# Docker Compose Stacks (v1.8.6)

Production compose files for the NP-DMS / LCBP3 platform. All stacks share one external Docker network `lcbp3`.

## Layout

```
04-00-docker-compose/
├── .env.template                    # Master template (placeholders)
├── x-base.yml                       # Shared YAML anchors (S2)
├── SECURITY-MIGRATION-v1.8.6.md     # Full C/H/M/L/S migration runbook
├── QNAP/
│   ├── app/         docker-compose-app.yml          (backend, frontend, clamav)
│   ├── mariadb/     docker-compose-lcbp3-db.yml     (mariadb, pma)
│   ├── service/     docker-compose.yml              (cache, search)
│   ├── npm/         docker-compose.yml              (npm, landing)
│   ├── gitea/       docker-compose.yml              (gitea)
│   ├── n8n/         docker-compose.yml              (n8n, n8n-db, tika, docker-socket-proxy)
│   ├── rocketchat/  docker-compose.yml              (mongodb, mongo-init-replica, rocketchat)
│   └── monitoring/  docker-compose.yml              (node-exporter, cadvisor — QNAP-side exporters)
└── ASUSTOR/
    ├── registry/      docker-compose.yml            (registry, registry-ui)
    ├── gitea-runner/  docker-compose.yml            (gitea act_runner)
    └── monitoring/    docker-compose.yml            (prometheus, grafana, loki, promtail, uptime-kuma, node-exporter, cadvisor)
```

## Usage (per stack)

```bash
# 1. place a gitignored .env in the stack folder
cp .env.example .env              # or copy relevant vars from ../../.env.template
vi .env
chmod 600 .env

# 2. up the stack (Compose V2)
docker compose --env-file .env -f docker-compose.yml up -d
```

## Security (Non-Negotiable — see `SECURITY-MIGRATION-v1.8.6.md`)

- **Tier-1:** No secrets in compose files; `.env` is gitignored; `JWT_SECRET` ≠ `AUTH_SECRET`
- **Redis:** `--requirepass` enforced on server
- **Elasticsearch:** internal network only
- **MariaDB:** root and app user split; loopback bind
- **MongoDB:** `--auth --keyFile`
- **Registry:** htpasswd
- **ClamAV:** mandatory upstream of backend uploads (ADR-016)
- **AI boundary:** Ollama / AI only on Admin Desktop (ADR-018)

## Shared YAML Anchors (S2)

If your Compose version supports `include:` (V2.20+), reference `x-base.yml`:

```yaml
include:
  - path: ../../x-base.yml

services:
  mysvc:
    <<: [*restart_policy, *default_logging, *hardening]
```

Otherwise, keep the inline anchor pattern (current repo-wide convention).

## Secret Management Roadmap (S1)

Current: `env_file: .env` (gitignored) per stack.

Future (order of preference):

1. **Docker secrets** (Swarm) — rotate-in-place, no FS exposure
2. **External secret manager** — Infisical / Vault / Bitwarden Secrets Manager
3. **SOPS-encrypted** `.env.sops` files in the repo (age/GPG) — nice middle ground; Ops unseals at deploy time

Tracking issue: open a task under `specs/04-Infrastructure-OPS/` when choosing a direction.

## Per-stack `.env.example` Files (S3)

Each stack has its own `.env.example` listing only the vars it consumes. Copy → edit → `chmod 600`.

## Release / Deploy Gates

See `specs/04-Infrastructure-OPS/04-08-release-management-policy.md` for the blue-green rollout procedure.