From 49131a38e01545c5ae91471bdae149b07d0a8d82 Mon Sep 17 00:00:00 2001
From: limiteinductive
Date: Sun, 29 Mar 2026 20:30:27 +0200
Subject: [PATCH] infra: .dockerignore, remove exposed port, healthcheck, pin caddy

- add repo-root .dockerignore (target, node_modules, .git, dist)
- colony: expose instead of ports (internal network only)
- colony: healthcheck via /api/health
- caddy: pin to 2.11, mount Caddyfile read-only
- caddy: depends_on service_healthy

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .dockerignore | 9 +++++++++
 infra/colony/docker-compose.yml | 17 ++++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)
 create mode 100644 .dockerignore

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..8666df5
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,9 @@
+target/
+**/node_modules/
+**/dist/
+.git/
+*.db
+*.db-wal
+*.db-shm
+.claude/
+docs/
diff --git a/infra/colony/docker-compose.yml b/infra/colony/docker-compose.yml
index 1868e83..3240ee2 100644
--- a/infra/colony/docker-compose.yml
+++ b/infra/colony/docker-compose.yml
@@ -9,23 +9,30 @@ services:
       - DATABASE_URL=sqlite:/data/colony.db?mode=rwc
     volumes:
       - colony_data:/data
-    ports:
-      - "3001:3001"
+    # No ports exposed — Caddy reverse proxies on internal network
+    expose:
+      - "3001"
     restart: always
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3001/api/health"]
+      interval: 10s
+      timeout: 3s
+      retries: 3
 
   caddy:
-    image: caddy:latest
+    image: caddy:2.11
     container_name: colony-caddy
     ports:
       - "80:80"
       - "443:443"
     volumes:
-      - ./Caddyfile:/etc/caddy/Caddyfile
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
       - caddy_data:/data
       - caddy_config:/config
     restart: always
     depends_on:
-      - colony
+      colony:
+        condition: service_healthy
 
 volumes:
   colony_data:
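Review bot: The new ignore list keeps build artifacts and the local SQLite files out of the build context, but it excludes no environment or credential files; if the repository keeps a `.env`, key material or similar at the root, a broad `COPY` in the Dockerfile would bake it into an image layer. Add entries such as `.env` and `*.pem` if such files exist in this repository (not visible from this patch). The commit message lists only target, node_modules, .git and dist, while the file also drops `*.db`, `*.db-wal`, `*.db-shm`, `.claude/` and `docs/`; naming those in the message would make the change easier to audit later.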
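Review bot: The healthcheck added under colony assumes `curl` exists in the colony image, which this hunk cannot confirm; if the image is a slim or distroless build without it, every probe fails, the container stays unhealthy, and caddy — now gated by `condition: service_healthy` — never starts. Verify the image ships curl or switch the probe to a binary the image is known to contain. Consider also adding `start_period: 15s` under `healthcheck:` so a slow first start does not consume the 3 retries before the service is ready. Note that `expose:` is informational in Compose — containers on the shared default network can reach port 3001 whether or not it is listed — so the isolation the comment describes comes from removing `ports:`, not from `expose:`. The colony service definition begins before this hunk.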