Update Docker configuration and add Nginx virtual host setup

- Modify .dockerignore to exclude db directory but include migrations
- Update .gitignore to include .env and secrets
- Change ENTRYPOINT to CMD in Dockerfile for better flexibility
- Update PostgreSQL image version in compose.yaml
- Add Nginx virtual host configuration for production
- Add resource directory to pom.xml for Maven build
- Create .gitkeep file in secrets directory

Author: mcqueide

.dockerignore

@@ -63,4 +63,5 @@ pom.xml.tag
 pom.xml.versionsBackup
 release.properties
 replay_pid*
-**/db
+**/db
+!**/db/migration

.gitignore

@@ -31,3 +31,7 @@ build/
 
 ### VS Code ###
 .vscode/
+
+### Docker ###
+.env
+secrets/*.txt

Dockerfile

@@ -102,4 +102,4 @@ COPY --from=extract build/target/extracted/application/ ./
 
 EXPOSE 8080
 
-ENTRYPOINT [ "sh", "-c", "java $JAVA_OPTS -jar app.jar" ]
+CMD [ "sh", "-c", "java $JAVA_OPTS -jar app.jar" ]

compose.yaml

@@ -165,7 +165,7 @@ services:
   # ============================================================================
   nginx:
     image: nginx:1.29-alpine
-    container_name: production_nginx
+    container_name: nginx
 
     # Restart policy
     restart: unless-stopped
@@ -314,12 +314,9 @@ services:
   # POSTGRESQL - Database
   # ==========================================================================
   db:
-    image: postgres:18-alpine3.22
+    image: postgres:17-alpine3.22
     container_name: db
 
-    cap_drop:
-      - ALL
-    
     # Security
     security_opt:
       - no-new-privileges:true # Prevenir escalação
@@ -338,7 +335,7 @@ services:
     expose:
       - "5432"
 
-    # user: postgres
+    user: postgres
 
     # Secrets
     secrets:
@@ -361,7 +358,7 @@ services:
 
     # Healthcheck
     healthcheck:
-      test: [ "CMD-SHELL", "pg_isready -U -U $$(cat /run/secrets/db-user) -d ${POSTGRES_DB:-people}" ]
+      test: [ "CMD-SHELL", "pg_isready -U $$(cat /run/secrets/db-user) -d ${POSTGRES_DB:-people}" ]
       interval: 10s
       timeout: 5s
       retries: 5

nginx/conf.d/default.conf

@@ -0,0 +1,171 @@
+# ============================================================================
+# Configuração do Virtual Host - Produção
+# ============================================================================
+# 
+# ============================================================================
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name localhost;
+
+    # ========================================================================
+    # HEADERS DE SEGURANÇA
+    # ========================================================================
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "no-referrer-when-downgrade" always;
+    
+    # Content Security Policy (ajustar conforme necessário)
+    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+    
+    # HSTS (descomente quando usar HTTPS)
+    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    # ========================================================================
+    # HEALTHCHECK DO NGINX
+    # ========================================================================
+    location /health {
+        access_log off;
+        return 200 "healthy\n";
+        add_header Content-Type text/plain;
+    }
+
+    # ========================================================================
+    # PROXY PARA APLICAÇÃO NODE.JS
+    # ========================================================================
+    location / {
+        # Rate limiting
+        limit_req zone=general burst=20 nodelay;
+        limit_conn addr 10;
+
+        # Proxy headers
+        proxy_pass http://backend;
+        proxy_http_version 1.1;
+        
+        # Headers importantes para aplicação
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        
+        # WebSocket support (se necessário)
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+        
+        # Buffering
+        proxy_buffering on;
+        proxy_buffer_size 4k;
+        proxy_buffers 8 4k;
+        proxy_busy_buffers_size 8k;
+
+        # Keepalive
+        proxy_set_header Connection "";
+    }
+
+    # ========================================================================
+    # ROTA DE API COM RATE LIMITING DIFERENTE
+    # ========================================================================
+    location /api/ {
+        limit_req zone=api burst=50 nodelay;
+        limit_conn addr 20;
+
+        proxy_pass http://backend;
+        proxy_http_version 1.1;
+        
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        proxy_connect_timeout 30s;
+        proxy_send_timeout 30s;
+        proxy_read_timeout 30s;
+    }
+
+    # ========================================================================
+    # ARQUIVOS ESTÁTICOS (se houver)
+    # ========================================================================
+    location /static/ {
+        alias /usr/share/nginx/html/static/;
+        expires 30d;
+        add_header Cache-Control "public, immutable";
+    }
+
+    # ========================================================================
+    # NEGAÇÃO DE ACESSO A ARQUIVOS SENSÍVEIS
+    # ========================================================================
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    location ~ \.(env|git|svn)$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # ========================================================================
+    # ERRO PAGES
+    # ========================================================================
+    error_page 404 /404.html;
+    location = /404.html {
+        root /usr/share/nginx/html;
+        internal;
+    }
+
+    error_page 500 502 503 504 /50x.html;
+    location = /50x.html {
+        root /usr/share/nginx/html;
+        internal;
+    }
+}
+
+# ============================================================================
+# CONFIGURAÇÃO HTTPS (SSL/TLS) - Descomente quando tiver certificados
+# ============================================================================
+# server {
+#     listen 443 ssl http2;
+#     listen [::]:443 ssl http2;
+#     server_name localhost;
+# 
+#     # Certificados SSL
+#     ssl_certificate /etc/nginx/certs/cert.pem;
+#     ssl_certificate_key /etc/nginx/certs/key.pem;
+# 
+#     # Configuração SSL moderna
+#     ssl_protocols TLSv1.2 TLSv1.3;
+#     ssl_ciphers HIGH:!aNULL:!MD5;
+#     ssl_prefer_server_ciphers on;
+#     ssl_session_cache shared:SSL:10m;
+#     ssl_session_timeout 10m;
+# 
+#     # OCSP Stapling
+#     ssl_stapling on;
+#     ssl_stapling_verify on;
+# 
+#     # Headers de segurança
+#     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+#     
+#     # ... resto da configuração igual ao server HTTP
+# }
+
+# ============================================================================
+# Redirect HTTP para HTTPS (descomente quando usar SSL)
+# ============================================================================
+# server {
+#     listen 80;
+#     listen [::]:80;
+#     server_name localhost;
+#     return 301 https://$server_name$request_uri;
+# }

pom.xml

@@ -115,6 +115,12 @@
     </dependencies>
 
     <build>
+        <resources>
+            <resource>
+                <directory>src/main/resources</directory>
+            </resource>
+        </resources>
+
         <plugins>
             <plugin>
                 <groupId>org.springframework.boot</groupId>