d3c96161b0
Production overlay narrows the dev defaults: - removes published ports from postgres, minio, opensearch, qdrant, redis - only the api container stays externally reachable; - enables the OpenSearch security plugin and requires OPENSEARCH_ADMIN_PASSWORD via ?:required interpolation; - requires Qdrant API key, MinIO root credentials, postgres password, and CORS_ALLOWED_ORIGINS to be set (no localhost fallback); - doubles OpenSearch heap (-Xms2g -Xmx2g) and worker concurrency to 4; - drops the MinIO management console. Validated with: set -a; . .env.prod.example; CORS_ALLOWED_ORIGINS=https://example.com docker compose -f docker-compose.yml -f docker-compose.prod.yml config The RUNBOOK was updated in the initial commit and already documents the overlay invocation and credential rotation workflow. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
3.5 KiB
3.5 KiB