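# File: /share/np-dms/app/docker-compose-app.yml
# DMS Container v1.8.6: Application Stack (Backend + Frontend)
# Application name: lcbp3-app
# ============================================================
# ⚠️ Used alongside services that are already running on QNAP:
#   - mariadb (lcbp3-db)
#   - redis (lcbp3-redis)
#   - cache (services)
#   - search (services)
#   - npm (lcbp3-npm)
# ============================================================
# 🔒 SECURITY (ADR-016, Tier-1):
#   - Never commit real secret values in this file.
#   - Use a gitignored .env together with compose:
#       docker compose --env-file .env -f docker-compose-app.yml up -d
#     The ${VAR:?...} interpolations below are resolved from that file at
#     compose time, so only the keys listed under `environment:` reach a
#     container. `env_file:` is different: it copies EVERY variable in .env
#     into the container, so it is used only on the backend (see below).
#   - QNAP Container Station 3.x supports env_file.
#   - JWT_SECRET (backend) must be a different value from AUTH_SECRET
#     (frontend NextAuth).
#   - Image tags default to `latest`; for a reproducible, auditable deploy set
#     BACKEND_IMAGE_TAG / FRONTEND_IMAGE_TAG to an immutable build tag.
# ============================================================
name: lcbp3

x-restart: &restart_policy
  restart: unless-stopped

x-logging: &default_logging
  logging:
    driver: 'json-file'
    options:
      max-size: '10m'
      max-file: '5'

networks:
  lcbp3:
    external: true

services:
  # ----------------------------------------------------------------
  # 1. Backend API (NestJS)
  # Service Name: backend (as referenced by NPM -> backend:3000)
  # ----------------------------------------------------------------
  backend:
    <<: [*restart_policy, *default_logging]
    image: lcbp3-backend:${BACKEND_IMAGE_TAG:-latest}
    container_name: backend
    # M4: container hardening — unprivileged user, read-only rootfs,
    # non-executable scratch space, no capability or privilege escalation.
    user: 'node'
    # L1: stdin_open/tty removed — production services do not need an
    # interactive TTY.
    read_only: true
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=256m
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    deploy:
      resources:
        limits:
          cpus: '2.0'
          memory: 1536M
        reservations:
          cpus: '0.5'
          memory: 512M
    # env_file injects every variable in .env into this container. The backend
    # is the only service that legitimately holds the DB/Redis/Elasticsearch/JWT
    # secrets, so this is the only service that uses it. Keys under
    # `environment:` take precedence over the same key from env_file.
    env_file:
      - .env
    environment:
      TZ: 'Asia/Bangkok'
      NODE_ENV: 'production'
      # --- Database ---
      DB_HOST: 'mariadb'
      DB_PORT: '3306'
      DB_DATABASE: 'lcbp3'
      DB_USERNAME: 'center'
      DB_PASSWORD: ${DB_PASSWORD:?DB_PASSWORD required}
      # --- Redis ---
      REDIS_HOST: 'cache'
      REDIS_PORT: '6379'
      REDIS_PASSWORD: ${REDIS_PASSWORD:?REDIS_PASSWORD required}
      # --- Elasticsearch ---
      ELASTICSEARCH_HOST: 'search'
      ELASTICSEARCH_PORT: '9200'
      # NOTE(review): the fallback `elastic` is Elasticsearch's built-in
      # superuser. A dedicated application user with index-scoped privileges
      # is preferable — confirm what the `search` service provides and set
      # ELASTICSEARCH_USERNAME in .env accordingly.
      ELASTICSEARCH_USERNAME: ${ELASTICSEARCH_USERNAME:-elastic}
      ELASTICSEARCH_PASSWORD: ${ELASTICSEARCH_PASSWORD:?ELASTICSEARCH_PASSWORD required}
      # --- JWT (backend only; never expose these to the frontend) ---
      JWT_SECRET: ${JWT_SECRET:?JWT_SECRET required}
      JWT_EXPIRATION: '8h'
      JWT_REFRESH_SECRET: ${JWT_REFRESH_SECRET:?JWT_REFRESH_SECRET required}
      # --- ClamAV (ADR-016 file upload scan) ---
      CLAMAV_HOST: 'clamav'
      CLAMAV_PORT: '3310'
      # --- Numbering ---
      NUMBERING_LOCK_TIMEOUT: '5000'
      NUMBERING_RESERVATION_TTL: '300'
      # --- File Upload ---
      UPLOAD_TEMP_DIR: '/app/uploads/temp'
      UPLOAD_PERMANENT_DIR: '/app/uploads/permanent'
      PORT: '3000'
      MAX_FILE_SIZE: '52428800'
    networks:
      - lcbp3
    volumes:
      # Two-Phase Storage: uploaded files live outside the container.
      # These are host bind mounts, so the noexec/nosuid on /tmp above does not
      # apply to them; any exec restriction must come from the host mount.
      - '/share/np-dms-as/data/uploads/temp:/app/uploads/temp'
      - '/share/np-dms-as/data/uploads/permanent:/app/uploads/permanent'
      - '/share/np-dms/data/logs/backend:/app/logs'
      # Mount legacy staging folder to match n8n's output path (read-only).
      - '/share/np-dms-as/Legacy:/home/node/.n8n-files/staging_ai:ro'
    healthcheck:
      test: ['CMD', 'curl', '-f', 'http://localhost:3000/health']
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    depends_on:
      # Uploads are refused until the scanner is actually answering, not just
      # started (clamd can take minutes to load its database).
      clamav:
        condition: service_healthy

  # ----------------------------------------------------------------
  # 2. Frontend Web App (Next.js)
  # Service Name: frontend (as referenced by NPM -> frontend:3000)
  # ----------------------------------------------------------------
  frontend:
    <<: [*restart_policy, *default_logging]
    image: lcbp3-frontend:${FRONTEND_IMAGE_TAG:-latest}
    container_name: frontend
    # M4: container hardening (Next.js standalone runs as the 'nextjs' user
    # by default)
    user: 'nextjs'
    read_only: true
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=128m
      # Next.js needs a writable cache dir; it holds data only, so it gets the
      # same noexec/nosuid treatment as /tmp.
      - /app/.next/cache:rw,noexec,nosuid,size=256m
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    # L1: stdin_open/tty removed
    deploy:
      resources:
        limits:
          cpus: '2.0'
          memory: 2G
        reservations:
          cpus: '0.25'
          memory: 512M
    # env_file is intentionally NOT used here: it would copy DB_PASSWORD,
    # REDIS_PASSWORD, ELASTICSEARCH_PASSWORD, JWT_SECRET and JWT_REFRESH_SECRET
    # from .env into the frontend container, which must never hold backend
    # secrets. Every variable the frontend needs is listed explicitly below and
    # is still resolved from .env at compose time by ${VAR} interpolation; any
    # additional frontend variable must be added here, not via env_file.
    environment:
      TZ: 'Asia/Bangkok'
      NODE_ENV: 'production'
      HOSTNAME: '0.0.0.0'
      PORT: '3000'
      # --- API Backend URL (public, embedded in the browser bundle) ---
      NEXT_PUBLIC_API_URL: 'https://backend.np-dms.work/api'
      # --- NextAuth (must not reuse JWT_SECRET) ---
      AUTH_SECRET: ${AUTH_SECRET:?AUTH_SECRET required}
      AUTH_URL: 'https://lcbp3.np-dms.work'
      # Trusts the incoming Host/X-Forwarded-Host header for URL construction.
      # NOTE(review): this is only safe while NPM is the sole path to this
      # container and sets a validated Host; keep AUTH_URL pinned above so
      # callback/redirect URLs do not depend on the header alone — confirm the
      # NPM proxy host configuration.
      AUTH_TRUST_HOST: 'true'
      # Server-side calls go over the private lcbp3 network, not the public URL.
      INTERNAL_API_URL: 'http://backend:3000/api'
    networks:
      - lcbp3
    healthcheck:
      test: ['CMD', 'curl', '-f', 'http://localhost:3000/']
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s
    depends_on:
      backend:
        condition: service_healthy

  # ----------------------------------------------------------------
  # 3. ClamAV (Antivirus scanning for file uploads — ADR-016)
  # Service Name: clamav (backend references CLAMAV_HOST=clamav, port 3310)
  # ----------------------------------------------------------------
  clamav:
    <<: [*restart_policy, *default_logging]
    image: clamav/clamav:1.3
    container_name: clamav
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    # Presumably needed so the image entrypoint can fix ownership of the
    # database volume and drop from root to the clamav user — confirm against
    # the image's entrypoint before removing any of these.
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 2G
        reservations:
          cpus: '0.25'
          memory: 1G
    environment:
      TZ: 'Asia/Bangkok'
      CLAMAV_NO_FRESHCLAMD: 'false'
      CLAMAV_NO_CLAMD: 'false'
      CLAMD_STARTUP_TIMEOUT: '1800'
    # clamd on 3310 has no authentication. No `ports:` are published, so it is
    # reachable only from containers on the lcbp3 network — keep it that way.
    networks:
      - lcbp3
    volumes:
      # Cache signature definitions so they are not re-downloaded on every
      # restart.
      - '/share/np-dms/clamav/data:/var/lib/clamav'
      - '/share/np-dms/data/logs/clamav:/var/log/clamav'
    healthcheck:
      test: ['CMD', 'clamdcheck.sh']
      interval: 60s
      timeout: 30s
      retries: 3
      # Initial signature download/load can take several minutes.
      start_period: 300s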