np-dms/lcbp3
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

690418:1638 Refactor Infra gitea
CI / CD Pipeline / build (push) Has been cancelled
Details
CI / CD Pipeline / deploy (push) Has been cancelled
Details

Browse Source
This commit is contained in:
admin
2026-04-18 16:38:04 +07:00
parent 8b658e8530
commit 29a6509c58
36 changed files with 1824 additions and 157 deletions
Download Patch File Download Diff File Expand all files Collapse all files
specs/04-Infrastructure-OPS/04-00-docker-compose/QNAP/app/docker-compose-app.yml
+210
View File
@@ -0,0 +1,210 @@
# File: /share/np-dms/app/docker-compose-app.yml
# DMS Container v1.8.6: Application Stack (Backend + Frontend)
# Application name: lcbp3-app
# ============================================================
# ⚠️ ใช้งานร่วมกับ services อื่นที่รันอยู่แล้วบน QNAP:
# - mariadb (lcbp3-db)
# - redis (lcbp3-redis)
# - cache (services)
# - search (services)
# - npm (lcbp3-npm)
# ============================================================
# 🔒 SECURITY (ADR-016, Tier-1):
# - ห้าม commit ค่า secret จริงในไฟล์นี้
# - ใช้ .env (gitignored) คู่กับ compose:
# docker compose --env-file .env -f docker-compose-app.yml up -d
# - QNAP Container Station 3.x รองรับ env_file แล้ว
# - JWT_SECRET (backend) ต้องคนละค่ากับ AUTH_SECRET (frontend NextAuth)
# ============================================================
name: lcbp3
x-restart: &restart_policy
restart: unless-stopped
x-logging: &default_logging
logging:
driver: 'json-file'
options:
max-size: '10m'
max-file: '5'
networks:
lcbp3:
external: true
services:
# ----------------------------------------------------------------
# 1. Backend API (NestJS)
# Service Name: backend (ตามที่ NPM อ้างอิง → backend:3000)
# ----------------------------------------------------------------
backend:
<<: [*restart_policy, *default_logging]
image: lcbp3-backend:${BACKEND_IMAGE_TAG:-latest}
container_name: backend
# M4: container hardening
user: 'node'
# L1: stdin_open/tty removed — production services ไม่ต้องใช้ interactive TTY
read_only: true
tmpfs:
- /tmp:rw,noexec,nosuid,size=256m
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
deploy:
resources:
limits:
cpus: '2.0'
memory: 1536M
reservations:
cpus: '0.5'
memory: 512M
env_file:
- .env
environment:
TZ: 'Asia/Bangkok'
NODE_ENV: 'production'
# --- Database ---
DB_HOST: 'mariadb'
DB_PORT: '3306'
DB_DATABASE: 'lcbp3'
DB_USERNAME: 'center'
DB_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD required}
# --- Redis ---
REDIS_HOST: 'cache'
REDIS_PORT: '6379'
REDIS_PASSWORD: ${REDIS_PASSWORD:?REDIS_PASSWORD required}
# --- Elasticsearch ---
ELASTICSEARCH_HOST: 'search'
ELASTICSEARCH_PORT: '9200'
ELASTICSEARCH_USERNAME: ${ELASTICSEARCH_USERNAME:-elastic}
ELASTICSEARCH_PASSWORD: ${ELASTICSEARCH_PASSWORD:?ELASTICSEARCH_PASSWORD required}
# --- JWT (backend only) ---
JWT_SECRET: ${JWT_SECRET:?JWT_SECRET required}
JWT_EXPIRATION: '8h'
JWT_REFRESH_SECRET: ${JWT_REFRESH_SECRET:?JWT_REFRESH_SECRET required}
# --- ClamAV (ADR-016 file upload scan) ---
CLAMAV_HOST: 'clamav'
CLAMAV_PORT: '3310'
# --- Numbering ---
NUMBERING_LOCK_TIMEOUT: '5000'
NUMBERING_RESERVATION_TTL: '300'
# --- File Upload ---
UPLOAD_TEMP_DIR: '/app/uploads/temp'
UPLOAD_PERMANENT_DIR: '/app/uploads/permanent'
PORT: '3000'
MAX_FILE_SIZE: '52428800'
networks:
- lcbp3
volumes:
# Two-Phase Storage: จัดเก็บไฟล์นอก container
- '/share/np-dms-as/data/uploads/temp:/app/uploads/temp'
- '/share/np-dms-as/data/uploads/permanent:/app/uploads/permanent'
- '/share/np-dms/data/logs/backend:/app/logs'
# Mount legacy staging folder to match n8n's output path
- '/share/np-dms-as/Legacy:/home/node/.n8n-files/staging_ai:ro'
healthcheck:
test: ['CMD', 'curl', '-f', 'http://localhost:3000/health']
interval: 30s
timeout: 10s
retries: 3
start_period: 30s
depends_on:
clamav:
condition: service_healthy
# ----------------------------------------------------------------
# 2. Frontend Web App (Next.js)
# Service Name: frontend (ตามที่ NPM อ้างอิง → frontend:3000)
# ----------------------------------------------------------------
frontend:
<<: [*restart_policy, *default_logging]
image: lcbp3-frontend:${FRONTEND_IMAGE_TAG:-latest}
container_name: frontend
# M4: container hardening (Next.js standalone runs as 'nextjs' user by default)
user: 'nextjs'
read_only: true
tmpfs:
- /tmp:rw,noexec,nosuid,size=128m
- /app/.next/cache:rw,size=256m
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
# L1: stdin_open/tty removed
deploy:
resources:
limits:
cpus: '2.0'
memory: 2G
reservations:
cpus: '0.25'
memory: 512M
env_file:
- .env
environment:
TZ: 'Asia/Bangkok'
NODE_ENV: 'production'
HOSTNAME: '0.0.0.0'
PORT: '3000'
# --- API Backend URL ---
NEXT_PUBLIC_API_URL: 'https://backend.np-dms.work/api'
# --- NextAuth (ห้ามใช้ค่าเดียวกับ JWT_SECRET) ---
AUTH_SECRET: ${AUTH_SECRET:?AUTH_SECRET required}
AUTH_URL: 'https://lcbp3.np-dms.work'
AUTH_TRUST_HOST: 'true'
INTERNAL_API_URL: 'http://backend:3000/api'
networks:
- lcbp3
healthcheck:
test: ['CMD', 'curl', '-f', 'http://localhost:3000/']
interval: 30s
timeout: 10s
retries: 3
start_period: 60s
depends_on:
backend:
condition: service_healthy
# ----------------------------------------------------------------
# 3. ClamAV (Antivirus scanning for file uploads — ADR-016)
# Service Name: clamav (Backend อ้างอิง CLAMAV_HOST=clamav, port 3310)
# ----------------------------------------------------------------
clamav:
<<: [*restart_policy, *default_logging]
image: clamav/clamav:1.3
container_name: clamav
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- CHOWN
- SETUID
- SETGID
deploy:
resources:
limits:
cpus: '1.0'
memory: 2G
reservations:
cpus: '0.25'
memory: 1G
environment:
TZ: 'Asia/Bangkok'
CLAMAV_NO_FRESHCLAMD: 'false'
CLAMAV_NO_CLAMD: 'false'
CLAMD_STARTUP_TIMEOUT: '1800'
networks:
- lcbp3
volumes:
# cache definitions เพื่อไม่ต้อง download ทุกครั้งที่ restart
- '/share/np-dms/clamav/data:/var/lib/clamav'
- '/share/np-dms/data/logs/clamav:/var/log/clamav'
healthcheck:
test: ['CMD', 'clamdcheck.sh']
interval: 60s
timeout: 30s
retries: 3
start_period: 300s