fix: simplify CI to docker build only (closes #130 )

2026-02-26 02:09:28 -08:00
57 changed files with 254 additions and 3381 deletions
--- a/.gitea/workflows/check.yml
+++ b/.gitea/workflows/check.yml
@@ -10,7 +10,7 @@ jobs:
  check:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4, 2024-10-13
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
-      - name: Build (runs make check inside Dockerfile)
+      - name: Build (runs make check via Dockerfile)
        run: docker build .
--- a/22
+++ b/22
@@ -1,23 +1,10 @@
 # Build stage
-# golang:1.25-alpine
+FROM golang@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS builder # golang:1.25-alpine
 FROM golang@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS builder
 RUN apk add --no-cache git make gcc musl-dev
-# Install golangci-lint v2 (pre-built binary — go install fails in alpine due to missing linker)
+# Install golangci-lint v2
-RUN set -e; \
+RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@5d1e709b7be35cb2025444e19de266b056b7b7ee # v2.10.1
    GOLANGCI_VERSION="2.10.1"; \
    case "$(uname -m)" in \
        x86_64)  ARCH="amd64"; SHA256="dfa775874cf0561b404a02a8f4481fc69b28091da95aa697259820d429b09c99" ;; \
        aarch64) ARCH="arm64"; SHA256="6652b42ae02915eb2f9cb2a2e0cac99514c8eded8388d88ae3e06e1a52c00de8" ;; \
        *) echo "unsupported arch: $(uname -m)" >&2; exit 1 ;; \
    esac; \
    wget -q -O /tmp/golangci-lint.tar.gz \
        "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_VERSION}/golangci-lint-${GOLANGCI_VERSION}-linux-${ARCH}.tar.gz"; \
    echo "${SHA256}  /tmp/golangci-lint.tar.gz" | sha256sum -c -; \
    tar -xzf /tmp/golangci-lint.tar.gz -C /usr/local/bin --strip-components=1 "golangci-lint-${GOLANGCI_VERSION}-linux-${ARCH}/golangci-lint"; \
    rm /tmp/golangci-lint.tar.gz; \
    golangci-lint version
 RUN go install golang.org/x/tools/cmd/goimports@009367f5c17a8d4c45a961a3a509277190a9a6f0 # v0.42.0
 WORKDIR /src
@@ -33,8 +20,7 @@ RUN make check
 RUN make build
 # Runtime stage
-# alpine:3.19
+FROM alpine@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1 # alpine:3.19
 FROM alpine@sha256:6baf43584bcb78f2e5847d1de515f23499913ac9f12bdf834811a3145eb11ca1
 RUN apk add --no-cache ca-certificates tzdata git openssh-client docker-cli
--- a/README.md
+++ b/README.md
@@ -157,8 +157,8 @@ Environment variables:
 | Variable | Description | Default |
 |----------|-------------|---------|
 | `PORT` | HTTP listen port | 8080 |
-| `UPAAS_DATA_DIR` | Data directory for SQLite and keys | `./data` (local dev only — use absolute path for Docker) |
+| `UPAAS_DATA_DIR` | Data directory for SQLite and keys | ./data |
-| `UPAAS_HOST_DATA_DIR` | Host path for DATA_DIR (when running in container) | *(none — must be set to an absolute path)* |
+| `UPAAS_HOST_DATA_DIR` | Host path for DATA_DIR (when running in container) | same as DATA_DIR |
 | `UPAAS_DOCKER_HOST` | Docker socket path | unix:///var/run/docker.sock |
 | `DEBUG` | Enable debug logging | false |
 | `SENTRY_DSN` | Sentry error reporting DSN | "" |
@@ -176,35 +176,8 @@ docker run -d \
  upaas
 ```
-### Docker Compose
+**Important**: When running µPaaS inside a container, set `UPAAS_HOST_DATA_DIR` to the host path
-
+that maps to `UPAAS_DATA_DIR`. This is required for Docker bind mounts during builds to work correctly.
 ```yaml
 services:
  upaas:
    build: .
    restart: unless-stopped
    ports:
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ${HOST_DATA_DIR}:/var/lib/upaas
    environment:
      - UPAAS_HOST_DATA_DIR=${HOST_DATA_DIR}
      # Optional: uncomment to enable debug logging
      # - DEBUG=true
      # Optional: Sentry error reporting
      # - SENTRY_DSN=https://...
      # Optional: Prometheus metrics auth
      # - METRICS_USERNAME=prometheus
      # - METRICS_PASSWORD=secret
 ```
 **Important**: You **must** set `HOST_DATA_DIR` to an **absolute path** on the host before running
 `docker compose up`. This value is bind-mounted into the container and passed as `UPAAS_HOST_DATA_DIR`
 so that Docker bind mounts during builds resolve correctly. Relative paths (e.g. `./data`) will break
 container builds because the Docker daemon resolves paths relative to the host, not the container.
 Example: `HOST_DATA_DIR=/srv/upaas/data docker compose up -d`
 Session secrets are automatically generated on first startup and persisted to `$UPAAS_DATA_DIR/session.key`.
--- a/cmd/upaasd/main.go
+++ b/cmd/upaasd/main.go
@@ -4,20 +4,20 @@ package main
 import (
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
-	"sneak.berlin/go/upaas/internal/healthcheck"
+	"git.eeqj.de/sneak/upaas/internal/healthcheck"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/middleware"
+	"git.eeqj.de/sneak/upaas/internal/middleware"
-	"sneak.berlin/go/upaas/internal/server"
+	"git.eeqj.de/sneak/upaas/internal/server"
-	"sneak.berlin/go/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
-	"sneak.berlin/go/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"
 	_ "github.com/joho/godotenv/autoload"
 )
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,20 @@
 services:
  upaas:
    build: .
    restart: unless-stopped
    ports:
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - upaas-data:/var/lib/upaas
    # environment:
      # Optional: uncomment to enable debug logging
      # - DEBUG=true
      # Optional: Sentry error reporting
      # - SENTRY_DSN=https://...
      # Optional: Prometheus metrics auth
      # - METRICS_USERNAME=prometheus
      # - METRICS_PASSWORD=secret
 volumes:
  upaas-data:
--- a/go.mod
+++ b/go.mod
@@ -1,4 +1,4 @@
-module sneak.berlin/go/upaas
+module git.eeqj.de/sneak/upaas
 go 1.25
@@ -19,7 +19,6 @@ require (
 	github.com/stretchr/testify v1.11.1
 	go.uber.org/fx v1.24.0
 	golang.org/x/crypto v0.46.0
 	golang.org/x/time v0.12.0
 )
 require (
@@ -75,6 +74,7 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	golang.org/x/text v0.32.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
 	google.golang.org/protobuf v1.36.10 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	gotest.tools/v3 v3.5.2 // indirect
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -13,8 +13,8 @@ import (
 	"github.com/spf13/viper"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )
 // defaultPort is the default HTTP server port.
--- a/internal/database/database.go
+++ b/internal/database/database.go
@@ -14,8 +14,8 @@ import (
 	_ "github.com/mattn/go-sqlite3" // SQLite driver
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )
 // dataDirPermissions is the file permission for the data directory.
--- a/internal/database/hash_test.go
+++ b/internal/database/hash_test.go
@@ -5,7 +5,7 @@ import (
 	"github.com/stretchr/testify/assert"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 func TestHashWebhookSecret(t *testing.T) {
--- a/internal/database/migrations.go
+++ b/internal/database/migrations.go
@@ -113,9 +113,9 @@ func (d *Database) applyMigration(ctx context.Context, filename string) error {
 		return fmt.Errorf("failed to record migration: %w", err)
 	}
-	err = transaction.Commit()
+	commitErr := transaction.Commit()
-	if err != nil {
+	if commitErr != nil {
-		return fmt.Errorf("failed to commit migration: %w", err)
+		return fmt.Errorf("failed to commit migration: %w", commitErr)
 	}
 	return nil
--- a/internal/database/testing.go
+++ b/internal/database/testing.go
@@ -5,8 +5,8 @@ import (
 	"os"
 	"testing"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )
 // NewTestDatabase creates an in-memory Database for testing.
--- a/internal/docker/client.go
+++ b/internal/docker/client.go
@@ -14,7 +14,7 @@ import (
 	"strconv"
 	"strings"
-	dockertypes "github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/filters"
 	"github.com/docker/docker/api/types/image"
@@ -25,9 +25,8 @@ import (
 	"github.com/docker/go-connections/nat"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-
+	"git.eeqj.de/sneak/upaas/internal/logger"
 	"sneak.berlin/go/upaas/internal/logger"
 )
 // sshKeyPermissions is the file permission for SSH private keys.
@@ -117,7 +116,7 @@ type BuildImageOptions struct {
 func (c *Client) BuildImage(
 	ctx context.Context,
 	opts BuildImageOptions,
-) (ImageID, error) {
+) (string, error) {
 	if c.docker == nil {
 		return "", ErrNotConnected
 	}
@@ -189,7 +188,7 @@ func buildPortConfig(ports []PortMapping) (nat.PortSet, nat.PortMap) {
 func (c *Client) CreateContainer(
 	ctx context.Context,
 	opts CreateContainerOptions,
-) (ContainerID, error) {
+) (string, error) {
 	if c.docker == nil {
 		return "", ErrNotConnected
 	}
@@ -242,18 +241,18 @@ func (c *Client) CreateContainer(
 		return "", fmt.Errorf("failed to create container: %w", err)
 	}
-	return ContainerID(resp.ID), nil
+	return resp.ID, nil
 }
 // StartContainer starts a container.
-func (c *Client) StartContainer(ctx context.Context, containerID ContainerID) error {
+func (c *Client) StartContainer(ctx context.Context, containerID string) error {
 	if c.docker == nil {
 		return ErrNotConnected
 	}
 	c.log.Info("starting container", "id", containerID)
-	err := c.docker.ContainerStart(ctx, containerID.String(), container.StartOptions{})
+	err := c.docker.ContainerStart(ctx, containerID, container.StartOptions{})
 	if err != nil {
 		return fmt.Errorf("failed to start container: %w", err)
 	}
@@ -262,7 +261,7 @@ func (c *Client) StartContainer(ctx context.Context, containerID ContainerID) er
 }
 // StopContainer stops a container.
-func (c *Client) StopContainer(ctx context.Context, containerID ContainerID) error {
+func (c *Client) StopContainer(ctx context.Context, containerID string) error {
 	if c.docker == nil {
 		return ErrNotConnected
 	}
@@ -271,7 +270,7 @@ func (c *Client) StopContainer(ctx context.Context, containerID ContainerID) err
 	timeout := stopTimeoutSeconds
-	err := c.docker.ContainerStop(ctx, containerID.String(), container.StopOptions{Timeout: &timeout})
+	err := c.docker.ContainerStop(ctx, containerID, container.StopOptions{Timeout: &timeout})
 	if err != nil {
 		return fmt.Errorf("failed to stop container: %w", err)
 	}
@@ -282,7 +281,7 @@ func (c *Client) StopContainer(ctx context.Context, containerID ContainerID) err
 // RemoveContainer removes a container.
 func (c *Client) RemoveContainer(
 	ctx context.Context,
-	containerID ContainerID,
+	containerID string,
 	force bool,
 ) error {
 	if c.docker == nil {
@@ -291,7 +290,7 @@ func (c *Client) RemoveContainer(
 	c.log.Info("removing container", "id", containerID, "force", force)
-	err := c.docker.ContainerRemove(ctx, containerID.String(), container.RemoveOptions{Force: force})
+	err := c.docker.ContainerRemove(ctx, containerID, container.RemoveOptions{Force: force})
 	if err != nil {
 		return fmt.Errorf("failed to remove container: %w", err)
 	}
@@ -302,7 +301,7 @@ func (c *Client) RemoveContainer(
 // ContainerLogs returns the logs for a container.
 func (c *Client) ContainerLogs(
 	ctx context.Context,
-	containerID ContainerID,
+	containerID string,
 	tail string,
 ) (string, error) {
 	if c.docker == nil {
@@ -315,7 +314,7 @@ func (c *Client) ContainerLogs(
 		Tail:       tail,
 	}
-	reader, err := c.docker.ContainerLogs(ctx, containerID.String(), opts)
+	reader, err := c.docker.ContainerLogs(ctx, containerID, opts)
 	if err != nil {
 		return "", fmt.Errorf("failed to get container logs: %w", err)
 	}
@@ -338,13 +337,13 @@ func (c *Client) ContainerLogs(
 // IsContainerRunning checks if a container is running.
 func (c *Client) IsContainerRunning(
 	ctx context.Context,
-	containerID ContainerID,
+	containerID string,
 ) (bool, error) {
 	if c.docker == nil {
 		return false, ErrNotConnected
 	}
-	inspect, err := c.docker.ContainerInspect(ctx, containerID.String())
+	inspect, err := c.docker.ContainerInspect(ctx, containerID)
 	if err != nil {
 		return false, fmt.Errorf("failed to inspect container: %w", err)
 	}
@@ -355,13 +354,13 @@ func (c *Client) IsContainerRunning(
 // IsContainerHealthy checks if a container is healthy.
 func (c *Client) IsContainerHealthy(
 	ctx context.Context,
-	containerID ContainerID,
+	containerID string,
 ) (bool, error) {
 	if c.docker == nil {
 		return false, ErrNotConnected
 	}
-	inspect, err := c.docker.ContainerInspect(ctx, containerID.String())
+	inspect, err := c.docker.ContainerInspect(ctx, containerID)
 	if err != nil {
 		return false, fmt.Errorf("failed to inspect container: %w", err)
 	}
@@ -379,7 +378,7 @@ const LabelUpaasID = "upaas.id"
 // ContainerInfo contains basic information about a container.
 type ContainerInfo struct {
-	ID      ContainerID
+	ID      string
 	Running bool
 }
@@ -414,7 +413,7 @@ func (c *Client) FindContainerByAppID(
 	ctr := containers[0]
 	return &ContainerInfo{
-		ID:      ContainerID(ctr.ID),
+		ID:      ctr.ID,
 		Running: ctr.State == "running",
 	}, nil
 }
@@ -483,8 +482,8 @@ func (c *Client) CloneRepo(
 // RemoveImage removes a Docker image by ID or tag.
 // It returns nil if the image was successfully removed or does not exist.
-func (c *Client) RemoveImage(ctx context.Context, imageID ImageID) error {
+func (c *Client) RemoveImage(ctx context.Context, imageID string) error {
-	_, err := c.docker.ImageRemove(ctx, imageID.String(), image.RemoveOptions{
+	_, err := c.docker.ImageRemove(ctx, imageID, image.RemoveOptions{
 		Force:         true,
 		PruneChildren: true,
 	})
@@ -498,7 +497,7 @@ func (c *Client) RemoveImage(ctx context.Context, imageID ImageID) error {
 func (c *Client) performBuild(
 	ctx context.Context,
 	opts BuildImageOptions,
-) (ImageID, error) {
+) (string, error) {
 	// Create tar archive of build context
 	tarArchive, err := archive.TarWithOptions(opts.ContextDir, &archive.TarOptions{})
 	if err != nil {
@@ -513,7 +512,7 @@ func (c *Client) performBuild(
 	}()
 	// Build image
-	resp, err := c.docker.ImageBuild(ctx, tarArchive, dockertypes.ImageBuildOptions{
+	resp, err := c.docker.ImageBuild(ctx, tarArchive, types.ImageBuildOptions{
 		Dockerfile: opts.DockerfilePath,
 		Tags:       opts.Tags,
 		Remove:     true,
@@ -543,7 +542,7 @@ func (c *Client) performBuild(
 			return "", fmt.Errorf("failed to inspect image: %w", inspectErr)
 		}
-		return ImageID(inspect.ID), nil
+		return inspect.ID, nil
 	}
 	return "", nil
@@ -604,22 +603,22 @@ func (c *Client) performClone(ctx context.Context, cfg *cloneConfig) (*CloneResu
 		}
 	}()
-	gitContainerID, err := c.createGitContainer(ctx, cfg)
+	containerID, err := c.createGitContainer(ctx, cfg)
 	if err != nil {
 		return nil, err
 	}
 	defer func() {
-		_ = c.docker.ContainerRemove(ctx, gitContainerID.String(), container.RemoveOptions{Force: true})
+		_ = c.docker.ContainerRemove(ctx, containerID, container.RemoveOptions{Force: true})
 	}()
-	return c.runGitClone(ctx, gitContainerID)
+	return c.runGitClone(ctx, containerID)
 }
 func (c *Client) createGitContainer(
 	ctx context.Context,
 	cfg *cloneConfig,
-) (ContainerID, error) {
+) (string, error) {
 	gitSSHCmd := "ssh -i /keys/deploy_key -o StrictHostKeyChecking=no"
 	// Build the git command using environment variables to avoid shell injection.
@@ -676,16 +675,16 @@ func (c *Client) createGitContainer(
 		return "", fmt.Errorf("failed to create git container: %w", err)
 	}
-	return ContainerID(resp.ID), nil
+	return resp.ID, nil
 }
-func (c *Client) runGitClone(ctx context.Context, containerID ContainerID) (*CloneResult, error) {
+func (c *Client) runGitClone(ctx context.Context, containerID string) (*CloneResult, error) {
-	err := c.docker.ContainerStart(ctx, containerID.String(), container.StartOptions{})
+	err := c.docker.ContainerStart(ctx, containerID, container.StartOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to start git container: %w", err)
 	}
-	statusCh, errCh := c.docker.ContainerWait(ctx, containerID.String(), container.WaitConditionNotRunning)
+	statusCh, errCh := c.docker.ContainerWait(ctx, containerID, container.WaitConditionNotRunning)
 	select {
 	case err := <-errCh:
--- a/internal/docker/types.go
+++ b/internal/docker/types.go
@@ -1,13 +0,0 @@
 package docker
 // ImageID is a Docker image identifier (ID or tag).
 type ImageID string
 // String implements the fmt.Stringer interface.
 func (id ImageID) String() string { return string(id) }
 // ContainerID is a Docker container identifier.
 type ContainerID string
 // String implements the fmt.Stringer interface.
 func (id ContainerID) String() string { return string(id) }
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
@@ -7,7 +7,7 @@ import (
 	"github.com/go-chi/chi/v5"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 // apiAppResponse is the JSON representation of an app.
--- a/internal/handlers/api_test.go
+++ b/internal/handlers/api_test.go
@@ -11,7 +11,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"sneak.berlin/go/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
 )
 // apiRouter builds a chi router with the API routes using session auth middleware.
--- a/internal/handlers/app.go
+++ b/internal/handlers/app.go
@@ -15,9 +15,9 @@ import (
 	"github.com/go-chi/chi/v5"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 const (
@@ -72,7 +72,7 @@ func (h *Handlers) HandleAppCreate() http.HandlerFunc { //nolint:funlen // valid
 		nameErr := validateAppName(name)
 		if nameErr != nil {
 			data["Error"] = "Invalid app name: " + nameErr.Error()
-			h.renderTemplate(writer, tmpl, "app_new.html", data)
+			_ = tmpl.ExecuteTemplate(writer, "app_new.html", data)
 			return
 		}
@@ -228,7 +228,7 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // valid
 				"App":   application,
 				"Error": "Invalid app name: " + nameErr.Error(),
 			}, request)
-			h.renderTemplate(writer, tmpl, "app_edit.html", data)
+			_ = tmpl.ExecuteTemplate(writer, "app_edit.html", data)
 			return
 		}
@@ -239,7 +239,7 @@ func (h *Handlers) HandleAppUpdate() http.HandlerFunc { //nolint:funlen // valid
 				"App":   application,
 				"Error": "Invalid repository URL: " + repoURLErr.Error(),
 			}, request)
-			h.renderTemplate(writer, tmpl, "app_edit.html", data)
+			_ = tmpl.ExecuteTemplate(writer, "app_edit.html", data)
 			return
 		}
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -3,7 +3,7 @@ package handlers
 import (
 	"net/http"
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 // HandleLoginGET returns the login page handler.
--- a/internal/handlers/dashboard.go
+++ b/internal/handlers/dashboard.go
@@ -4,8 +4,8 @@ import (
 	"net/http"
 	"time"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 // AppStats holds deployment statistics for an app.
--- a/internal/handlers/handlers.go
+++ b/internal/handlers/handlers.go
@@ -10,16 +10,16 @@ import (
 	"github.com/gorilla/csrf"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/healthcheck"
+	"git.eeqj.de/sneak/upaas/internal/healthcheck"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 // Params contains dependencies for Handlers.
--- a/internal/handlers/handlers_test.go
+++ b/internal/handlers/handlers_test.go
@@ -15,21 +15,21 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
-	"sneak.berlin/go/upaas/internal/healthcheck"
+	"git.eeqj.de/sneak/upaas/internal/healthcheck"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/middleware"
+	"git.eeqj.de/sneak/upaas/internal/middleware"
-	"sneak.berlin/go/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
-	"sneak.berlin/go/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
-	"sneak.berlin/go/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"
 )
 type testContext struct {
@@ -404,25 +404,6 @@ func TestHandleDashboard(t *testing.T) {
 		assert.Equal(t, http.StatusOK, recorder.Code)
 		assert.Contains(t, recorder.Body.String(), "Applications")
 	})
 	t.Run("renders dashboard with apps without crashing on CSRFField", func(t *testing.T) {
 		t.Parallel()
 		testCtx := setupTestHandlers(t)
 		// Create an app so the template iterates over AppStats and hits .CSRFField
 		createTestApp(t, testCtx, "csrf-test-app")
 		request := httptest.NewRequest(http.MethodGet, "/", nil)
 		recorder := httptest.NewRecorder()
 		handler := testCtx.handlers.HandleDashboard()
 		handler.ServeHTTP(recorder, request)
 		assert.Equal(t, http.StatusOK, recorder.Code,
 			"dashboard should not 500 when apps exist (CSRFField must be accessible)")
 		assert.Contains(t, recorder.Body.String(), "csrf-test-app")
 	})
 }
 func TestHandleAppNew(t *testing.T) {
--- a/internal/handlers/repo_url_validation_test.go
+++ b/internal/handlers/repo_url_validation_test.go
@@ -3,7 +3,7 @@ package handlers_test
 import (
 	"testing"
-	"sneak.berlin/go/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
 )
 func TestValidateRepoURL(t *testing.T) {
--- a/internal/handlers/sanitize_test.go
+++ b/internal/handlers/sanitize_test.go
@@ -3,7 +3,7 @@ package handlers_test
 import (
 	"testing"
-	"sneak.berlin/go/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
 )
 func TestSanitizeLogs(t *testing.T) { //nolint:funlen // table-driven tests
--- a/internal/handlers/setup.go
+++ b/internal/handlers/setup.go
@@ -3,7 +3,7 @@ package handlers
 import (
 	"net/http"
-	"sneak.berlin/go/upaas/templates"
+	"git.eeqj.de/sneak/upaas/templates"
 )
 const (
--- a/internal/handlers/tail_validation_test.go
+++ b/internal/handlers/tail_validation_test.go
@@ -3,7 +3,7 @@ package handlers_test
 import (
 	"testing"
-	"sneak.berlin/go/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
 )
 func TestSanitizeTail(t *testing.T) {
--- a/internal/handlers/webhook.go
+++ b/internal/handlers/webhook.go
@@ -6,7 +6,7 @@ import (
 	"github.com/go-chi/chi/v5"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 // maxWebhookBodySize is the maximum allowed size of a webhook request body (1MB).
--- a/internal/healthcheck/healthcheck.go
+++ b/internal/healthcheck/healthcheck.go
@@ -8,10 +8,10 @@ import (
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
 )
 // Params contains dependencies for Healthcheck.
--- a/internal/logger/logger.go
+++ b/internal/logger/logger.go
@@ -7,7 +7,7 @@ import (
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
 )
 // Params contains dependencies for Logger.
--- a/internal/middleware/cors_test.go
+++ b/internal/middleware/cors_test.go
@@ -8,7 +8,7 @@ import (
 	"github.com/stretchr/testify/assert"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
 )
 //nolint:gosec // test credentials
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -18,10 +18,10 @@ import (
 	"go.uber.org/fx"
 	"golang.org/x/time/rate"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
 )
 // corsMaxAge is the maximum age for CORS preflight responses in seconds.
--- a/internal/middleware/ratelimit_test.go
+++ b/internal/middleware/ratelimit_test.go
@@ -9,7 +9,7 @@ import (
 	"github.com/stretchr/testify/assert"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
 )
 func newTestMiddleware(t *testing.T) *Middleware {
--- a/internal/models/app.go
+++ b/internal/models/app.go
@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"time"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // appColumns is the standard column list for app queries.
--- a/internal/models/deployment.go
+++ b/internal/models/deployment.go
@@ -5,10 +5,9 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
 	"strings"
 	"time"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // DeploymentStatus represents the status of a deployment.
@@ -77,11 +76,7 @@ func (d *Deployment) Reload(ctx context.Context) error {
 	return d.scan(row)
 }
 // maxLogSize is the maximum size of deployment logs stored in the database (1MB).
 const maxLogSize = 1 << 20
 // AppendLog appends a log line to the deployment logs.
 // If the total log size exceeds maxLogSize, the oldest lines are truncated.
 func (d *Deployment) AppendLog(ctx context.Context, line string) error {
 	var currentLogs string
@@ -89,22 +84,7 @@ func (d *Deployment) AppendLog(ctx context.Context, line string) error {
 		currentLogs = d.Logs.String
 	}
-	newLogs := currentLogs + line + "\n"
+	d.Logs = sql.NullString{String: currentLogs + line + "\n", Valid: true}
 	if len(newLogs) > maxLogSize {
 		// Keep the most recent logs that fit within the limit.
 		// Find a newline after the truncation point to avoid partial lines.
 		truncateAt := len(newLogs) - maxLogSize
 		idx := strings.Index(newLogs[truncateAt:], "\n")
 		if idx >= 0 {
 			newLogs = "[earlier logs truncated]\n" + newLogs[truncateAt+idx+1:]
 		} else {
 			newLogs = "[earlier logs truncated]\n" + newLogs[truncateAt:]
 		}
 	}
 	d.Logs = sql.NullString{String: newLogs, Valid: true}
 	return d.Save(ctx)
 }
--- a/internal/models/env_var.go
+++ b/internal/models/env_var.go
@@ -7,7 +7,7 @@ import (
 	"errors"
 	"fmt"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // EnvVar represents an environment variable for an app.
--- a/internal/models/label.go
+++ b/internal/models/label.go
@@ -7,7 +7,7 @@ import (
 	"errors"
 	"fmt"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // Label represents a Docker label for an app container.
--- a/internal/models/models_test.go
+++ b/internal/models/models_test.go
@@ -10,11 +10,11 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 // Test constants to satisfy goconst linter.
--- a/internal/models/port.go
+++ b/internal/models/port.go
@@ -6,7 +6,7 @@ import (
 	"errors"
 	"fmt"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // PortProtocol represents the protocol for a port mapping.
--- a/internal/models/user.go
+++ b/internal/models/user.go
@@ -8,7 +8,7 @@ import (
 	"fmt"
 	"time"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // User represents a user in the system.
--- a/internal/models/volume.go
+++ b/internal/models/volume.go
@@ -6,7 +6,7 @@ import (
 	"errors"
 	"fmt"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // Volume represents a volume mount for an app container.
--- a/internal/models/webhook_event.go
+++ b/internal/models/webhook_event.go
@@ -7,7 +7,7 @@ import (
 	"fmt"
 	"time"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
 )
 // WebhookEvent represents a received webhook event.
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -8,7 +8,7 @@ import (
 	chimw "github.com/go-chi/chi/v5/middleware"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
-	"sneak.berlin/go/upaas/static"
+	"git.eeqj.de/sneak/upaas/static"
 )
 // requestTimeout is the maximum duration for handling a request.
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -12,11 +12,11 @@ import (
 	"github.com/go-chi/chi/v5"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/handlers"
+	"git.eeqj.de/sneak/upaas/internal/handlers"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/middleware"
+	"git.eeqj.de/sneak/upaas/internal/middleware"
 )
 // Params contains dependencies for Server.
--- a/internal/service/app/app.go
+++ b/internal/service/app/app.go
@@ -14,10 +14,10 @@ import (
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/ssh"
+	"git.eeqj.de/sneak/upaas/internal/ssh"
 )
 // ServiceParams contains dependencies for Service.
--- a/internal/service/app/app_test.go
+++ b/internal/service/app/app_test.go
@@ -8,12 +8,12 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/app"
+	"git.eeqj.de/sneak/upaas/internal/service/app"
 )
 func setupTestService(t *testing.T) (*app.Service, func()) {
--- a/internal/service/auth/auth.go
+++ b/internal/service/auth/auth.go
@@ -15,10 +15,10 @@ import (
 	"go.uber.org/fx"
 	"golang.org/x/crypto/argon2"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 const (
--- a/internal/service/auth/auth_test.go
+++ b/internal/service/auth/auth_test.go
@@ -12,11 +12,11 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/service/auth"
+	"git.eeqj.de/sneak/upaas/internal/service/auth"
 )
 func setupTestService(t *testing.T) (*auth.Service, func()) {
--- a/internal/service/deploy/deploy.go
+++ b/internal/service/deploy/deploy.go
@@ -17,12 +17,12 @@ import (
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
 )
 // Time constants.
@@ -251,8 +251,8 @@ func New(lc fx.Lifecycle, params ServiceParams) (*Service, error) {
 }
 // GetBuildDir returns the build directory path for an app.
-func (svc *Service) GetBuildDir(appName string) string {
+func (svc *Service) GetBuildDir(appID string) string {
-	return filepath.Join(svc.config.DataDir, "builds", appName)
+	return filepath.Join(svc.config.DataDir, "builds", appID)
 }
 // GetLogFilePath returns the path to the log file for a deployment.
@@ -417,7 +417,7 @@ func (svc *Service) executeRollback(
 	svc.removeOldContainer(ctx, app, deployment)
-	rollbackOpts, err := svc.buildContainerOptions(ctx, app, docker.ImageID(previousImageID))
+	rollbackOpts, err := svc.buildContainerOptions(ctx, app, previousImageID)
 	if err != nil {
 		svc.failDeployment(bgCtx, app, deployment, err)
@@ -431,8 +431,8 @@ func (svc *Service) executeRollback(
 		return fmt.Errorf("failed to create rollback container: %w", err)
 	}
-	deployment.ContainerID = sql.NullString{String: containerID.String(), Valid: true}
+	deployment.ContainerID = sql.NullString{String: containerID, Valid: true}
-	_ = deployment.AppendLog(bgCtx, "Rollback container created: "+containerID.String())
+	_ = deployment.AppendLog(bgCtx, "Rollback container created: "+containerID)
 	startErr := svc.docker.StartContainer(ctx, containerID)
 	if startErr != nil {
@@ -514,7 +514,7 @@ func (svc *Service) buildImageWithTimeout(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-) (docker.ImageID, error) {
+) (string, error) {
 	buildCtx, cancel := context.WithTimeout(ctx, buildTimeout)
 	defer cancel()
@@ -539,7 +539,7 @@ func (svc *Service) deployContainerWithTimeout(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-	imageID docker.ImageID,
+	imageID string,
 ) error {
 	deployCtx, cancel := context.WithTimeout(ctx, deployTimeout)
 	defer cancel()
@@ -667,7 +667,7 @@ func (svc *Service) checkCancelled(
 	bgCtx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-	imageID docker.ImageID,
+	imageID string,
 ) error {
 	if !errors.Is(deployCtx.Err(), context.Canceled) {
 		return nil
@@ -687,7 +687,7 @@ func (svc *Service) cleanupCancelledDeploy(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-	imageID docker.ImageID,
+	imageID string,
 ) {
 	// Clean up the intermediate Docker image if one was built
 	if imageID != "" {
@@ -695,11 +695,11 @@ func (svc *Service) cleanupCancelledDeploy(
 		if removeErr != nil {
 			svc.log.Error("failed to remove image from cancelled deploy",
 				"error", removeErr, "app", app.Name, "image", imageID)
-			_ = deployment.AppendLog(ctx, "WARNING: failed to clean up image "+imageID.String()+": "+removeErr.Error())
+			_ = deployment.AppendLog(ctx, "WARNING: failed to clean up image "+imageID+": "+removeErr.Error())
 		} else {
 			svc.log.Info("cleaned up image from cancelled deploy",
 				"app", app.Name, "image", imageID)
-			_ = deployment.AppendLog(ctx, "Cleaned up intermediate image: "+imageID.String())
+			_ = deployment.AppendLog(ctx, "Cleaned up intermediate image: "+imageID)
 		}
 	}
@@ -816,7 +816,7 @@ func (svc *Service) buildImage(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-) (docker.ImageID, error) {
+) (string, error) {
 	workDir, cleanup, err := svc.cloneRepository(ctx, app, deployment)
 	if err != nil {
 		return "", err
@@ -850,8 +850,8 @@ func (svc *Service) buildImage(
 		return "", fmt.Errorf("failed to build image: %w", err)
 	}
-	deployment.ImageID = sql.NullString{String: imageID.String(), Valid: true}
+	deployment.ImageID = sql.NullString{String: imageID, Valid: true}
-	_ = deployment.AppendLog(ctx, "Image built: "+imageID.String())
+	_ = deployment.AppendLog(ctx, "Image built: "+imageID)
 	return imageID, nil
 }
@@ -1009,15 +1009,15 @@ func (svc *Service) removeOldContainer(
 		svc.log.Warn("failed to remove old container", "error", removeErr)
 	}
-	_ = deployment.AppendLog(ctx, "Old container removed: "+string(containerInfo.ID[:12]))
+	_ = deployment.AppendLog(ctx, "Old container removed: "+containerInfo.ID[:12])
 }
 func (svc *Service) createAndStartContainer(
 	ctx context.Context,
 	app *models.App,
 	deployment *models.Deployment,
-	imageID docker.ImageID,
+	imageID string,
-) (docker.ContainerID, error) {
+) (string, error) {
 	containerOpts, err := svc.buildContainerOptions(ctx, app, imageID)
 	if err != nil {
 		svc.failDeployment(ctx, app, deployment, err)
@@ -1038,8 +1038,8 @@ func (svc *Service) createAndStartContainer(
 		return "", fmt.Errorf("failed to create container: %w", err)
 	}
-	deployment.ContainerID = sql.NullString{String: containerID.String(), Valid: true}
+	deployment.ContainerID = sql.NullString{String: containerID, Valid: true}
-	_ = deployment.AppendLog(ctx, "Container created: "+containerID.String())
+	_ = deployment.AppendLog(ctx, "Container created: "+containerID)
 	startErr := svc.docker.StartContainer(ctx, containerID)
 	if startErr != nil {
@@ -1062,7 +1062,7 @@ func (svc *Service) createAndStartContainer(
 func (svc *Service) buildContainerOptions(
 	ctx context.Context,
 	app *models.App,
-	imageID docker.ImageID,
+	imageID string,
 ) (docker.CreateContainerOptions, error) {
 	envVars, err := app.GetEnvVars(ctx)
 	if err != nil {
@@ -1096,7 +1096,7 @@ func (svc *Service) buildContainerOptions(
 	return docker.CreateContainerOptions{
 		Name:    "upaas-" + app.Name,
-		Image:   imageID.String(),
+		Image:   imageID,
 		Env:     envMap,
 		Labels:  buildLabelMap(app, labels),
 		Volumes: buildVolumeMounts(volumes),
@@ -1146,9 +1146,9 @@ func buildPortMappings(ports []*models.Port) []docker.PortMapping {
 func (svc *Service) updateAppRunning(
 	ctx context.Context,
 	app *models.App,
-	imageID docker.ImageID,
+	imageID string,
 ) error {
-	app.ImageID = sql.NullString{String: imageID.String(), Valid: true}
+	app.ImageID = sql.NullString{String: imageID, Valid: true}
 	app.Status = models.AppStatusRunning
 	saveErr := app.Save(ctx)
--- a/internal/service/deploy/deploy_cancel_test.go
+++ b/internal/service/deploy/deploy_cancel_test.go
@@ -9,7 +9,7 @@ import (
 	"github.com/stretchr/testify/assert"
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
 )
 func TestCancelActiveDeploy_NoExisting(t *testing.T) {
--- a/internal/service/deploy/deploy_cleanup_test.go
+++ b/internal/service/deploy/deploy_cleanup_test.go
@@ -10,8 +10,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
 )
 func TestCleanupCancelledDeploy_RemovesBuildDir(t *testing.T) {
--- a/internal/service/deploy/deploy_container_test.go
+++ b/internal/service/deploy/deploy_container_test.go
@@ -6,10 +6,9 @@ import (
 	"os"
 	"testing"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 )
 func TestBuildContainerOptionsUsesImageID(t *testing.T) {
@@ -28,14 +27,14 @@ func TestBuildContainerOptionsUsesImageID(t *testing.T) {
 	log := slog.New(slog.NewTextHandler(os.Stderr, nil))
 	svc := deploy.NewTestService(log)
-	const expectedImageID = docker.ImageID("sha256:abc123def456")
+	const expectedImageID = "sha256:abc123def456"
 	opts, err := svc.BuildContainerOptionsExported(context.Background(), app, expectedImageID)
 	if err != nil {
 		t.Fatalf("buildContainerOptions returned error: %v", err)
 	}
-	if opts.Image != expectedImageID.String() {
+	if opts.Image != expectedImageID {
 		t.Errorf("expected Image=%q, got %q", expectedImageID, opts.Image)
 	}
--- a/internal/service/deploy/export_test.go
+++ b/internal/service/deploy/export_test.go
@@ -8,9 +8,9 @@ import (
 	"path/filepath"
 	"strings"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 // NewTestService creates a Service with minimal dependencies for testing.
@@ -86,7 +86,7 @@ func (svc *Service) GetBuildDirExported(appName string) string {
 func (svc *Service) BuildContainerOptionsExported(
 	ctx context.Context,
 	app *models.App,
-	imageID docker.ImageID,
+	imageID string,
 ) (docker.CreateContainerOptions, error) {
 	return svc.buildContainerOptions(ctx, app, imageID)
 }
--- a/internal/service/notify/notify.go
+++ b/internal/service/notify/notify.go
@@ -15,8 +15,8 @@ import (
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
 )
 // HTTP client timeout.
--- a/internal/service/webhook/types.go
+++ b/internal/service/webhook/types.go
@@ -1,10 +0,0 @@
 package webhook
 // UnparsedURL is a URL stored as a plain string without parsing.
 // Use this instead of string when the value is known to be a URL
 // but should not be parsed into a net/url.URL (e.g. webhook URLs,
 // compare URLs from external payloads).
 type UnparsedURL string
 // String implements the fmt.Stringer interface.
 func (u UnparsedURL) String() string { return string(u) }
--- a/internal/service/webhook/webhook.go
+++ b/internal/service/webhook/webhook.go
@@ -10,11 +10,10 @@ import (
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
 	"sneak.berlin/go/upaas/internal/service/deploy"
 )
 // ServiceParams contains dependencies for Service.
@@ -51,12 +50,12 @@ type GiteaPushPayload struct {
 	Ref        string `json:"ref"`
 	Before     string `json:"before"`
 	After      string `json:"after"`
-	CompareURL UnparsedURL `json:"compare_url"`
+	CompareURL string `json:"compare_url"`
 	Repository struct {
 		FullName string `json:"full_name"`
-		CloneURL UnparsedURL `json:"clone_url"`
+		CloneURL string `json:"clone_url"`
 		SSHURL   string `json:"ssh_url"`
-		HTMLURL  UnparsedURL `json:"html_url"`
+		HTMLURL  string `json:"html_url"`
 	} `json:"repository"`
 	Pusher struct {
 		Username string `json:"username"`
@@ -64,7 +63,7 @@ type GiteaPushPayload struct {
 	} `json:"pusher"`
 	Commits []struct {
 		ID      string `json:"id"`
-		URL     UnparsedURL `json:"url"`
+		URL     string `json:"url"`
 		Message string `json:"message"`
 		Author  struct {
 			Name  string `json:"name"`
@@ -105,7 +104,7 @@ func (svc *Service) HandleWebhook(
 	event.EventType = eventType
 	event.Branch = branch
 	event.CommitSHA = sql.NullString{String: commitSHA, Valid: commitSHA != ""}
-	event.CommitURL = sql.NullString{String: commitURL.String(), Valid: commitURL != ""}
+	event.CommitURL = sql.NullString{String: commitURL, Valid: commitURL != ""}
 	event.Payload = sql.NullString{String: string(payload), Valid: true}
 	event.Matched = matched
 	event.Processed = false
@@ -169,7 +168,7 @@ func extractBranch(ref string) string {
 // extractCommitURL extracts the commit URL from the webhook payload.
 // Prefers the URL from the head commit, falls back to constructing from repo URL.
-func extractCommitURL(payload GiteaPushPayload) UnparsedURL {
+func extractCommitURL(payload GiteaPushPayload) string {
 	// Try to find the URL from the head commit (matching After SHA)
 	for _, commit := range payload.Commits {
 		if commit.ID == payload.After && commit.URL != "" {
@@ -179,7 +178,7 @@ func extractCommitURL(payload GiteaPushPayload) UnparsedURL {
 	// Fall back to constructing URL from repo HTML URL
 	if payload.Repository.HTMLURL != "" && payload.After != "" {
-		return UnparsedURL(payload.Repository.HTMLURL.String() + "/commit/" + payload.After)
+		return payload.Repository.HTMLURL + "/commit/" + payload.After
 	}
 	return ""
--- a/internal/service/webhook/webhook_test.go
+++ b/internal/service/webhook/webhook_test.go
@@ -12,15 +12,15 @@ import (
 	"github.com/stretchr/testify/require"
 	"go.uber.org/fx"
-	"sneak.berlin/go/upaas/internal/config"
+	"git.eeqj.de/sneak/upaas/internal/config"
-	"sneak.berlin/go/upaas/internal/database"
+	"git.eeqj.de/sneak/upaas/internal/database"
-	"sneak.berlin/go/upaas/internal/docker"
+	"git.eeqj.de/sneak/upaas/internal/docker"
-	"sneak.berlin/go/upaas/internal/globals"
+	"git.eeqj.de/sneak/upaas/internal/globals"
-	"sneak.berlin/go/upaas/internal/logger"
+	"git.eeqj.de/sneak/upaas/internal/logger"
-	"sneak.berlin/go/upaas/internal/models"
+	"git.eeqj.de/sneak/upaas/internal/models"
-	"sneak.berlin/go/upaas/internal/service/deploy"
+	"git.eeqj.de/sneak/upaas/internal/service/deploy"
-	"sneak.berlin/go/upaas/internal/service/notify"
+	"git.eeqj.de/sneak/upaas/internal/service/notify"
-	"sneak.berlin/go/upaas/internal/service/webhook"
+	"git.eeqj.de/sneak/upaas/internal/service/webhook"
 )
 type testDeps struct {
--- a/internal/ssh/keygen_test.go
+++ b/internal/ssh/keygen_test.go
@@ -4,9 +4,9 @@ import (
 	"strings"
 	"testing"
 	"git.eeqj.de/sneak/upaas/internal/ssh"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"sneak.berlin/go/upaas/internal/ssh"
 )
 func TestGenerateKeyPair(t *testing.T) {
--- a/static/js/alpine.min.js
+++ b/static/js/alpine.min.js
--- a/templates/dashboard.html
+++ b/templates/dashboard.html
@@ -69,7 +69,7 @@
                            <a href="/apps/{{.App.ID}}" class="btn-text text-sm py-1 px-2">View</a>
                            <a href="/apps/{{.App.ID}}/edit" class="btn-secondary text-sm py-1 px-2">Edit</a>
                            <form method="POST" action="/apps/{{.App.ID}}/deploy" class="inline">
-                {{ $.CSRFField }}
+                {{ .CSRFField }}
                                <button type="submit" class="btn-success text-sm py-1 px-2">Deploy</button>
                            </form>
                        </div>