From fa72cfb5eceacb9abd06630bafcd070d8e517ff0 Mon Sep 17 00:00:00 2001
From: Gronod
Date: Sun, 17 May 2026 17:42:55 +0100
Subject: [PATCH] fix: healthcheck respects TLS_ENABLED at runtime
When TLS_ENABLED=false (e.g. behind a reverse proxy) the healthcheck was still hitting https://localhost which fails on plain HTTP, keeping the container perpetually in 'starting' state on TrueNAS SCALE.
Use a shell conditional so the correct protocol is used at runtime:
- TLS_ENABLED=false -> wget http://localhost:${PORT}/health
- TLS_ENABLED=true (default) -> wget --no-check-certificate https://...
---
 Dockerfile | 8 ++++----
 docker-compose.yaml | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index c5c8e09..1ed08eb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -49,10 +49,10 @@ USER node
 EXPOSE 3001
-# HEALTHCHECK — Docker will restart the container if this fails 3 times
-# --no-check-certificate handles self-signed / snakeoil certs.
-# Remove that flag when using a CA-signed certificate.
+# HEALTHCHECK — Docker will restart the container if this fails 3 times.
+# Respects TLS_ENABLED at runtime: uses https (with --no-check-certificate
+# to handle self-signed/snakeoil certs) when TLS is on, plain http when off.
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
- CMD wget -qO- --no-check-certificate https://localhost:3001/health || exit 1
+ CMD /bin/sh -c '[ "${TLS_ENABLED:-true}" = "false" ] && wget -qO- http://localhost:${PORT:-3001}/health || wget -qO- --no-check-certificate https://localhost:${PORT:-3001}/health'
 CMD ["node", "server/index.js"]
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 5478d3c..5bb2895 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
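Review bot: In the Dockerfile HEALTHCHECK, `[ … ] && wget http… || wget https…` is not an if/else: with TLS_ENABLED=false, a failing HTTP probe falls through to the HTTPS probe, so every failed check issues two requests inside the 5s timeout and the reported error comes from the wrong protocol. The same expression is used in the docker-compose.yaml `test:` line. An explicit conditional avoids this and can restore the `|| exit 1` that the old line had, e.g. `CMD if [ "${TLS_ENABLED:-true}" = "false" ]; then wget -qO- http://localhost:${PORT:-3001}/health; else wget -qO- --no-check-certificate https://localhost:${PORT:-3001}/health; fi || exit 1`. The comparison also matches only the literal `false`; whether the server treats `False` or `0` the same way is not visible here and is worth confirming so the probe and the listener cannot disagree.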
@@ -47,9 +47,9 @@ services:
 - ALL # drop all Linux capabilities
 cap_add: [] # add back none — Node.js needs no special caps
 healthcheck:
- # Uses --no-check-certificate for self-signed / snakeoil certs.
- # Remove that flag if using a CA-signed certificate.
- test: ["CMD", "wget", "-qO-", "--no-check-certificate", "https://localhost:3001/health"]
+ # Respects TLS_ENABLED: uses http when set to false, https otherwise.
+ # --no-check-certificate handles self-signed / snakeoil certs.
+ test: ["CMD", "/bin/sh", "-c", "[ \"${TLS_ENABLED:-true}\" = \"false\" ] && wget -qO- http://localhost:${PORT:-3001}/health || wget -qO- --no-check-certificate https://localhost:${PORT:-3001}/health"]
 interval: 30s
 timeout: 5s
 retries: 3
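Review bot: In the `test:` line, `${TLS_ENABLED:-true}` and `${PORT:-3001}` are interpolated by Docker Compose when the file is parsed, from the host environment or `.env`, not by `/bin/sh` inside the container, so the check does not follow the container's runtime value as the commit message intends. If TLS_ENABLED is set only under the service's `environment:` (that block is outside this hunk), Compose substitutes the default and the probe stays on HTTPS. Escaping the dollar signs defers expansion to the container shell: `$${TLS_ENABLED:-true}` and `$${PORT:-3001}`. The updated comment also drops the earlier guidance about when `--no-check-certificate` can be removed; a line such as `# Certificate checks are skipped for this loopback probe only; do not copy this flag to external clients.` would keep the scope of that bypass explicit.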