techblog_cms/docker-compose.yml at main · dendencat/techblog_cms · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
services:
  # Load Balancer - Nginx
  nginx:
    build:
      context: .
      dockerfile: Dockerfile.nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx/conf.d:/etc/nginx/conf.d
      - ./nginx/ssl:/etc/nginx/ssl
      - static_volume:/var/www/static
      - media_volume:/var/www/media
      - certbot_etc:/etc/letsencrypt
      - certbot_var:/var/lib/letsencrypt
      - webroot:/var/www/certbot
    user: root
    depends_on:
      - django
    networks:
      - techblog_network
    restart: always
    environment:
      - NGINX_ENVSUBST_TEMPLATE_DIR=/etc/nginx/conf.d
      - NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx/conf.d
      - NGINX_HOST=localhost
    deploy:
      resources:
        limits:
          cpus: "0.25"
          memory: 128M
    healthcheck:
      test: ["CMD", "nginx", "-t"]
      interval: 30s
      timeout: 10s
      retries: 3
    # Security: Using official image, regularly update to patch vulnerabilities.
    # Enforces HTTPS and adds security headers.

  # Web Application - Django with Gunicorn
  django:
    build:
      context: .
      dockerfile: Dockerfile.django
    volumes:
      - .:/app
      - logs:/app/logs
      - static_volume:/app/static
      - media_volume:/app/media
    expose:
      - 8000
    environment:
      SECRET_KEY: ${SECRET_KEY}  # Loaded from .env file
      DEBUG: ${DEBUG:-False}
      ALLOWED_HOSTS: ${ALLOWED_HOSTS:-localhost,127.0.0.1}
      # Prefer passing through DATABASE_URL from .env to avoid duplication
      DATABASE_URL: ${DATABASE_URL}
      # Pass through REDIS_URL so URL-encoded credentials remain intact
      REDIS_URL: ${REDIS_URL:-redis://redis:6379/0}
      DJANGO_SETTINGS_MODULE: techblog_cms.settings
      PYTHONPATH: /app
      DJANGO_ENV: production
      REDIS_PASSWORD: ${REDIS_PASSWORD}
    depends_on:
      - db
      - redis
    networks:
      - techblog_network
    restart: always
    user: appuser
    deploy:
      resources:
        limits:
          cpus: "0.50"
          memory: 512M
    # Security: Runs the application as a non-root user.
    # Environment variables for sensitive settings.
    healthcheck:
      test: ["CMD", "python", "-c", "import requests; requests.get('http://localhost:8000/health/')"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

  # Database - PostgreSQL
  db:
    image: postgres:16-alpine
    volumes:
      - db_data:/var/lib/postgresql/data # Persist data
      - ./docker/init-db.sh:/docker-entrypoint-initdb.d/init-db.sh
    environment:
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      POSTGRES_DB: ${POSTGRES_DB}
      # Optional app-specific DB credentials used by init-db.sh
      APP_DB_USER: ${APP_DB_USER:-}
      APP_DB_PASSWORD: ${APP_DB_PASSWORD:-}
      APP_DB_NAME: ${APP_DB_NAME:-}
    networks:
      - techblog_network
    restart: always
    user: postgres
    deploy:
      resources:
        limits:
          cpus: "0.50"
          memory: 512M
    # Security: Uses a specific PostgreSQL version.
    # Environment variables for credentials.

  # Caching - Redis
  redis:
    image: redis:7-alpine
    command: redis-server --requirepass ${REDIS_PASSWORD:-your_redis_password} # Set a password
    ports:
      - "6379:6379"
    networks:
      techblog_network:
        aliases:
          - cache
    restart: always
    user: redis
    deploy:
      resources:
        limits:
          cpus: "0.25"
          memory: 256M
    # Security: Requires a password for authentication.
    # Consider network restrictions for enhanced security.

  # Static Files Server
  static:
    image: nginx:alpine
    volumes:
      - static_volume:/usr/share/nginx/html
    ports:
      - "8080:80"
    networks:
      - techblog_network
    restart: unless-stopped
    user: root
    deploy:
      resources:
        limits:
          cpus: "0.25"
          memory: 128M

  certbot:
    image: certbot/certbot:latest
    volumes:
      - ./nginx/ssl:/etc/nginx/ssl:rw
      - certbot_etc:/etc/letsencrypt:rw
      - certbot_var:/var/lib/letsencrypt
      - webroot:/var/www/certbot
    user: root
    entrypoint: "/bin/sh"
    command: >
      -c 'trap exit TERM; while :; do
      certbot renew --webroot -w /var/www/certbot --deploy-hook "cp -fL /etc/letsencrypt/live/${DOMAIN:-blog.iohub.link}/* /etc/nginx/ssl/ && chmod 644 /etc/nginx/ssl/*.pem" --quiet &&
      sleep 12h & wait $${!};
      done'
    restart: unless-stopped
    environment:
      - DOMAIN=blog.iohub.link

networks:
  techblog_network:
    driver: bridge

volumes:
  db_data:
  static_volume:
  logs:
    driver: local
  media_volume:
    driver: local
  certbot_etc:
  certbot_var:
  webroot: