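---
# Production Docker Compose Configuration
#
# This file provides production-specific settings with maximum security.
# It is an override layered on top of the base compose file: the services
# below carry no image/build and only adjust ports, environment and commands.
#
# NOTE on `ports`: Compose MERGES multi-value options (ports, expose, ...)
# across files, so a plain `ports: []` in an override does NOT remove ports
# published by the base file. The `!reset` tag (Compose v2.24+) is required
# to actually clear the inherited list.

# `version` is obsolete in Compose v2 (ignored with a warning); kept for
# compatibility with older tooling.
version: '3.8'

services:
  # Backend - Production Security
  backend:
    # Remove external port exposure - only accessible via reverse proxy.
    # `!reset` clears the list inherited from the base file; a bare `[]`
    # would be appended to it and leave the published ports in place.
    ports: !reset []
    expose:
      - "3001"  # Internal only
    environment:
      NODE_ENV: production
      # Security settings
      # Booleans are quoted: Compose expects environment values to be
      # strings, and an unquoted `false` is parsed as a YAML boolean.
      API_DEBUG: "false"
      LOG_LEVEL: warn
      # Session security
      SESSION_SECURE: "true"
      SESSION_SAME_SITE: strict
      # Enhanced security headers
      ENABLE_SECURITY_HEADERS: "true"

  # PostgreSQL - Production Security
  postgres:
    # No external ports in production (see the note on `!reset` above)
    ports: !reset []
    expose:
      - "5432"  # Internal only
    environment:
      # Production database settings
      # `:?` makes Compose fail fast when the variable is unset or empty
      # instead of silently substituting an empty password.
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}
      POSTGRES_INITDB_ARGS: "--auth-host=scram-sha-256"
    # Additional security
    # `>-` folds the lines into one command string without a trailing newline.
    # log_statement=all records every statement, including literal values
    # embedded in queries; make sure log access and retention are controlled.
    command: >-
      postgres
      -c ssl=on
      -c ssl_cert_file=/var/lib/postgresql/server.crt
      -c ssl_key_file=/var/lib/postgresql/server.key
      -c log_connections=on
      -c log_disconnections=on
      -c log_statement=all

  # Redis - Production Security
  redis:
    # No external ports in production
    ports: !reset []
    expose:
      - "6379"  # Internal only
    # `:?` fails the deployment if REDIS_PASSWORD is unset; an unset variable
    # would otherwise expand to nothing and leave `--requirepass` without
    # the intended argument.
    # Note: the password is passed on the command line and is therefore
    # visible in `docker inspect` and in the container's process listing.
    command: >-
      redis-server
      --appendonly yes
      --requirepass ${REDIS_PASSWORD:?REDIS_PASSWORD must be set}
      --maxmemory 256mb
      --maxmemory-policy allkeys-lru
    environment:
      REDIS_PASSWORD: ${REDIS_PASSWORD:?REDIS_PASSWORD must be set}

  # Data Retention - Production Security
  data-retention:
    # No external ports in production
    ports: !reset []
    expose:
      - "3001"  # Internal only
    environment:
      NODE_ENV: production
      IMMEDIATE_CLEANUP: "false"  # quoted: environment values must be strings

  # Frontend - Production Optimization
  frontend:
    environment:
      # Production optimizations
      NGINX_WORKER_PROCESSES: auto
      NGINX_WORKER_CONNECTIONS: 1024

  # Management - Production Optimization
  management:
    environment:
      # Production optimizations
      NGINX_WORKER_PROCESSES: auto
      NGINX_WORKER_CONNECTIONS: 1024

  # Health Probe - Production Settings
  healthprobe:
    environment:
      PROBE_FAILRATE: 5  # Lower failure rate in production
      PROBE_INTERVAL_SECONDS: 300  # Less frequent in production

# Production-specific network settings
networks:
  drone-network:
    driver: bridge
    driver_opts:
      # Enhanced network security
      # NOTE(review): enable_icc=false blocks container-to-container traffic
      # on this bridge; confirm backend/data-retention can still reach
      # postgres and redis before relying on this in production.
      com.docker.network.bridge.enable_icc: "false"
      com.docker.network.bridge.enable_ip_masquerade: "true"
      com.docker.network.driver.mtu: "1500"  # quoted for consistency with the other options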