Files
site-slavic-pulse-com/docker-compose-example/docker-compose.yml
T
tomasz-syn-grzegorza f4775366ef Harden production security: Dockerfile build, nginx whitelist, and CSP.
Replace Dokploy runtime git clone with Dockerfile build to keep tokens out of the container, add nginx security headers and path whitelist, and scrub templates from the running image after HTML generation.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-27 16:58:27 +02:00

40 lines
1.1 KiB
YAML

# ============================================================
# Slavic Pulse - Docker Compose (Dokploy / manual)
# ============================================================
# Dokploy + Traefik: NIE mapuj portu na hosta (ports:).
# W UI Dokploy ustaw domenę i Container Port = 80 — Traefik routuje po FQDN.
# Wewnętrznie nginx nasłuchuje na :80 (expose poniżej).
#
# Build z Dockerfile — Dokploy klonuje repo na hoście i buduje obraz.
# Brak runtime git clone w kontenerze (hardening bezpieczeństwa).
# ============================================================
services:
frontend:
build:
context: ..
dockerfile: Dockerfile
container_name: slavic-pulse-com-frontend
restart: unless-stopped
expose:
- "80"
env_file:
- .env
healthcheck:
test: ["CMD", "wget", "-qO-", "http://127.0.0.1:80/"]
interval: 30s
timeout: 10s
retries: 3
start_period: 15s
deploy:
resources:
limits:
memory: 256M
cpus: "0.5"
reservations:
memory: 64M