Skip to content

Operations: add hardened production container defaults #53

Description

@CryptoJones

Problem

The current compose file is optimized for local development: Postgres is published on the host, default credentials are convenient, and runtime Dockerfiles do not set non-root users.

Impact

This is easy to run locally but weak as a shared/self-host production default.

References

  • docker-compose.yml
  • api/ApplyTrack.Api/Dockerfile
  • Dockerfile.poller

Acceptance criteria

  • Provide a production compose profile/file that does not publish Postgres by default.
  • Runtime containers run as non-root users.
  • Document required secret changes for production.
  • Consider cap_drop, read-only filesystem, and minimal writable mounts where practical.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or requestoperationsDeployment and operationssecuritySecurity hardening

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions