maevsi · dargmuesli · Apr 4, 2026 · Feb 20, 2026 · Feb 20, 2026 · Feb 20, 2026
@@ -1,3 +1,68 @@
+## [17.0.0-beta.6](https://github.com/maevsi/stack/compare/17.0.0-beta.5...17.0.0-beta.6) (2026-04-03)
+
+### Bug Fixes
+
+* schedule release ([ea30303](https://github.com/maevsi/stack/commit/ea30303b47eadec1d99300c7f4393ab428274e91))
+* schedule release ([241dd6d](https://github.com/maevsi/stack/commit/241dd6d5d51f6b21066423a2057a50a4d7eed22a))
+
+## [17.0.0-beta.5](https://github.com/maevsi/stack/compare/17.0.0-beta.4...17.0.0-beta.5) (2026-04-03)
+
+### ⚠ BREAKING CHANGES
+
+* **postgraphile:** upgrade to v2
+
+### Features
+
+* **postgraphile:** upgrade to v2 ([66a6a3f](https://github.com/maevsi/stack/commit/66a6a3f982dec6a3679f1fe4ab8d1bf8fd8cbd77))
+
+## [17.0.0-beta.4](https://github.com/maevsi/stack/compare/17.0.0-beta.3...17.0.0-beta.4) (2026-03-11)
+
+### Bug Fixes
+
+* schedule release ([d2d69dc](https://github.com/maevsi/stack/commit/d2d69dcd3cd0df930fce71afe2b689d63772a12b))
+
+## [17.0.0-beta.3](https://github.com/maevsi/stack/compare/17.0.0-beta.2...17.0.0-beta.3) (2026-02-23)
+
+### Features
+
+* **zammad:** add ([f913dfc](https://github.com/maevsi/stack/commit/f913dfc894724e19195853138cc6610419a5ab42))
+
+### Bug Fixes
+
+* **deps:** lockfile maintenance ([0785ef9](https://github.com/maevsi/stack/commit/0785ef9d90e3b32b86da13fae2052f4879d3985d))
+* **deps:** update ghcr.io/maevsi/vibetype to v13.3.3 ([a175137](https://github.com/maevsi/stack/commit/a1751375c4bcaae957fd32e920cd7a62e10114fa))
+* **elasticsearch:** correct security configuration ([ccda936](https://github.com/maevsi/stack/commit/ccda936b5d1d7c24450027e260d9b49c27abbfbd))
+* **elasticsearch:** set memory ([e257b75](https://github.com/maevsi/stack/commit/e257b75a3500aee4b0028bca4777905d14ca7cf0))
+* **vibetype:** move allowed headers from postgraphile ([421ae19](https://github.com/maevsi/stack/commit/421ae19e65001039c15c94db5e91ce3610bd230f))
+* **zammad-init:** restart on failure only ([3fb38d9](https://github.com/maevsi/stack/commit/3fb38d9d88cc8dd4db0baa55345c3e8e14e0ad70))
+* **zammad-nginx:** resolve certificate ([e95bf06](https://github.com/maevsi/stack/commit/e95bf068fd2b4ad34c810815ab2e638b33cddb01))
+* **zammad:** set nginx server scheme ([f035ac5](https://github.com/maevsi/stack/commit/f035ac5ed555b00983612de0c73abdca5accc34d))
+
+### Performance Improvements
+
+* **elasticsearch:** add resource constraints ([3ae4d73](https://github.com/maevsi/stack/commit/3ae4d73975b3afe8b5177cad84c476c358c230a4))
+
+## [17.0.0-beta.2](https://github.com/maevsi/stack/compare/17.0.0-beta.1...17.0.0-beta.2) (2026-02-20)
+
+### ⚠ BREAKING CHANGES
+
+* **postgraphile:** upgrade to v5
+
+### Features
+
+* **postgraphile:** upgrade to v5 ([0113383](https://github.com/maevsi/stack/commit/011338398447c002aaf4682f06aeaee238f3b3b8))
+
+## [17.0.0-beta.1](https://github.com/maevsi/stack/compare/16.0.8...17.0.0-beta.1) (2026-02-20)
+
+### ⚠ BREAKING CHANGES
+
+* **postgraphile:** change forward authorization path
+
+### Features
+
+* **postgraphile:** change forward authorization path ([0e9cc64](https://github.com/maevsi/stack/commit/0e9cc64501ec547b5bddef83dda8a202a94ff203))
+* **vibetype:** allow csrf token access control header ([1ccdd94](https://github.com/maevsi/stack/commit/1ccdd94c7f87fc570212f6cf8c5ad281632e743f))
+
 ## [16.1.12](https://github.com/maevsi/stack/compare/16.1.11...16.1.12) (2026-03-29)
 
 ### Bug Fixes

@@ -372,6 +372,10 @@ This project is deployed in accordance to the [DargStack template](https://githu
 
     The container manager's data.
 
+ - ### `postgraphile_data`
+
+    The GraphQL API's data.
+
  - ### `postgres_data`
 
     The database's data.

@@ -21,5 +21,5 @@
     "prepare": "husky && ./src/development/certificates/mkcert.sh"
   },
   "type": "module",
-  "version": "16.1.12"
+  "version": "17.0.0-beta.6"
 }
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgIYyEMm+hZzEnXhJLGUx9lwr3cKs
+W2uJ+zLvei380CrUEPARnWQNR/V0usS0EFypTQllniuCpbLG6un87kxh6w==
+-----END PUBLIC KEY-----
@@ -1,51 +1,5 @@
------BEGIN RSA PRIVATE KEY-----
-MIIJKQIBAAKCAgEAtBuHX2uH5GviLbocSUBKaRE4iKEjjEoB1eh7VQdBoKi1Wd+D
-NUilVyCtq0ootPSDR/8yOTa8W396Wu1xm07+xDAyFzsilIppu8DNcJo28Gb3PZCm
-4nXmITPkknVSKf80hosgauoe7itqDxgMASYTU8CgBH8zXPaowhqzjz0M/T9RqD1m
-RzMn3NEprDnaVAsh11r3DSandHjsnlgKCf1dlh4ixCZ6zUhtb0sT6GxuJaGjNVev
-LbPLuugMTu3d484FwbND+AmpAjIgdnX5lJQneT7HxgnaiwLDazSwLM0jmiyEvnrm
-SPJZ2sgp87XS0VTVwMYk3M3RCy/3RiamJG5v7qZuVr4L87cXWvLHCwV5dGaPu0Dc
-3/75lcKcWy+BtBQUI+n+om1EitLtUo+lxE9aSyG6bhYQNu+XMRwY768TrzrvBwYt
-5JxoO9y3ybIFzoi/mufkp2NY7XB7CHfMcrn3XzCBbXJwt0Zlu2K1R8FPVN0Slsjt
-OVQun1al9cjC808hihjpiiGpKURoaFsxkh4B8n2Qli/fl5BQVAPClmFbsvToSzy+
-ENEDpXc53eve5Dhzx5SB/qe0DwlljDdc2W8nhozYHaOtnLnhG/TU9mmOliw5jmsH
-b5m1OMdBXMEhrGv4hkHJNg9+hCSJDzvbFRkNY95lZj/fbtFrSHR5WwdsgI8CAwEA
-AQKCAgEAjxyMvbJpAYUD7MfEcCQovEHVxSMdZvzrZnhbf53LdQh5SZeD35QA5TFv
-Lfs4S0k7A7twweuPUbkClTu1GO51G5kcRD9V4+fzyh+SXpX7b5yxenb1VF7QZLOi
-PQoCJqLFrt7f/HRZ7XALz0CRUVxa4SLfQ5N7UbQhNlMXOIsPRi/JB8D6AztPwnNl
-BJfXtw49bqy2P/nl93OauNtF5tgvQ/hgMbJNw854PoXOpNF72GUOlXU+GjeSe8qk
-9RanSLtM8bQrHu02ISuJhfeKQJhUoU/UV7U+tVSVyRrNnlvGnVwggmaPk4kXAvQn
-+aIRiQo66vnHErhsEdKkTlapj6s9PnMmtwNJcv/Bp8/621Pr3mqG4WtZrYxMYFzN
-5tXwjkQQRpLRyi0pwu6IHj9w+y83oJKi6HTo//tJbKEzqx1jjhl4FiNwKMDfxlpp
-eN52c723DELgc9AhRCXP50z2OnjByeI296bj+Vyv0noDDSLK5pq4Hm9Ck62NCfsV
-YqCmvVu5JwFP+MYUECNRH6d98wsWhgKvAJe37JH9BEjxvW3oLB4XofSqGrFePNEM
-jRdnLdJxFC0AfWVMu4JW1MvcZct7nkFd91YGKzZRlasbnRVQ4qHTYhojwiM2LF8E
-aLxKOKegxfRFBkfHSzxzXAA2o4r2pJo2WZI+lBuBd6TmTX21ZLkCggEBAOiIkB9k
-oOOe0UyVDkEJTk62y5LdrEG3KpEjaW12qFP1IGgqP5gDqhDQQ4WB4Pqzl1uoqy2L
-WafpfEH2lBTeYMV4Wg5WkgZIrCRthhdwoDqluUttN612VuT4QlLvnB37zdDzkzfL
-asnCKmXfaOSU/qvHcUvS6SgnwKVWBqFSB2VWBgLGVH2Ty/Yc9TpMraSZA2ATnieR
-7aZy1zegwp7n3sO3mmY0w7A+7YoUms1+Ibe5aNmyw/ThDJBkx+UG0nv9qpoA4yNH
-+S355EJyYdUNoh0d8D3COk72YjcODmiB+6W0qoPQ3SeQ2X/6+xvFNkx2/34+nhcy
-tNNqBkeKe2IpkzUCggEBAMZIjpAPiT/7rb0/ea8DZAmdOhjER5NOic3gz6RN7oqj
-MQ2ktzxfGJez+wnjaqv1xF+qwZi69JwflK3FWIZR3G1wlO5pKMkef5l1N/VLvW2k
-opfx+82sVXi/Cx7w8o6IAS60ZjyxTWhnYQ695QIKP79+poWJ3zi9sBpsj7hHbPco
-tu4kJKVpXOVcmMluSqrn+3kT7Xlpqy6qnFBggRHLJD9okM3TLU3znHRUFhViova3
-kyD65qViITUCIMDmigfCbFYLVGEdNyMDBH0OGSUaSwY0d/KS+43JxLeh84ylHPYZ
-tfPiQxCxn2VyD2h4XkNIdgoY7f/NbkzjkLEdSdc0GTMCggEBAJzgdQsY4opt/RpD
-fUhXNONZ42GD99Cl+CvOzjOxV8K8n05nIlw2LKgHOWZ6xwOb4cNOuZ2SY7wqg1Al
-QKYLmRHgLjF6Ki3fHXO+CDcMHq0yXR4L4wI90kXLT0OQr6xy0tnjWjDMJZFUUzJD
-VQrRkjbl6QOUmQQkPY3Nyc9P/flZ3dhFYX8PFQ1HYBIi5Qskx+grlAlyI/ilhZjb
-9jEqkVlNJvdJJbRj3/HGEOIN9EV06s3kEtvEcKuBsnJK9fn8mvonGxYUWoGwE1TY
-wjPwbKxkJE4mGRxokL4/12yeNN4IUvl3EZy91l7HPl3v4MAZkCjlqdZQuTngT7g4
-LyF8lvkCggEAQJIUSvmkOn/dPknTeJjkFPVsm/AfVus2mSLiu6DdU6x9JvJC8ZgO
-TCjCUaALduBcCMN0tCX9znHCWyxu/Z7e54zIEzOPop8Z8oFnravyjigVAuI8m+fJ
-Fb8xAex5MM09hVYeDRm4GY3A36obT6TCybuWwtn5JWMwXAqKavpnk71ghQCkJnG/
-XLngz4fpLOrKy80fgnBU3KeWq94hagf7T+LfdQeWM1Jn2sIfRuuOIkX51b2fKrBg
-HAELZYYt4QUBfqvF2LJI6E/tQEQ9EAYV9HlVrlsLLEtOknZc96o1WjdZN4ixSlht
-jf2s4tp/5+1K81LW/nyJtOROlD7zcu92XQKCAQAUgxlfDbjBz64DrpyJDhHQq89X
-WH0+zXhwuWiQwzlbSQUJnKnVwPwcnKD/zxK601fWT26C01l3senX49zy/KZI1BtD
-mco+Mr+wKGNPcOoVhhzYTDk6R+jfsyel0uXcky6LPncCLgsq7UpVylONaDO5m+fL
-2wUg67tJu13zHMSWml5+o51jY/Qn/UjsSyEj7gQHq4xM2ottb6fh3CgmMvJKjrAP
-juM36ePNpeQMBHf9Djt7a/tuN0OZdGo4sjBSJ9fEAoMGtxZ1nQyu06ncBQMtlqeD
-+pzL73569phIJDX7E11wczzx/QObJ4dMznCgqEfpzlSNOhPl+bqyzAdVXO4V
------END RSA PRIVATE KEY-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIIDGfDCPfJsxMzMBBupP1pG7aL/xpYshE5qsXLqbDNWmoAoGCCqGSM49
+AwEHoUQDQgAEgIYyEMm+hZzEnXhJLGUx9lwr3cKsW2uJ+zLvei380CrUEPARnWQN
+R/V0usS0EFypTQllniuCpbLG6un87kxh6w==
+-----END EC PRIVATE KEY-----
@@ -1 +1,5 @@
-<ssh-keygen -t rsa -b 4096 -m PEM -f jwt-secret.secret>
+<openssl ecparam -name prime256v1 -genkey -noout -out jwt-secret.secret>
+# <openssl ec -in jwt-secret.secret -pubout -out jwt-secret.secret.pub>
+
+# Optional: convert to PKCS#8 (some libraries expect PKCS#8)
+# <openssl pkcs8 -topk8 -nocrypt -in jwt-secret.secret -out jwt-secret.pk8.pem>
@@ -359,7 +359,7 @@ services:
     deploy:
       labels:
         - traefik.enable=true
-        - traefik.http.middlewares.postgraphile_auth.forwardauth.address=http://vibetype:3000/api/service/traefik/authentication
+        - traefik.http.middlewares.postgraphile_auth.forwardauth.address=http://vibetype:3000/api/internal/service/postgraphile/authentication
         - traefik.http.middlewares.postgraphile_auth.forwardauth.forwardBody=true
         - traefik.http.middlewares.postgraphile_auth.forwardauth.preserveRequestMethod=true
         - traefik.http.middlewares.postgraphile_cors.headers.accessControlAllowCredentials=true
@@ -370,25 +370,28 @@ services:
         - traefik.http.routers.postgraphile.rule=Host(`postgraphile.${STACK_DOMAIN}`)
         - traefik.http.routers.postgraphile_secure.entryPoints=web-secure
         - traefik.http.routers.postgraphile_secure.middlewares=postgraphile_auth,postgraphile_cors
-        - traefik.http.routers.postgraphile_secure.rule=Host(`postgraphile.${STACK_DOMAIN}`)
+        - traefik.http.routers.postgraphile_secure.rule=Host(`postgraphile.${STACK_DOMAIN}`) && Path(`/graphql`)
         - traefik.http.routers.postgraphile_secure.tls.options=mintls13@file #DARGSTACK-REMOVE
         - traefik.http.routers.postgraphile_secure_graphiql.entryPoints=web-secure
-        - traefik.http.routers.postgraphile_secure_graphiql.rule=Host(`postgraphile.${STACK_DOMAIN}`) && Path(`/graphiql`)
+        - traefik.http.routers.postgraphile_secure_graphiql.rule=Host(`postgraphile.${STACK_DOMAIN}`)
         - traefik.http.routers.postgraphile_secure_graphiql.tls.options=mintls13@file #DARGSTACK-REMOVE
-        - traefik.http.services.postgraphile.loadbalancer.server.port=5000
-    environment:
-      POSTGRAPHILE_CONNECTION_FILE: /run/secrets/postgraphile_connection
-      POSTGRAPHILE_JWT_PUBLIC_KEY_FILE: /run/config/postgraphile_jwt-public-key
-      POSTGRAPHILE_JWT_SECRET_KEY_FILE: /run/secrets/postgraphile_jwt-secret
-      POSTGRAPHILE_OWNER_CONNECTION_FILE: /run/secrets/postgraphile_owner-connection
-    image: ghcr.io/maevsi/postgraphile:1.0.19
+        - traefik.http.services.postgraphile.loadbalancer.server.port=5678
+    # # Use the DEBUG environment variable for extended debugging.
+    # environment:
+    #   DEBUG: graphile-build:warn,graphile-build-pg:sql
+    image: maevsi/postgraphile:dev
     secrets:
-      - postgraphile_connection
-      - postgraphile_jwt-secret
-      - postgraphile_owner-connection
+      - source: postgraphile_connection
+        target: /run/environment-variables/POSTGRAPHILE_CONNECTION
+      - source: postgraphile_jwt-secret
+        target: /run/environment-variables/POSTGRAPHILE_JWT_SECRET_KEY
+      - source: postgraphile_owner-connection
+        target: /run/environment-variables/POSTGRAPHILE_OWNER_CONNECTION
     volumes:
-      - ./configurations/postgraphile/jwtRS256.key.pub:/run/config/postgraphile_jwt-public-key:ro
-      - ../production/configurations/postgraphile/.postgraphilerc.js:/postgraphile/.postgraphilerc.js:ro
+      - ../../../postgraphile/:/srv/app/ #DARGSTACK-REMOVE
+      - ./configurations/postgraphile/jwtES256.key.pub:/run/environment-variables/POSTGRAPHILE_JWT_PUBLIC_KEY:ro
+      - pnpm_data:/srv/.pnpm-store/ #DARGSTACK-REMOVE
+      - postgraphile_data:/srv/app/node_modules #DARGSTACK-REMOVE
   postgres:
     # You can access the database via `adminer`.
     command: -c vibetype.jwt_expiry_duration='1 month' -c wal_level=logical
@@ -451,7 +454,7 @@ services:
       - reccoom_openai-api-key
     volumes:
       - ../../../reccoom/:/srv/app/ #DARGSTACK-REMOVE
-      - ./configurations/postgraphile/jwtRS256.key.pub:/run/configurations/jwtRS256.key.pub:ro
+      - ./configurations/postgraphile/jwtES256.key.pub:/run/configurations/jwtES256.key.pub:ro
   reccoom_postgres:
     # You can access reccoom's database via `adminer`.
     environment:
@@ -640,7 +643,7 @@ services:
       - ./certificates/:/srv/certificates/ #DARGSTACK-REMOVE
       - ../../../vibetype/:/srv/app/ #DARGSTACK-REMOVE
       - vibetype_data:/srv/app/node_modules #DARGSTACK-REMOVE
-      - ./configurations/postgraphile/jwtRS256.key.pub:/run/environment-variables/NUXT_PUBLIC_VIO_AUTH_JWT_PUBLIC_KEY:ro
+      - ./configurations/postgraphile/jwtES256.key.pub:/run/environment-variables/NUXT_PUBLIC_VIO_AUTH_JWT_PUBLIC_KEY:ro
   zammad-backup:
     # You cannot access the helpdesk backup service via a web interface.
     <<: *zammad-service
@@ -713,6 +716,9 @@ volumes:
   portainer_data:
     # The container manager's data.
     {}
+  postgraphile_data:
+    # The GraphQL API's data.
+    {}
   postgres_data:
     # The database's data.
     {}

@@ -43,6 +43,7 @@ services:
         - (( append ))
         - traefik.http.routers.postgraphile.middlewares=postgraphile_auth,postgraphile_cors
         - traefik.http.routers.postgraphile_secure.tls.certresolver=default
+    image: maevsi/postgraphile:2.0.0
   postgres_backup:
     # You cannot access the database backup directly.
     environment:
@@ -72,7 +73,7 @@ services:
         - (( append ))
         - traefik.http.routers.redpanda_secure.tls.certresolver=default
   sqitch:
-    image: ghcr.io/maevsi/sqitch:10.0.6
+    image: ghcr.io/maevsi/sqitch:11.0.0
     volumes: (( prune ))
   traefik:
     command:
@@ -118,7 +119,7 @@ services:
         - (( append ))
         - traefik.http.routers.vibetype.middlewares=vibetype_cors,vibetype_redirectregex
         - traefik.http.routers.vibetype_secure.tls.certresolver=default
-    image: ghcr.io/maevsi/vibetype:13.3.3
+    image: ghcr.io/maevsi/vibetype:14.0.0
     user: (( prune ))
   # vibetype_beta:
   #   # You can access the main project frontend's beta version at [beta.app.localhost](https://beta.app.localhost/).
@@ -161,7 +162,7 @@ services:
   #     - source: postgres_role_service_vibetype_username
   #       target: /run/environment-variables/PGUSER
   #   volumes:
-  #     - ./configurations/postgraphile/jwtRS256.key.pub:/run/environment-variables/NUXT_PUBLIC_VIO_AUTH_JWT_PUBLIC_KEY:ro
+  #     - ./configurations/postgraphile/jwtES256.key.pub:/run/environment-variables/NUXT_PUBLIC_VIO_AUTH_JWT_PUBLIC_KEY:ro
   zammad-nginx:
     deploy:
       labels: