create prod-specific docker compose and add nginx/certbot for HTTPS/TLS termination

Author: peter-rauscher

.env.template

@@ -1,16 +1,26 @@
 # === Environment ===
 # The environment to run the application in: development, staging, or production
 ENVIRONMENT=
+DOMAIN=
+EMAIL=
 # ====================
 
 # === PostgreSQL ===
+POSTGRES_DB=
+POSTGRES_USER=
+POSTGRES_PASSWORD=
 DB_CONNECTION_STRING=
 # ===============
 
 # === Celery ===
 CELERY_BROKER_URL=
 CELERY_RESULT_BACKEND=
-# =============
+# ===============
+
+# === RabbitMQ ===
+RABBITMQ_DEFAULT_USER=
+RABBITMQ_DEFAULT_PASS=
+# ===============
 
 # === Redis ===
 REDIS_URL=

Dockerfile

@@ -15,9 +15,19 @@ RUN pip install --no-cache-dir poetry
 # Copy only requirements to cache them in docker layer
 COPY pyproject.toml poetry.lock* ./
 
+# Add build argument with default value
+ARG ENVIRONMENT=development
+
+# Set environment variable from build arg
+ENV ENVIRONMENT=${ENVIRONMENT}
+
 # Project initialization
 RUN poetry config virtualenvs.create false \
-    && poetry install --only main --no-interaction --no-ansi --no-root
+    && if [ "$ENVIRONMENT" = "development" ]; then \
+    poetry install --with dev --no-interaction --no-ansi --no-root; \
+    else \
+    poetry install --only main --no-interaction --no-ansi --no-root; \
+    fi
 
 # Copy the project
 COPY .env ./
@@ -30,4 +40,8 @@ ENV PYTHONPATH=/app/src:$PYTHONPATH
 EXPOSE 8000
 
 # Command to run the application
-CMD ["poetry", "run", "debugpy", "--listen", "0.0.0.0:5678", "-m", "uvicorn", "--reload", "src.solesearch_api.main:app", "--host", "0.0.0.0", "--port", "8000"]
+CMD if [ "$ENVIRONMENT" = "development" ]; then \
+    poetry run debugpy --listen 0.0.0.0:5678 -m uvicorn --reload src.solesearch_api.main:app --host 0.0.0.0 --port 8000; \
+    else \
+    poetry run uvicorn src.solesearch_api.main:app --host 0.0.0.0 --port 8000; \
+    fi

docker-compose.prod.init.yaml

@@ -0,0 +1,24 @@
+services:
+  nginx:
+    image: nginx:alpine
+    container_name: solesearch_nginx
+    ports:
+      - "80:80"
+    volumes:
+      - ./nginx/templates-init:/etc/nginx/templates
+      - ./nginx/certbot/etc/letsencrypt:/etc/letsencrypt
+      - ./nginx/certbot/var/www/certbot:/var/www/certbot
+    env_file:
+      - ".env"
+
+  certbot:
+    image: certbot/certbot:latest
+    container_name: solesearch_certbot
+    command: certonly --reinstall --webroot --webroot-path=/var/www/certbot --email ${EMAIL} --agree-tos --no-eff-email -d ${DOMAIN}
+    depends_on:
+      - nginx
+    volumes:
+      - ./nginx/certbot/etc/letsencrypt:/etc/letsencrypt
+      - ./nginx/certbot/var/www/certbot:/var/www/certbot
+    env_file:
+      - ".env"

docker-compose.prod.yml

@@ -0,0 +1,126 @@
+services:
+  nginx:
+    image: nginx:alpine
+    container_name: solesearch_nginx
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - ./nginx/templates:/etc/nginx/templates
+      - ./nginx/certbot/etc/letsencrypt:/etc/letsencrypt
+      - ./nginx/certbot/var/www/certbot:/var/www/certbot
+    depends_on:
+      - api
+    networks:
+      - solesearch_network
+    restart: always
+
+  certbot:
+    image: certbot/certbot:latest
+    container_name: solesearch_certbot
+    command: certonly --reinstall --webroot --webroot-path=/var/www/certbot --email ${EMAIL} --agree-tos --no-eff-email -d ${DOMAIN}
+    volumes:
+      - ./nginx/certbot/etc/letsencrypt:/etc/letsencrypt
+      - ./nginx/certbot/var/www/certbot:/var/www/certbot
+    depends_on:
+      - nginx
+    restart: unless-stopped
+    env_file:
+      - ".env"
+
+  api:
+    build:
+      context: .
+      args:
+        - ENVIRONMENT=production
+    container_name: solesearch_api
+    depends_on:
+      - db
+      - redis
+    volumes:
+      - ~/solesearch/api/data:/var/data/solesearch
+    networks:
+      - solesearch_network
+    restart: always
+    env_file:
+      - ".env"
+
+  celery_worker:
+    build:
+      context: .
+      args:
+        - ENVIRONMENT=production
+    container_name: solesearch_worker
+    command: celery -A solesearch_api.tasks worker --loglevel=info
+    depends_on:
+      - api
+      - redis
+      - rabbitmq
+    volumes:
+      - ~/solesearch/api/data:/var/data/solesearch
+    networks:
+      - solesearch_network
+    restart: always
+    env_file:
+      - ".env"
+
+  celery_beat:
+    build:
+      context: .
+      args:
+        - ENVIRONMENT=production
+    container_name: solesearch_beat
+    command: celery -A solesearch_api.tasks beat --loglevel=info
+    depends_on:
+      - api
+      - redis
+      - rabbitmq
+    volumes:
+      - ~/solesearch/api/data:/var/data/solesearch
+    networks:
+      - solesearch_network
+    restart: always
+    env_file:
+      - ".env"
+
+  db:
+    image: postgres:16-alpine
+    container_name: solesearch_db
+    env_file:
+      - ".env"
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    ports:
+      - "5432:5432"
+    networks:
+      - solesearch_network
+    restart: always
+
+  redis:
+    image: redis:alpine
+    container_name: solesearch_redis
+    volumes:
+      - redis_data:/data
+    networks:
+      - solesearch_network
+    restart: always
+
+  rabbitmq:
+    image: rabbitmq:management-alpine
+    container_name: solesearch_rabbitmq
+    ports:
+      - "15672:15672"
+    networks:
+      - solesearch_network
+    restart: always
+    env_file:
+      - ".env"
+
+volumes:
+  postgres_data:
+  redis_data:
+
+
+networks:
+  solesearch_network:
+    driver: bridge

docker-compose.yml

@@ -1,100 +1,99 @@
 services:
   api:
-    build: .
-    container_name: sneakers_api
-    working_dir: /app
+    build:
+      context: .
+      args:
+        - ENVIRONMENT=development
+    container_name: solesearch_api
     depends_on:
       - db
       - redis
-    ports:
-      - "8000:8000"
-      - "5678:5678"
     volumes:
-      - ~/data/solesearch:/var/data/solesearch
+      - ~/solesearch/api/data:/var/data/solesearch
     networks:
-      - sneakers_network
+      - solesearch_network
     restart: always
     env_file:
       - ".env"
 
   celery_worker:
-    build: .
-    container_name: sneakers_worker
-    working_dir: /app
-    command: ["sh", "-c", "pip install debugpy -t /tmp && python /tmp/debugpy --listen 0.0.0.0:6900 -m celery -A solesearch_api.tasks worker --loglevel=info"]
+    build:
+      context: .
+      args:
+        - ENVIRONMENT=development
+    container_name: solesearch_worker
+    command: celery -A solesearch_api.tasks worker --loglevel=info
     depends_on:
       - api
       - redis
       - rabbitmq
-    ports:
-      - "6900:6900"
     volumes:
-      - ~/data/solesearch:/var/data/solesearch
+      - ~/solesearch/api/data:/var/data/solesearch
     networks:
-      - sneakers_network
+      - solesearch_network
     restart: always
     env_file:
       - ".env"
 
   celery_beat:
-    build: .
-    container_name: sneakers_beat
+    build:
+      context: .
+      args:
+        - ENVIRONMENT=development
+    container_name: solesearch_beat
     command: celery -A solesearch_api.tasks beat --loglevel=info
     depends_on:
       - api
       - redis
       - rabbitmq
     volumes:
-      - ~/data/solesearch:/var/data/solesearch
+      - ~/solesearch/api/data:/var/data/solesearch
     networks:
-      - sneakers_network
+      - solesearch_network
     restart: always
     env_file:
       - ".env"
 
   db:
     image: postgres:16-alpine
-    container_name: sneakers_db
-    environment:
-      POSTGRES_DB: Sneakers
-      POSTGRES_USER: solesearch
-      POSTGRES_PASSWORD: solesearch
+    container_name: solesearch_db
+    env_file:
+      - ".env"
     volumes:
       - postgres_data:/var/lib/postgresql/data
     ports:
       - "5432:5432"
     networks:
-      - sneakers_network
+      - solesearch_network
     restart: always
 
   redis:
     image: redis:alpine
-    container_name: sneakers_redis
-    ports:
-      - "6379:6379"
+    container_name: solesearch_redis
     volumes:
       - redis_data:/data
+    ports:
+      - "6379:6379"
     networks:
-      - sneakers_network
+      - solesearch_network
     restart: always
 
   rabbitmq:
-    image: rabbitmq:alpine
-    container_name: sneakers_rabbitmq
+    image: rabbitmq:management-alpine
+    container_name: solesearch_rabbitmq
     ports:
-      - "5672:5672"
+      - "15672:15672"
     networks:
-      - sneakers_network
-    environment:
-      - RABBITMQ_DEFAULT_USER=solesearch
-      - RABBITMQ_DEFAULT_PASS=solesearch
+      - solesearch_network
     restart: always
+    env_file:
+      - ".env"
 
 volumes:
   postgres_data:
   redis_data:
 
 
 networks:
-  sneakers_network:
+  solesearch_network:
     driver: bridge

install.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Create the certificate for the first time
+docker-compose -f ./docker-compose.prod.init.yaml up -d nginx
+docker-compose -f ./docker-compose.prod.init.yaml up certbot
+docker-compose -f ./docker-compose.prod.init.yaml down
+
+# Copy the configuration files down
+curl -L --create-dirs -o nginx/certbot/etc/letsencrypt/options-ssl-nginx.conf https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
+openssl dhparam -out nginx/certbot/etc/letsencrypt/ssl-dhparams.pem 2048
+
+# Start the production services
+docker-compose -f ./docker-compose.prod.yaml up -d
+
+# Add the cron job
+echo "0 5 * * *  $(pwd)/renew_cert.sh" | crontab -

nginx/templates-init/default.conf.template

@@ -0,0 +1,9 @@
+server {
+    listen [::]:80;
+    listen 80;
+    server_name $DOMAIN www.$DOMAIN;
+    location ~ /.well-known/acme-challenge/ {
+        allow all;
+        root /var/www/certbot;
+    }
+}