np-dms/lcbp3
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
29a6509c587719172521a084c37314ce991f7f69
lcbp3/specs/04-Infrastructure-OPS/04-00-docker-compose/README.md
T
admin 29a6509c58
CI / CD Pipeline / build (push) Has been cancelled
Details
CI / CD Pipeline / deploy (push) Has been cancelled
Details
690418:1638 Refactor Infra gitea
2026-04-18 16:38:04 +07:00

3.2 KiB
Raw Blame History

Docker Compose Stacks (v1.8.6)

Production compose files for the NP-DMS / LCBP3 platform. All stacks share one external Docker network lcbp3.

Layout

04-00-docker-compose/
├── .env.template                    # Master template (placeholders)
├── x-base.yml                       # Shared YAML anchors (S2)
├── SECURITY-MIGRATION-v1.8.6.md     # Full C/H/M/L/S migration runbook
├── QNAP/
│   ├── app/         docker-compose-app.yml          (backend, frontend, clamav)
│   ├── mariadb/     docker-compose-lcbp3-db.yml     (mariadb, pma)
│   ├── service/     docker-compose.yml              (cache, search)
│   ├── npm/         docker-compose.yml              (npm, landing)
│   ├── gitea/       docker-compose.yml              (gitea)
│   ├── n8n/         docker-compose.yml              (n8n, n8n-db, tika, docker-socket-proxy)
│   ├── rocketchat/  docker-compose.yml              (mongodb, mongo-init-replica, rocketchat)
│   └── monitoring/  docker-compose.yml              (node-exporter, cadvisor — QNAP-side exporters)
└── ASUSTOR/
    ├── registry/      docker-compose.yml            (registry, registry-ui)
    ├── gitea-runner/  docker-compose.yml            (gitea act_runner)
    └── monitoring/    docker-compose.yml            (prometheus, grafana, loki, promtail, uptime-kuma, node-exporter, cadvisor)

Usage (per stack)

# 1. place a gitignored .env in the stack folder
cp .env.example .env              # or copy relevant vars from ../../.env.template
vi .env
chmod 600 .env

# 2. up the stack (Compose V2)
docker compose --env-file .env -f docker-compose.yml up -d

Security (Non-Negotiable — see SECURITY-MIGRATION-v1.8.6.md)

  • Tier-1: No secrets in compose files; .env is gitignored; JWT_SECRETAUTH_SECRET
  • Redis: --requirepass enforced on server
  • Elasticsearch: internal network only
  • MariaDB: root and app user split; loopback bind
  • MongoDB: --auth --keyFile
  • Registry: htpasswd
  • ClamAV: mandatory upstream of backend uploads (ADR-016)
  • AI boundary: Ollama / AI only on Admin Desktop (ADR-018)

Shared YAML Anchors (S2)

If your Compose version supports include: (V2.20+), reference x-base.yml:

include:
  - path: ../../x-base.yml

services:
  mysvc:
    <<: [*restart_policy, *default_logging, *hardening]

Otherwise, keep the inline anchor pattern (current repo-wide convention).

Secret Management Roadmap (S1)

Current: env_file: .env (gitignored) per stack.

Future (order of preference):

  1. Docker secrets (Swarm) — rotate-in-place, no FS exposure
  2. External secret manager — Infisical / Vault / Bitwarden Secrets Manager
  3. SOPS-encrypted .env.sops files in the repo (age/GPG) — nice middle ground; Ops unseals at deploy time

Tracking issue: open a task under specs/04-Infrastructure-OPS/ when choosing a direction.

Per-stack .env.example Files (S3)

Each stack has its own .env.example listing only the vars it consumes. Copy → edit → chmod 600.

Release / Deploy Gates

See specs/04-Infrastructure-OPS/04-08-release-management-policy.md for the blue-green rollout procedure.

Reference in New Issue View Git Blame Copy Permalink