Production overlay narrows the dev defaults:
- removes published ports from postgres, minio, opensearch, qdrant,
  redis - only the api container stays externally reachable;
- enables the OpenSearch security plugin and requires
  OPENSEARCH_ADMIN_PASSWORD via ?:required interpolation;
- requires Qdrant API key, MinIO root credentials, postgres password,
  and CORS_ALLOWED_ORIGINS to be set (no localhost fallback);
- doubles OpenSearch heap (-Xms2g -Xmx2g) and worker concurrency to 4;
- drops the MinIO management console.

Validated with:

    set -a; . .env.prod.example; CORS_ALLOWED_ORIGINS=https://example.com
    docker compose -f docker-compose.yml -f docker-compose.prod.yml config

The RUNBOOK was updated in the initial commit and already documents
the overlay invocation and credential rotation workflow.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
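
A check that could run over the rendered overlay the commit message validates, as an added example that is not part of the commit or the project's code. It audits the JSON form of the merged config for the properties the message lists; the container-side variable names and the sample config are assumptions, since the project's wiring is not shown here.

```python
import copy, json, sys

EXTERNAL = {"api"}  # per the commit message, only api stays externally reachable
# Assumed container-side variable names (the upstream images' own); how the
# project maps its .env values onto them is not shown on the page.
REQUIRED_ENV = {
    "postgres": ["POSTGRES_PASSWORD"],
    "minio": ["MINIO_ROOT_USER", "MINIO_ROOT_PASSWORD"],
    "qdrant": ["QDRANT__SERVICE__API_KEY"],
    "opensearch": ["OPENSEARCH_INITIAL_ADMIN_PASSWORD"],
    "api": ["CORS_ALLOWED_ORIGINS"],
}

def audit(rendered):
    """Return sorted findings for a rendered compose config given as a dict."""
    findings = []
    services = rendered.get("services", {})
    for name, svc in services.items():
        # Any host-published port on a backing store re-opens the dev exposure.
        if name not in EXTERNAL and svc.get("ports"):
            ports = ",".join(str(p.get("published")) for p in svc["ports"])
            findings.append(f"{name}: publishes host port(s) {ports}")
    for name, keys in REQUIRED_ENV.items():
        env = services.get(name, {}).get("environment") or {}
        for key in keys:
            value = env.get(key)
            if not value:  # None (unset passthrough) or empty string
                findings.append(f"{name}: {key} is empty or unset")
            elif key == "CORS_ALLOWED_ORIGINS" and "localhost" in value:
                findings.append(f"{name}: {key} still allows localhost")
    return sorted(findings)

# Constructed sample in the shape of `docker compose config --format json`.
GOOD = {"services": {
    "api": {"ports": [{"target": 8000, "published": "8000"}],
            "environment": {"CORS_ALLOWED_ORIGINS": "https://example.com"}},
    "postgres": {"environment": {"POSTGRES_PASSWORD": "constructed"}},
    "minio": {"environment": {"MINIO_ROOT_USER": "constructed",
                              "MINIO_ROOT_PASSWORD": "constructed"}},
    "qdrant": {"environment": {"QDRANT__SERVICE__API_KEY": "constructed"}},
    "opensearch": {"environment": {"OPENSEARCH_INITIAL_ADMIN_PASSWORD": "constructed"}},
    "redis": {},
}}
# Constructed regression: dev defaults leaking back into the merged config.
BAD = copy.deepcopy(GOOD)
BAD["services"]["redis"]["ports"] = [{"target": 6379, "published": "6379"}]
BAD["services"]["api"]["environment"]["CORS_ALLOWED_ORIGINS"] = "http://localhost:3000"
BAD["services"]["qdrant"]["environment"]["QDRANT__SERVICE__API_KEY"] = ""

if __name__ == "__main__":
    problems = audit(json.load(sys.stdin))
    sys.exit("\n".join(problems) if problems else 0)
```

Run as a script, it reads the output of the `docker compose ... config` command above with `--format json` appended on stdin and exits non-zero when a finding is present.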