xtablo-source/backend/docker-compose.prod.yaml

# Production compose stack for Hetzner VM deployment.
#
# Decision references (from CONTEXT.md / RESEARCH.md):
#   D-01: Hetzner VM as the production host — single VPS, plain Docker Compose.
#   D-02: No orchestration layer — plain docker compose up on the VM.
#   D-03: Postgres runs inside the compose stack (not an external managed DB).
#   D-04: Caddy handles TLS via Let's Encrypt (persistent caddy_data volume required).
#   D-08: Same image built once; web and worker are launched via different `command:` values.
#
# Usage:
#   export IMAGE=ghcr.io/yourusername/xtablo TAG=v0.1.0
#   docker compose -f docker-compose.prod.yaml --env-file .env.prod up -d

services:

  # -------------------------------------------------------------------------
  # Postgres (D-03) — internal only; no host port binding (RESEARCH Pitfall 5)
  # -------------------------------------------------------------------------
  postgres:
    image: postgres:16-alpine
    restart: unless-stopped
    environment:
      POSTGRES_DB: ${POSTGRES_DB:-xtablo}
      POSTGRES_USER: ${POSTGRES_USER:-xtablo}
      # No default — operator MUST set POSTGRES_PASSWORD in .env.prod
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    volumes:
      - postgres_data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-xtablo}"]
      interval: 10s
      timeout: 5s
      retries: 10
    # No `ports:` — Postgres is internal to the compose network only.
    # Exposing port 5432 to the host would allow unauthenticated internet access
    # on a VM with a public IP (RESEARCH Pitfall 5 / threat T-07-09).

  # -------------------------------------------------------------------------
  # Web server (D-08) — /app/web binary from the shared image
  # -------------------------------------------------------------------------
  web:
    image: ${IMAGE:-ghcr.io/yourusername/xtablo}:${TAG:-latest}
    command: /app/web
    restart: unless-stopped
    env_file: .env.prod
    depends_on:
      postgres:
        condition: service_healthy
    expose:
      - "8080"
    # No `ports:` — Caddy handles all external traffic and reverse-proxies to web:8080.

  # -------------------------------------------------------------------------
  # Background worker (D-08) — /app/worker binary from the same image
  # -------------------------------------------------------------------------
  worker:
    image: ${IMAGE:-ghcr.io/yourusername/xtablo}:${TAG:-latest}
    command: /app/worker
    restart: unless-stopped
    env_file: .env.prod
    depends_on:
      postgres:
        condition: service_healthy
      web:
        # Ensures web starts first so goose.Up() runs before the worker connects.
        # restart: unless-stopped means the worker self-heals if it races anyway.
        condition: service_started

  # -------------------------------------------------------------------------
  # Caddy reverse proxy (D-04) — TLS termination via Let's Encrypt
  # -------------------------------------------------------------------------
  caddy:
    image: caddy:2-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./deploy/Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data
      - caddy_config:/config
    depends_on:
      - web

volumes:
  # Postgres data — persist across container restarts and upgrades.
  postgres_data:

  # Caddy TLS data — stores Let's Encrypt certificates.
  # Losing this volume forces certificate re-issuance and may hit LE rate limits.
  caddy_data:

  # Caddy runtime config — persists across Caddy restarts.
  caddy_config:
feat(07-03): add docker-compose.prod.yaml and deploy/Caddyfile - Production compose stack with postgres, web, worker, caddy services (D-01..D-04, D-08) - postgres service has no host ports binding (internal network only, T-07-09 mitigated) - web and worker use same image with different command: values (/app/web, /app/worker) - Both web and worker depend_on postgres with service_healthy condition (T-07-12 mitigated) - Caddy handles TLS via Let's Encrypt with persistent caddy_data and caddy_config volumes (D-04) - Caddyfile uses {$DOMAIN} env var interpolation for the site block (RESEARCH Pattern 6) - Caddyfile includes Let's Encrypt staging note to avoid rate limits (RESEARCH Pitfall 4) 2026-05-15 16:23:13 +00:00			`# Production compose stack for Hetzner VM deployment.`
			`#`
			`# Decision references (from CONTEXT.md / RESEARCH.md):`
			`# D-01: Hetzner VM as the production host — single VPS, plain Docker Compose.`
			`# D-02: No orchestration layer — plain docker compose up on the VM.`
			`# D-03: Postgres runs inside the compose stack (not an external managed DB).`
			`# D-04: Caddy handles TLS via Let's Encrypt (persistent caddy_data volume required).`
			# D-08: Same image built once; web and worker are launched via different `command:` values.
			`#`
			`# Usage:`
			`# export IMAGE=ghcr.io/yourusername/xtablo TAG=v0.1.0`
			`# docker compose -f docker-compose.prod.yaml --env-file .env.prod up -d`

			`services:`

			`# -------------------------------------------------------------------------`
			`# Postgres (D-03) — internal only; no host port binding (RESEARCH Pitfall 5)`
			`# -------------------------------------------------------------------------`
			`postgres:`
			`image: postgres:16-alpine`
			`restart: unless-stopped`
			`environment:`
			`POSTGRES_DB: ${POSTGRES_DB:-xtablo}`
			`POSTGRES_USER: ${POSTGRES_USER:-xtablo}`
			`# No default — operator MUST set POSTGRES_PASSWORD in .env.prod`
			`POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}`
			`volumes:`
			`- postgres_data:/var/lib/postgresql/data`
			`healthcheck:`
			`test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-xtablo}"]`
			`interval: 10s`
			`timeout: 5s`
			`retries: 10`
			# No `ports:` — Postgres is internal to the compose network only.
			`# Exposing port 5432 to the host would allow unauthenticated internet access`
			`# on a VM with a public IP (RESEARCH Pitfall 5 / threat T-07-09).`

			`# -------------------------------------------------------------------------`
			`# Web server (D-08) — /app/web binary from the shared image`
			`# -------------------------------------------------------------------------`
			`web:`
			`image: ${IMAGE:-ghcr.io/yourusername/xtablo}:${TAG:-latest}`
			`command: /app/web`
			`restart: unless-stopped`
			`env_file: .env.prod`
			`depends_on:`
			`postgres:`
			`condition: service_healthy`
			`expose:`
			`- "8080"`
			# No `ports:` — Caddy handles all external traffic and reverse-proxies to web:8080.

			`# -------------------------------------------------------------------------`
			`# Background worker (D-08) — /app/worker binary from the same image`
			`# -------------------------------------------------------------------------`
			`worker:`
			`image: ${IMAGE:-ghcr.io/yourusername/xtablo}:${TAG:-latest}`
			`command: /app/worker`
			`restart: unless-stopped`
			`env_file: .env.prod`
			`depends_on:`
			`postgres:`
			`condition: service_healthy`
fix(07): replace minioadmin placeholder creds and add worker->web migration gate 2026-05-15 16:46:30 +00:00			`web:`
			`# Ensures web starts first so goose.Up() runs before the worker connects.`
			`# restart: unless-stopped means the worker self-heals if it races anyway.`
			`condition: service_started`
feat(07-03): add docker-compose.prod.yaml and deploy/Caddyfile - Production compose stack with postgres, web, worker, caddy services (D-01..D-04, D-08) - postgres service has no host ports binding (internal network only, T-07-09 mitigated) - web and worker use same image with different command: values (/app/web, /app/worker) - Both web and worker depend_on postgres with service_healthy condition (T-07-12 mitigated) - Caddy handles TLS via Let's Encrypt with persistent caddy_data and caddy_config volumes (D-04) - Caddyfile uses {$DOMAIN} env var interpolation for the site block (RESEARCH Pattern 6) - Caddyfile includes Let's Encrypt staging note to avoid rate limits (RESEARCH Pitfall 4) 2026-05-15 16:23:13 +00:00
			`# -------------------------------------------------------------------------`
			`# Caddy reverse proxy (D-04) — TLS termination via Let's Encrypt`
			`# -------------------------------------------------------------------------`
			`caddy:`
			`image: caddy:2-alpine`
			`restart: unless-stopped`
			`ports:`
			`- "80:80"`
			`- "443:443"`
			`- "443:443/udp"`
			`volumes:`
			`- ./deploy/Caddyfile:/etc/caddy/Caddyfile:ro`
			`- caddy_data:/data`
			`- caddy_config:/config`
			`depends_on:`
			`- web`

			`volumes:`
			`# Postgres data — persist across container restarts and upgrades.`
			`postgres_data:`

			`# Caddy TLS data — stores Let's Encrypt certificates.`
			`# Losing this volume forces certificate re-issuance and may hit LE rate limits.`
			`caddy_data:`

			`# Caddy runtime config — persists across Caddy restarts.`
			`caddy_config:`