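# ── Production Compose Overlay ─────────────────────────────────────────────────
#
# Usage:
#   make docker-prod    # build + start with prod settings
#   docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
#
# Differences from dev:
#   - Runs as non-root user (timmy) from Dockerfile
#   - No bind mounts — uses image-baked source only
#   - Named volumes only (no host path dependencies)
#   - Read-only root filesystem with tmpfs for /tmp
#   - Resource limits enforced
#   - Secrets passed via environment variables (set in .env)
#
# Security note: Set all secrets in .env before deploying.
#   Required:    L402_HMAC_SECRET, L402_MACAROON_SECRET
#   Recommended: TASKOSAUR_JWT_SECRET, TASKOSAUR_ENCRYPTION_KEY
#
# Nothing in this overlay enforces that the required variables are set;
# Compose's `${VAR:?message}` interpolation form makes startup fail when a
# variable is missing. Keep .env out of version control and out of the image
# build context. Environment variables are readable via `docker inspect` and
# by every process in the container; file-mounted Compose `secrets:` avoid
# that exposure.
#
# Merge caveat: Compose merges `volumes` lists by container mount path, so an
# overlay entry cannot remove a base-file mount that targets a different path.
# The `!override` tag below replaces the merged value outright so that base
# bind mounts do not survive into production. Older Compose releases do not
# understand the tag (TODO confirm the minimum version for your deployment).
# Check the effective configuration before deploying:
#   docker compose -f docker-compose.yml -f docker-compose.prod.yml config

services:

  dashboard:
    # Remove dev-only root user override — use Dockerfile's USER timmy.
    # NOTE(review): assumes an empty string falls back to the image's USER;
    # confirm the container's effective user after deployment.
    user: ""
    read_only: true
    tmpfs:
      - /tmp:size=100M
    # Override: named volume only, no host bind mounts.
    # `!override` drops the base file's ./src and ./static bind mounts
    # (use baked-in image files); a plain list here would only add to them.
    volumes: !override
      - timmy-data:/app/data
    environment:
      DEBUG: "false"
      TIMMY_ENV: "production"
    # NOTE(review): read_only is the only runtime hardening set here;
    # `cap_drop` and `security_opt: no-new-privileges` are left at the
    # base/engine defaults. Consider setting them if the app allows it.
    deploy:
      resources:
        limits:
          cpus: "2.0"
          memory: 2G

  celery-worker:
    # Same hardening as dashboard: image-defined user, read-only root,
    # tmpfs scratch space, and the named data volume as the only mount.
    user: ""
    read_only: true
    tmpfs:
      - /tmp:size=100M
    volumes: !override
      - timmy-data:/app/data
    deploy:
      resources:
        limits:
          cpus: "1.0"
          memory: 1G

# Override timmy-data to use a simple named volume (no host bind).
# Mappings are merged key by key, so without `!override` any `driver_opts`
# the base file declares for this volume (presumably the host bind) would
# be kept alongside `driver: local`.
volumes:
  timmy-data: !override
    driver: local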