Merged my code wih official compose file

docker-stacks/app-server/penpot.yml

@@ -1,45 +1,89 @@
+x-flags: &penpot-flags
+  # Merged disable-sandbox into the flags array to protect the headless engine
+  PENPOT_FLAGS: disable-email-verification enable-smtp enable-prepl-server disable-secure-session-cookies enable-mcp disable-sandbox
+
+x-uri: &penpot-public-uri
+  PENPOT_PUBLIC_URI: ${PENPOT_PUBLIC_URI}
+
+x-body-size: &penpot-http-body-size
+  PENPOT_HTTP_SERVER_MAX_BODY_SIZE: 367001600
+  PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE: 367001600
+
+x-secret-key: &penpot-secret-key
+  PENPOT_SECRET_KEY: ${PENPOT_SECRET_KEY}
+
 networks:
   penpot-net:
     driver: bridge
 
+volumes:
+  penpot_assets:
+
 services:
-  penpot-backend:
-    image: penpotapp/backend:latest
-    restart: always
-    networks:
-      - penpot-net
-    environment:
-      - PENPOT_DATABASE_URI=${PENPOT_DATABASE_URI}
-      - PENPOT_REDIS_URI=${PENPOT_REDIS_URI}
-      - PENPOT_SECRET_KEY=${PENPOT_SECRET_KEY}
-      - PENPOT_EXPORTER_SECRET_KEY=${PENPOT_EXPORTER_SECRET_KEY}
-      - PENPOT_PUBLIC_URI=${PENPOT_PUBLIC_URI}
-    ports:
-      - "6060:6060"
-
-  penpot-exporter:
-    image: penpotapp/exporter:latest
-    restart: always
-    networks:
-      - penpot-net
-    shm_size: '2gb'
-    environment:
-      - PENPOT_PUBLIC_URI=${PENPOT_PUBLIC_URI}
-      - PENPOT_SECRET_KEY=${PENPOT_SECRET_KEY}
-      - PENPOT_EXPORTER_SECRET_KEY=${PENPOT_EXPORTER_SECRET_KEY}
-      - PENPOT_REDIS_URL=${PENPOT_REDIS_URI}
-      - PENPOT_REDIS_URI=${PENPOT_REDIS_URI}
-      - PENPOT_FLAGS=disable-sandbox
-
   penpot-frontend:
-    image: penpotapp/frontend:latest
+    image: "penpotapp/frontend:${PENPOT_VERSION:-latest}"
     restart: always
-    networks:
-      - penpot-net
-    environment:
-      - PENPOT_FLAGS=enable-all-flags
     ports:
-      - "8084:80"    
+      - "8084:80" # Binds your port 8084 layout mapping to Penpot frontend
+    volumes:
+      - penpot_assets:/opt/data/assets
     depends_on:
       - penpot-backend
       - penpot-exporter
+      - penpot-mcp
+    networks:
+      - penpot-net
+    environment:
+      << : [*penpot-flags, *penpot-http-body-size, *penpot-public-uri]
+
+  penpot-backend:
+    image: "penpotapp/backend:${PENPOT_VERSION:-latest}"
+    restart: always
+    volumes:
+      - penpot_assets:/opt/data/assets
+    networks:
+      - penpot-net
+    ports:
+      - "6060:6060"
+    environment:
+      << : [*penpot-flags, *penpot-public-uri, *penpot-http-body-size, *penpot-secret-key]
+      
+      # Security Handshake Key for internal Exporter validation routines
+      PENPOT_EXPORTER_SECRET_KEY: ${PENPOT_EXPORTER_SECRET_KEY}
+
+      ## Database connection parameters pointing directly to your external LXC
+      # Note: Ensure the raw string value assigned to this variable inside your .env 
+      # has special characters URL-encoded (e.g. postgresql://penpot:ddlO%26%40jdw72%23zA@...)
+      PENPOT_DATABASE_URI: ${PENPOT_DATABASE_URI}
+
+      ## Valkey/Redis parameters routed directly to your active k3s node
+      PENPOT_REDIS_URI: ${PENPOT_REDIS_URI}
+
+      ## Storage Settings
+      PENPOT_OBJECTS_STORAGE_BACKEND: fs
+      PENPOT_OBJECTS_STORAGE_FS_DIRECTORY: /opt/data/assets
+
+      ## Telemetry & Optional settings
+      PENPOT_TELEMETRY_ENABLED: "false"
+
+  penpot-mcp:
+    image: "penpotapp/mcp:${PENPOT_VERSION:-latest}"
+    restart: always
+    networks:
+      - penpot-net
+
+  penpot-exporter:
+    image: "penpotapp/exporter:${PENPOT_VERSION:-latest}"
+    restart: always
+    shm_size: '2gb' # Retained to protect Puppeteer rendering processes from memory crashes
+    networks:
+      - penpot-net
+    environment:
+      << : [*penpot-secret-key]
+      PENPOT_EXPORTER_SECRET_KEY: ${PENPOT_EXPORTER_SECRET_KEY}
+      PENPOT_PUBLIC_URI: http://penpot-frontend:8080
+
+      ## Valkey/Redis variables duplicated to satisfy background exporter sub-engines
+      PENPOT_REDIS_URI: ${PENPOT_REDIS_URI}
+      PENPOT_REDIS_URL: ${PENPOT_REDIS_URI}
+      PENPOT_FLAGS: disable-sandbox