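---
# Staging environment - localhost:3000 for testing before production.
#
# REDIS_PASSWORD must be supplied by the environment (or a .env file next
# to this compose file). The `${VAR:?msg}` form makes Compose refuse to
# start when it is unset or empty, instead of silently falling back to a
# well-known default password shared by every deployment.
services:
  # Reverse proxy (internal only)
  nginx-proxy:
    image: nginx:alpine
    container_name: blog_nginx_staging
    restart: unless-stopped
    ports:
      # Bound to loopback only, so it is not reachable from other hosts
      # (same port as cpta_app since they run separately).
      - "127.0.0.1:3000:80"
    volumes:
      - ./deployment/nginx/staging-proxy.conf:/etc/nginx/nginx.conf:ro
    depends_on:
      - blog-frontend
    networks:
      - proxy_network
    # Security hardening: same baseline as blog-frontend, which also runs
    # nginx and has been working with this capability set.
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
      - CHOWN
      - SETUID
      - SETGID

  # Redis for rate limiting
  redis:
    image: redis:7-alpine
    container_name: blog_redis_staging
    restart: unless-stopped
    # NOTE: --requirepass on the command line is visible in the container's
    # process list; a mounted redis.conf would keep it out of `ps` output.
    command: >-
      redis-server
      --requirepass ${REDIS_PASSWORD:?REDIS_PASSWORD must be set}
      --maxmemory 256mb
      --maxmemory-policy allkeys-lru
      --appendonly yes
      --appendfilename "appendonly.aof"
      --auto-aof-rewrite-percentage 100
      --auto-aof-rewrite-min-size 64mb
    environment:
      # Read by redis-cli in the healthcheck, so the password is not
      # repeated on the healthcheck command line.
      - REDISCLI_AUTH=${REDIS_PASSWORD:?REDIS_PASSWORD must be set}
    volumes:
      - redis_data:/data
    ports:
      # Exposed to localhost for development mode (4-terminal workflow);
      # loopback-only, so not reachable from other hosts.
      - "127.0.0.1:6379:6379"
    networks:
      - backend_network
    security_opt:
      - no-new-privileges:true
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 3s
      retries: 3

  # Backend API
  blog-backend:
    build:
      context: ./backend
      dockerfile: Dockerfile
    container_name: blog_backend_staging
    env_file:
      - ./backend/.env
    restart: unless-stopped
    depends_on:
      # Wait until Redis answers PING, not merely until its container starts;
      # otherwise the redis healthcheck above is never used for ordering.
      redis:
        condition: service_healthy
    environment:
      - FLASK_ENV=staging
      - REDIS_URL=redis://:${REDIS_PASSWORD:?REDIS_PASSWORD must be set}@redis:6379/0
    networks:
      - frontend_network
      - backend_network
    expose:
      - "8000"
    # Security hardening
    read_only: true
    tmpfs:
      - /tmp
      - /app/backend/__pycache__:uid=1000,gid=1000
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE

  # Frontend (nginx serving React)
  blog-frontend:
    build:
      context: ./frontend
      dockerfile: Dockerfile
    container_name: blog_frontend_staging
    restart: unless-stopped
    depends_on:
      - blog-backend
    networks:
      - proxy_network
      - frontend_network
    expose:
      - "80"
    # Security hardening
    read_only: true
    tmpfs:
      - /var/cache/nginx
      - /var/run
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
      - CHOWN
      - SETUID
      - SETGID

networks:
  proxy_network:
    name: blog_staging_proxy_network
    driver: bridge
  frontend_network:
    name: blog_staging_frontend_network
    driver: bridge
    internal: false
  # Network for backend-redis communication.
  # Note: internal: false allows port mapping for development mode
  # (4-terminal workflow); with internal: true the loopback port
  # publication above would not work.
  backend_network:
    name: blog_staging_backend_network
    driver: bridge
    internal: false

volumes:
  redis_data:
    name: blog_staging_redis_data
    driver: local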