Problem
The current compose file is optimized for local development: Postgres is published on the host, default credentials are convenient, and runtime Dockerfiles do not set non-root users.
Impact
This is easy to run locally but weak as a shared/self-host production default.
References
docker-compose.yml
api/ApplyTrack.Api/Dockerfile
Dockerfile.poller
Acceptance criteria
- Provide a production compose profile/file that does not publish Postgres by default.
- Runtime containers run as non-root users.
- Document required secret changes for production.
- Consider
cap_drop, read-only filesystem, and minimal writable mounts where practical.
Problem
The current compose file is optimized for local development: Postgres is published on the host, default credentials are convenient, and runtime Dockerfiles do not set non-root users.
Impact
This is easy to run locally but weak as a shared/self-host production default.
References
docker-compose.ymlapi/ApplyTrack.Api/DockerfileDockerfile.pollerAcceptance criteria
cap_drop, read-only filesystem, and minimal writable mounts where practical.