
Production hardening with infrastructure upgrades and enhanced offline deployment #90

Merged
davidamacey merged 1 commit into master from fix/offline-docker-updates
Oct 14, 2025

@davidamacey
Owner

Summary

This release significantly improves production security, reliability, and user experience with comprehensive infrastructure modernization and air-gapped deployment enhancements.

Infrastructure Upgrades 🏗️

  • PostgreSQL: 14-alpine → 17.5-alpine (security patches, performance improvements)
  • Redis: 7-alpine → 8.2.2-alpine3.22 (latest stable release)
  • MinIO: latest → RELEASE.2025-09-07T16-13-09Z (pinned for reproducibility)
  • Nginx: alpine → 1.29.2-alpine3.22 (security updates)
  • PyTorch: Simplified CUDA wheel installation (removed +cu128 suffix for compatibility)

Security Hardening 🔒

  • Non-root frontend container: Nginx now runs as unprivileged user on port 8080
  • Enhanced Docker security scanning:
    • Fixed multi-arch scanning by pulling fresh amd64 images before Trivy/Dockle
    • Added 600s timeout to Dockle for large image scans
    • Improved cache control with NO_CACHE environment variable
  • LLM provider environment variables: Added missing vLLM and Ollama configuration

Offline Deployment Improvements 📦

  • Automatic version syncing: Infrastructure image versions automatically sync from docker-compose.yml to offline compose
  • Enhanced model download process:
    • Fixed PyAnnote model download to use full WhisperX pipeline (matches backend behavior)
    • Proper root user execution in Docker for cache path compatibility
    • Added sudo handling for Docker-created files
    • Better error handling and progress reporting
  • New standalone model downloader: scripts/download-models.sh for pre-caching models before Docker startup

User Experience Enhancements ✨

  • Interactive HuggingFace token setup:
    • Setup script now prompts for HF token during installation
    • Automatic model pre-download if token provided (eliminates 10-30 min first-use delay)
    • Clear instructions for obtaining token with skip option
    • Model downloads happen before Docker starts, ensuring instant readiness
  • Improved documentation:
    • Updated README with hardware detection and automatic model caching details
    • Better explanations of token requirements and offline capabilities
    • Clearer setup instructions

Technical Changes

  • Docker Compose: All services use pinned versions for reproducibility
  • Build script: Enhanced cache control, improved security scan workflow
  • Model download: Complete rewrite to match production backend behavior exactly
  • Setup script: Downloads model downloader scripts with retry logic and validation

Breaking Changes ⚠️

  • Frontend container now uses port 8080 instead of 80 (non-privileged port)
  • Update any external configurations that reference frontend:80 to frontend:8080

Migration Notes

For existing installations:

  1. Pull latest images: docker compose pull
  2. Restart services: ./opentranscribe.sh restart
  3. Monitor logs for any issues: ./opentranscribe.sh logs

Test Plan

  • Test infrastructure upgrades (PostgreSQL, Redis, MinIO, Nginx)
  • Verify non-root frontend container runs correctly on port 8080
  • Test security scanning with multi-arch images
  • Verify offline package builder with automatic version syncing
  • Test model download script with HuggingFace token
  • Validate setup script with interactive token prompt
  • Test model pre-download before Docker startup
  • Verify all LLM provider environment variables work
  • Test existing installations migration path

🤖 Generated with Claude Code

…offline deployment

This release significantly improves production security, reliability, and user experience with comprehensive infrastructure modernization and air-gapped deployment enhancements.

## Infrastructure Upgrades
- **PostgreSQL**: 14-alpine → 17.5-alpine (security patches, performance improvements)
- **Redis**: 7-alpine → 8.2.2-alpine3.22 (latest stable release)
- **MinIO**: latest → RELEASE.2025-09-07T16-13-09Z (pinned for reproducibility)
- **Nginx**: alpine → 1.29.2-alpine3.22 (security updates)
- **PyTorch**: Simplified CUDA wheel installation (removed +cu128 suffix for compatibility)

## Security Hardening
- **Non-root frontend container**: Nginx now runs as unprivileged user on port 8080
- **Enhanced Docker security scanning**:
  - Fixed multi-arch scanning by pulling fresh amd64 images before Trivy/Dockle
  - Added 600s timeout to Dockle for large image scans
  - Improved cache control with NO_CACHE environment variable
- **LLM provider environment variables**: Added missing vLLM and Ollama configuration

## Offline Deployment Improvements
- **Automatic version syncing**: Infrastructure image versions automatically sync from docker-compose.yml to offline compose
- **Enhanced model download process**:
  - Fixed PyAnnote model download to use full WhisperX pipeline (matches backend behavior)
  - Proper root user execution in Docker for cache path compatibility
  - Added sudo handling for Docker-created files
  - Better error handling and progress reporting
- **New standalone model downloader**: `scripts/download-models.sh` for pre-caching models before Docker startup

## User Experience Enhancements
- **Interactive HuggingFace token setup**:
  - Setup script now prompts for HF token during installation
  - Automatic model pre-download if token provided (eliminates 10-30 min first-use delay)
  - Clear instructions for obtaining token with skip option
  - Model downloads happen before Docker starts, ensuring instant readiness
- **Improved documentation**:
  - Updated README with hardware detection and automatic model caching details
  - Better explanations of token requirements and offline capabilities
  - Clearer setup instructions

## Technical Changes
- **Docker Compose**: All services use pinned versions for reproducibility
- **Build script**: Enhanced cache control, improved security scan workflow
- **Model download**: Complete rewrite to match production backend behavior exactly
- **Setup script**: Downloads model downloader scripts with retry logic and validation

## Breaking Changes
- Frontend container now uses port 8080 instead of 80 (non-privileged port)
- Update any external configurations that reference frontend:80 to frontend:8080

## Migration Notes
For existing installations:
1. Pull latest images: `docker compose pull`
2. Restart services: `./opentranscribe.sh restart`
3. Monitor logs for any issues: `./opentranscribe.sh logs`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@davidamacey davidamacey merged commit c0fe39f into master Oct 14, 2025
2 of 5 checks passed
@davidamacey davidamacey deleted the fix/offline-docker-updates branch October 14, 2025 04:59
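
An added example, not part of the PR or the project's scripts: a POSIX shell audit for two properties the description relies on, that every compose image is pinned rather than floating, and that the offline compose file carries the same image references as docker-compose.yml. The file contents, image repository names and function names are constructed for illustration; only the tags come from the PR text.

```shell
#!/bin/sh
# Added example (not the project's build script): audit compose image pinning and
# main-vs-offline tag drift. Sample files are constructed from the PR's tag list.

# Print each distinct image reference declared in a compose file.
list_images() {
  sed -n 's/^[[:space:]]*image:[[:space:]]*//p' "$1" | tr -d "\"'" | sort -u
}

# Classify a reference as pinned, major-only (e.g. 14-alpine) or floating.
classify_image() {
  ref=$1
  case "$ref" in *@sha256:*) echo pinned; return 0 ;; esac
  tag=${ref##*:}
  case "$tag" in "$ref"|*/*|latest) echo floating; return 0 ;; esac  # no tag, or latest
  case "$tag" in *[0-9]*) ;; *) echo floating; return 0 ;; esac      # e.g. "alpine"
  if printf '%s\n' "$tag" | grep -Eq '^[0-9]+(-.*)?$'; then echo major-only; else echo pinned; fi
}

# List every image that is not pinned; returns 1 if any was found.
audit_pins() {
  rc=0
  for ref in $(list_images "$1"); do
    kind=$(classify_image "$ref")
    [ "$kind" = pinned ] || { echo "$kind: $ref"; rc=1; }
  done
  return $rc
}

# List images in the main file ($1) that the offline file ($2) does not carry verbatim.
check_sync() {
  rc=0
  offline=$(list_images "$2")
  for ref in $(list_images "$1"); do
    printf '%s\n' "$offline" | grep -Fxq -- "$ref" || { echo "drift: $ref"; rc=1; }
  done
  return $rc
}

SAMPLES=$(mktemp -d) && trap 'rm -rf "$SAMPLES"' EXIT
OLD=$SAMPLES/old.yml NEW=$SAMPLES/new.yml OFFLINE=$SAMPLES/offline.yml
printf '  image: %s\n' postgres:14-alpine redis:7-alpine minio/minio:latest nginx:alpine > "$OLD"
printf '  image: %s\n' postgres:17.5-alpine redis:8.2.2-alpine3.22 \
  minio/minio:RELEASE.2025-09-07T16-13-09Z nginx:1.29.2-alpine3.22 > "$NEW"
sed 's/redis:8.2.2-alpine3.22/redis:7-alpine/' "$NEW" > "$OFFLINE"  # constructed stale copy

audit_pins "$OLD" || echo "old tags: not reproducible"
audit_pins "$NEW" && echo "new tags: all pinned"
check_sync "$NEW" "$OFFLINE" || echo "offline compose is out of sync"
```

A full version tag can still be re-pushed by the publisher; only an `@sha256:` digest reference is immutable, which is why the classifier accepts digests unconditionally.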