OpenSPP
diff --git a/‎.gitignore‎
Lines changed: 4 additions & 0 deletions b/‎.gitignore‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎docker/.env.production.example‎
Lines changed: 33 additions & 10 deletions b/‎docker/.env.production.example‎
Lines changed: 33 additions & 10 deletions
diff --git a/‎docker/README.md‎
Lines changed: 146 additions & 12 deletions b/‎docker/README.md‎
Lines changed: 146 additions & 12 deletions
@@ -98,10 +98,14 @@ static/security/
 docker-compose.override.yml
 
 # Production environment files (contain secrets)
+docker/.env
 docker/.env.production
 .env.production
 .env.local
 
+# Fluentd runtime log output
+docker/fluentd/log/
+
 # act (local GitHub Actions runner)
 .act-secrets
 .actrc
 
@@ -5,6 +5,21 @@
 #
 # SECURITY: Never commit .env.production to version control!
 
+# =============================================================================
+# COMPOSE PROFILE - Choose deployment mode
+# =============================================================================
+# Nginx mode (choose one):
+#   https = Nginx with SSL + Certbot (production)
+#   http  = Nginx HTTP only, no SSL (dev / isolated on-premises)
+# Optional add-ons (comma-separated):
+#   clamav = ClamAV antivirus scanning (adds ~1GB RAM)
+#
+# Examples:
+#   COMPOSE_PROFILES=https            # HTTPS only
+#   COMPOSE_PROFILES=https,clamav     # HTTPS + antivirus
+#   COMPOSE_PROFILES=http             # HTTP only (dev)
+COMPOSE_PROFILES=https
+
 # =============================================================================
 # REQUIRED - You must set these values
 # =============================================================================
@@ -60,13 +75,21 @@ DB_SSLMODE=prefer
 # Number of Odoo workers (rule: (CPU cores * 2) + 1; ~1 worker per 6 concurrent users)
 ODOO_WORKERS=2
 
+# CPU limits (number of cores)
+ODOO_CPU_LIMIT=2
+DB_CPU_LIMIT=2
+QUEUE_CPU_LIMIT=1
+NGINX_CPU_LIMIT=1
+
 # Memory limits (Docker format: 512M, 1G, 2G, etc.)
 ODOO_MEMORY_LIMIT=4G
 ODOO_MEMORY_RESERVATION=2G
 DB_MEMORY_LIMIT=4G
 DB_MEMORY_RESERVATION=2G
 QUEUE_MEMORY_LIMIT=2G
 QUEUE_MEMORY_RESERVATION=1G
+NGINX_MEMORY_LIMIT=256M
+NGINX_MEMORY_RESERVATION=64M
 
 # Per-worker memory limits (in bytes)
 # Soft: worker recycled when exceeded
@@ -108,6 +131,13 @@ ODOO_INIT_MODULES=spp_base
 # Log level: debug, info, warn, error, critical
 LOG_LEVEL=warn
 
+# Fluentd log output path (Nginx stack only)
+# Host path where Fluentd writes collected logs when using the local/file backend.
+# Can be a local directory, an NFS mount, or any writable path on the host.
+# Not needed when using cloud backends (S3, GCS, Azure, MinIO).
+# Default: ./fluentd/log (relative to docker/ directory)
+FLUENTD_LOG_PATH=./fluentd/log
+
 # =============================================================================
 # BACKUPS
 # =============================================================================
@@ -117,18 +147,11 @@ LOG_LEVEL=warn
 BACKUP_SCHEDULE=0 2 * * *
 
 # =============================================================================
-# ANTIVIRUS (Optional - enable with --profile clamav)
+# ANTIVIRUS (enable with COMPOSE_PROFILES=https,clamav)
 # =============================================================================
 
-# Enable ClamAV antivirus scanning when:
-#   - Accepting file uploads from beneficiaries
-#   - Processing documents from external sources
-#   - Compliance requirements mandate it
-#
-# To enable: docker compose -f docker/docker-compose.production.yml --profile clamav up -d
-# Then install spp_attachment_av_scan module in Odoo
-
-# Memory limits for ClamAV (needs ~1GB for virus definitions)
+# ClamAV needs ~1GB RAM for virus definitions.
+# After enabling, install spp_attachment_av_scan module in Odoo.
 CLAMAV_MEMORY_LIMIT=1536M
 CLAMAV_MEMORY_RESERVATION=512M
 
 
@@ -19,25 +19,50 @@ See [Production Deployment](#production-deployment) below.
 
 ## Files
 
-| File                            | Description                                       |
-| ------------------------------- | ------------------------------------------------- |
-| `Dockerfile`                    | Multi-stage build for OpenSPP                     |
-| `docker-compose.production.yml` | Production stack (Traefik + Odoo + Queue Worker)  |
-| `.env.production.example`       | Production configuration template                 |
-| `entrypoint.sh`                 | Container entrypoint with database initialization |
-| `odoo.conf.template`            | Odoo configuration template                       |
-| `requirements.txt`              | Python dependencies beyond module manifests       |
-| `requirements-dev.txt`          | Development-only dependencies                     |
+| File                                 | Description                                       |
+| ------------------------------------ | ------------------------------------------------- |
+| `Dockerfile`                         | Multi-stage build for OpenSPP                     |
+| `docker-compose.production.yml`      | Production stack (Traefik + Odoo + Queue Worker)  |
+| `docker-compose.nginx.yml`           | Production stack (Nginx + Certbot + Fluentd)      |
+| `.env.production.example`            | Production configuration template                 |
+| `entrypoint.sh`                      | Container entrypoint with database initialization |
+| `odoo.conf.template`                 | Odoo configuration template                       |
+| `nginx/odoo.conf.template`           | Nginx HTTPS reverse proxy config (Odoo docs)      |
+| `nginx/odoo-http-only.conf.template` | Nginx HTTP-only reverse proxy config              |
+| `nginx/certbot-init.sh`              | Bootstrap script for initial SSL certificate      |
+| `fluentd/`                           | Fluentd log collection configs                    |
+| `backup.sh`                          | Automated PostgreSQL/PostGIS backup script        |
+| `backup-entrypoint.sh`               | Backup container entrypoint with cron scheduling  |
+| `requirements.txt`                   | Python dependencies beyond module manifests       |
+| `requirements-dev.txt`               | Development-only dependencies                     |
 
 ## Production Deployment
 
-### Architecture
+Two production compose files are available:
+
+| Compose file                    | Reverse proxy | SSL                       | Logging        |
+| ------------------------------- | ------------- | ------------------------- | -------------- |
+| `docker-compose.production.yml` | Traefik       | Let's Encrypt (automatic) | Docker default |
+| `docker-compose.nginx.yml`      | Nginx         | Certbot (Let's Encrypt)   | Fluentd        |
+
+### Architecture (Traefik)
 
 ```
 Internet -> Traefik (SSL) -> Odoo (workers) -> PostgreSQL
                           -> Queue Worker
 ```
 
+### Architecture (Nginx)
+
+```
+Internet -> Nginx (SSL) -> Odoo (workers) -> PostgreSQL
+                        -> Queue Worker
+         Certbot (certificate renewal)
+         Fluentd (log collection -> local/NFS, S3, GCS, Azure, MinIO)
+         ClamAV (antivirus, optional)
+         Backup (daily PostgreSQL dumps)
+```
+
 ### Requirements
 
 - VPS with Docker and Docker Compose v2
@@ -73,15 +98,106 @@ ODOO_ADMIN_PASSWD=<strong-random-password>
 3. **Start services:**
 
 ```bash
+# Traefik stack
 docker compose -f docker/docker-compose.production.yml up -d
+
+# Nginx stack (HTTPS)
+docker compose -f docker/docker-compose.nginx.yml --profile https up -d
 ```
 
 4. **View logs:**
 
 ```bash
 docker compose -f docker/docker-compose.production.yml logs -f odoo
+# or
+docker compose -f docker/docker-compose.nginx.yml logs -f odoo
+```
+
+### Nginx Profiles
+
+The Nginx compose file uses profiles to select the deployment mode:
+
+| Profile  | Services added        | Use case                               |
+| -------- | --------------------- | -------------------------------------- |
+| `https`  | Nginx (SSL) + Certbot | Production with HTTPS and auto-renewal |
+| `http`   | Nginx (HTTP only)     | Dev or isolated on-premises networks   |
+| `clamav` | ClamAV antivirus      | File upload scanning (~1GB extra RAM)  |
+
+Profiles can be combined:
+
+```bash
+# HTTPS + ClamAV
+docker compose -f docker/docker-compose.nginx.yml --profile https --profile clamav up -d
+
+# Or set in .env.production (no --profile flags needed):
+COMPOSE_PROFILES=https,clamav
+```
+
+HTTP-only mode (no SSL, no Certbot):
+
+```bash
+docker compose -f docker/docker-compose.nginx.yml --profile http up -d
+```
+
+### Nginx SSL Certificate Setup
+
+1. **Obtain initial certificate** (HTTPS profile only):
+
+```bash
+docker compose -f docker/docker-compose.nginx.yml run --rm certbot \
+  certonly --webroot -w /var/www/certbot \
+  --email ${ACME_EMAIL} -d ${DOMAIN} --agree-tos --non-interactive
+
+# Reload nginx to pick up the new certificate
+docker compose -f docker/docker-compose.nginx.yml exec nginx nginx -s reload
 ```
 
+2. **Schedule renewal** via system cron (certificates expire every 90 days):
+
+```bash
+# Add to system crontab (runs monthly)
+0 3 1 * * cd /path/to/your/project && docker compose -f docker/docker-compose.nginx.yml run --rm certbot renew && docker compose -f docker/docker-compose.nginx.yml exec nginx nginx -s reload
+```
+
+### Nginx Security Hardening
+
+All services in the Nginx compose file include:
+
+- **Capability dropping:** `cap_drop: ALL` with minimal `cap_add` per service
+- **No privilege escalation:** `security_opt: no-new-privileges:true`
+- **Read-only filesystems:** `read_only: true` with targeted tmpfs mounts (where
+  possible)
+- **Resource limits:** CPU and memory limits on every service
+- **Log rotation:** `json-file` driver with 5MB/3-file rotation (15MB max per service)
+- **SELinux compatibility:** `:ro,z` and `:rw,z` volume flags
+
+Nginx adds: rate limiting, security headers (HSTS, CSP, X-Frame-Options), OCSP stapling,
+proxy buffering, `/web/database` blocking.
+
+### Centralized Logging with Fluentd (Nginx stack)
+
+The Nginx compose file includes Fluentd for centralized log collection. It uses file
+tailing (not Docker's log driver), so `docker compose logs` keeps working and logs are
+never lost if Fluentd goes down.
+
+**Default backend:** Local filesystem / NFS (`output-file.conf`)
+
+**Available backends:**
+
+| Backend          | Config file                  | Plugins required                        |
+| ---------------- | ---------------------------- | --------------------------------------- |
+| Local / NFS      | `output-file.conf` (default) | None (built-in)                         |
+| AWS S3           | `output-s3.conf.example`     | fluent-plugin-s3                        |
+| Google Cloud GCS | `output-gcs.conf.example`    | fluent-plugin-gcs                       |
+| Azure Blob       | `output-azure.conf.example`  | fluent-plugin-azure-storage-append-blob |
+| MinIO            | `output-minio.conf.example`  | fluent-plugin-s3                        |
+
+To switch backends:
+
+1. Edit `docker/fluentd/fluent.conf` to `@include` the desired output config
+2. For cloud backends, uncomment the `build:` block in the fluentd service to install
+   plugins
+
 ### Using External Database (RDS/Cloud SQL)
 
 1. Set `DATABASE_URL` in `.env.production`:
@@ -90,7 +206,7 @@ docker compose -f docker/docker-compose.production.yml logs -f odoo
 DATABASE_URL=postgres://user:password@hostname:5432/openspp?sslmode=require
 ```
 
-2. Comment out or remove the `db` service in `docker-compose.production.yml`
+2. Comment out or remove the `db` service in the compose file
 
 3. Update `depends_on` in `odoo` and `queue-worker` services
 
@@ -140,8 +256,11 @@ ClamAV antivirus scanning is available as an optional profile. Enable it when:
 **Enable ClamAV:**
 
 ```bash
-# Start with ClamAV profile
+# Traefik stack
 docker compose -f docker/docker-compose.production.yml --profile clamav up -d
+
+# Nginx stack
+docker compose -f docker/docker-compose.nginx.yml --profile https --profile clamav up -d
 ```
 
 **Configure Odoo:**
@@ -172,6 +291,7 @@ docker compose -f docker/docker-compose.production.yml exec clamav clamscan --ve
 
 | Variable            | Description                           |
 | ------------------- | ------------------------------------- |
+| `COMPOSE_PROFILES`  | Deployment profile (Nginx stack only) |
 | `DB_PASSWORD`       | PostgreSQL password                   |
 | `ODOO_ADMIN_PASSWD` | Odoo admin/master password            |
 | `DOMAIN`            | Domain name (production only)         |
@@ -199,6 +319,20 @@ docker compose -f docker/docker-compose.production.yml exec clamav clamscan --ve
 | `ODOO_TIME_CPU`     | 600        | CPU time limit per request (seconds)  |
 | `ODOO_TIME_REAL`    | 1200       | Real time limit per request (seconds) |
 
+### Resource Limits (Nginx stack)
+
+| Variable              | Default | Description               |
+| --------------------- | ------- | ------------------------- |
+| `ODOO_CPU_LIMIT`      | 2       | Odoo CPU cores            |
+| `ODOO_MEMORY_LIMIT`   | 4G      | Odoo memory limit         |
+| `DB_CPU_LIMIT`        | 2       | PostgreSQL CPU cores      |
+| `DB_MEMORY_LIMIT`     | 4G      | PostgreSQL memory limit   |
+| `QUEUE_CPU_LIMIT`     | 1       | Queue worker CPU cores    |
+| `QUEUE_MEMORY_LIMIT`  | 2G      | Queue worker memory limit |
+| `NGINX_CPU_LIMIT`     | 1       | Nginx CPU cores           |
+| `NGINX_MEMORY_LIMIT`  | 256M    | Nginx memory limit        |
+| `CLAMAV_MEMORY_LIMIT` | 1536M   | ClamAV memory limit       |
+
 ### Logging
 
 | Variable    | Default | Description                       |