mirror of
https://github.com/johndoe6345789/metabuilder.git
synced 2026-04-25 22:34:56 +00:00
johndoe6345789
ac6f35d128
- Add comprehensive GitHub Actions workflow for WorkflowUI builds and deployments * Quality checks: TypeScript type-check, lint, build, tests * Security scanning: npm audit and Trivy vulnerability scanning * Docker build: Multi-architecture (amd64, arm64) with SBOM generation * Test deployment: Validates docker-compose and health checks * PR notifications with build status - Create Docker deployment guide (DOCKER.md) covering: * Quick start and configuration * Building and pushing to registries * Persistent data and backup strategies * Performance tuning and monitoring * Production security checklist * Nginx reverse proxy configuration * Troubleshooting procedures - Add production docker-compose override (docker-compose.prod.yml): * Resource limits (2GB memory, 2 CPU) * Security hardening (capabilities, read-only filesystems, non-root user) * Secrets management for NEXTAUTH_SECRET * Enhanced health checks with proper timeouts * JSON logging with rotation - Add environment configuration template (.env.example): * All configurable variables documented * NextAuth, Flask, database, SMTP, security settings * Development and feature flag options * Example values for common configurations Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
163 lines
3.6 KiB
YAML
163 lines
3.6 KiB
YAML
# Production-grade Docker Compose configuration
|
|
# Usage: docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
|
|
|
|
version: '3.8'
|
|
|
|
services:
|
|
workflowui:
|
|
# Image from container registry
|
|
image: ghcr.io/yourusername/metabuilder/workflowui:latest
|
|
|
|
# Resource limits
|
|
mem_limit: 2g
|
|
memswap_limit: 4g
|
|
cpus: '2.0'
|
|
|
|
# Restart policy
|
|
restart: always
|
|
|
|
# Enhanced health check
|
|
healthcheck:
|
|
test: ["CMD", "sh", "-c", "wget --quiet --tries=1 --spider http://localhost:3000/api/health && wget --quiet --tries=1 --spider http://localhost:5000/api/health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 60s
|
|
|
|
# Logging
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "10m"
|
|
max-file: "3"
|
|
labels: "service=workflowui"
|
|
|
|
# Security options
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- NET_BIND_SERVICE
|
|
|
|
# Read-only root filesystem (for base OS)
|
|
read_only: false # Set to true after testing - backend needs write access to /app/data and /app/logs
|
|
|
|
# User context
|
|
user: "1000:1000" # Non-root user (if configured in Dockerfile)
|
|
|
|
# Environment
|
|
environment:
|
|
- NODE_ENV=production
|
|
- FLASK_ENV=production
|
|
- NEXTAUTH_URL=https://workflowui.example.com
|
|
- NEXTAUTH_SECRET_FILE=/run/secrets/nextauth_secret
|
|
- DATABASE_URL=/app/data/workflows.db
|
|
|
|
# Secrets (use Docker Secrets in Swarm mode)
|
|
secrets:
|
|
- nextauth_secret
|
|
|
|
# Volumes with read-only options where possible
|
|
volumes:
|
|
- workflowui-data:/app/data
|
|
- workflowui-logs:/app/logs
|
|
|
|
# Network
|
|
networks:
|
|
- metabuilder-network
|
|
|
|
# Labels for monitoring/orchestration
|
|
labels:
|
|
app: "workflowui"
|
|
version: "1.0"
|
|
environment: "production"
|
|
monitoring: "true"
|
|
|
|
smtp-relay:
|
|
# Use stable tag for production
|
|
image: ghcr.io/yourusername/metabuilder/smtp-relay:latest
|
|
|
|
# Resource limits
|
|
mem_limit: 512m
|
|
memswap_limit: 1g
|
|
cpus: '0.5'
|
|
|
|
# Restart policy
|
|
restart: always
|
|
|
|
# Health check
|
|
healthcheck:
|
|
test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 20s
|
|
|
|
# Logging
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "5m"
|
|
max-file: "2"
|
|
labels: "service=smtp-relay"
|
|
|
|
# Security options
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- NET_BIND_SERVICE
|
|
|
|
# Environment
|
|
environment:
|
|
- SMTP_LISTEN_HOST=0.0.0.0
|
|
- SMTP_LISTEN_PORT=2525
|
|
- HTTP_LISTEN_HOST=127.0.0.1 # Only expose to localhost in production
|
|
- HTTP_LISTEN_PORT=8080
|
|
- GMAIL_USERNAME=${GMAIL_USERNAME}
|
|
- GMAIL_APP_PASSWORD=${GMAIL_APP_PASSWORD}
|
|
- FORWARD_TO=${FORWARD_TO}
|
|
- ALLOW_ANY_RCPT=false
|
|
- ADD_X_HEADERS=true
|
|
- MAX_STORE=1000
|
|
|
|
# Network
|
|
networks:
|
|
- metabuilder-network
|
|
|
|
# Labels
|
|
labels:
|
|
app: "smtp-relay"
|
|
version: "1.0"
|
|
environment: "production"
|
|
|
|
volumes:
|
|
workflowui-data:
|
|
driver: local
|
|
driver_opts:
|
|
type: tmpfs # Use local storage
|
|
o: size=1gb
|
|
labels:
|
|
backup: "daily"
|
|
retention: "30d"
|
|
|
|
workflowui-logs:
|
|
driver: local
|
|
driver_opts:
|
|
type: tmpfs
|
|
o: size=500m
|
|
|
|
networks:
|
|
metabuilder-network:
|
|
driver: bridge
|
|
driver_opts:
|
|
com.docker.network.driver.mtu: 1500
|
|
labels:
|
|
environment: "production"
|
|
|
|
secrets:
|
|
nextauth_secret:
|
|
external: true # Created separately: echo "your-secret" | docker secret create nextauth_secret -
|