ops: add docker-compose.prod.yml overlay

Production overlay narrows the dev defaults: - removes published ports from postgres, minio, opensearch, qdrant, redis - only the api container stays externally reachable; - enables the OpenSearch security plugin and requires OPENSEARCH_ADMIN_PASSWORD via ?:required interpolation; - requires Qdrant API key, MinIO root credentials, postgres password, and CORS_ALLOWED_ORIGINS to be set (no localhost fallback); - doubles OpenSearch heap (-Xms2g -Xmx2g) and worker concurrency to 4; - drops the MinIO management console. Validated with: set -a; . .env.prod.example; CORS_ALLOWED_ORIGINS=https://example.com docker compose -f docker-compose.yml -f docker-compose.prod.yml config The RUNBOOK was updated in the initial commit and already documents the overlay invocation and credential rotation workflow. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-13 16:52:57 +03:00
parent a375ca55b9
commit d3c96161b0
1 changed files with 101 additions and 0 deletions
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -0,0 +1,101 @@
+# Production overlay for LegacyHUB.
+#
+# Usage:
+#   cp .env.prod.example .env.prod
+#   $EDITOR .env.prod                    # rotate every credential
+#   docker compose \
+#     -f docker-compose.yml -f docker-compose.prod.yml \
+#     --env-file .env.prod \
+#     up -d --build --force-recreate
+#
+# This overlay narrows the dev-friendly defaults:
+#   - removes published ports from data services (only api stays public);
+#   - turns on the OpenSearch security plugin and forces an admin password;
+#   - requires CORS_ALLOWED_ORIGINS to be set (no localhost fallback);
+#   - bumps Java + worker concurrency for real workloads;
+#   - drops the MinIO console.
+
+services:
+  postgres:
+    ports: !reset []
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}
+    restart: always
+
+  minio:
+    command: server /data
+    ports: !reset []
+    environment:
+      MINIO_ROOT_USER: ${MINIO_ACCESS_KEY:?MINIO_ACCESS_KEY must be set}
+      MINIO_ROOT_PASSWORD: ${MINIO_SECRET_KEY:?MINIO_SECRET_KEY must be set}
+    restart: always
+
+  opensearch:
+    ports: !reset []
+    environment:
+      - discovery.type=single-node
+      - bootstrap.memory_lock=true
+      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx2g"
+      - DISABLE_INSTALL_DEMO_CONFIG=true
+      - plugins.security.disabled=false
+      - OPENSEARCH_INITIAL_ADMIN_PASSWORD=${OPENSEARCH_ADMIN_PASSWORD:?OPENSEARCH_ADMIN_PASSWORD must be set}
+    restart: always
+
+  qdrant:
+    ports: !reset []
+    environment:
+      QDRANT__SERVICE__API_KEY: ${QDRANT_API_KEY:?QDRANT_API_KEY must be set}
+    restart: always
+
+  redis:
+    ports: !reset []
+    restart: always
+
+  api:
+    environment:
+      <<: &prod-env
+        POSTGRES_HOST: ${POSTGRES_HOST}
+        POSTGRES_PORT: ${POSTGRES_PORT}
+        POSTGRES_DB: ${POSTGRES_DB}
+        POSTGRES_USER: ${POSTGRES_USER}
+        POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+        MINIO_ENDPOINT: ${MINIO_ENDPOINT}
+        MINIO_ACCESS_KEY: ${MINIO_ACCESS_KEY}
+        MINIO_SECRET_KEY: ${MINIO_SECRET_KEY}
+        MINIO_BUCKET_ORIGINALS: ${MINIO_BUCKET_ORIGINALS}
+        MINIO_BUCKET_DERIVED: ${MINIO_BUCKET_DERIVED}
+        MINIO_SECURE: "true"
+        OPENSEARCH_HOST: ${OPENSEARCH_HOST}
+        OPENSEARCH_PORT: ${OPENSEARCH_PORT}
+        OPENSEARCH_USE_SSL: "true"
+        OPENSEARCH_VERIFY_CERTS: "true"
+        OPENSEARCH_USER: ${OPENSEARCH_USER}
+        OPENSEARCH_PASSWORD: ${OPENSEARCH_PASSWORD}
+        OPENSEARCH_INDEX_CHUNKS: ${OPENSEARCH_INDEX_CHUNKS}
+        QDRANT_HOST: ${QDRANT_HOST}
+        QDRANT_PORT: ${QDRANT_PORT}
+        QDRANT_API_KEY: ${QDRANT_API_KEY}
+        QDRANT_COLLECTION_CHUNKS: ${QDRANT_COLLECTION_CHUNKS}
+        REDIS_URL: ${REDIS_URL}
+        OCR_LANGUAGES: ${OCR_LANGUAGES}
+        OCR_ENABLED: ${OCR_ENABLED}
+        DOCLING_OCR_ENABLED: ${DOCLING_OCR_ENABLED}
+        MAX_DOCUMENT_TIMEOUT_SECONDS: ${MAX_DOCUMENT_TIMEOUT_SECONDS}
+        EMBEDDING_MODEL: ${EMBEDDING_MODEL}
+        EMBEDDING_DEVICE: ${EMBEDDING_DEVICE}
+        RERANKER_MODEL: ${RERANKER_MODEL}
+        RERANKER_DEVICE: ${RERANKER_DEVICE}
+        RERANKER_ENABLED: ${RERANKER_ENABLED}
+        APP_LOG_LEVEL: ${APP_LOG_LEVEL}
+        APP_INPUT_DIR: /data/input
+        APP_WORK_DIR: /data/work
+        CORS_ALLOWED_ORIGINS: ${CORS_ALLOWED_ORIGINS:?CORS_ALLOWED_ORIGINS must be set (no * in production)}
+    restart: always
+
+  worker:
+    command: ["celery", "-A", "app.workers.celery_app", "worker", "--loglevel=INFO", "--concurrency=4"]
+    environment:
+      <<: *prod-env
+    restart: always