgdb>?pool=20&encoding=unicode&reconnect=true
IMAP_ENABLED=true
OPENPROJECT_HOST__NAME=kanban.example.com
OPENPROJECT_HSTS=false
OPENPROJECT_HTTPS=true
OPENPROJECT_RAILS__RELATIVE__URL__ROOT=
OPENPROJECT_SECRET_KEY_BASE=<secret value>
RAILS_MAX_THREADS=16
RAILS_MIN_THREADS=4

[openforge-kt]

I forgot to mention, for the "Seeder" service, I recommend checking the "Exclude from service status" box, as it's intended behavior is to be shut down after initial setup

[R2Pitou]

I've just wasted 3 hours trying to get Open Project to load as much as a login page... I'm so glad I decided to give Coolify a go before trying to run a single deployment that isn't in the recipe book (2 / 3 deployments I really should get working)
Absolute nightmare to work with, and no amount of Gemini / ChatGPT or my own thinking power will be enough to wrap around the coolify "magic"
--autonuke

services:
  db:
    image: 'postgres:13'
    restart: always
    volumes:
      - 'openproject_data_final:/var/lib/postgresql/data'
    environment:
      POSTGRES_PASSWORD: supersecretpassword
      POSTGRES_DB: openproject
    healthcheck:
      test:
        - CMD-SHELL
        - 'pg_isready -U postgres'
      interval: 5s
      timeout: 5s
      retries: 20
  web:
    image: 'openproject/community:13'
    restart: always
    depends_on:
      db:
        condition: service_healthy
    environment:
      - SERVICE_URL_WEB_8080
      - 'DATABASE_URL=postgres://postgres:supersecretpassword@db:5432/openproject'
      - OPENPROJECT_HTTPS=true
      - OPENPROJECT_HSTS=true
      - 'OPENPROJECT_HOST__NAME=${COOLIFY_FQDN_WEB:-localhost}'
      - SECRET_KEY_BASE=saltsomethingfunhere
      - OPENPROJECT_WEB_WORKERS=4
      - OPENPROJECT_WEB_MAX_THREADS=32
    volumes:
      - 'openproject_static:/var/openproject/assets'
      - 'openproject_storage:/var/openproject/files'
    healthcheck:
      test:
        - CMD
        - 'true'
      interval: 30s
      start_period: 0s
volumes:
  openproject_data_final: null
  openproject_static: null
  openproject_storage: null

[ruppdi75]

holy cow!! after 6 hours of engineering I could make it happen: Open Project is up and running in Coolify.

here is how you can also achieve it:

OpenProject Deployment on Coolify - Complete Guide

Tested and working with OpenProject 16, Coolify v4.0.0-beta.460, January 2026

After spending considerable time troubleshooting OpenProject deployment on Coolify, I've documented a working configuration that addresses all the common pitfalls. This guide will help you deploy OpenProject successfully in under 30 minutes.

---

Table of Contents

1. Prerequisites
2. Key Insights (Read First!)
3. Step-by-Step Deployment
4. Working Docker Compose Configuration
5. Post-Deployment Configuration
6. Troubleshooting

---

Prerequisites

• Coolify instance (v4.x) with a connected server
• Domain pointing to your Coolify server (e.g., openproject.yourdomain.com)
• Valid SSL certificate (Coolify handles this automatically via Traefik)

---

Key Insights (Read First!)

Before you start, understand these critical points that differ from standard Docker Compose deployments:

1. Do NOT Define Networks

Coolify automatically creates an isolated network for each service stack. Do not define networks: in your docker-compose.yml - it will cause conflicts.

# ❌ DON'T DO THIS
networks:
  frontend:
  backend:
✅ CORRECT: Simply omit the networks section entirely

2. YAML Anchors Create Phantom Services

The official OpenProject docker-compose.yml uses YAML anchors (x-op-app:). Coolify interprets these as separate services, creating a phantom "Open Project" service that will show as "Exited" and cause routing issues.

3. Domain Must Point to the "web" Service

The domain configuration must be set on the web service, not on any phantom service created by YAML anchors.

4. Disable "Connect To Predefined Network"

In Coolify's Service Stack settings, keep "Connect To Predefined Network" disabled for isolated deployments.

5. The Seeder Service is Supposed to Exit

The seeder service runs once to initialize the database, then exits. Status "Exited" is correct behavior - enable "Exclude from service status" for this service.

6. No Health Check for Memcached Alpine

The memcached:alpine image doesn't include netcat, so health checks using nc will fail. Omit the health check for the cache service.

7. Do NOT Hardcode SMTP/IMAP in Environment Variables

If you define SMTP settings via environment variables, they become read-only in the OpenProject admin UI. Configure email via the UI instead for flexibility.

---

Step-by-Step Deployment

Step 1: Create New Service Stack

1. In Coolify, go to Projects → Select your project
2. Click + New → Docker Compose
3. Select Empty Docker Compose

Step 2: Configure Service Stack Settings

1. Service Name: openproject (or your preferred name)
2. Connect To Predefined Network: ☐ Leave UNCHECKED

Step 3: Edit Compose File

Click "Edit Compose File" and paste the working configuration below.

Important: Replace these placeholders with secure values:

• YOUR_SECURE_POSTGRES_PASSWORD - Generate a strong password
• YOUR_SECRET_KEY_BASE_MIN_64_CHARS - Generate with openssl rand -hex 64
• openproject.yourdomain.com - Your actual domain

Step 4: Save and Deploy

1. Click Save
2. Click Deploy
3. Wait 2-3 minutes for all containers to start

Step 5: Configure Domain on Web Service

After deployment:

1. Go to the web service → Settings
2. In Domains, enter: https://openproject.yourdomain.com
3. Click Save
4. Click Deploy again to apply routing

Step 6: Handle Phantom Services

If you see an "Open Project" service (from YAML anchors):

1. Click its Settings
2. Remove any domain if present
3. Enable "Exclude from service status"
4. Click Save

Do the same for the Seeder service (enable "Exclude from service status").

Step 7: Verify Deployment

1. Open https://openproject.yourdomain.com
2. Login with default credentials: admin / admin
3. Change the admin password immediately!

---

Working Docker Compose Configuration

# OpenProject Docker Compose for Coolify
# Version: OpenProject 16-slim
# Last tested: January 2026
#
# IMPORTANT FOR COOLIFY:
# - Do NOT add networks: section
# - Keep "Connect To Predefined Network" DISABLED
# - Set domain on the "web" service (not on any phantom service)
# - Enable "Exclude from service status" for seeder service
# - Configure SMTP/IMAP via OpenProject Admin UI, not here
volumes:

pgdata:

opdata:
services:

db:

image: postgres:16

restart: unless-stopped

stop_grace_period: "3s"

volumes:

- pgdata:/var/lib/postgresql/data

environment:

POSTGRES_PASSWORD: YOUR_SECURE_POSTGRES_PASSWORD

POSTGRES_DB: openproject

healthcheck:

test: ["CMD-SHELL", "pg_isready -U postgres -d openproject"]

interval: 10s

timeout: 5s

retries: 5

start_period: 30s
cache:

image: memcached:alpine

restart: unless-stopped

command: ["-l", "0.0.0.0"]

# Note: No healthcheck - memcached:alpine lacks netcat
seeder:

image: openproject/openproject:16-slim

restart: "no"

command: ./docker/prod/seeder

environment:

OPENPROJECT_HTTPS: "true"

OPENPROJECT_HOST__NAME: "openproject.yourdomain.com"

OPENPROJECT_HSTS: "true"

RAILS_CACHE_STORE: "memcache"

OPENPROJECT_CACHE__MEMCACHE__SERVER: "cache:11211"

DATABASE_URL: "postgres://postgres:YOUR_SECURE_POSTGRES_PASSWORD@db/openproject?pool=20&encoding=unicode&reconnect=true"

SECRET_KEY_BASE: "YOUR_SECRET_KEY_BASE_MIN_64_CHARS"

volumes:

- opdata:/var/openproject/assets

depends_on:

db:

condition: service_healthy

cache:

condition: service_started
web:

image: openproject/openproject:16-slim

restart: unless-stopped

command: ./docker/prod/web

environment:

OPENPROJECT_HTTPS: "true"

OPENPROJECT_HOST__NAME: "openproject.yourdomain.com"

OPENPROJECT_HSTS: "true"

RAILS_CACHE_STORE: "memcache"

OPENPROJECT_CACHE__MEMCACHE__SERVER: "cache:11211"

DATABASE_URL: "postgres://postgres:YOUR_SECURE_POSTGRES_PASSWORD@db/openproject?pool=20&encoding=unicode&reconnect=true"

SECRET_KEY_BASE: "YOUR_SECRET_KEY_BASE_MIN_64_CHARS"

RAILS_MIN_THREADS: "4"

RAILS_MAX_THREADS: "16"

volumes:

- opdata:/var/openproject/assets

depends_on:

db:

condition: service_healthy

cache:

condition: service_started

seeder:

condition: service_completed_successfully

healthcheck:

test: ["CMD", "curl", "-f", "http://localhost:8080/health_checks/default"]

interval: 30s

timeout: 10s

retries: 3

start_period: 120s
worker:

image: openproject/openproject:16-slim

restart: unless-stopped

command: ./docker/prod/worker

environment:

OPENPROJECT_HTTPS: "true"

OPENPROJECT_HOST__NAME: "openproject.yourdomain.com"

OPENPROJECT_HSTS: "true"

RAILS_CACHE_STORE: "memcache"

OPENPROJECT_CACHE__MEMCACHE__SERVER: "cache:11211"

DATABASE_URL: "postgres://postgres:YOUR_SECURE_POSTGRES_PASSWORD@db/openproject?pool=20&encoding=unicode&reconnect=true"

SECRET_KEY_BASE: "YOUR_SECRET_KEY_BASE_MIN_64_CHARS"

RAILS_MIN_THREADS: "4"

RAILS_MAX_THREADS: "16"

volumes:

- opdata:/var/openproject/assets

depends_on:

db:

condition: service_healthy

cache:

condition: service_started

seeder:

condition: service_completed_successfully
cron:

image: openproject/openproject:16-slim

restart: unless-stopped

command: ./docker/prod/cron

environment:

OPENPROJECT_HTTPS: "true"

OPENPROJECT_HOST__NAME: "openproject.yourdomain.com"

OPENPROJECT_HSTS: "true"

RAILS_CACHE_STORE: "memcache"

OPENPROJECT_CACHE__MEMCACHE__SERVER: "cache:11211"

DATABASE_URL: "postgres://postgres:YOUR_SECURE_POSTGRES_PASSWORD@db/openproject?pool=20&encoding=unicode&reconnect=true"

SECRET_KEY_BASE: "YOUR_SECRET_KEY_BASE_MIN_64_CHARS"

RAILS_MIN_THREADS: "4"

RAILS_MAX_THREADS: "16"

volumes:

- opdata:/var/openproject/assets

depends_on:

db:

condition: service_healthy

cache:

condition: service_started

seeder:

condition: service_completed_successfully

---

Post-Deployment Configuration

Email Configuration (SMTP)

Do NOT configure SMTP via environment variables - it locks the settings in the UI and makes them read-only.

Instead, configure via OpenProject Admin UI:

1. Login as admin
2. Go to Administration → Emails and notifications → Email notifications
3. Configure your SMTP provider:

For Port 587 (STARTTLS) - Recommended

Setting	Value
SMTP Server	smtp.yourprovider.com
SMTP Port	587
SMTP Authentication	login
Username	your@email.com
Password	yourpassword
Automatically use STARTTLS	☑ Enabled
Use SSL connection	☐ Disabled

⚠️ Important: Do not mix SSL and STARTTLS settings! Port 587 requires STARTTLS, Port 465 requires SSL. Mixing them causes "wrong version number" errors.

Incoming Email (IMAP) - Optional

To create work packages via email, configure under Administration → Emails and notifications → Incoming emails.

---

Troubleshooting

"no available server" Error

Cause: Domain is assigned to a non-running service (usually the phantom "Open Project" from YAML anchors).

Solution:

1. Remove domain from phantom service
2. Add domain to the web service
3. Click Save, then Deploy

Container "cache" is Unhealthy

Cause: Health check uses netcat which isn't available in memcached:alpine.

Solution: Remove the health check from the cache service (as shown in the config above).

Seeder Shows "Exited" Status

This is normal! The seeder runs once to initialize the database, then exits.

Solution: Enable "Exclude from service status" for the seeder service in Coolify.

SSL/STARTTLS Email Errors ("wrong version number")

Cause: Mismatched SSL/STARTTLS settings for the SMTP port.

Solution:

• Port 587 → Enable STARTTLS, Disable SSL
• Port 465 → Enable SSL, Disable STARTTLS

SMTP Settings Are Grayed Out / Read-Only

Cause: SMTP is configured via environment variables in docker-compose.yml.

Solution: Remove all OPENPROJECT_SMTP__* and OPENPROJECT_EMAIL__* variables from your docker-compose.yml, redeploy, then configure via the OpenProject Admin UI.

Database Connection Errors After Restart

Cause: Services starting before database is ready.

Solution: The configuration above uses depends_on with condition: service_healthy to ensure proper startup order.

---

Architecture Overview

Internet
    │
    ▼
┌─────────────────┐
│  Traefik Proxy  │  (Coolify's reverse proxy)
│  (Port 443 SSL) │
└────────┬────────┘
         │
         ▼
┌─────────────────────────────────────────────┐
│         Coolify Auto-Generated Network       │
│                                              │
│  ┌─────────┐  ┌─────────┐  ┌─────────────┐  │
│  │   web   │  │ worker  │  │    cron     │  │
│  │ :8080   │  │         │  │             │  │
│  └────┬────┘  └────┬────┘  └──────┬──────┘  │
│       │            │              │         │
│       └────────────┼──────────────┘         │
│                    │                        │
│              ┌─────┴─────┐                  │
│              │           │                  │
│         ┌────▼───┐  ┌────▼────┐             │
│         │   db   │  │  cache  │             │
│         │ :5432  │  │ :11211  │             │
│         └────────┘  └─────────┘             │
│                                              │
└──────────────────────────────────────────────┘

---

Credits

This guide was created after extensive troubleshooting and testing. Special thanks to the Coolify and OpenProject communities.

If this guide helped you, please consider:

• ⭐ Starring the OpenProject and Coolify repositories
• 📝 Contributing improvements to this guide
• 💬 Sharing your experience in the discussion thread

---

Author: Dimitri Rupp
Date: January 2026
License: MIT - Feel free to share and adapt

[R2Pitou]

Wow! This looks... extensive!
I had to nuke the coolify server for an actual production one, but once I spin a new staging environment, might give your method a try!
Also: "no available server" did my head in to a point that my original comment is absolutely bitter. 🫠

[HichemTab-tech]

@ruppdi75 Thanks man, Thank you all!!

[ruppdi75]

Thank you very much @AndreaDev237 for updating the guide.💪💪👍👍
I hope, this will help many other devops.

[AndreaDev237]

Thank you @ruppdi75 in the first place for the amazing guide you've made.
Thanks to you i was able to run OpenProject on Coolify without any issue and it was super easy to upgrade it for the last OpenProject version.
I will test the configuration the next weeks to see if everything will stay smooth.
If yes i think we can try to make a pull request on service and docs section to make our solutions available inside coolify (if you are ok with that)
Thanks again for the amazing work!

[ruppdi75]

This makes me really happy. I am glad to be of help, @AndreaDev237
This is exactly how I understand teamwork - one does the engineering, one adds the update.
Next time, the other one is doing the engineering and the collegue is adding the update.
Thats the way how solutions get build! 💪💪💪💪👍👍👍👍
So nice working together with you.

[AndreaDev237]

I've updated the guide provided by the amazing @ruppdi75 for OpenProject 1.7 (with hocuspocus and live doc editing)

There is also an optimized version for very small VPS Instance (like CX22 on hetzner who is half of the minimum requirements of OpenProject).
That Docker compose optimize the resource consumption to be "lighter as possible".
In my experiments is usable and stable but with 5-6 simultaneous users the speed drop start to be noticeable (but it will be still usable).

OpenProject 17 on Coolify — Deployment Guide

Based on Dimitri Rupp's original guide (OpenProject 16, Jan 2026)
Updated for OpenProject 17 with Hocuspocus collaborative editing, March 2026

---

What Changed from v16 to v17

Area	v16 (Dimitri's guide)	v17 (this guide)
Image tag	16-slim	17-slim
PostgreSQL	postgres:16	postgres:17 (recommended for new installs)
Collaborative editing	Not present	Hocuspocus service added
All hardcoded values	Fixed in YAML	Extracted as ${ENV_VAR:-default} for Coolify UI
Proxy / Autoheal	Removed (Coolify handles)	Same — still removed
Relative URL root	Not supported	Supported via OPENPROJECT_RAILS__RELATIVE__URL__ROOT
IMAP toggle	Not present	IMAP_ENABLED env var

---

Coolify Golden Rules (unchanged from v16)

These pitfalls still apply exactly as Dimitri documented them:

1. NO networks: section — Coolify auto-creates an isolated network per stack
2. NO YAML anchors (x-op-*) — Coolify interprets them as phantom services
3. Domain goes on web service — not on any phantom or other service
4. Hocuspocus needs its own subdomain — path-based routing (/hocuspocus) doesn't work with Traefik in Coolify
5. "Connect To Predefined Network" = UNCHECKED
6. Seeder exits intentionally — enable "Exclude from service status"
7. No healthcheck on memcached — the image lacks netcat
8. SMTP/IMAP via Admin UI, not env vars — env vars lock the settings as read-only
9. POSTGRES_PASSWORD must be hex-only — characters like /=+ break the DATABASE_URL

---

Environment Variables Reference

Set these in Coolify UI → Service Stack → Environment Variables.

Required

Variable	Description	Example
POSTGRES_PASSWORD	PostgreSQL password (hex only, no /=+)	openssl rand -hex 32
SECRET_KEY_BASE	Rails secret (min 64 chars)	openssl rand -hex 64
OPENPROJECT_HOST__NAME	Your domain (no protocol)	openproject.yourdomain.com
COLLABORATIVE_SERVER_URL	Hocuspocus WebSocket URL (subdomain!)	wss://hocuspocus.yourdomain.com
COLLABORATIVE_SERVER_SECRET	Shared secret for Hocuspocus	openssl rand -hex 32

Optional

Variable	Default	Description
TAG	17-slim	OpenProject image tag
HOCUSPOCUS_TAG	latest	Hocuspocus image tag
POSTGRES_VERSION	17	PostgreSQL major version
OPENPROJECT_HTTPS	true	Enable HTTPS
OPENPROJECT_HSTS	true	Enable HSTS header
RAILS_MIN_THREADS	4	Puma min threads
RAILS_MAX_THREADS	16	Puma max threads
IMAP_ENABLED	false	Enable inbound email
OPENPROJECT_RAILS__RELATIVE__URL__ROOT	(empty)	Sub-path, e.g. /openproject
OPENPROJECT_ADDITIONAL__HOST__NAMES	web	Extra hostnames (for internal routing)

---

Step-by-Step Deployment

1. Create Service Stack

In Coolify: Projects → your project → + New → Docker Compose → Empty Docker Compose

2. Configure Stack Settings

• Service Name: openproject
• Connect To Predefined Network: ☐ UNCHECKED

3. Set Environment Variables

In Coolify UI, add at minimum:

POSTGRES_PASSWORD=<hex-only-password>
SECRET_KEY_BASE=<your-64-char-hex>
OPENPROJECT_HOST__NAME=openproject.yourdomain.com
COLLABORATIVE_SERVER_URL=wss://hocuspocus.yourdomain.com
COLLABORATIVE_SERVER_SECRET=<your-32-char-hex>

⚠️ POSTGRES_PASSWORD must be hex-only (use openssl rand -hex 32). Characters like /, =, + break the DATABASE_URL parser and cause the seeder to fail silently with exit code 2.

4. Paste Docker Compose

Click "Edit Compose File" and paste the contents of docker-compose.yml.

5. Save & Deploy

Click Save, then Deploy. Wait 2–3 minutes.

6. Configure Domain on Web Service

After deployment:

1. Go to web service → Settings
2. In Domains, enter: https://openproject.yourdomain.com
3. Save, then Deploy again

7. Configure Domain on Hocuspocus Service

Hocuspocus needs its own subdomain. Path-based routing (/hocuspocus) does not work in Coolify because Traefik routes all traffic for a domain to a single service. The official OpenProject compose uses a dedicated proxy for this, which we removed since Coolify has Traefik.

1. Create a DNS A record: hocuspocus.yourdomain.com → same IP as your server
2. In Coolify, go to Hocuspocus service → Settings
3. In Domains, enter: https://hocuspocus.yourdomain.com
4. Leave "Strip Prefixes" checked (default)
5. Save, then Deploy again
6. Coolify will auto-generate the SSL certificate via Traefik

⚠️ The COLLABORATIVE_SERVER_URL env var must match this subdomain: wss://hocuspocus.yourdomain.com

8. Handle Phantom / Seeder Services

If you see phantom services (from any residual YAML anchor parsing):

• Remove any domain from them
• Enable "Exclude from service status"

Do the same for the seeder service (it's supposed to show "Exited").

9. Verify & Secure

1. Open https://openproject.yourdomain.com
2. Login: admin / admin
3. Change the admin password immediately
4. Test collaborative editing in a work package description

---

Hocuspocus (Collaborative Editing)

OpenProject 17 introduces real-time collaborative editing via Hocuspocus. The setup requires:

• The hocuspocus service running alongside web
• A shared COLLABORATIVE_SERVER_SECRET between the OpenProject services and Hocuspocus
• The WebSocket URL (COLLABORATIVE_SERVER_URL) must be reachable from browsers

Why a Subdomain is Required on Coolify

The official OpenProject docker-compose includes a proxy service that routes /hocuspocus requests to the Hocuspocus container and everything else to the web container. Since Coolify uses Traefik as its reverse proxy and we removed the proxy service, this path-based routing doesn't work — Traefik sends all traffic for a domain to whichever service has that domain assigned.

The solution is to give Hocuspocus its own subdomain (e.g. hocuspocus.yourdomain.com). This way:

• openproject.yourdomain.com → Traefik → web container (:8080)
• hocuspocus.yourdomain.com → Traefik → hocuspocus container (:1234)

Both get automatic SSL via Coolify, and WebSocket upgrades work out of the box.

Checklist

1. DNS A record for hocuspocus.yourdomain.com pointing to the server IP
2. Domain https://hocuspocus.yourdomain.com set on the Hocuspocus service in Coolify
3. COLLABORATIVE_SERVER_URL=wss://hocuspocus.yourdomain.com in the service stack env vars
4. COLLABORATIVE_SERVER_SECRET identical across web, worker, and hocuspocus
5. OPENPROJECT_URL inside hocuspocus is http://web:8080 (internal, not your public domain)

---

Architecture (v17)

Internet
    │
    ├─── openproject.yourdomain.com ──┐
    │                                  │
    ├─── hocuspocus.yourdomain.com ───┐│
    │                                 ││
    ▼                                 ││
┌──────────────────┐                  ││
│  Traefik (Coolify)│                  ││
│  Port 443 SSL    │                  ││
└────────┬─────────┘                  ││
         │                            ││
         ▼                            ▼▼
┌──────────────────────────────────────────────────┐
│            Coolify Auto-Generated Network         │
│                                                   │
│  ┌─────────┐  ┌─────────┐  ┌──────┐  ┌────────┐ │
│  │   web   │◄─│ worker  │  │ cron │  │hocuspocus│ │
│  │  :8080  │  │         │  │      │  │  :1234  │ │
│  └────┬────┘  └────┬────┘  └──┬───┘  └────┬────┘ │
│       │            │          │            │      │
│       └────────────┼──────────┘            │      │
│                    │                       │      │
│              ┌─────┴─────┐                 │      │
│              │           │                 │      │
│         ┌────▼───┐  ┌────▼────┐            │      │
│         │   db   │  │  cache  │            │      │
│         │ :5432  │  │ :11211  │            │      │
│         └────────┘  └─────────┘            │      │
│                                            │      │
│            web ◄───── hocuspocus ──────────┘      │
│          (internal HTTP for auth callbacks)        │
└───────────────────────────────────────────────────┘

---

Troubleshooting

All of Dimitri's original troubleshooting tips still apply. Additional v17 items:

Collaborative Editing: "real-time text collaboration server is unreachable"

Cause: Hocuspocus is not reachable from the browser. This is almost always a routing issue.

Solution: Hocuspocus needs its own subdomain in Coolify (see Hocuspocus section above). Path-based routing (wss://yourdomain.com/hocuspocus) does not work because Traefik routes all traffic for a domain to a single service (web). You must:

1. Create a DNS record for hocuspocus.yourdomain.com
2. Set https://hocuspocus.yourdomain.com as domain on the Hocuspocus service in Coolify
3. Set COLLABORATIVE_SERVER_URL=wss://hocuspocus.yourdomain.com

Seeder Exits with Code 2 (No Logs)

Cause: Usually a malformed DATABASE_URL. The most common trigger is a POSTGRES_PASSWORD containing URL-special characters (/, =, +, @). These break the URL parser and Rails crashes before writing any log output.

Solution: Use hex-only passwords: openssl rand -hex 32. If the volume pgdata was already created with the old password, delete it and redeploy from scratch.

Server Hangs at 100% CPU During Seeding

Cause: The first-time seeder runs database migrations + data seeding + asset tasks. On a 2 vCPU server this can saturate both cores for 5–15 minutes, making the entire server (including other Coolify apps) unresponsive.

Solution: Wait 15 minutes. If still stuck, reboot the server. The seeder will re-run on next deploy. For small servers (2 vCPU / 4GB), consider deploying during low-traffic hours.

Collaborative Editing Not Syncing

Symptoms: Editor opens but changes don't appear for other users, or cursors don't show.

Check:

1. COLLABORATIVE_SERVER_SECRET must be identical across web, worker, and hocuspocus
2. Hocuspocus container must be running and healthy (check Coolify logs)
3. OPENPROJECT_URL inside hocuspocus must be http://web:8080 (internal, not your public domain)
4. Hocuspocus logs should show Ready. — if not, the container didn't start properly

PostgreSQL Migration from 13 to 17

If upgrading an existing v16 installation that used Postgres 13:

• Follow the official migration guide
• Do NOT just change POSTGRES_VERSION — data directory format is incompatible

---

Docker Compose File (standard file)

# ============================================================================
# OpenProject 17 - Docker Compose for Coolify
# ============================================================================
# Based on: Official OpenProject 17 docker-compose.yml
# Adapted for Coolify following Dimitri Rupp's deployment guide (Jan 2026)
# Updated: March 2026 for OpenProject 17
#
# COOLIFY-SPECIFIC RULES:
#   - NO networks: section (Coolify creates its own isolated network)
#   - NO YAML anchors / x-op-* (Coolify treats them as phantom services)
#   - NO proxy service (Coolify's Traefik handles reverse proxy + SSL)
#   - NO autoheal service (Coolify manages container lifecycle)
#   - "Connect To Predefined Network" must be UNCHECKED in Coolify
#   - Set domain on the "web" service in Coolify UI
#   - Set domain on "hocuspocus" service too (separate subdomain!)
#   - Enable "Exclude from service status" for the seeder service
#   - Configure SMTP/IMAP via OpenProject Admin UI, NOT via env vars
#
# ENV VARIABLES (set in Coolify UI → Service Stack → Environment Variables):
#   Required:
#     POSTGRES_PASSWORD        - Strong password (hex only! no / = + chars)
#     SECRET_KEY_BASE          - Min 64 chars, generate with: openssl rand -hex 64
#     OPENPROJECT_HOST__NAME   - Your domain, e.g. openproject.yourdomain.com
#     COLLABORATIVE_SERVER_URL - Hocuspocus WebSocket URL (use subdomain!), e.g. wss://hocuspocus.yourdomain.com
#     COLLABORATIVE_SERVER_SECRET - Shared secret for Hocuspocus
#   Optional:
#     TAG                      - OpenProject image tag (default: 17-slim)
#     POSTGRES_VERSION         - PostgreSQL version (default: 17)
#     RAILS_MIN_THREADS        - Min Puma threads (default: 4)
#     RAILS_MAX_THREADS        - Max Puma threads (default: 16)
#     OPENPROJECT_HTTPS        - Enable HTTPS (default: true)
#     OPENPROJECT_HSTS         - Enable HSTS header (default: true)
#     IMAP_ENABLED             - Enable email receiving (default: false)
#     HOCUSPOCUS_TAG           - Hocuspocus image tag (default: latest)
# ============================================================================

volumes:
  pgdata:
  opdata:

services:
  # --------------------------------------------------------------------------
  # PostgreSQL Database
  # --------------------------------------------------------------------------
  db:
    image: postgres:${POSTGRES_VERSION:-17}
    restart: unless-stopped
    stop_grace_period: "3s"
    volumes:
      - pgdata:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-CHANGE_ME_IMMEDIATELY}
      POSTGRES_DB: openproject
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d openproject"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s

  # --------------------------------------------------------------------------
  # Memcached (session/fragment cache)
  # NOTE: No healthcheck — memcached:alpine lacks netcat, plain memcached
  #       also doesn't ship with a reliable check command.
  # --------------------------------------------------------------------------
  cache:
    image: memcached
    restart: unless-stopped
    command: ["-l", "0.0.0.0"]

  # --------------------------------------------------------------------------
  # Database Seeder (runs once, then exits — this is expected behavior)
  # → In Coolify: enable "Exclude from service status" for this service
  # --------------------------------------------------------------------------
  seeder:
    image: openproject/openproject:${TAG:-17-slim}
    restart: "no"
    command: "./docker/prod/seeder"
    environment:
      OPENPROJECT_HTTPS: "${OPENPROJECT_HTTPS:-true}"
      OPENPROJECT_HOST__NAME: "${OPENPROJECT_HOST__NAME:-localhost}"
      OPENPROJECT_HSTS: "${OPENPROJECT_HSTS:-true}"
      OPENPROJECT_RAILS__CACHE__STORE: "memcache"
      OPENPROJECT_CACHE__MEMCACHE__SERVER: "cache:11211"
      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: "${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}"
      DATABASE_URL: "postgres://postgres:${POSTGRES_PASSWORD:-CHANGE_ME_IMMEDIATELY}@db/openproject?pool=20&encoding=unicode&reconnect=true"
      SECRET_KEY_BASE: "${SECRET_KEY_BASE:-GENERATE_ME_WITH_openssl_rand_hex_64}"
    volumes:
      - opdata:/var/openproject/assets
    depends_on:
      db:
        condition: service_healthy
      cache:
        condition: service_started

  # --------------------------------------------------------------------------
  # Web (Puma application server)
  # → In Coolify: set your domain (https://openproject.yourdomain.com) on THIS service
  # --------------------------------------------------------------------------
  web:
    image: openproject/openproject:${TAG:-17-slim}
    restart: unless-stopped
    command: "./docker/prod/web"
    environment:
      OPENPROJECT_HTTPS: "${OPENPROJECT_HTTPS:-true}"
      OPENPROJECT_HOST__NAME: "${OPENPROJECT_HOST__NAME:-localhost}"
      OPENPROJECT_ADDITIONAL__HOST__NAMES: "${OPENPROJECT_ADDITIONAL__HOST__NAMES:-web}"
      OPENPROJECT_HSTS: "${OPENPROJECT_HSTS:-true}"
      OPENPROJECT_RAILS__CACHE__STORE: "memcache"
      OPENPROJECT_CACHE__MEMCACHE__SERVER: "cache:11211"
      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: "${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}"
      OPENPROJECT_COLLABORATIVE__EDITING__HOCUSPOCUS__URL: "${COLLABORATIVE_SERVER_URL}"
      OPENPROJECT_COLLABORATIVE__EDITING__HOCUSPOCUS__SECRET: "${COLLABORATIVE_SERVER_SECRET:-OVERRIDE_ME_PLEASE}"
      DATABASE_URL: "postgres://postgres:${POSTGRES_PASSWORD:-CHANGE_ME_IMMEDIATELY}@db/openproject?pool=20&encoding=unicode&reconnect=true"
      RAILS_MIN_THREADS: ${RAILS_MIN_THREADS:-4}
      RAILS_MAX_THREADS: ${RAILS_MAX_THREADS:-16}
      IMAP_ENABLED: "${IMAP_ENABLED:-false}"
      SECRET_KEY_BASE: "${SECRET_KEY_BASE:-GENERATE_ME_WITH_openssl_rand_hex_64}"
    volumes:
      - opdata:/var/openproject/assets
    depends_on:
      db:
        condition: service_healthy
      cache:
        condition: service_started
      seeder:
        condition: service_completed_successfully
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}/health_checks/default"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 120s

  # --------------------------------------------------------------------------
  # Background Worker (async jobs, notifications, etc.)
  # --------------------------------------------------------------------------
  worker:
    image: openproject/openproject:${TAG:-17-slim}
    restart: unless-stopped
    command: "./docker/prod/worker"
    environment:
      OPENPROJECT_HTTPS: "${OPENPROJECT_HTTPS:-true}"
      OPENPROJECT_HOST__NAME: "${OPENPROJECT_HOST__NAME:-localhost}"
      OPENPROJECT_HSTS: "${OPENPROJECT_HSTS:-true}"
      OPENPROJECT_RAILS__CACHE__STORE: "memcache"
      OPENPROJECT_CACHE__MEMCACHE__SERVER: "cache:11211"
      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: "${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}"
      OPENPROJECT_COLLABORATIVE__EDITING__HOCUSPOCUS__URL: "${COLLABORATIVE_SERVER_URL}"
      OPENPROJECT_COLLABORATIVE__EDITING__HOCUSPOCUS__SECRET: "${COLLABORATIVE_SERVER_SECRET:-OVERRIDE_ME_PLEASE}"
      DATABASE_URL: "postgres://postgres:${POSTGRES_PASSWORD:-CHANGE_ME_IMMEDIATELY}@db/openproject?pool=20&encoding=unicode&reconnect=true"
      RAILS_MIN_THREADS: ${RAILS_MIN_THREADS:-4}
      RAILS_MAX_THREADS: ${RAILS_MAX_THREADS:-16}
      IMAP_ENABLED: "${IMAP_ENABLED:-false}"
      SECRET_KEY_BASE: "${SECRET_KEY_BASE:-GENERATE_ME_WITH_openssl_rand_hex_64}"
    volumes:
      - opdata:/var/openproject/assets
    depends_on:
      db:
        condition: service_healthy
      cache:
        condition: service_started
      seeder:
        condition: service_completed_successfully

  # --------------------------------------------------------------------------
  # Cron (scheduled tasks — email fetching, cleanup, etc.)
  # --------------------------------------------------------------------------
  cron:
    image: openproject/openproject:${TAG:-17-slim}
    restart: unless-stopped
    command: "./docker/prod/cron"
    environment:
      OPENPROJECT_HTTPS: "${OPENPROJECT_HTTPS:-true}"
      OPENPROJECT_HOST__NAME: "${OPENPROJECT_HOST__NAME:-localhost}"
      OPENPROJECT_HSTS: "${OPENPROJECT_HSTS:-true}"
      OPENPROJECT_RAILS__CACHE__STORE: "memcache"
      OPENPROJECT_CACHE__MEMCACHE__SERVER: "cache:11211"
      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: "${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}"
      DATABASE_URL: "postgres://postgres:${POSTGRES_PASSWORD:-CHANGE_ME_IMMEDIATELY}@db/openproject?pool=20&encoding=unicode&reconnect=true"
      RAILS_MIN_THREADS: ${RAILS_MIN_THREADS:-4}
      RAILS_MAX_THREADS: ${RAILS_MAX_THREADS:-16}
      IMAP_ENABLED: "${IMAP_ENABLED:-false}"
      SECRET_KEY_BASE: "${SECRET_KEY_BASE:-GENERATE_ME_WITH_openssl_rand_hex_64}"
    volumes:
      - opdata:/var/openproject/assets
    depends_on:
      db:
        condition: service_healthy
      cache:
        condition: service_started
      seeder:
        condition: service_completed_successfully

  # --------------------------------------------------------------------------
  # Hocuspocus (collaborative real-time editing — NEW in OpenProject 17)
  # --------------------------------------------------------------------------
  hocuspocus:
    image: openproject/hocuspocus:${HOCUSPOCUS_TAG:-latest}
    restart: unless-stopped
    environment:
      SECRET: ${COLLABORATIVE_SERVER_SECRET:-OVERRIDE_ME_PLEASE}
      OPENPROJECT_URL: "http://web:8080"
      OPENPROJECT_HTTPS: "${OPENPROJECT_HTTPS:-true}"
    depends_on:
      web:
        condition: service_healthy

Docker Compose Optimized for very small VPS Instance (Like CX22 on hetzner who is half the minimum requirements of OpenProject.)

# ============================================================================
# OpenProject 17 - Docker Compose for Coolify
# ============================================================================
# OPTIMIZED FOR: 2 vCPU / 4GB RAM (Hetzner CX22 or similar)
#
# Based on: Official OpenProject 17 docker-compose.yml
# Adapted for Coolify following Dimitri Rupp's deployment guide (Jan 2026)
# Updated: March 2026 for OpenProject 17
#
# NOTE: OpenProject minimum requirements are 4 CPU / 4GB RAM.
# This config runs on 2 vCPU by reducing threads and adding resource limits.
# Suitable for small teams (≤10 concurrent users).
#
# COOLIFY-SPECIFIC RULES:
#   - NO networks: section (Coolify creates its own isolated network)
#   - NO YAML anchors / x-op-* (Coolify treats them as phantom services)
#   - NO proxy service (Coolify's Traefik handles reverse proxy + SSL)
#   - NO autoheal service (Coolify manages container lifecycle)
#   - "Connect To Predefined Network" must be UNCHECKED in Coolify
#   - Set domain on the "web" service in Coolify UI
#   - Set domain on "hocuspocus" service too (separate subdomain!)
#   - Enable "Exclude from service status" for the seeder service
#   - Configure SMTP/IMAP via OpenProject Admin UI, NOT via env vars
#
# ENV VARIABLES (set in Coolify UI → Service Stack → Environment Variables):
#   Required:
#     POSTGRES_PASSWORD        - Strong password (hex only! no / = + chars)
#     SECRET_KEY_BASE          - Min 64 chars, generate with: openssl rand -hex 64
#     OPENPROJECT_HOST__NAME   - Your domain, e.g. openproject.yourdomain.com
#     COLLABORATIVE_SERVER_URL - Hocuspocus WebSocket URL (use subdomain!), e.g. wss://hocuspocus.yourdomain.com
#     COLLABORATIVE_SERVER_SECRET - Shared secret for Hocuspocus
#   Optional:
#     TAG                      - OpenProject image tag (default: 17-slim)
#     POSTGRES_VERSION         - PostgreSQL version (default: 17)
#     RAILS_MIN_THREADS        - Min Puma threads (default: 2)
#     RAILS_MAX_THREADS        - Max Puma threads (default: 4)
#     OPENPROJECT_HTTPS        - Enable HTTPS (default: true)
#     OPENPROJECT_HSTS         - Enable HSTS header (default: true)
#     IMAP_ENABLED             - Enable email receiving (default: false)
#     HOCUSPOCUS_TAG           - Hocuspocus image tag (default: latest)
#
# RESOURCE BUDGET (total limits sum):
#   CPU:    ~2.3 vCPU max (theoretical peak, never all at once)
#   Memory: ~3.5 GB max (leaves ~500MB for OS + Traefik + Coolify agent)
# ============================================================================

volumes:
  pgdata:
  opdata:

services:
  # --------------------------------------------------------------------------
  # PostgreSQL Database
  # --------------------------------------------------------------------------
  db:
    image: postgres:${POSTGRES_VERSION:-17}
    restart: unless-stopped
    stop_grace_period: "3s"
    volumes:
      - pgdata:/var/lib/postgresql/data
    environment:
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-CHANGE_ME_IMMEDIATELY}
      POSTGRES_DB: openproject
    # Postgres tuning for low-memory systems
    command:
      - "postgres"
      - "-c"
      - "shared_buffers=256MB"
      - "-c"
      - "work_mem=4MB"
      - "-c"
      - "maintenance_work_mem=64MB"
      - "-c"
      - "effective_cache_size=512MB"
      - "-c"
      - "max_connections=50"
    deploy:
      resources:
        limits:
          cpus: "0.5"
          memory: 768M
        reservations:
          memory: 384M
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d openproject"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s

  # --------------------------------------------------------------------------
  # Memcached (session/fragment cache)
  # --------------------------------------------------------------------------
  cache:
    image: memcached
    restart: unless-stopped
    command: ["-l", "0.0.0.0", "-m", "64"]
    deploy:
      resources:
        limits:
          cpus: "0.1"
          memory: 96M

  # --------------------------------------------------------------------------
  # Database Seeder (runs once, then exits — this is expected behavior)
  # → In Coolify: enable "Exclude from service status" for this service
  # NOTE: No CPU limit on seeder — one-time job, let it finish fast.
  # --------------------------------------------------------------------------
  seeder:
    image: openproject/openproject:${TAG:-17-slim}
    restart: "no"
    command: "./docker/prod/seeder"
    environment:
      OPENPROJECT_HTTPS: "${OPENPROJECT_HTTPS:-true}"
      OPENPROJECT_HOST__NAME: "${OPENPROJECT_HOST__NAME:-localhost}"
      OPENPROJECT_HSTS: "${OPENPROJECT_HSTS:-true}"
      OPENPROJECT_RAILS__CACHE__STORE: "memcache"
      OPENPROJECT_CACHE__MEMCACHE__SERVER: "cache:11211"
      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: "${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}"
      DATABASE_URL: "postgres://postgres:${POSTGRES_PASSWORD:-CHANGE_ME_IMMEDIATELY}@db/openproject?pool=20&encoding=unicode&reconnect=true"
      SECRET_KEY_BASE: "${SECRET_KEY_BASE:-GENERATE_ME_WITH_openssl_rand_hex_64}"
    deploy:
      resources:
        limits:
          memory: 1G
    volumes:
      - opdata:/var/openproject/assets
    depends_on:
      db:
        condition: service_healthy
      cache:
        condition: service_started

  # --------------------------------------------------------------------------
  # Web (Puma application server)
  # → In Coolify: set your domain (https://openproject.yourdomain.com) here
  #
  # KEY TUNING: RAILS_MIN_THREADS=2, RAILS_MAX_THREADS=4
  # Default is 4/16 which spawns too many threads for 2 vCPU.
  # With 2-4 threads Puma uses ~400-600MB instead of 1GB+.
  # --------------------------------------------------------------------------
  web:
    image: openproject/openproject:${TAG:-17-slim}
    restart: unless-stopped
    command: "./docker/prod/web"
    environment:
      OPENPROJECT_HTTPS: "${OPENPROJECT_HTTPS:-true}"
      OPENPROJECT_HOST__NAME: "${OPENPROJECT_HOST__NAME:-localhost}"
      OPENPROJECT_ADDITIONAL__HOST__NAMES: "${OPENPROJECT_ADDITIONAL__HOST__NAMES:-web}"
      OPENPROJECT_HSTS: "${OPENPROJECT_HSTS:-true}"
      OPENPROJECT_RAILS__CACHE__STORE: "memcache"
      OPENPROJECT_CACHE__MEMCACHE__SERVER: "cache:11211"
      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: "${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}"
      OPENPROJECT_COLLABORATIVE__EDITING__HOCUSPOCUS__URL: "${COLLABORATIVE_SERVER_URL}"
      OPENPROJECT_COLLABORATIVE__EDITING__HOCUSPOCUS__SECRET: "${COLLABORATIVE_SERVER_SECRET:-OVERRIDE_ME_PLEASE}"
      DATABASE_URL: "postgres://postgres:${POSTGRES_PASSWORD:-CHANGE_ME_IMMEDIATELY}@db/openproject?pool=20&encoding=unicode&reconnect=true"
      RAILS_MIN_THREADS: ${RAILS_MIN_THREADS:-2}
      RAILS_MAX_THREADS: ${RAILS_MAX_THREADS:-4}
      IMAP_ENABLED: "${IMAP_ENABLED:-false}"
      SECRET_KEY_BASE: "${SECRET_KEY_BASE:-GENERATE_ME_WITH_openssl_rand_hex_64}"
      # Reduce Ruby/glibc memory bloat
      MALLOC_ARENA_MAX: "2"
      RUBY_GC_HEAP_GROWTH_FACTOR: "1.1"
    deploy:
      resources:
        limits:
          cpus: "0.8"
          memory: 1280M
        reservations:
          memory: 512M
    volumes:
      - opdata:/var/openproject/assets
    depends_on:
      db:
        condition: service_healthy
      cache:
        condition: service_started
      seeder:
        condition: service_completed_successfully
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}/health_checks/default"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 120s

  # --------------------------------------------------------------------------
  # Background Worker (async jobs, notifications, etc.)
  # --------------------------------------------------------------------------
  worker:
    image: openproject/openproject:${TAG:-17-slim}
    restart: unless-stopped
    command: "./docker/prod/worker"
    environment:
      OPENPROJECT_HTTPS: "${OPENPROJECT_HTTPS:-true}"
      OPENPROJECT_HOST__NAME: "${OPENPROJECT_HOST__NAME:-localhost}"
      OPENPROJECT_HSTS: "${OPENPROJECT_HSTS:-true}"
      OPENPROJECT_RAILS__CACHE__STORE: "memcache"
      OPENPROJECT_CACHE__MEMCACHE__SERVER: "cache:11211"
      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: "${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}"
      OPENPROJECT_COLLABORATIVE__EDITING__HOCUSPOCUS__URL: "${COLLABORATIVE_SERVER_URL}"
      OPENPROJECT_COLLABORATIVE__EDITING__HOCUSPOCUS__SECRET: "${COLLABORATIVE_SERVER_SECRET:-OVERRIDE_ME_PLEASE}"
      DATABASE_URL: "postgres://postgres:${POSTGRES_PASSWORD:-CHANGE_ME_IMMEDIATELY}@db/openproject?pool=20&encoding=unicode&reconnect=true"
      RAILS_MIN_THREADS: ${RAILS_MIN_THREADS:-2}
      RAILS_MAX_THREADS: ${RAILS_MAX_THREADS:-4}
      IMAP_ENABLED: "${IMAP_ENABLED:-false}"
      SECRET_KEY_BASE: "${SECRET_KEY_BASE:-GENERATE_ME_WITH_openssl_rand_hex_64}"
      MALLOC_ARENA_MAX: "2"
      RUBY_GC_HEAP_GROWTH_FACTOR: "1.1"
    deploy:
      resources:
        limits:
          cpus: "0.5"
          memory: 768M
        reservations:
          memory: 256M
    volumes:
      - opdata:/var/openproject/assets
    depends_on:
      db:
        condition: service_healthy
      cache:
        condition: service_started
      seeder:
        condition: service_completed_successfully

  # --------------------------------------------------------------------------
  # Cron (scheduled tasks — very lightweight, only wakes up periodically)
  # --------------------------------------------------------------------------
  cron:
    image: openproject/openproject:${TAG:-17-slim}
    restart: unless-stopped
    command: "./docker/prod/cron"
    environment:
      OPENPROJECT_HTTPS: "${OPENPROJECT_HTTPS:-true}"
      OPENPROJECT_HOST__NAME: "${OPENPROJECT_HOST__NAME:-localhost}"
      OPENPROJECT_HSTS: "${OPENPROJECT_HSTS:-true}"
      OPENPROJECT_RAILS__CACHE__STORE: "memcache"
      OPENPROJECT_CACHE__MEMCACHE__SERVER: "cache:11211"
      OPENPROJECT_RAILS__RELATIVE__URL__ROOT: "${OPENPROJECT_RAILS__RELATIVE__URL__ROOT:-}"
      DATABASE_URL: "postgres://postgres:${POSTGRES_PASSWORD:-CHANGE_ME_IMMEDIATELY}@db/openproject?pool=20&encoding=unicode&reconnect=true"
      RAILS_MIN_THREADS: ${RAILS_MIN_THREADS:-2}
      RAILS_MAX_THREADS: ${RAILS_MAX_THREADS:-4}
      IMAP_ENABLED: "${IMAP_ENABLED:-false}"
      SECRET_KEY_BASE: "${SECRET_KEY_BASE:-GENERATE_ME_WITH_openssl_rand_hex_64}"
      MALLOC_ARENA_MAX: "2"
    deploy:
      resources:
        limits:
          cpus: "0.2"
          memory: 512M
        reservations:
          memory: 128M
    volumes:
      - opdata:/var/openproject/assets
    depends_on:
      db:
        condition: service_healthy
      cache:
        condition: service_started
      seeder:
        condition: service_completed_successfully

  # --------------------------------------------------------------------------
  # Hocuspocus (collaborative real-time editing — Node.js, lightweight)
  # --------------------------------------------------------------------------
  hocuspocus:
    image: openproject/hocuspocus:${HOCUSPOCUS_TAG:-latest}
    restart: unless-stopped
    environment:
      SECRET: ${COLLABORATIVE_SERVER_SECRET:-OVERRIDE_ME_PLEASE}
      OPENPROJECT_URL: "http://web:8080"
      OPENPROJECT_HTTPS: "${OPENPROJECT_HTTPS:-true}"
    deploy:
      resources:
        limits:
          cpus: "0.2"
          memory: 256M
    depends_on:
      web:
        condition: service_healthy