fix(docker): harden production deployment config for all services
- Add resource limits (memory/CPU) and reservations for all services
- Add security hardening: read_only, no-new-privileges, tmpfs for temp dirs
- Add missing prod services: loki, promtail, pg-backup from dev compose
- Fix API healthcheck to include catch() for proper exit codes
- Add json-file logging driver with rotation limits across all services
- Remove exposed PostgreSQL port in prod (internal only)
- Add shm_size for PostgreSQL shared memory
- Add non-root user (appuser) to AI services Dockerfile
- Add --chown=node:node to COPY directives in API/Web Dockerfiles
- Harden .dockerignore: exclude IDE files, OS files, docker-compose files
- Fix Redis URL to include password authentication
- Add JWT_REFRESH_SECRET to API environment
- Add Grafana dependency on Loki for log datasource

Co-Authored-By: Paperclip <noreply@paperclip.ing>
@@ -2,16 +2,43 @@ node_modules
.next
dist
*.tsbuildinfo
# Version control
.git
.github
.husky
# Documentation and tests
docs
e2e
playwright-report
monitoring
*.md
!README.md
# Environment and secrets
.env*
!.env.example
# IDE and editor
.vscode
.idea
*.swp
*.swo
# Build caches
.eslintcache
coverage
.turbo
.cache
# OS files
.DS_Store
Thumbs.db
# Docker files (avoid recursive context)
docker-compose*.yml
monitoring
# Dev tools
scripts/backup
*.log
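Review bot: the `.env*` / `!.env.example` pair in this hunk (and likewise `*.log`, `*.swp`, `*.swo`, `*.tsbuildinfo`, `node_modules`, `coverage`) only matches at the root of the build context, because a .dockerignore pattern without a leading `**/` is anchored there; in a workspace with per-service package directories (this commit touches the API, Web and AI service Dockerfiles) a service-level `.env` below the root would still be copied into an image layer by a `COPY . .`. Suggest `**/.env*` followed by `!**/.env.example`, and `**/node_modules`, so the exclusion holds at every depth. Two smaller points: `monitoring` is listed twice (under "# Documentation and tests" and again under "# Docker files (avoid recursive context)"), and `scripts/backup` is now excluded from the context while this commit also adds the pg-backup service, so please confirm no Dockerfile built from this context COPYs from that directory.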