chore: update prod-compose to use file-envs for secrets

2025-12-03 12:38:24 +01:00 · 2025-12-03 12:38:24 +01:00 · d8384098b4
commit d8384098b4
parent ee094eec2f
5 changed files with 66 additions and 18 deletions
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@ -1,22 +1,33 @@
 services:
  app:
-    image: git.local-it.org/local-it/mitgliederverwaltung:latest
+    image: mitgliederverwaltung:latest
    container_name: mv-prod-app
-    # Use host network for local testing to access localhost:8080 (Rauthy)
-    # In real production, remove this and use external OIDC provider
-    network_mode: host
+    ports:
+      - "4001:4001"
    environment:
-      DATABASE_URL: "ecto://postgres:postgres@localhost:5001/mv_prod"
-      SECRET_KEY_BASE: "${SECRET_KEY_BASE}"
-      TOKEN_SIGNING_SECRET: "${TOKEN_SIGNING_SECRET}"
-      PHX_HOST: "${PHX_HOST}"
+      # Database configuration using separate variables
+      # Use Docker service name for internal networking
+      DATABASE_HOST: "db-prod"
+      DATABASE_PORT: "5432"
+      DATABASE_USER: "postgres"
+      DATABASE_NAME: "mv_prod"
+      DATABASE_PASSWORD_FILE: "/run/secrets/db_password"
+      # Phoenix secrets via Docker secrets
+      SECRET_KEY_BASE_FILE: "/run/secrets/secret_key_base"
+      TOKEN_SIGNING_SECRET_FILE: "/run/secrets/token_signing_secret"
+      PHX_HOST: "${PHX_HOST:-localhost}"
      PORT: "4001"
      PHX_SERVER: "true"
-      # Rauthy OIDC config - uses localhost because of host network mode
+      # Rauthy OIDC config - use host.docker.internal to reach host services
      OIDC_CLIENT_ID: "mv"
-      OIDC_BASE_URL: "http://localhost:8080/auth/v1"
-      OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET:-}"
+      OIDC_BASE_URL: "http://host.docker.internal:8080/auth/v1"
+      OIDC_CLIENT_SECRET_FILE: "/run/secrets/oidc_client_secret"
      OIDC_REDIRECT_URI: "http://localhost:4001/auth/user/rauthy/callback"
+    secrets:
+      - db_password
+      - secret_key_base
+      - token_signing_secret
+      - oidc_client_secret
    depends_on:
      - db-prod
    restart: unless-stopped
@ -26,13 +37,25 @@ services:
    container_name: mv-prod-db
    environment:
      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: postgres
+      POSTGRES_PASSWORD_FILE: /run/secrets/db_password
      POSTGRES_DB: mv_prod
+    secrets:
+      - db_password
    volumes:
      - postgres_data_prod:/var/lib/postgresql/data
    ports:
      - "5001:5432"
    restart: unless-stopped

+secrets:
+  db_password:
+    file: ./secrets/db_password.txt
+  secret_key_base:
+    file: ./secrets/secret_key_base.txt
+  token_signing_secret:
+    file: ./secrets/token_signing_secret.txt
+  oidc_client_secret:
+    file: ./secrets/oidc_client_secret.txt
+
 volumes:
  postgres_data_prod: