docker-compose.yml
# =============================================================================
# Development Configuration
# Usage: make up (or: docker compose up)
# =============================================================================
# Hardening posture mirrors docker-compose.prod.yml (see #242) while keeping
# dev ergonomics: code bind mount, --reload, debug logging.
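services:
  # Development API container: uvicorn serves app.main:app with auto-reload
  # and debug logging, built from the repository root.
  epguides-api:
    build:
      context: .
    # 0.0.0.0 is the bind address *inside* the container, which a published
    # port needs; what the host exposes is decided by `ports` below.
    command: >
      uvicorn app.main:app
      --host 0.0.0.0
      --port 3000
      --reload
      --reload-dir /app/app
      --log-level debug
    ports:
      # Published on loopback only. A bare "3000:3000" binds every host
      # interface, which would put a reload-enabled, debug-logging server on
      # the local network. Drop the 127.0.0.1 prefix only when access from
      # other machines is intended.
      - "127.0.0.1:3000:3000"
    volumes:
      # The whole working tree is mounted read-write, so everything in it
      # (including .env) is readable and writable from inside the container.
      - ./:/app
    env_file:
      - .env
    environment:
      - PYTHONDONTWRITEBYTECODE=1
      - PYTHONUNBUFFERED=1
    # Start only after the redis healthcheck below reports healthy.
    depends_on:
      redis:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "python", "healthcheck.py"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    deploy:
      resources:
        limits:
          memory: 512M
        reservations:
          memory: 128M
    # read_only:false in dev — the bind mount at /app is writable for
    # --reload to pick up edits, and the .pytest_cache / __pycache__ that
    # uvicorn writes back into /app would fight a read-only root fs.
    # Other hardening flags still apply.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    stop_grace_period: 35s
    # Bounded log rotation so a chatty debug session cannot fill the disk.
    logging:
      driver: "json-file"
      options:
        max-size: "10m"
        max-file: "3"

  # Redis instance the API waits on. Memory-capped with LRU eviction; RDB
  # snapshots and AOF are both disabled, so nothing is persisted.
  redis:
    # NOTE(review): floating tag — pin a digest if reproducible pulls matter.
    image: redis:7-alpine
    command: >
      redis-server
      --maxmemory 256mb
      --maxmemory-policy allkeys-lru
      --save ""
      --appendonly no
    ports:
      # No --requirepass is configured, so any client that can reach this
      # port has full access to the data. Loopback keeps host-side tools
      # working; services on the compose network reach Redis by service name
      # and do not depend on this mapping.
      - "127.0.0.1:6379:6379"
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 5s
      timeout: 3s
      retries: 3
    deploy:
      resources:
        limits:
          memory: 300M
        reservations:
          memory: 64M
    cap_drop:
      - ALL
    # NOTE(review): presumably required for the image entrypoint to switch
    # to its unprivileged user — confirm before removing.
    cap_add:
      - SETUID
      - SETGID
    # Root filesystem is read-only; /tmp is the only writable path declared
    # here and is a size-capped tmpfs.
    read_only: true
    tmpfs:
      - /tmp:size=16M
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    stop_grace_period: 10s
    logging:
      driver: "json-file"
      options:
        max-size: "5m"
        max-file: "2"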