feat: add custom health check commands per app

Add configurable health check commands per app via a new
'healthcheck_command' field. When set, the command is passed
to Docker as a CMD-SHELL health check on the container.
When empty, the image's default health check is used.

Changes:
- Add migration 007 for healthcheck_command column on apps table
- Add HealthcheckCommand field to App model with full CRUD support
- Add buildHealthcheck() to docker client for CMD-SHELL config
- Pass health check command through CreateContainerOptions
- Add health check command input to app create/edit UI forms
- Extract optionalNullString helper to reduce handler complexity
- Update README features list

closes #81

README.md

@@ -8,8 +8,7 @@ A simple self-hosted PaaS that auto-deploys Docker containers from Git repositor
 - Per-app SSH keypairs for read-only deploy keys
 - Per-app UUID-based webhook URLs for Gitea integration
 - Branch filtering - only deploy on configured branch changes
-- Environment variables, labels, and volume mounts per app
+- Environment variables, labels, volume mounts, and custom health checks per app
-- Private Docker registry authentication for base images
 - Docker builds via socket access
 - Notifications via ntfy and Slack-compatible webhooks
 - Simple server-rendered UI with Tailwind CSS

internal/database/migrations/007_add_healthcheck_command.sql

@@ -0,0 +1,2 @@
+-- Add custom health check command per app
+ALTER TABLE apps ADD COLUMN healthcheck_command TEXT;

internal/database/migrations/007_add_registry_credentials.sql

@@ -1,11 +0,0 @@
--- Add registry credentials for private Docker registry authentication during builds
-CREATE TABLE registry_credentials (
-    id INTEGER PRIMARY KEY,
-    app_id TEXT NOT NULL REFERENCES apps(id) ON DELETE CASCADE,
-    registry TEXT NOT NULL,
-    username TEXT NOT NULL,
-    password TEXT NOT NULL,
-    UNIQUE(app_id, registry)
-);
-
-CREATE INDEX idx_registry_credentials_app_id ON registry_credentials(app_id);

internal/docker/auth_test.go

@@ -1,96 +0,0 @@
-package docker //nolint:testpackage // tests unexported buildAuthConfigs
-
-import (
-	"testing"
-)
-
-func TestBuildAuthConfigsEmpty(t *testing.T) {
-	t.Parallel()
-
-	result := buildAuthConfigs(nil)
-	if len(result) != 0 {
-		t.Errorf("expected empty map, got %d entries", len(result))
-	}
-}
-
-func TestBuildAuthConfigsSingle(t *testing.T) {
-	t.Parallel()
-
-	auths := []RegistryAuth{
-		{
-			Registry: "registry.example.com",
-			Username: "user",
-			Password: "pass",
-		},
-	}
-
-	result := buildAuthConfigs(auths)
-
-	if len(result) != 1 {
-		t.Fatalf("expected 1 entry, got %d", len(result))
-	}
-
-	cfg, ok := result["registry.example.com"]
-	if !ok {
-		t.Fatal("expected registry.example.com key")
-	}
-
-	if cfg.Username != "user" {
-		t.Errorf("expected username 'user', got %q", cfg.Username)
-	}
-
-	if cfg.Password != "pass" {
-		t.Errorf("expected password 'pass', got %q", cfg.Password)
-	}
-
-	if cfg.ServerAddress != "registry.example.com" {
-		t.Errorf("expected server address 'registry.example.com', got %q", cfg.ServerAddress)
-	}
-}
-
-func TestBuildAuthConfigsMultiple(t *testing.T) {
-	t.Parallel()
-
-	auths := []RegistryAuth{
-		{Registry: "ghcr.io", Username: "ghuser", Password: "ghtoken"},
-		{Registry: "docker.io", Username: "dkuser", Password: "dktoken"},
-	}
-
-	result := buildAuthConfigs(auths)
-
-	if len(result) != 2 {
-		t.Fatalf("expected 2 entries, got %d", len(result))
-	}
-
-	ghcr := result["ghcr.io"]
-	if ghcr.Username != "ghuser" || ghcr.Password != "ghtoken" {
-		t.Errorf("unexpected ghcr.io config: %+v", ghcr)
-	}
-
-	dkr := result["docker.io"]
-	if dkr.Username != "dkuser" || dkr.Password != "dktoken" {
-		t.Errorf("unexpected docker.io config: %+v", dkr)
-	}
-}
-
-func TestRegistryAuthStruct(t *testing.T) {
-	t.Parallel()
-
-	auth := RegistryAuth{
-		Registry: "registry.example.com",
-		Username: "testuser",
-		Password: "testpass",
-	}
-
-	if auth.Registry != "registry.example.com" {
-		t.Errorf("expected registry 'registry.example.com', got %q", auth.Registry)
-	}
-
-	if auth.Username != "testuser" {
-		t.Errorf("expected username 'testuser', got %q", auth.Username)
-	}
-
-	if auth.Password != "testpass" {
-		t.Errorf("expected password 'testpass', got %q", auth.Password)
-	}
-}

internal/docker/client.go

@@ -13,6 +13,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"time"
 
 	dockertypes "github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
@@ -20,7 +21,6 @@ import (
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/mount"
 	"github.com/docker/docker/api/types/network"
-	"github.com/docker/docker/api/types/registry"
 	"github.com/docker/docker/client"
 	"github.com/docker/docker/pkg/archive"
 	"github.com/docker/go-connections/nat"
@@ -106,20 +106,12 @@ func (c *Client) IsConnected() bool {
 	return c.docker != nil
 }
 
-// RegistryAuth contains authentication credentials for a Docker registry.
-type RegistryAuth struct {
-	Registry string
-	Username string
-	Password string //nolint:gosec // credential field required for registry auth
-}
-
 // BuildImageOptions contains options for building an image.
 type BuildImageOptions struct {
 	ContextDir     string
 	DockerfilePath string
 	Tags           []string
 	LogWriter      io.Writer // Optional writer for build output
-	RegistryAuths  []RegistryAuth // Optional registry credentials for pulling private base images
 }
 
 // BuildImage builds a Docker image from a context directory.
@@ -154,6 +146,7 @@ type CreateContainerOptions struct {
 	Volumes            []VolumeMount
 	Ports              []PortMapping
 	Network            string
+	HealthcheckCommand string // Custom health check shell command (empty = use image default)
 }
 
 // VolumeMount represents a volume mount.
@@ -170,21 +163,6 @@ type PortMapping struct {
 	Protocol      string // "tcp" or "udp"
 }
 
-// buildAuthConfigs converts RegistryAuth slices into Docker's AuthConfigs map.
-func buildAuthConfigs(auths []RegistryAuth) map[string]registry.AuthConfig {
-	configs := make(map[string]registry.AuthConfig, len(auths))
-
-	for _, auth := range auths {
-		configs[auth.Registry] = registry.AuthConfig{
-			Username:      auth.Username,
-			Password:      auth.Password,
-			ServerAddress: auth.Registry,
-		}
-	}
-
-	return configs
-}
-
 // buildPortConfig converts port mappings to Docker port configuration.
 func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) {
 	exposedPorts := make(nat.PortSet)
@@ -209,6 +187,29 @@ func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) {
 	return exposedPorts, portBindings
 }
 
+// healthcheckInterval is the time between health check attempts.
+const healthcheckInterval = 30 * time.Second
+
+// healthcheckTimeout is the maximum time a single health check can take.
+const healthcheckTimeout = 10 * time.Second
+
+// healthcheckStartPeriod is the grace period before health checks start counting failures.
+const healthcheckStartPeriod = 15 * time.Second
+
+// healthcheckRetries is the number of consecutive failures needed to mark unhealthy.
+const healthcheckRetries = 3
+
+// buildHealthcheck creates a Docker health check config from a shell command string.
+func buildHealthcheck(command string) *container.HealthConfig {
+	return &container.HealthConfig{
+		Test:        []string{"CMD-SHELL", command},
+		Interval:    healthcheckInterval,
+		Timeout:     healthcheckTimeout,
+		StartPeriod: healthcheckStartPeriod,
+		Retries:     healthcheckRetries,
+	}
+}
+
 // CreateContainer creates a new container.
 func (c *Client) CreateContainer(
 	ctx context.Context,
@@ -242,14 +243,22 @@ func (c *Client) CreateContainer(
 	// Convert ports to exposed ports and port bindings
 	exposedPorts, portBindings := buildPortConfig(opts.Ports)
 
-	// Create container
+	// Build container config
-	resp, err := c.docker.ContainerCreate(ctx,
+	containerConfig := &container.Config{
-		&container.Config{
 		Image:        opts.Image,
 		Env:          envSlice,
 		Labels:       opts.Labels,
 		ExposedPorts: exposedPorts,
-		},
+	}
+
+	// Apply custom health check if configured
+	if opts.HealthcheckCommand != "" {
+		containerConfig.Healthcheck = buildHealthcheck(opts.HealthcheckCommand)
+	}
+
+	// Create container
+	resp, err := c.docker.ContainerCreate(ctx,
+		containerConfig,
 		&container.HostConfig{
 			Mounts:       mounts,
 			PortBindings: portBindings,
@@ -537,18 +546,12 @@ func (c *Client) performBuild(
 	}()
 
 	// Build image
-	buildOpts := dockertypes.ImageBuildOptions{
+	resp, err := c.docker.ImageBuild(ctx, tarArchive, dockertypes.ImageBuildOptions{
 		Dockerfile: opts.DockerfilePath,
 		Tags:       opts.Tags,
 		Remove:     true,
 		NoCache:    false,
-	}
+	})
-
-	if len(opts.RegistryAuths) > 0 {
-		buildOpts.AuthConfigs = buildAuthConfigs(opts.RegistryAuths)
-	}
-
-	resp, err := c.docker.ImageBuild(ctx, tarArchive, buildOpts)
 	if err != nil {
 		return "", fmt.Errorf("failed to build image: %w", err)
 	}

internal/docker/validation_test.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"log/slog"
 	"testing"
+	"time"
 )
 
 func TestValidBranchRegex(t *testing.T) {
@@ -146,3 +147,52 @@ func TestCloneRepoRejectsInjection(t *testing.T) { //nolint:funlen // table-driv
 		})
 	}
 }
+
+func TestBuildHealthcheck(t *testing.T) {
+	t.Parallel()
+
+	t.Run("creates CMD-SHELL health check", func(t *testing.T) {
+		t.Parallel()
+
+		cmd := "curl -f http://localhost:8080/healthz || exit 1"
+		hc := buildHealthcheck(cmd)
+
+		if len(hc.Test) != 2 {
+			t.Fatalf("expected 2 test elements, got %d", len(hc.Test))
+		}
+
+		if hc.Test[0] != "CMD-SHELL" {
+			t.Errorf("expected Test[0]=%q, got %q", "CMD-SHELL", hc.Test[0])
+		}
+
+		if hc.Test[1] != cmd {
+			t.Errorf("expected Test[1]=%q, got %q", cmd, hc.Test[1])
+		}
+	})
+
+	t.Run("sets expected intervals", func(t *testing.T) {
+		t.Parallel()
+
+		hc := buildHealthcheck("true")
+
+		expectedInterval := 30 * time.Second
+		if hc.Interval != expectedInterval {
+			t.Errorf("expected Interval=%v, got %v", expectedInterval, hc.Interval)
+		}
+
+		expectedTimeout := 10 * time.Second
+		if hc.Timeout != expectedTimeout {
+			t.Errorf("expected Timeout=%v, got %v", expectedTimeout, hc.Timeout)
+		}
+
+		expectedStartPeriod := 15 * time.Second
+		if hc.StartPeriod != expectedStartPeriod {
+			t.Errorf("expected StartPeriod=%v, got %v", expectedStartPeriod, hc.StartPeriod)
+		}
+
+		expectedRetries := 3
+		if hc.Retries != expectedRetries {
+			t.Errorf("expected Retries=%d, got %d", expectedRetries, hc.Retries)
+		}
+	})
+}

internal/handlers/app.go

@@ -57,6 +57,7 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 		dockerNetwork := request.FormValue("docker_network")
 		ntfyTopic := request.FormValue("ntfy_topic")
 		slackWebhook := request.FormValue("slack_webhook")
+		healthcheckCommand := request.FormValue("healthcheck_command")
 
 		data := h.addGlobals(map[string]any{
 			"Name":               name,
@@ -66,6 +67,7 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 			"DockerNetwork":      dockerNetwork,
 			"NtfyTopic":          ntfyTopic,
 			"SlackWebhook":       slackWebhook,
+			"HealthcheckCommand": healthcheckCommand,
 		}, request)
 
 		if name == "" || repoURL == "" {
@@ -109,6 +111,7 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 				DockerNetwork:      dockerNetwork,
 				NtfyTopic:          ntfyTopic,
 				SlackWebhook:       slackWebhook,
+				HealthcheckCommand: healthcheckCommand,
 			},
 		)
 		if createErr != nil {
@@ -148,7 +151,6 @@ func (h *Handlers) HandleAppDetail() http.HandlerFunc {
 		labels, _ := application.GetLabels(request.Context())
 		volumes, _ := application.GetVolumes(request.Context())
 		ports, _ := application.GetPorts(request.Context())
-		registryCreds, _ := application.GetRegistryCredentials(request.Context())
 		deployments, _ := application.GetDeployments(
 			request.Context(),
 			recentDeploymentsLimit,
@@ -169,7 +171,6 @@ func (h *Handlers) HandleAppDetail() http.HandlerFunc {
 			"Labels":           labels,
 			"Volumes":          volumes,
 			"Ports":            ports,
-			"RegistryCredentials": registryCreds,
 			"Deployments":      deployments,
 			"LatestDeployment": latestDeployment,
 			"WebhookURL":       webhookURL,
@@ -210,6 +211,11 @@ func (h *Handlers) HandleAppEdit() http.HandlerFunc {
 	}
 }
 
+// optionalNullString returns a valid NullString if the value is non-empty, or an empty NullString.
+func optionalNullString(value string) sql.NullString {
+	return sql.NullString{String: value, Valid: value != ""}
+}
+
 // HandleAppUpdate handles app updates.
 func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // validation adds necessary length
 	tmpl := templates.GetParsed()
@@ -259,24 +265,10 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // valid
 		application.RepoURL = request.FormValue("repo_url")
 		application.Branch = request.FormValue("branch")
 		application.DockerfilePath = request.FormValue("dockerfile_path")
-
+		application.DockerNetwork = optionalNullString(request.FormValue("docker_network"))
-		if network := request.FormValue("docker_network"); network != "" {
+		application.NtfyTopic = optionalNullString(request.FormValue("ntfy_topic"))
-			application.DockerNetwork = sql.NullString{String: network, Valid: true}
+		application.SlackWebhook = optionalNullString(request.FormValue("slack_webhook"))
-		} else {
+		application.HealthcheckCommand = optionalNullString(request.FormValue("healthcheck_command"))
-			application.DockerNetwork = sql.NullString{}
-		}
-
-		if ntfy := request.FormValue("ntfy_topic"); ntfy != "" {
-			application.NtfyTopic = sql.NullString{String: ntfy, Valid: true}
-		} else {
-			application.NtfyTopic = sql.NullString{}
-		}
-
-		if slack := request.FormValue("slack_webhook"); slack != "" {
-			application.SlackWebhook = sql.NullString{String: slack, Valid: true}
-		} else {
-			application.SlackWebhook = sql.NullString{}
-		}
 
 		saveErr := application.Save(request.Context())
 		if saveErr != nil {
@@ -1384,126 +1376,3 @@ func formatDeployKey(pubKey string, createdAt time.Time, appName string) string
 
 	return parts[0] + " " + parts[1] + " " + comment
 }
-
-// HandleRegistryCredentialAdd handles adding a registry credential.
-func (h *Handlers) HandleRegistryCredentialAdd() http.HandlerFunc {
-	return func(writer http.ResponseWriter, request *http.Request) {
-		appID := chi.URLParam(request, "id")
-
-		application, findErr := models.FindApp(request.Context(), h.db, appID)
-		if findErr != nil || application == nil {
-			http.NotFound(writer, request)
-
-			return
-		}
-
-		parseErr := request.ParseForm()
-		if parseErr != nil {
-			http.Error(writer, "Bad Request", http.StatusBadRequest)
-
-			return
-		}
-
-		registryURL := strings.TrimSpace(request.FormValue("registry"))
-		username := strings.TrimSpace(request.FormValue("username"))
-		password := request.FormValue("password")
-
-		if registryURL == "" || username == "" || password == "" {
-			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
-
-			return
-		}
-
-		cred := models.NewRegistryCredential(h.db)
-		cred.AppID = appID
-		cred.Registry = registryURL
-		cred.Username = username
-		cred.Password = password
-
-		saveErr := cred.Save(request.Context())
-		if saveErr != nil {
-			h.log.Error("failed to save registry credential", "error", saveErr)
-		}
-
-		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
-	}
-}
-
-// HandleRegistryCredentialEdit handles editing an existing registry credential.
-func (h *Handlers) HandleRegistryCredentialEdit() http.HandlerFunc {
-	return func(writer http.ResponseWriter, request *http.Request) {
-		appID := chi.URLParam(request, "id")
-		credIDStr := chi.URLParam(request, "credID")
-
-		credID, parseErr := strconv.ParseInt(credIDStr, 10, 64)
-		if parseErr != nil {
-			http.NotFound(writer, request)
-
-			return
-		}
-
-		cred, findErr := models.FindRegistryCredential(request.Context(), h.db, credID)
-		if findErr != nil || cred == nil || cred.AppID != appID {
-			http.NotFound(writer, request)
-
-			return
-		}
-
-		formErr := request.ParseForm()
-		if formErr != nil {
-			http.Error(writer, "Bad Request", http.StatusBadRequest)
-
-			return
-		}
-
-		registryURL := strings.TrimSpace(request.FormValue("registry"))
-		username := strings.TrimSpace(request.FormValue("username"))
-		password := request.FormValue("password")
-
-		if registryURL == "" || username == "" || password == "" {
-			http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
-
-			return
-		}
-
-		cred.Registry = registryURL
-		cred.Username = username
-		cred.Password = password
-
-		saveErr := cred.Save(request.Context())
-		if saveErr != nil {
-			h.log.Error("failed to update registry credential", "error", saveErr)
-		}
-
-		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
-	}
-}
-
-// HandleRegistryCredentialDelete handles deleting a registry credential.
-func (h *Handlers) HandleRegistryCredentialDelete() http.HandlerFunc {
-	return func(writer http.ResponseWriter, request *http.Request) {
-		appID := chi.URLParam(request, "id")
-		credIDStr := chi.URLParam(request, "credID")
-
-		credID, parseErr := strconv.ParseInt(credIDStr, 10, 64)
-		if parseErr != nil {
-			http.NotFound(writer, request)
-
-			return
-		}
-
-		cred, findErr := models.FindRegistryCredential(request.Context(), h.db, credID)
-		if findErr != nil || cred == nil || cred.AppID != appID {
-			http.NotFound(writer, request)
-
-			return
-		}
-
-		deleteErr := cred.Delete(request.Context())
-		if deleteErr != nil {
-			h.log.Error("failed to delete registry credential", "error", deleteErr)
-		}
-
-		http.Redirect(writer, request, "/apps/"+appID, http.StatusSeeOther)
-	}
-}

internal/models/app.go

@@ -14,7 +14,7 @@ import (
 const appColumns = `id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
-			previous_image_id, created_at, updated_at`
+			previous_image_id, healthcheck_command, created_at, updated_at`
 
 // AppStatus represents the status of an app.
 type AppStatus string
@@ -47,6 +47,7 @@ type App struct {
 	DockerNetwork      sql.NullString
 	NtfyTopic          sql.NullString
 	SlackWebhook       sql.NullString
+	HealthcheckCommand sql.NullString
 	CreatedAt          time.Time
 	UpdatedAt          time.Time
 }
@@ -119,11 +120,6 @@ func (a *App) GetWebhookEvents(
 	return FindWebhookEventsByAppID(ctx, a.db, a.ID, limit)
 }
 
-// GetRegistryCredentials returns all registry credentials for the app.
-func (a *App) GetRegistryCredentials(ctx context.Context) ([]*RegistryCredential, error) {
-	return FindRegistryCredentialsByAppID(ctx, a.db, a.ID)
-}
-
 func (a *App) exists(ctx context.Context) bool {
 	if a.ID == "" {
 		return false
@@ -147,14 +143,14 @@ func (a *App) insert(ctx context.Context) error {
 			id, name, repo_url, branch, dockerfile_path, webhook_secret,
 			ssh_private_key, ssh_public_key, image_id, status,
 			docker_network, ntfy_topic, slack_webhook, webhook_secret_hash,
-			previous_image_id
+			previous_image_id, healthcheck_command
-		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
+		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`
 
 	_, err := a.db.Exec(ctx, query,
 		a.ID, a.Name, a.RepoURL, a.Branch, a.DockerfilePath, a.WebhookSecret,
 		a.SSHPrivateKey, a.SSHPublicKey, a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook, a.WebhookSecretHash,
-		a.PreviousImageID,
+		a.PreviousImageID, a.HealthcheckCommand,
 	)
 	if err != nil {
 		return err
@@ -169,7 +165,7 @@ func (a *App) update(ctx context.Context) error {
 			name = ?, repo_url = ?, branch = ?, dockerfile_path = ?,
 			image_id = ?, status = ?,
 			docker_network = ?, ntfy_topic = ?, slack_webhook = ?,
-			previous_image_id = ?,
+			previous_image_id = ?, healthcheck_command = ?,
 			updated_at = CURRENT_TIMESTAMP
 		WHERE id = ?`
 
@@ -177,7 +173,7 @@ func (a *App) update(ctx context.Context) error {
 		a.Name, a.RepoURL, a.Branch, a.DockerfilePath,
 		a.ImageID, a.Status,
 		a.DockerNetwork, a.NtfyTopic, a.SlackWebhook,
-		a.PreviousImageID,
+		a.PreviousImageID, a.HealthcheckCommand,
 		a.ID,
 	)
 
@@ -192,7 +188,7 @@ func (a *App) scan(row *sql.Row) error {
 		&a.ImageID, &a.Status,
 		&a.DockerNetwork, &a.NtfyTopic, &a.SlackWebhook,
 		&a.WebhookSecretHash,
-		&a.PreviousImageID,
+		&a.PreviousImageID, &a.HealthcheckCommand,
 		&a.CreatedAt, &a.UpdatedAt,
 	)
 }
@@ -210,7 +206,7 @@ func scanApps(appDB *database.Database, rows *sql.Rows) ([]*App, error) {
 			&app.ImageID, &app.Status,
 			&app.DockerNetwork, &app.NtfyTopic, &app.SlackWebhook,
 			&app.WebhookSecretHash,
-			&app.PreviousImageID,
+			&app.PreviousImageID, &app.HealthcheckCommand,
 			&app.CreatedAt, &app.UpdatedAt,
 		)
 		if scanErr != nil {

internal/models/models_test.go

@@ -23,7 +23,6 @@ const (
 	testBranch    = "main"
 	testValue     = "value"
 	testEventType = "push"
-	testUser      = "user"
 )
 
 func setupTestDB(t *testing.T) (*database.Database, func()) {
@@ -705,69 +704,34 @@ func TestAppGetWebhookEvents(t *testing.T) {
 	assert.Len(t, events, 1)
 }
 
-// RegistryCredential Tests.
+// App HealthcheckCommand Tests.
 
-func TestRegistryCredentialCreateAndFind(t *testing.T) {
+func TestAppHealthcheckCommand(t *testing.T) {
+	t.Parallel()
+
+	t.Run("saves and loads healthcheck command", func(t *testing.T) {
 		t.Parallel()
 
 		testDB, cleanup := setupTestDB(t)
 		defer cleanup()
 
 		app := createTestApp(t, testDB)
-
+		app.HealthcheckCommand = sql.NullString{
-	cred := models.NewRegistryCredential(testDB)
+			String: "curl -f http://localhost:8080/healthz || exit 1",
-	cred.AppID = app.ID
+			Valid:  true,
-	cred.Registry = "registry.example.com"
-	cred.Username = "myuser"
-	cred.Password = "mypassword"
-
-	err := cred.Save(context.Background())
-	require.NoError(t, err)
-	assert.NotZero(t, cred.ID)
-
-	creds, err := models.FindRegistryCredentialsByAppID(
-		context.Background(), testDB, app.ID,
-	)
-	require.NoError(t, err)
-	require.Len(t, creds, 1)
-	assert.Equal(t, "registry.example.com", creds[0].Registry)
-	assert.Equal(t, "myuser", creds[0].Username)
-	assert.Equal(t, "mypassword", creds[0].Password)
 		}
 
-func TestRegistryCredentialUpdate(t *testing.T) {
+		err := app.Save(context.Background())
-	t.Parallel()
-
-	testDB, cleanup := setupTestDB(t)
-	defer cleanup()
-
-	app := createTestApp(t, testDB)
-
-	cred := models.NewRegistryCredential(testDB)
-	cred.AppID = app.ID
-	cred.Registry = "old.registry.com"
-	cred.Username = "olduser"
-	cred.Password = "oldpass"
-
-	err := cred.Save(context.Background())
 		require.NoError(t, err)
 
-	cred.Registry = "new.registry.com"
+		found, err := models.FindApp(context.Background(), testDB, app.ID)
-	cred.Username = "newuser"
-	cred.Password = "newpass"
-
-	err = cred.Save(context.Background())
-	require.NoError(t, err)
-
-	found, err := models.FindRegistryCredential(context.Background(), testDB, cred.ID)
 		require.NoError(t, err)
 		require.NotNil(t, found)
-	assert.Equal(t, "new.registry.com", found.Registry)
+		assert.True(t, found.HealthcheckCommand.Valid)
-	assert.Equal(t, "newuser", found.Username)
+		assert.Equal(t, "curl -f http://localhost:8080/healthz || exit 1", found.HealthcheckCommand.String)
-	assert.Equal(t, "newpass", found.Password)
+	})
-}
 
-func TestRegistryCredentialDelete(t *testing.T) {
+	t.Run("null when not set", func(t *testing.T) {
 		t.Parallel()
 
 		testDB, cleanup := setupTestDB(t)
@@ -775,55 +739,35 @@ func TestRegistryCredentialDelete(t *testing.T) {
 
 		app := createTestApp(t, testDB)
 
-	cred := models.NewRegistryCredential(testDB)
+		found, err := models.FindApp(context.Background(), testDB, app.ID)
-	cred.AppID = app.ID
-	cred.Registry = "delete.registry.com"
-	cred.Username = testUser
-	cred.Password = "pass"
-
-	err := cred.Save(context.Background())
 		require.NoError(t, err)
+		require.NotNil(t, found)
+		assert.False(t, found.HealthcheckCommand.Valid)
+	})
 
-	err = cred.Delete(context.Background())
+	t.Run("can be cleared", func(t *testing.T) {
-	require.NoError(t, err)
-
-	creds, err := models.FindRegistryCredentialsByAppID(
-		context.Background(), testDB, app.ID,
-	)
-	require.NoError(t, err)
-	assert.Empty(t, creds)
-}
-
-func TestRegistryCredentialFindByIDNotFound(t *testing.T) {
-	t.Parallel()
-
-	testDB, cleanup := setupTestDB(t)
-	defer cleanup()
-
-	found, err := models.FindRegistryCredential(context.Background(), testDB, 99999)
-	require.NoError(t, err)
-	assert.Nil(t, found)
-}
-
-func TestAppGetRegistryCredentials(t *testing.T) {
 		t.Parallel()
 
 		testDB, cleanup := setupTestDB(t)
 		defer cleanup()
 
 		app := createTestApp(t, testDB)
+		app.HealthcheckCommand = sql.NullString{String: "true", Valid: true}
 
-	cred := models.NewRegistryCredential(testDB)
+		err := app.Save(context.Background())
-	cred.AppID = app.ID
-	cred.Registry = "ghcr.io"
-	cred.Username = testUser
-	cred.Password = "token"
-	_ = cred.Save(context.Background())
-
-	creds, err := app.GetRegistryCredentials(context.Background())
 		require.NoError(t, err)
-	assert.Len(t, creds, 1)
+
-	assert.Equal(t, "ghcr.io", creds[0].Registry)
+		// Clear it
+		app.HealthcheckCommand = sql.NullString{}
+
+		err = app.Save(context.Background())
+		require.NoError(t, err)
+
+		found, err := models.FindApp(context.Background(), testDB, app.ID)
+		require.NoError(t, err)
+		require.NotNil(t, found)
+		assert.False(t, found.HealthcheckCommand.Valid)
+	})
 }
 
 // Cascade Delete Tests.
@@ -871,13 +815,6 @@ func TestCascadeDelete(t *testing.T) {
 		deploy.Status = models.DeploymentStatusSuccess
 		_ = deploy.Save(context.Background())
 
-		regCred := models.NewRegistryCredential(testDB)
-		regCred.AppID = app.ID
-		regCred.Registry = "registry.example.com"
-		regCred.Username = testUser
-		regCred.Password = "pass"
-		_ = regCred.Save(context.Background())
-
 		// Delete app.
 		err := app.Delete(context.Background())
 		require.NoError(t, err)
@@ -907,11 +844,6 @@ func TestCascadeDelete(t *testing.T) {
 			context.Background(), testDB, app.ID, 10,
 		)
 		assert.Empty(t, deployments)
-
-		regCreds, _ := models.FindRegistryCredentialsByAppID(
-			context.Background(), testDB, app.ID,
-		)
-		assert.Empty(t, regCreds)
 	})
 }
 

internal/models/registry_credential.go

@@ -1,130 +0,0 @@
-package models
-
-import (
-	"context"
-	"database/sql"
-	"errors"
-	"fmt"
-
-	"sneak.berlin/go/upaas/internal/database"
-)
-
-// RegistryCredential represents authentication credentials for a private Docker registry.
-type RegistryCredential struct {
-	db *database.Database
-
-	ID       int64
-	AppID    string
-	Registry string
-	Username string
-	Password string //nolint:gosec // credential field required for registry auth
-}
-
-// NewRegistryCredential creates a new RegistryCredential with a database reference.
-func NewRegistryCredential(db *database.Database) *RegistryCredential {
-	return &RegistryCredential{db: db}
-}
-
-// Save inserts or updates the registry credential in the database.
-func (r *RegistryCredential) Save(ctx context.Context) error {
-	if r.ID == 0 {
-		return r.insert(ctx)
-	}
-
-	return r.update(ctx)
-}
-
-// Delete removes the registry credential from the database.
-func (r *RegistryCredential) Delete(ctx context.Context) error {
-	_, err := r.db.Exec(ctx, "DELETE FROM registry_credentials WHERE id = ?", r.ID)
-
-	return err
-}
-
-func (r *RegistryCredential) insert(ctx context.Context) error {
-	query := "INSERT INTO registry_credentials (app_id, registry, username, password) VALUES (?, ?, ?, ?)"
-
-	result, err := r.db.Exec(ctx, query, r.AppID, r.Registry, r.Username, r.Password)
-	if err != nil {
-		return err
-	}
-
-	id, err := result.LastInsertId()
-	if err != nil {
-		return err
-	}
-
-	r.ID = id
-
-	return nil
-}
-
-func (r *RegistryCredential) update(ctx context.Context) error {
-	query := "UPDATE registry_credentials SET registry = ?, username = ?, password = ? WHERE id = ?"
-
-	_, err := r.db.Exec(ctx, query, r.Registry, r.Username, r.Password, r.ID)
-
-	return err
-}
-
-// FindRegistryCredential finds a registry credential by ID.
-//
-//nolint:nilnil // returning nil,nil is idiomatic for "not found" in Active Record
-func FindRegistryCredential(
-	ctx context.Context,
-	db *database.Database,
-	id int64,
-) (*RegistryCredential, error) {
-	cred := NewRegistryCredential(db)
-
-	row := db.QueryRow(ctx,
-		"SELECT id, app_id, registry, username, password FROM registry_credentials WHERE id = ?",
-		id,
-	)
-
-	err := row.Scan(&cred.ID, &cred.AppID, &cred.Registry, &cred.Username, &cred.Password)
-	if err != nil {
-		if errors.Is(err, sql.ErrNoRows) {
-			return nil, nil
-		}
-
-		return nil, fmt.Errorf("scanning registry credential: %w", err)
-	}
-
-	return cred, nil
-}
-
-// FindRegistryCredentialsByAppID finds all registry credentials for an app.
-func FindRegistryCredentialsByAppID(
-	ctx context.Context,
-	db *database.Database,
-	appID string,
-) ([]*RegistryCredential, error) {
-	query := `
-		SELECT id, app_id, registry, username, password FROM registry_credentials
-		WHERE app_id = ? ORDER BY registry`
-
-	rows, err := db.Query(ctx, query, appID)
-	if err != nil {
-		return nil, fmt.Errorf("querying registry credentials by app: %w", err)
-	}
-
-	defer func() { _ = rows.Close() }()
-
-	var creds []*RegistryCredential
-
-	for rows.Next() {
-		cred := NewRegistryCredential(db)
-
-		scanErr := rows.Scan(
-			&cred.ID, &cred.AppID, &cred.Registry, &cred.Username, &cred.Password,
-		)
-		if scanErr != nil {
-			return nil, scanErr
-		}
-
-		creds = append(creds, cred)
-	}
-
-	return creds, rows.Err()
-}

internal/server/routes.go

@@ -98,11 +98,6 @@ func (s *Server) SetupRoutes() {
 			// Ports
 			r.Post("/apps/{id}/ports", s.handlers.HandlePortAdd())
 			r.Post("/apps/{id}/ports/{portID}/delete", s.handlers.HandlePortDelete())
-
-			// Registry Credentials
-			r.Post("/apps/{id}/registry-credentials", s.handlers.HandleRegistryCredentialAdd())
-			r.Post("/apps/{id}/registry-credentials/{credID}/edit", s.handlers.HandleRegistryCredentialEdit())
-			r.Post("/apps/{id}/registry-credentials/{credID}/delete", s.handlers.HandleRegistryCredentialDelete())
 		})
 	})
 

internal/service/app/app.go

@@ -53,6 +53,7 @@ type CreateAppInput struct {
 	DockerNetwork      string
 	NtfyTopic          string
 	SlackWebhook       string
+	HealthcheckCommand string
 }
 
 // CreateApp creates a new application with generated SSH keys and webhook secret.
@@ -100,6 +101,10 @@ func (svc *Service) CreateApp(
 		app.SlackWebhook = sql.NullString{String: input.SlackWebhook, Valid: true}
 	}
 
+	if input.HealthcheckCommand != "" {
+		app.HealthcheckCommand = sql.NullString{String: input.HealthcheckCommand, Valid: true}
+	}
+
 	saveErr := app.Save(ctx)
 	if saveErr != nil {
 		return nil, fmt.Errorf("failed to save app: %w", saveErr)
@@ -119,6 +124,7 @@ type UpdateAppInput struct {
 	DockerNetwork      string
 	NtfyTopic          string
 	SlackWebhook       string
+	HealthcheckCommand string
 }
 
 // UpdateApp updates an existing application.
@@ -144,6 +150,10 @@ func (svc *Service) UpdateApp(
 		String: input.SlackWebhook,
 		Valid:  input.SlackWebhook != "",
 	}
+	app.HealthcheckCommand = sql.NullString{
+		String: input.HealthcheckCommand,
+		Valid:  input.HealthcheckCommand != "",
+	}
 
 	saveErr := app.Save(ctx)
 	if saveErr != nil {

internal/service/deploy/deploy.go

@@ -830,13 +830,6 @@ func (svc *Service) buildImage(
 	logWriter := newDeploymentLogWriter(ctx, deployment)
 	defer logWriter.Close()
 
-	// Fetch registry credentials for private base images
-	registryAuths, err := svc.buildRegistryAuths(ctx, app)
-	if err != nil {
-		svc.log.Warn("failed to fetch registry credentials", "error", err, "app", app.Name)
-		// Continue without auth — public images will still work
-	}
-
 	// BuildImage creates a tar archive from the local filesystem,
 	// so it needs the container path where files exist, not the host path.
 	imageID, err := svc.docker.BuildImage(ctx, docker.BuildImageOptions{
@@ -844,7 +837,6 @@ func (svc *Service) buildImage(
 		DockerfilePath: app.DockerfilePath,
 		Tags:           []string{imageTag},
 		LogWriter:      logWriter,
-		RegistryAuths:  registryAuths,
 	})
 	if err != nil {
 		svc.notify.NotifyBuildFailed(ctx, app, deployment, err)
@@ -1102,6 +1094,11 @@ func (svc *Service) buildContainerOptions(
 		network = app.DockerNetwork.String
 	}
 
+	healthcheckCmd := ""
+	if app.HealthcheckCommand.Valid {
+		healthcheckCmd = app.HealthcheckCommand.String
+	}
+
 	return docker.CreateContainerOptions{
 		Name:               "upaas-" + app.Name,
 		Image:              imageID.String(),
@@ -1110,6 +1107,7 @@ func (svc *Service) buildContainerOptions(
 		Volumes:            buildVolumeMounts(volumes),
 		Ports:              buildPortMappings(ports),
 		Network:            network,
+		HealthcheckCommand: healthcheckCmd,
 	}, nil
 }
 
@@ -1235,34 +1233,6 @@ func (svc *Service) failDeployment(
 	_ = app.Save(ctx)
 }
 
-// buildRegistryAuths fetches registry credentials for an app and converts them
-// to Docker RegistryAuth objects for use during image builds.
-func (svc *Service) buildRegistryAuths(
-	ctx context.Context,
-	app *models.App,
-) ([]docker.RegistryAuth, error) {
-	creds, err := app.GetRegistryCredentials(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("failed to get registry credentials: %w", err)
-	}
-
-	if len(creds) == 0 {
-		return nil, nil
-	}
-
-	auths := make([]docker.RegistryAuth, 0, len(creds))
-
-	for _, cred := range creds {
-		auths = append(auths, docker.RegistryAuth{
-			Registry: cred.Registry,
-			Username: cred.Username,
-			Password: cred.Password,
-		})
-	}
-
-	return auths, nil
-}
-
 // writeLogsToFile writes the deployment logs to a file on disk.
 // Structure: DataDir/logs/<hostname>/<appname>/<appname>_<sha>_<timestamp>.log.txt
 func (svc *Service) writeLogsToFile(app *models.App, deployment *models.Deployment) {

internal/service/deploy/deploy_container_test.go

@@ -2,6 +2,7 @@ package deploy_test
 
 import (
 	"context"
+	"database/sql"
 	"log/slog"
 	"os"
 	"testing"
@@ -43,3 +44,64 @@ func TestBuildContainerOptionsUsesImageID(t *testing.T) {
 		t.Errorf("expected Name=%q, got %q", "upaas-myapp", opts.Name)
 	}
 }
+
+func TestBuildContainerOptionsHealthcheckSet(t *testing.T) {
+	t.Parallel()
+
+	db := database.NewTestDatabase(t)
+
+	app := models.NewApp(db)
+	app.Name = "hc-app"
+	app.HealthcheckCommand = sql.NullString{
+		String: "curl -f http://localhost:8080/healthz || exit 1",
+		Valid:  true,
+	}
+
+	err := app.Save(context.Background())
+	if err != nil {
+		t.Fatalf("failed to save app: %v", err)
+	}
+
+	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	svc := deploy.NewTestService(log)
+
+	opts, err := svc.BuildContainerOptionsExported(
+		context.Background(), app, "sha256:test",
+	)
+	if err != nil {
+		t.Fatalf("buildContainerOptions returned error: %v", err)
+	}
+
+	expected := "curl -f http://localhost:8080/healthz || exit 1"
+	if opts.HealthcheckCommand != expected {
+		t.Errorf("expected HealthcheckCommand=%q, got %q", expected, opts.HealthcheckCommand)
+	}
+}
+
+func TestBuildContainerOptionsHealthcheckEmpty(t *testing.T) {
+	t.Parallel()
+
+	db := database.NewTestDatabase(t)
+
+	app := models.NewApp(db)
+	app.Name = "no-hc-app"
+
+	err := app.Save(context.Background())
+	if err != nil {
+		t.Fatalf("failed to save app: %v", err)
+	}
+
+	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
+	svc := deploy.NewTestService(log)
+
+	opts, err := svc.BuildContainerOptionsExported(
+		context.Background(), app, "sha256:test",
+	)
+	if err != nil {
+		t.Fatalf("buildContainerOptions returned error: %v", err)
+	}
+
+	if opts.HealthcheckCommand != "" {
+		t.Errorf("expected empty HealthcheckCommand, got %q", opts.HealthcheckCommand)
+	}
+}

templates/app_detail.html

@@ -154,69 +154,6 @@
         <div class="hidden">{{ .CSRFField }}</div>
     </div>
 
-    <!-- Registry Credentials -->
-    <div class="card p-6 mb-6">
-        <h2 class="section-title mb-4">Registry Credentials</h2>
-        <p class="text-sm text-gray-500 mb-3">Authenticate to private Docker registries when pulling base images during builds.</p>
-        {{if .RegistryCredentials}}
-        <div class="overflow-x-auto mb-4">
-            <table class="table">
-                <thead class="table-header">
-                    <tr>
-                        <th>Registry</th>
-                        <th>Username</th>
-                        <th>Password</th>
-                        <th class="text-right">Actions</th>
-                    </tr>
-                </thead>
-                <tbody class="table-body">
-                    {{range .RegistryCredentials}}
-                    <tr x-data="{ editing: false }">
-                        <template x-if="!editing">
-                            <td class="font-mono">{{.Registry}}</td>
-                        </template>
-                        <template x-if="!editing">
-                            <td class="font-mono">{{.Username}}</td>
-                        </template>
-                        <template x-if="!editing">
-                            <td class="font-mono text-gray-400">••••••••</td>
-                        </template>
-                        <template x-if="!editing">
-                            <td class="text-right">
-                                <button @click="editing = true" class="text-primary-600 hover:text-primary-800 text-sm mr-2">Edit</button>
-                                <form method="POST" action="/apps/{{$.App.ID}}/registry-credentials/{{.ID}}/delete" class="inline" x-data="confirmAction('Delete this registry credential?')" @submit="confirm($event)">
-                                    {{ $.CSRFField }}
-                                    <button type="submit" class="text-error-500 hover:text-error-700 text-sm">Delete</button>
-                                </form>
-                            </td>
-                        </template>
-                        <template x-if="editing">
-                            <td colspan="4">
-                                <form method="POST" action="/apps/{{$.App.ID}}/registry-credentials/{{.ID}}/edit" class="flex gap-2 items-center">
-                                    {{ $.CSRFField }}
-                                    <input type="text" name="registry" value="{{.Registry}}" required class="input flex-1 font-mono text-sm" placeholder="registry.example.com">
-                                    <input type="text" name="username" value="{{.Username}}" required class="input flex-1 font-mono text-sm" placeholder="username">
-                                    <input type="password" name="password" required class="input flex-1 font-mono text-sm" placeholder="password">
-                                    <button type="submit" class="btn-primary text-sm">Save</button>
-                                    <button type="button" @click="editing = false" class="text-gray-500 hover:text-gray-700 text-sm">Cancel</button>
-                                </form>
-                            </td>
-                        </template>
-                    </tr>
-                    {{end}}
-                </tbody>
-            </table>
-        </div>
-        {{end}}
-        <form method="POST" action="/apps/{{.App.ID}}/registry-credentials" class="flex flex-col sm:flex-row gap-2">
-            {{ .CSRFField }}
-            <input type="text" name="registry" placeholder="registry.example.com" required class="input flex-1 font-mono text-sm">
-            <input type="text" name="username" placeholder="username" required class="input flex-1 font-mono text-sm">
-            <input type="password" name="password" placeholder="password" required class="input flex-1 font-mono text-sm">
-            <button type="submit" class="btn-primary">Add</button>
-        </form>
-    </div>
-
     <!-- Labels -->
     <div class="card p-6 mb-6">
         <h2 class="section-title mb-4">Docker Labels</h2>

templates/app_edit.html

@@ -114,6 +114,19 @@
                 >
             </div>
 
+            <div class="form-group">
+                <label for="healthcheck_command" class="label">Health Check Command</label>
+                <input
+                    type="text"
+                    id="healthcheck_command"
+                    name="healthcheck_command"
+                    value="{{if .App.HealthcheckCommand.Valid}}{{.App.HealthcheckCommand.String}}{{end}}"
+                    class="input font-mono"
+                    placeholder="curl -f http://localhost:8080/healthz || exit 1"
+                >
+                <p class="text-sm text-gray-500 mt-1">Custom shell command to check container health. Leave empty to use the image's default health check.</p>
+            </div>
+
             <div class="flex justify-end gap-3 pt-4">
                 <a href="/apps/{{.App.ID}}" class="btn-secondary">Cancel</a>
                 <button type="submit" class="btn-primary">Save Changes</button>

templates/app_new.html

@@ -117,6 +117,19 @@
                 >
             </div>
 
+            <div class="form-group">
+                <label for="healthcheck_command" class="label">Health Check Command</label>
+                <input
+                    type="text"
+                    id="healthcheck_command"
+                    name="healthcheck_command"
+                    value="{{.HealthcheckCommand}}"
+                    class="input font-mono"
+                    placeholder="curl -f http://localhost:8080/healthz || exit 1"
+                >
+                <p class="text-sm text-gray-500 mt-1">Custom shell command to check container health. Leave empty to use the image's default health check.</p>
+            </div>
+
             <div class="flex justify-end gap-3 pt-4">
                 <a href="/" class="btn-secondary">Cancel</a>
                 <button type="submit" class="btn-primary">Create App</button>