wip

Author: axadrn

content/docs/deploying.md

@@ -40,9 +40,10 @@ If your app needs runtime variables:
 
 Then restart or redeploy the pod to apply changes.
 
-## 4. Add a Domain
+## 4. Add a Domain (Optional)
 
-Your pod needs a domain to be accessible. You have two options:
+Add a domain only if this pod should be reachable publicly (from browser/users).
+You have two options:
 
 - **Auto-generated** - Instant subdomain like `pod-abc123.1.2.3.4.sslip.io`
 - **Custom** - Your own domain like `myapp.example.com` (requires [DNS setup](/docs/domains))
@@ -58,7 +59,29 @@ Hit "Deploy" and watch the build logs. The process:
 3. Start the container
 4. Route traffic via Traefik
 
-Once complete, your app is live at the domain URL.
+Once complete:
+- with domain: your app is live at the domain URL
+- without domain: your app is internal-only (pod-to-pod on the project network)
+
+## 6. Internal Pod-to-Pod Communication
+
+Pods can communicate internally without public domains.
+
+- Internal hostnames are created automatically on deploy/restart
+- Current format: `<pod-slug>-<podID8>` (example: `api-gateway-9b77346e`)
+- A secondary readable alias is also added: `<pod-slug>-<project-slug>`
+
+Use internal calls like:
+
+```bash
+http://api-gateway-9b77346e:8080
+```
+
+Important:
+- Hostname and port are separate. You must call `host:port`.
+- Browser clients cannot resolve internal Docker DNS names directly.
+- Internal DNS names are for server-side/container-side calls only.
+- Existing running containers get the new aliases after deploy/restart.
 
 ## Managing Your Pod
 

content/docs/domains.md

@@ -39,11 +39,31 @@ After setting the server domain:
 
 ## Pod Domains
 
-Each pod needs at least one domain to be accessible.
+Pod domains are optional.
+
+- If a pod should be public, add at least one domain.
+- If a pod is internal-only (pod-to-pod), you can run it without any domain.
 
 Domain changes are not applied to a running container automatically.
 After adding, editing, or deleting pod domains, run **Deploy** or **Restart** to apply routing changes.
 
+### Internal-Only Pods
+
+Internal-only pods communicate over the project Docker network using internal DNS aliases.
+
+- Primary alias format: `<pod-slug>-<podID8>`
+- Secondary alias format: `<pod-slug>-<project-slug>`
+
+Example:
+
+```bash
+http://api-gateway-9b77346e:8080
+```
+
+Note:
+- Internal aliases are intended for container/server-side communication.
+- Browser clients cannot resolve these internal DNS names directly.
+
 ### Auto-Generated Domains
 
 The quickest way to get started. Deeploy generates a subdomain using [sslip.io](https://sslip.io):

internal/server/app/app.go

@@ -62,7 +62,7 @@ func New(cfg *config.Config) (*App, error) {
 	podEnvVarService := service.NewPodEnvVarService(podEnvVarRepo, encryptor)
 	podDomainService := service.NewPodDomainService(podDomainRepo)
 	gitTokenService := service.NewGitTokenService(gitTokenRepo, encryptor)
-	deployService := service.NewDeployService(podRepo, podDomainRepo, podEnvVarService, gitTokenService, dockerService)
+	deployService := service.NewDeployService(podRepo, projectRepo, podDomainRepo, podEnvVarService, gitTokenService, dockerService)
 	traefikService := service.NewTraefikService(serverSettingsRepo, cfg.TraefikConfigDir, cfg.IsDevelopment())
 
 	return &App{

internal/server/docker/docker.go

@@ -194,10 +194,6 @@ func (d *DockerService) RunContainer(ctx context.Context, opts RunContainerOptio
 	//─────────────────────────────────────────────────────────────────────────
 
 	labels := map[string]string{
-		// Enable Traefik for this container
-		// Without this, Traefik ignores the container completely
-		"traefik.enable": "true",
-
 		// Deeploy metadata for container identification
 		"deeploy.pod.id": opts.PodID,
 	}
@@ -209,44 +205,49 @@ func (d *DockerService) RunContainer(ctx context.Context, opts RunContainerOptio
 	if d.isDevelopment {
 		entrypoint = "web"
 	}
+	port := 8080
+	if len(opts.Domains) > 0 {
+		port = opts.Domains[0].Port
+	}
+
+	if opts.AttachEdge {
+		// Enable Traefik only for public pods.
+		labels["traefik.enable"] = "true"
 
-	// Create a router for each domain
-	// Each domain gets its own router but shares the same service (load balancer)
-	for i, domain := range opts.Domains {
-		routerName := fmt.Sprintf("%s-%d", opts.PodID, i)
+		// Create a router for each domain
+		// Each domain gets its own router but shares the same service (load balancer)
+		for i, domain := range opts.Domains {
+			routerName := fmt.Sprintf("%s-%d", opts.PodID, i)
 
-		// Routing rule: Which domain goes to this container?
-		// Host(`example.com`) matches requests with that exact Host header
-		labels["traefik.http.routers."+routerName+".rule"] = fmt.Sprintf("Host(`%s`)", domain.Domain)
+			// Routing rule: Which domain goes to this container?
+			// Host(`example.com`) matches requests with that exact Host header
+			labels["traefik.http.routers."+routerName+".rule"] = fmt.Sprintf("Host(`%s`)", domain.Domain)
 
-		// Service: Where to forward the traffic
-		// @docker suffix is required because Traefik auto-appends it to Docker services
-		labels["traefik.http.routers."+routerName+".service"] = opts.PodID + "@docker"
+			// Service: Where to forward the traffic
+			// @docker suffix is required because Traefik auto-appends it to Docker services
+			labels["traefik.http.routers."+routerName+".service"] = opts.PodID + "@docker"
 
-		// Entrypoint: Which port to listen on (web=80, websecure=443)
-		labels["traefik.http.routers."+routerName+".entrypoints"] = entrypoint
+			// Entrypoint: Which port to listen on (web=80, websecure=443)
+			labels["traefik.http.routers."+routerName+".entrypoints"] = entrypoint
 
-		// SSL/TLS: Only in production (not development)
-		// certresolver=letsencrypt tells Traefik to automatically get a certificate
-		// from Let's Encrypt using the HTTP challenge
-		if !d.isDevelopment {
-			labels["traefik.http.routers."+routerName+".tls.certresolver"] = "letsencrypt"
+			// SSL/TLS: Only in production (not development)
+			// certresolver=letsencrypt tells Traefik to automatically get a certificate
+			// from Let's Encrypt using the HTTP challenge
+			if !d.isDevelopment {
+				labels["traefik.http.routers."+routerName+".tls.certresolver"] = "letsencrypt"
+			}
 		}
-	}
 
-	// Service configuration: One service for all routers
-	// All domains for this pod route to the same container/port
-	port := 8080
-	if len(opts.Domains) > 0 {
-		port = opts.Domains[0].Port
-	}
-	labels["traefik.http.services."+opts.PodID+".loadbalancer.server.port"] = fmt.Sprintf("%d", port)
+		// Service configuration: One service for all routers
+		// All domains for this pod route to the same container/port
+		labels["traefik.http.services."+opts.PodID+".loadbalancer.server.port"] = fmt.Sprintf("%d", port)
 
-	// Health checks: Traefik pings each container every 2 seconds
-	// Only containers that respond get traffic. This ensures zero-downtime
-	// during redeploys - new container only gets traffic once it's ready.
-	labels["traefik.http.services."+opts.PodID+".loadbalancer.healthcheck.path"] = "/"
-	labels["traefik.http.services."+opts.PodID+".loadbalancer.healthcheck.interval"] = "2s"
+		// Health checks: Traefik pings each container every 2 seconds
+		// Only containers that respond get traffic. This ensures zero-downtime
+		// during redeploys - new container only gets traffic once it's ready.
+		labels["traefik.http.services."+opts.PodID+".loadbalancer.healthcheck.path"] = "/"
+		labels["traefik.http.services."+opts.PodID+".loadbalancer.healthcheck.interval"] = "2s"
+	}
 
 	// Container config
 	config := &container.Config{
@@ -264,12 +265,25 @@ func (d *DockerService) RunContainer(ctx context.Context, opts RunContainerOptio
 		RestartPolicy: container.RestartPolicy{Name: "unless-stopped"},
 	}
 
-	// Network config - join the deeploy network so Traefik can reach this container
-	networkConfig := &network.NetworkingConfig{
-		EndpointsConfig: map[string]*network.EndpointSettings{
-			NetworkName: {},
+	if opts.ProjectNetwork == "" {
+		return "", fmt.Errorf("project network is required")
+	}
+	if err := d.EnsureNetwork(ctx, opts.ProjectNetwork); err != nil {
+		return "", fmt.Errorf("failed to ensure project network: %w", err)
+	}
+
+	endpoints := map[string]*network.EndpointSettings{
+		opts.ProjectNetwork: {
+			Aliases: opts.InternalAliases,
 		},
 	}
+	if opts.AttachEdge {
+		endpoints[NetworkName] = &network.EndpointSettings{}
+	}
+
+	networkConfig := &network.NetworkingConfig{
+		EndpointsConfig: endpoints,
+	}
 
 	// Create container
 	resp, err := d.client.ContainerCreate(ctx, config, hostConfig, networkConfig, nil, opts.ContainerName)
@@ -286,6 +300,25 @@ func (d *DockerService) RunContainer(ctx context.Context, opts RunContainerOptio
 	return resp.ID, nil
 }
 
+// EnsureNetwork creates a Docker network if it does not already exist.
+func (d *DockerService) EnsureNetwork(ctx context.Context, name string) error {
+	_, err := d.client.NetworkInspect(ctx, name, network.InspectOptions{})
+	if err == nil {
+		return nil
+	}
+
+	_, err = d.client.NetworkCreate(ctx, name, network.CreateOptions{})
+	if err != nil {
+		// Another deploy may have created the network in the meantime.
+		if _, inspectErr := d.client.NetworkInspect(ctx, name, network.InspectOptions{}); inspectErr == nil {
+			return nil
+		}
+		return err
+	}
+
+	return nil
+}
+
 // StopContainer stops a running container.
 func (d *DockerService) StopContainer(ctx context.Context, containerID string) error {
 	timeout := 30
@@ -409,11 +442,14 @@ type DomainConfig struct {
 
 // RunContainerOptions holds options for running a container.
 type RunContainerOptions struct {
-	ImageName     string
-	ContainerName string
-	PodID         string
-	Domains       []DomainConfig
-	EnvVars       map[string]string
+	ImageName       string
+	ContainerName   string
+	PodID           string
+	Domains         []DomainConfig
+	EnvVars         map[string]string
+	ProjectNetwork  string
+	AttachEdge      bool
+	InternalAliases []string
 }
 
 func mapToEnvSlice(m map[string]string) []string {