fix(docker): single-server all-in-one panel with cores + local node

#2 Docker install now actually serves proxy traffic out of the box. New
panel-aio image bundles xray + sing-box; compose runs the panel (and
Caddy) with host networking so the in-process local node binds the proxy
inbound ports directly on the host — matching the native single-server
model. db/redis publish to 127.0.0.1; the installer writes LOCAL_NODE_HOST;
Caddy upstream is configurable (PANEL_UPSTREAM) for host mode. The lean
panel target remains for multi-node fleets.

Author: iPmartNetwork

README.md

@@ -307,6 +307,7 @@ the offender (reversible).
 | Topic | Link |
 |-------|------|
 | API Reference (OpenAPI 3.0) | [`docs/openapi.yaml`](docs/openapi.yaml) |
+| Protocols & Config Examples | [`docs/protocols.md`](docs/protocols.md) |
 | Environment Variables | [`.env.example`](.env.example) |
 | Docker Deploy | [`deploy/`](deploy/) |
 | CI/CD | [`.github/workflows/`](.github/workflows/) |

deploy/Caddyfile

@@ -20,13 +20,13 @@
 	# /index.html before reverse_proxy runs, breaking the API. reverse_proxy
 	# upgrades WebSocket/SSE transparently.
 	handle /api/* {
-		reverse_proxy panel:8080
+		reverse_proxy {$PANEL_UPSTREAM:panel:8080}
 	}
 	handle /sub/* {
-		reverse_proxy panel:8080
+		reverse_proxy {$PANEL_UPSTREAM:panel:8080}
 	}
 	handle /health {
-		reverse_proxy panel:8080
+		reverse_proxy {$PANEL_UPSTREAM:panel:8080}
 	}
 
 	# Everything else is the SPA, with client-side routing fallback.

deploy/Dockerfile

@@ -37,14 +37,26 @@ RUN apk add --no-cache curl tar && \
     tar -xzf /tmp/sb.tgz -C /tmp && \
     mv /tmp/sing-box-*/sing-box /usr/local/bin/sing-box && chmod +x /usr/local/bin/sing-box
 
-# ---- panel (control plane) ----
+# ---- panel (control plane, lean — for multi-node setups) ----
 FROM gcr.io/distroless/static-debian12 AS panel
 COPY --from=builder /out/panel /usr/local/bin/panel
 COPY --from=builder /src/migrations /migrations
 EXPOSE 8080
 USER nonroot:nonroot
 ENTRYPOINT ["/usr/local/bin/panel"]
 
+# ---- panel-aio (all-in-one: panel + xray + sing-box for a single-server,
+#      in-process local node). Used by the default single-server compose. ----
+FROM alpine:3.20 AS panel-aio
+RUN apk add --no-cache ca-certificates
+COPY --from=builder /out/panel /usr/local/bin/panel
+COPY --from=xray /xray/xray /usr/local/bin/xray
+COPY --from=singbox /usr/local/bin/sing-box /usr/local/bin/sing-box
+COPY --from=xray /xray/*.dat /etc/vortex/assets/
+ENV XRAY_LOCATION_ASSET=/etc/vortex/assets
+EXPOSE 8080
+ENTRYPOINT ["/usr/local/bin/panel"]
+
 # ---- node (agent + xray-core) ----
 FROM alpine:3.20 AS node
 RUN apk add --no-cache ca-certificates && adduser -D -u 10001 vortex

deploy/compose.yml

@@ -1,94 +1,92 @@
-# Full-stack VortexUI deployment: panel + Postgres/TimescaleDB + Redis + one node.
-# Generate mTLS certs first (make certs → deploy/certs), then:
+# Single-server VortexUI (Docker): an all-in-one panel that runs xray + sing-box
+# as an in-process local node, fronted by Caddy, with Postgres/TimescaleDB +
+# Redis. The panel and web use host networking so the proxy inbound ports (chosen
+# per inbound) bind directly on the host — the same model as a native install.
+#
 #   docker compose -f deploy/compose.yml up --build -d
 #   docker compose -f deploy/compose.yml exec panel /usr/local/bin/panel admin create \
 #       --username root --password 'change-me' --sudo
+#
+# For a multi-node fleet, run the lean `panel` target instead and add nodes in
+# the UI (each node a separate `vortex-node` install).
 services:
   db:
     image: timescale/timescaledb:latest-pg16
     environment:
       POSTGRES_USER: vortex
       POSTGRES_PASSWORD: ${DB_PASSWORD:-vortex}
       POSTGRES_DB: vortex
+    ports:
+      - "127.0.0.1:5432:5432" # reachable by the host-networked panel
     volumes:
       - db-data:/var/lib/postgresql/data
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U vortex"]
       interval: 5s
       timeout: 3s
       retries: 10
+    restart: unless-stopped
 
   redis:
     image: redis:7-alpine
     command: ["redis-server", "--save", "", "--appendonly", "no"]
+    ports:
+      - "127.0.0.1:6379:6379"
     healthcheck:
       test: ["CMD", "redis-cli", "ping"]
       interval: 5s
       timeout: 3s
       retries: 10
+    restart: unless-stopped
 
   panel:
     build:
       context: ..
       dockerfile: deploy/Dockerfile
-      target: panel
+      target: panel-aio
+    network_mode: host # bind :8080 + the proxy inbound ports directly on the host
     depends_on:
       db: {condition: service_healthy}
       redis: {condition: service_healthy}
     environment:
       VORTEX_HTTP_ADDR: ":8080"
-      VORTEX_DATABASE_URL: "postgres://vortex:${DB_PASSWORD:-vortex}@db:5432/vortex?sslmode=disable"
-      VORTEX_REDIS_URL: "redis://redis:6379/0"
+      VORTEX_DATABASE_URL: "postgres://vortex:${DB_PASSWORD:-vortex}@127.0.0.1:5432/vortex?sslmode=disable"
+      VORTEX_REDIS_URL: "redis://127.0.0.1:6379/0"
       VORTEX_JWT_SECRET: ${JWT_SECRET:?set JWT_SECRET (openssl rand -hex 32)}
       VORTEX_TLS_CERT: /certs/panel.crt
       VORTEX_TLS_KEY: /certs/panel.key
       VORTEX_TLS_CA: /certs/ca.crt
+      # In-process local node (single-server): the panel runs the core itself.
+      VORTEX_LOCAL_NODE: "true"
+      VORTEX_LOCAL_NODE_NAME: local
+      VORTEX_LOCAL_NODE_HOST: ${LOCAL_NODE_HOST:-127.0.0.1}
+      VORTEX_CORE: ${CORE:-xray}
+      VORTEX_CORE_BIN: /usr/local/bin/${CORE:-xray}
+      VORTEX_CORE_CONFIG: /etc/vortex/local-core.json
+      VORTEX_CORE_API_PORT: "10085"
     volumes:
       - ./certs:/certs:ro
-    # The panel is reached through the web reverse proxy; expose it directly only
-    # if you want to hit the raw API. Uncomment to publish on the host:
-    # ports:
-    #   - "8080:8080"
-    expose:
-      - "8080"
     restart: unless-stopped
 
-  # Web UI: serves the SPA, reverse-proxies /api + /sub to the panel, and
-  # terminates TLS. With SITE_ADDRESS set to a domain, Caddy auto-provisions a
-  # Let's Encrypt certificate; otherwise it serves plain HTTP on WEB_PORT.
+  # Web UI: serves the SPA, reverse-proxies /api + /sub to the panel on the host,
+  # and terminates TLS. With SITE_ADDRESS a domain, Caddy auto-provisions a
+  # Let's Encrypt certificate.
   web:
     build:
       context: ..
       dockerfile: deploy/web.Dockerfile
+    network_mode: host
     depends_on:
       - panel
     environment:
       SITE_ADDRESS: ${SITE_ADDRESS:-:80}
       ACME_EMAIL: ${ACME_EMAIL:-}
-    ports:
-      - "${WEB_PORT:-80}:80"
-      - "443:443"
+      PANEL_UPSTREAM: 127.0.0.1:8080
     volumes:
       - caddy-data:/data
       - caddy-config:/config
     restart: unless-stopped
 
-  node:
-    build:
-      context: ..
-      dockerfile: deploy/Dockerfile
-      target: node
-    environment:
-      VORTEX_NODE_LISTEN: ":50051"
-      VORTEX_CORE: xray
-      VORTEX_TLS_CERT: /certs/node.crt
-      VORTEX_TLS_KEY: /certs/node.key
-      VORTEX_TLS_CA: /certs/ca.crt
-    volumes:
-      - ./certs:/certs:ro
-    ports:
-      - "50051:50051"
-
 volumes:
   db-data:
   caddy-data: