Hartmut
805bb0464f
- docker-compose.yml: require ${POSTGRES_PASSWORD} for the postgres service
and the app container's DATABASE_URL. No default — compose refuses to start
without it, mirroring the existing PGADMIN_PASSWORD pattern.
- Dockerfile.prod: move auth/db ENV assignments from persistent ENV lines into
an inline env prefix on the `pnpm build` RUN step. Placeholders are still
available to `next build` but no longer persist in the builder layer or in
the published migrator image (which is FROM builder).
- Dockerfile.dev: add HEALTHCHECK against /api/health and install curl for it.
- .dockerignore: cover nested **/.env*, **/*.pem, **/*.key, **/secrets/**.
- runtime-env.ts: add the CI build placeholder strings to the disallowed-secret
set so a misconfigured prod deploy using the baked-in ARG defaults fails
startup instead of silently running with a known-bad secret.
- .env.example: document the new POSTGRES_PASSWORD requirement.
- CI: write POSTGRES_PASSWORD into the Fresh-Linux Docker Deploy job's .env
(must match docker-compose.ci.yml's hardcoded DATABASE_URL), and provide a
dummy value in the E2E job where compose validates all services' interp.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
119 lines
3.7 KiB
YAML
119 lines
3.7 KiB
YAML
name: capakraken
|
|
|
|
services:
|
|
postgres:
|
|
image: postgres:16-alpine
|
|
ports:
|
|
- "5433:5432"
|
|
environment:
|
|
POSTGRES_DB: capakraken
|
|
POSTGRES_USER: capakraken
|
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env (any non-empty value for local dev)}
|
|
command: >
|
|
postgres
|
|
-c log_connections=on
|
|
-c log_disconnections=on
|
|
-c log_statement=ddl
|
|
-c log_line_prefix='%t [%p] %u@%d '
|
|
-c log_min_duration_statement=1000
|
|
volumes:
|
|
- capakraken_pgdata:/var/lib/postgresql/data
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U capakraken -d capakraken"]
|
|
interval: 5s
|
|
timeout: 3s
|
|
retries: 5
|
|
|
|
redis:
|
|
image: redis:7-alpine
|
|
ports:
|
|
- "6380:6379"
|
|
healthcheck:
|
|
test: ["CMD", "redis-cli", "ping"]
|
|
interval: 5s
|
|
timeout: 3s
|
|
retries: 5
|
|
|
|
mailhog:
|
|
image: mailhog/mailhog
|
|
ports:
|
|
- "1025:1025" # SMTP
|
|
- "8025:8025" # HTTP API / Web UI
|
|
|
|
pgadmin:
|
|
image: dpage/pgadmin4
|
|
ports:
|
|
- "5050:80"
|
|
environment:
|
|
PGADMIN_DEFAULT_EMAIL: ${PGADMIN_EMAIL:-admin@capakraken.dev}
|
|
PGADMIN_DEFAULT_PASSWORD: ${PGADMIN_PASSWORD:?PGADMIN_PASSWORD must be set}
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
|
|
app:
|
|
build:
|
|
context: .
|
|
dockerfile: Dockerfile.dev
|
|
ports:
|
|
- "3100:3100"
|
|
environment:
|
|
# Always use the Docker-internal service name. The host-level DATABASE_URL
|
|
# (localhost:5433) must not bleed into the container where "localhost" is
|
|
# the container itself, not the host.
|
|
DATABASE_URL: postgresql://capakraken:${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD}@postgres:5432/capakraken
|
|
REDIS_URL: redis://redis:6379
|
|
NEXTAUTH_URL: ${NEXTAUTH_URL:?NEXTAUTH_URL must be set (e.g. https://your-domain.com)}
|
|
NEXTAUTH_SECRET: ${NEXTAUTH_SECRET:?set NEXTAUTH_SECRET}
|
|
# Bypass auth + API rate limiters for E2E test runs only.
|
|
# MUST remain "false" in any production or staging deployment.
|
|
# Set E2E_TEST_MODE=true in the host environment before running E2E tests.
|
|
E2E_TEST_MODE: "${E2E_TEST_MODE:-false}"
|
|
# AI provider secrets — forwarded from host .env, not hardcoded
|
|
AZURE_OPENAI_API_KEY: ${AZURE_OPENAI_API_KEY:-}
|
|
OPENAI_API_KEY: ${OPENAI_API_KEY:-}
|
|
GEMINI_API_KEY: ${GEMINI_API_KEY:-}
|
|
# SMTP — inside Docker the app must reach Mailhog via the service name.
|
|
# SMTP_HOST is hardcoded to "mailhog" here; the host .env value (localhost)
|
|
# is only relevant for `pnpm dev` (non-Docker).
|
|
SMTP_HOST: mailhog
|
|
SMTP_PORT: ${SMTP_PORT:-1025}
|
|
SMTP_USER: ${SMTP_USER:-}
|
|
SMTP_FROM: ${SMTP_FROM:-noreply@capakraken.dev}
|
|
SMTP_TLS: ${SMTP_TLS:-false}
|
|
SMTP_PASSWORD: ${SMTP_PASSWORD:-}
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
redis:
|
|
condition: service_healthy
|
|
volumes:
|
|
- .:/app
|
|
# Named volumes mask the bind-mount for generated/installed artefacts.
|
|
# Named (not anonymous) so they can be selectively removed: docker volume rm capakraken_node_modules
|
|
- capakraken_node_modules:/app/node_modules
|
|
- capakraken_next:/app/apps/web/.next
|
|
profiles:
|
|
- full
|
|
|
|
postgres-test:
|
|
image: postgres:16-alpine
|
|
ports:
|
|
- "${POSTGRES_TEST_PORT:-5434}:5432"
|
|
environment:
|
|
POSTGRES_DB: capakraken_test
|
|
POSTGRES_USER: capakraken
|
|
POSTGRES_PASSWORD: capakraken_test
|
|
tmpfs:
|
|
- /var/lib/postgresql/data
|
|
profiles:
|
|
- test
|
|
|
|
volumes:
|
|
capakraken_pgdata:
|
|
name: capakraken_pgdata
|
|
capakraken_node_modules:
|
|
name: capakraken_node_modules
|
|
capakraken_next:
|
|
name: capakraken_next
|