- .gitea/workflows/deploy.yml: trigger on pull_request to main so PRs
get test feedback; gate build-and-push + deploy on push events so
PRs only run the test jobs (no registry push, no SSH deploy).
- docker-compose.yml: change `${POSTGRES_PASSWORD:-mangalord}` to
`${POSTGRES_PASSWORD:?...}` so a deploy without an .env fails fast
instead of booting Postgres with a known-default credential.
- .env.example: change the example value to a "change-me" sentinel,
add a banner explaining that production needs HTTPS in front of
the frontend container because COOKIE_SECURE=true makes browsers
refuse cookies over plain HTTP.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
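# Production-like compose. Requires a populated `.env` next to this file.
#
# POSTGRES_PASSWORD must be set there: the `${VAR:?message}` form used
# below makes Compose abort with the message when the variable is unset
# or empty. It does NOT check the value itself, so a placeholder copied
# unchanged from .env.example still passes -- replace it with a unique,
# randomly generated secret before deploying.
#
# The frontend container expects HTTPS in front (Caddy/Traefik/nginx):
# with COOKIE_SECURE=true browsers refuse to send the session cookie
# over plain HTTP.
services:
  postgres:
    # Mutable tag: a later pull can resolve to a different image. Pin by
    # digest if deploys need to be reproducible.
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: ${POSTGRES_USER:-mangalord}
      # No fallback on purpose: a missing password stops the deploy
      # instead of starting Postgres with a known-default credential.
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in .env}
      POSTGRES_DB: ${POSTGRES_DB:-mangalord}
    volumes:
      - postgres-data:/var/lib/postgresql/data
    # No `ports:` entry: the database is reachable only from other
    # containers on the Compose network, not from the host.
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mangalord}"]
      interval: 5s
      timeout: 5s
      retries: 10

  backend:
    build: ./backend
    depends_on:
      # Wait for the postgres healthcheck to pass, not just for the
      # container to start.
      postgres:
        condition: service_healthy
    environment:
      # The password is interpolated verbatim into the URL. Characters
      # that are special in a URL (such as `@`, `:`, `/`, `?`, `#`) would
      # presumably need percent-encoding here -- confirm against the
      # backend's URL parser, or restrict the secret to URL-safe
      # characters. The resolved value is also visible in the container's
      # environment (e.g. via `docker inspect`).
      DATABASE_URL: postgres://${POSTGRES_USER:-mangalord}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in .env}@postgres:5432/${POSTGRES_DB:-mangalord}
      # Listens on all interfaces inside the container; the port is not
      # published to the host (see `expose` below).
      BIND_ADDRESS: 0.0.0.0:8080
      STORAGE_DIR: /var/lib/mangalord/storage
      # NOTE(review): the default enables debug-level logging for the
      # mangalord target; confirm it does not log credentials or session
      # tokens before relying on it in production.
      RUST_LOG: ${RUST_LOG:-info,mangalord=debug}
      # Auth / cookies — see .env.example for context. COOKIE_SECURE
      # defaults to true; override it only for local plain-HTTP
      # development, never for a deployment reachable by others.
      COOKIE_SECURE: ${COOKIE_SECURE:-true}
      COOKIE_DOMAIN: ${COOKIE_DOMAIN:-}
      SESSION_TTL_DAYS: ${SESSION_TTL_DAYS:-30}
      # CORS — same-origin by default; populate when serving the API on
      # a different host than the frontend, listing only the exact
      # origins that need access.
      CORS_ALLOWED_ORIGINS: ${CORS_ALLOWED_ORIGINS:-}
      # Upload limits, in bytes.
      MAX_REQUEST_BYTES: ${MAX_REQUEST_BYTES:-209715200}  # 200 MiB
      MAX_FILE_BYTES: ${MAX_FILE_BYTES:-20971520}  # 20 MiB
    volumes:
      - storage-data:/var/lib/mangalord/storage
    # No host port mapping in the default setup — the frontend proxies
    # /api/* through its hooks.server.ts. Publish :8080 to the host only
    # if you want to hit the API directly (e.g., bot scripts during
    # development).
    expose:
      - "8080"

  frontend:
    build: ./frontend
    depends_on:
      - backend
    environment:
      # SvelteKit's hooks.server.ts proxies /api/* to this URL so the
      # browser only ever talks to :3000 and cookies stay same-origin.
      BACKEND_URL: http://backend:8080
    # Published on every host interface as plain HTTP. When the TLS
    # reverse proxy runs on the same host, binding to loopback
    # ("127.0.0.1:3000:3000") or firewalling :3000 keeps clients from
    # bypassing the proxy.
    ports:
      - "3000:3000"

volumes:
  postgres-data:
  storage-data: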