Prepare repository for public deployment

- Replace ReportLab PDF export with LibreOffice headless for proper DOCX formatting preservation
- Add libreoffice-writer + fonts-liberation to backend Dockerfile
- Proxy public CV PDFs through frontend (/cv/[slug]) instead of redirecting to MinIO storage directly
- Fix docker-compose: route backend/worker to internal MinIO URL (http://cvfs-minio:9000), remove MinIO from public network, parameterize all domain/env vars
- Add storage cleanup (MinIO artifact deletion) when a document is deleted
- Add docker-compose.standalone.yml for self-deployment without Traefik/dokploy
- Update .env.example with comprehensive self-deployment documentation

https://claude.ai/code/session_017HGM9VPptZG52asT5pbL6Y

docker-compose.standalone.yml

@@ -0,0 +1,148 @@
+version: "3.8"
+
+# Standalone deployment — no Traefik/reverse-proxy required.
+# Usage: docker compose -f docker-compose.standalone.yml up -d
+# Configure via a .env file (copy .env.example and fill in values).
+
+networks:
+  cvfs-network:
+
+services:
+  webapp:
+    container_name: "cvfs-webapp"
+    build:
+      context: ./
+      dockerfile: ./docker/webapp.Dockerfile
+      args:
+        NEXT_PUBLIC_AUTHENTIK_ISSUER: ${NEXT_PUBLIC_AUTHENTIK_ISSUER:-}
+        NEXT_PUBLIC_AUTHENTIK_CLIENT_ID: ${NEXT_PUBLIC_AUTHENTIK_CLIENT_ID:-}
+        NEXT_PUBLIC_BASE_URL: ${PUBLIC_BASE_URL:-http://localhost:3000}
+        API_BASE_URL: http://cvfs-backend:8080
+    environment:
+      - API_BASE_URL=http://cvfs-backend:8080
+      - AUTHENTIK_ISSUER=${AUTHENTIK_ISSUER:-}
+      - AUTHENTIK_CLIENT_ID=${AUTHENTIK_CLIENT_ID:-}
+      - AUTHENTIK_CLIENT_SECRET=${AUTHENTIK_CLIENT_SECRET:-}
+      - NEXT_PUBLIC_AUTHENTIK_ISSUER=${NEXT_PUBLIC_AUTHENTIK_ISSUER:-}
+      - NEXT_PUBLIC_AUTHENTIK_CLIENT_ID=${NEXT_PUBLIC_AUTHENTIK_CLIENT_ID:-}
+      - NEXT_PUBLIC_BASE_URL=${PUBLIC_BASE_URL:-http://localhost:3000}
+    ports:
+      - "${WEBAPP_PORT:-3000}:3000"
+    networks:
+      - cvfs-network
+    depends_on:
+      - backend
+    restart: unless-stopped
+
+  backend:
+    container_name: "cvfs-backend"
+    build:
+      context: ./
+      dockerfile: ./docker/backend-fastapi.Dockerfile
+    environment:
+      - BACKEND_PORT=8080
+      - DATABASE_URL=postgresql+asyncpg://postgres:${POSTGRES_PASSWORD:-postgres}@cvfs-postgres:5432/resume_branches
+      - MINIO_ENDPOINT=http://cvfs-minio:9000
+      - MINIO_BUCKET=${MINIO_BUCKET:-resume-branches}
+      - MINIO_REGION=${MINIO_REGION:-us-east-1}
+      - MINIO_ROOT_USER=${MINIO_ROOT_USER:-minioadmin}
+      - MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD:-minioadmin}
+      - PUBLIC_BASE_URL=${PUBLIC_BASE_URL:-http://localhost:3000}
+      - CV_PUBLIC_DOMAIN=${CV_PUBLIC_DOMAIN:-localhost}
+      - CORS_ORIGINS=${CORS_ORIGINS:-http://localhost:3000}
+      - REDIS_URL=redis://cvfs-redis:6379/0
+      - CELERY_BROKER_URL=redis://cvfs-redis:6379/0
+      - CELERY_RESULT_BACKEND=redis://cvfs-redis:6379/0
+      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
+      - AUTH_OIDC_ISSUER=${AUTH_OIDC_ISSUER:-}
+      - AUTH_OIDC_AUDIENCE=${AUTH_OIDC_AUDIENCE:-}
+      - AUTH_DISABLE_VERIFICATION=${AUTH_DISABLE_VERIFICATION:-true}
+    ports:
+      - "${BACKEND_PORT:-8080}:8080"
+    depends_on:
+      - postgres
+      - minio
+      - redis
+    networks:
+      - cvfs-network
+    restart: unless-stopped
+
+  worker:
+    container_name: "cvfs-worker"
+    build:
+      context: ./
+      dockerfile: ./docker/worker.Dockerfile
+    environment:
+      - REDIS_URL=redis://cvfs-redis:6379/0
+      - CELERY_BROKER_URL=redis://cvfs-redis:6379/0
+      - CELERY_RESULT_BACKEND=redis://cvfs-redis:6379/0
+      - MINIO_ENDPOINT=http://cvfs-minio:9000
+      - MINIO_BUCKET=${MINIO_BUCKET:-resume-branches}
+      - MINIO_REGION=${MINIO_REGION:-us-east-1}
+      - MINIO_ROOT_USER=${MINIO_ROOT_USER:-minioadmin}
+      - MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD:-minioadmin}
+      - PYTHONPATH=/app
+      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
+    depends_on:
+      - redis
+      - minio
+    networks:
+      - cvfs-network
+    restart: unless-stopped
+
+  redis:
+    container_name: "cvfs-redis"
+    image: redis:7-alpine
+    volumes:
+      - redis_data:/data
+    networks:
+      - cvfs-network
+    restart: unless-stopped
+
+  postgres:
+    image: postgres:15-alpine
+    container_name: "cvfs-postgres"
+    environment:
+      POSTGRES_DB: resume_branches
+      POSTGRES_USER: postgres
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    networks:
+      - cvfs-network
+    restart: unless-stopped
+
+  minio:
+    image: minio/minio:latest
+    container_name: "cvfs-minio"
+    environment:
+      - MINIO_ROOT_USER=${MINIO_ROOT_USER:-minioadmin}
+      - MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD:-minioadmin}
+    volumes:
+      - minio_data:/data
+    command: server /data --console-address ":9001"
+    ports:
+      - "${MINIO_CONSOLE_PORT:-9001}:9001"
+    networks:
+      - cvfs-network
+    restart: unless-stopped
+
+  create-bucket:
+    image: minio/mc
+    container_name: "cvfs-create-bucket"
+    depends_on:
+      - minio
+    networks:
+      - cvfs-network
+    entrypoint: >
+      /bin/sh -c "
+      sleep 5;
+      mc alias set myminio http://cvfs-minio:9000 $${MINIO_ROOT_USER:-minioadmin} $${MINIO_ROOT_PASSWORD:-minioadmin};
+      mc mb myminio/$${MINIO_BUCKET:-resume-branches} --ignore-existing;
+      exit 0;
+      "
+
+volumes:
+  redis_data:
+  postgres_data:
+  minio_data: