serienbrief_django/docker-compose.yml

# =============================================================================
# Serienbrief – Compose (Production)
# Ubuntu Server 22.04/24.04 LTS · Docker Engine 27.x · Compose v2
# =============================================================================
# Die App spricht intern nur HTTP. TLS terminiert ein vorgelagerter Nginx-
# Reverse-Proxy (außerhalb dieses Compose-Stacks, z.B. zentraler LAN-Proxy).
# Der hier enthaltene "nginx"-Service ist NUR ein App-interner Proxy für:
#   - Ausspielen von static/media über X-Accel-Redirect
#   - Connection-Pooling und einfache Rate-Limits
# =============================================================================

name: serienbrief

x-logging: &default-logging
  driver: "json-file"
  options:
    max-size: "10m"
    max-file: "5"
    tag: "{{.Name}}"

x-restart: &default-restart
  restart: unless-stopped

x-security-opts: &default-security-opts
  security_opt:
    - no-new-privileges:true

services:
  # ---------------------------------------------------------------------------
  # App-interner Nginx – nimmt Traffic vom äußeren Proxy entgegen (HTTP).
  # Hört nur auf Loopback bzw. dem konfigurierten LAN-Bind.
  # ---------------------------------------------------------------------------
  nginx:
    image: nginx:1.27-alpine
    <<: [*default-restart, *default-security-opts]
    depends_on:
      web:
        condition: service_healthy
    ports:
      # Standardmäßig nur lokal – der externe Proxy spricht über das Docker-
      # Host-Interface. Für direkten LAN-Zugriff LAN_BIND_IP in .env setzen.
      - "${APP_BIND_IP:-127.0.0.1}:${APP_BIND_PORT:-8080}:80"
    volumes:
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./nginx/conf.d:/etc/nginx/conf.d:ro
      - static_files:/var/www/static:ro
      - media_files:/var/www/media:ro
      - nginx_cache:/var/cache/nginx
      - nginx_run:/var/run
    networks:
      - frontend
    logging: *default-logging
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://127.0.0.1/healthz"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    deploy:
      resources:
        limits:
          memory: 128M
          cpus: "0.5"

  # ---------------------------------------------------------------------------
  # Django – Gunicorn WSGI
  # ---------------------------------------------------------------------------
  web:
    build:
      context: ./app
      dockerfile: Dockerfile
      target: runtime
      args:
        APP_UID: ${APP_UID:-10001}
        APP_GID: ${APP_GID:-10001}
    image: serienbrief/web:${APP_VERSION:-latest}
    <<: [*default-restart, *default-security-opts]
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_healthy
    env_file: .env
    environment:
      DJANGO_SETTINGS_MODULE: config.settings.production
      ROLE: web
    volumes:
      - static_files:/app/staticfiles
      - media_files:/app/media
    networks:
      - frontend
      - backend
    logging: *default-logging
    healthcheck:
      test: ["CMD", "python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://127.0.0.1:8000/healthz', timeout=3).status==200 else 1)"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 30s
    read_only: true
    tmpfs:
      - /tmp:size=256M,mode=1777
    deploy:
      resources:
        limits:
          memory: 1G
          cpus: "1.5"

  # ---------------------------------------------------------------------------
  # Celery Worker – DOCX→PDF-Generierung
  # ---------------------------------------------------------------------------
  worker:
    image: serienbrief/web:${APP_VERSION:-latest}
    <<: [*default-restart, *default-security-opts]
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_healthy
      web:
        condition: service_started
    env_file: .env
    environment:
      DJANGO_SETTINGS_MODULE: config.settings.production
      ROLE: worker
    command: ["celery", "-A", "config", "worker", "--loglevel=info", "--concurrency=2", "--max-tasks-per-child=50"]
    volumes:
      - media_files:/app/media
    networks:
      - backend
    logging: *default-logging
    healthcheck:
      test: ["CMD-SHELL", "celery -A config inspect ping -d celery@$$HOSTNAME || exit 1"]
      interval: 60s
      timeout: 10s
      retries: 3
      start_period: 30s
    read_only: true
    tmpfs:
      - /tmp:size=512M,mode=1777
    deploy:
      resources:
        limits:
          memory: 2G
          cpus: "2.0"

  # ---------------------------------------------------------------------------
  # Celery Beat – Scheduler (Retention, Cleanup)
  # ---------------------------------------------------------------------------
  beat:
    image: serienbrief/web:${APP_VERSION:-latest}
    <<: [*default-restart, *default-security-opts]
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_healthy
    env_file: .env
    environment:
      DJANGO_SETTINGS_MODULE: config.settings.production
      ROLE: beat
    command: ["celery", "-A", "config", "beat", "--loglevel=info", "--scheduler", "django_celery_beat.schedulers:DatabaseScheduler"]
    networks:
      - backend
    logging: *default-logging
    read_only: true
    tmpfs:
      - /tmp:size=64M,mode=1777
    deploy:
      resources:
        limits:
          memory: 256M
          cpus: "0.3"

  # ---------------------------------------------------------------------------
  # PostgreSQL
  # ---------------------------------------------------------------------------
  db:
    image: postgres:16-alpine
    <<: [*default-restart, *default-security-opts]
    environment:
      POSTGRES_DB: ${POSTGRES_DB}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
      PGDATA: /var/lib/postgresql/data/pgdata
    secrets:
      - postgres_password
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - ./postgres/init:/docker-entrypoint-initdb.d:ro
    networks:
      - backend
    logging: *default-logging
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 20s
    shm_size: 256mb
    deploy:
      resources:
        limits:
          memory: 1G
          cpus: "1.0"

  # ---------------------------------------------------------------------------
  # Redis – Celery Broker
  # ---------------------------------------------------------------------------
  redis:
    image: redis:7-alpine
    <<: [*default-restart, *default-security-opts]
    command:
      - "redis-server"
      - "--requirepass"
      - "${REDIS_PASSWORD}"
      - "--maxmemory"
      - "256mb"
      - "--maxmemory-policy"
      - "allkeys-lru"
      - "--save"
      - "900 1"
      - "--appendonly"
      - "yes"
    volumes:
      - redis_data:/data
    networks:
      - backend
    logging: *default-logging
    healthcheck:
      test: ["CMD", "redis-cli", "-a", "${REDIS_PASSWORD}", "--no-auth-warning", "ping"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    deploy:
      resources:
        limits:
          memory: 384M
          cpus: "0.5"

  # ---------------------------------------------------------------------------
  # Backup – pg_dump + Media-Tar, nightly, 14 Tage Retention
  # ---------------------------------------------------------------------------
  backup:
    image: postgres:16-alpine
    <<: [*default-restart, *default-security-opts]
    depends_on:
      db:
        condition: service_healthy
    environment:
      PGHOST: db
      PGUSER: ${POSTGRES_USER}
      PGDATABASE: ${POSTGRES_DB}
      PGPASSWORD_FILE: /run/secrets/postgres_password
      BACKUP_RETENTION_DAYS: "14"
    secrets:
      - postgres_password
    volumes:
      - ./backups:/backups
      - media_files:/media:ro
    networks:
      - backend
    entrypoint: ["/bin/sh", "-c"]
    command:
      - |
        apk add --no-cache tar gzip findutils >/dev/null && \
        while true; do
          TS=$$(date +%Y%m%d_%H%M%S)
          export PGPASSWORD=$$(cat $$PGPASSWORD_FILE)
          echo "[$$(date -Iseconds)] starting backup $$TS"
          pg_dump -Fc -f /backups/db_$$TS.dump && \
          tar czf /backups/media_$$TS.tar.gz -C /media . && \
          find /backups -name "db_*.dump"     -mtime +$$BACKUP_RETENTION_DAYS -delete && \
          find /backups -name "media_*.tar.gz" -mtime +$$BACKUP_RETENTION_DAYS -delete && \
          echo "[$$(date -Iseconds)] backup done"
          sleep 86400
        done
    logging: *default-logging
    deploy:
      resources:
        limits:
          memory: 256M
          cpus: "0.5"

# =============================================================================
networks:
  frontend:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: br-sb-front
  backend:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: br-sb-back

# =============================================================================
volumes:
  postgres_data:
  redis_data:
  static_files:
  media_files:
  nginx_cache:
  nginx_run:

# =============================================================================
secrets:
  postgres_password:
    file: ./secrets/postgres_password.txt