- Removed privileged: true from docker-compose.yml - Removed SYS_MODULE cap_add (kept NET_ADMIN for WireGuard) - Removed source code bind mounts (./src, package.json) - Removed wg0.conf and resolv.conf bind mounts (now generated from env) - Added resource limits: mem_limit 512m, cpus 1.0 - Added healthcheck with curl - Added non-root user appuser:appgroup in Dockerfile - wg0.conf now generated from env vars at container startup (WG_PRIVATE_KEY, etc.) - resolv.conf generated from WG_DNS env var - Rotated wg0.conf — private key removed from file - Added WG_ALLOWED_IPS to .env.example SECURITY: Rotate WireGuard keys on server if previously used in production
version: "3.3"
|
|
services:
|
|
telegram_shop_prod:
|
|
build:
|
|
context: .
|
|
dockerfile: ./Dockerfile
|
|
hostname: telegram_shop_prod
|
|
container_name: telegram_shop_prod
|
|
restart: always
|
|
env_file:
|
|
- .env
|
|
volumes:
|
|
- ./db:/app/db/ # Синхронизация базы данных (persistence)
|
|
- ./wg/start.sh:/app/start.sh # Монтируем start.sh (генерирует wg0.conf из env)
|
|
cap_add: # Минимальные привилегии, необходимые только для WireGuard
|
|
- NET_ADMIN
|
|
sysctls:
|
|
- net.ipv4.conf.all.src_valid_mark=1 # Необходимо для маршрутизации
|
|
mem_limit: 512m
|
|
cpus: "1.0"
|
|
healthcheck:
|
|
test: ["CMD", "curl", "-f", "http://localhost:3000/health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 60s
|
|
networks:
|
|
default:
|