mirror of
https://github.com/Memo-2023/mana-monorepo.git
synced 2026-05-14 22:21:10 +02:00
4d15d9e764
BREAKING: JWT keys are now auto-managed by Better Auth (EdDSA/Ed25519) - Remove all JWT_PRIVATE_KEY, JWT_PUBLIC_KEY, JWT_SECRET references - Keys stored in auth.jwks database table (auto-generated on first run) - Delete obsolete generate-keys.sh and generate-staging-secrets.sh scripts - Clean up legacy AUTH_*.md analysis files from root Security Improvements: - Add security_events table for audit logging - Add SecurityEventsService for tracking auth events - Enhanced security headers (HSTS, CSP, X-Frame-Options) - Rate limiting configuration Monitoring Setup: - Add auth-health-check.sh for automated testing - Add generate-dashboard.sh for HTML status dashboard - Tests: health endpoint, JWKS (EdDSA), security headers, response time - Ready for Hetzner cron deployment Documentation: - Update deployment docs with Better Auth notes - Update environment variable references - Add security improvements documentation 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
312 lines
8.7 KiB
YAML
312 lines
8.7 KiB
YAML
version: '3.9'
|
|
|
|
# To add more services:
|
|
# 1. Add service block below
|
|
# 2. Add to cd-production.yml workflow_dispatch options
|
|
# 3. Add Caddy routes to production Caddyfile
|
|
|
|
services:
|
|
# ============================================
|
|
# Backend Services (Production)
|
|
# ============================================
|
|
|
|
mana-core-auth:
|
|
image: ${DOCKER_REGISTRY:-ghcr.io/memo-2023}/mana-core-auth:${AUTH_VERSION:-latest}
|
|
container_name: mana-core-auth-prod
|
|
restart: always
|
|
environment:
|
|
NODE_ENV: production
|
|
PORT: 3001
|
|
DATABASE_URL: ${AUTH_DATABASE_URL}
|
|
REDIS_HOST: ${REDIS_HOST}
|
|
REDIS_PORT: ${REDIS_PORT}
|
|
REDIS_PASSWORD: ${REDIS_PASSWORD}
|
|
# JWT keys managed automatically by Better Auth (EdDSA) - stored in auth.jwks table
|
|
JWT_ISSUER: ${JWT_ISSUER:-manacore}
|
|
JWT_AUDIENCE: ${JWT_AUDIENCE:-manacore}
|
|
# Brevo Email Service
|
|
BREVO_API_KEY: ${BREVO_API_KEY}
|
|
EMAIL_SENDER_ADDRESS: ${EMAIL_SENDER_ADDRESS:-noreply@manacore.ai}
|
|
EMAIL_SENDER_NAME: ${EMAIL_SENDER_NAME:-ManaCore}
|
|
# URLs
|
|
BASE_URL: ${BASE_URL:-https://auth.manacore.ai}
|
|
FRONTEND_URL: ${FRONTEND_URL:-https://manacore.ai}
|
|
ports:
|
|
- "127.0.0.1:3001:3001"
|
|
healthcheck:
|
|
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3001/api/v1/health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 40s
|
|
networks:
|
|
- manacore-prod
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "50m"
|
|
max-file: "5"
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '1'
|
|
memory: 512M
|
|
reservations:
|
|
cpus: '0.5'
|
|
memory: 256M
|
|
|
|
maerchenzauber-backend:
|
|
image: ${DOCKER_REGISTRY:-ghcr.io/memo-2023}/maerchenzauber-backend:${MAERCHENZAUBER_VERSION:-latest}
|
|
container_name: maerchenzauber-backend-prod
|
|
restart: always
|
|
depends_on:
|
|
mana-core-auth:
|
|
condition: service_healthy
|
|
environment:
|
|
NODE_ENV: production
|
|
PORT: 3002
|
|
MANA_SERVICE_URL: http://mana-core-auth:3001
|
|
SUPABASE_URL: ${MAERCHENZAUBER_SUPABASE_URL}
|
|
SUPABASE_ANON_KEY: ${MAERCHENZAUBER_SUPABASE_ANON_KEY}
|
|
SUPABASE_SERVICE_ROLE_KEY: ${MAERCHENZAUBER_SUPABASE_SERVICE_ROLE_KEY}
|
|
AZURE_OPENAI_ENDPOINT: ${AZURE_OPENAI_ENDPOINT}
|
|
AZURE_OPENAI_API_KEY: ${AZURE_OPENAI_API_KEY}
|
|
AZURE_OPENAI_API_VERSION: ${AZURE_OPENAI_API_VERSION:-2024-12-01-preview}
|
|
ports:
|
|
- "127.0.0.1:3002:3002"
|
|
healthcheck:
|
|
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3002/health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
networks:
|
|
- manacore-prod
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "50m"
|
|
max-file: "5"
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '2'
|
|
memory: 1G
|
|
reservations:
|
|
cpus: '1'
|
|
memory: 512M
|
|
|
|
chat-backend:
|
|
image: ${DOCKER_REGISTRY:-ghcr.io/memo-2023}/chat-backend:${CHAT_VERSION:-latest}
|
|
container_name: chat-backend-prod
|
|
restart: always
|
|
depends_on:
|
|
mana-core-auth:
|
|
condition: service_healthy
|
|
environment:
|
|
NODE_ENV: production
|
|
PORT: 3002
|
|
MANA_SERVICE_URL: http://mana-core-auth:3001
|
|
SUPABASE_URL: ${CHAT_SUPABASE_URL}
|
|
SUPABASE_SERVICE_KEY: ${CHAT_SUPABASE_SERVICE_KEY}
|
|
AZURE_OPENAI_ENDPOINT: ${AZURE_OPENAI_ENDPOINT}
|
|
AZURE_OPENAI_API_KEY: ${AZURE_OPENAI_API_KEY}
|
|
AZURE_OPENAI_API_VERSION: ${AZURE_OPENAI_API_VERSION:-2024-12-01-preview}
|
|
ports:
|
|
- "127.0.0.1:3003:3002"
|
|
healthcheck:
|
|
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3002/api/health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
networks:
|
|
- manacore-prod
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "50m"
|
|
max-file: "5"
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '2'
|
|
memory: 1G
|
|
reservations:
|
|
cpus: '1'
|
|
memory: 512M
|
|
|
|
manadeck-backend:
|
|
image: ${DOCKER_REGISTRY:-ghcr.io/memo-2023}/manadeck-backend:${MANADECK_VERSION:-latest}
|
|
container_name: manadeck-backend-prod
|
|
restart: always
|
|
depends_on:
|
|
mana-core-auth:
|
|
condition: service_healthy
|
|
environment:
|
|
NODE_ENV: production
|
|
PORT: 3003
|
|
MANA_SERVICE_URL: http://mana-core-auth:3001
|
|
SUPABASE_URL: ${MANADECK_SUPABASE_URL}
|
|
SUPABASE_SERVICE_KEY: ${MANADECK_SUPABASE_SERVICE_KEY}
|
|
ports:
|
|
- "127.0.0.1:3004:3003"
|
|
healthcheck:
|
|
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3003/health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
networks:
|
|
- manacore-prod
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "50m"
|
|
max-file: "5"
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '1'
|
|
memory: 512M
|
|
reservations:
|
|
cpus: '0.5'
|
|
memory: 256M
|
|
|
|
nutriphi-backend:
|
|
image: ${DOCKER_REGISTRY:-ghcr.io/memo-2023}/nutriphi-backend:${NUTRIPHI_VERSION:-latest}
|
|
container_name: nutriphi-backend-prod
|
|
restart: always
|
|
depends_on:
|
|
mana-core-auth:
|
|
condition: service_healthy
|
|
environment:
|
|
NODE_ENV: production
|
|
PORT: 3004
|
|
MANA_SERVICE_URL: http://mana-core-auth:3001
|
|
SUPABASE_URL: ${NUTRIPHI_SUPABASE_URL}
|
|
SUPABASE_SERVICE_KEY: ${NUTRIPHI_SUPABASE_SERVICE_KEY}
|
|
ports:
|
|
- "127.0.0.1:3005:3004"
|
|
healthcheck:
|
|
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3004/health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
networks:
|
|
- manacore-prod
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "50m"
|
|
max-file: "5"
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '1'
|
|
memory: 512M
|
|
reservations:
|
|
cpus: '0.5'
|
|
memory: 256M
|
|
|
|
news-api:
|
|
image: ${DOCKER_REGISTRY:-ghcr.io/memo-2023}/news-api:${NEWS_VERSION:-latest}
|
|
container_name: news-api-prod
|
|
restart: always
|
|
depends_on:
|
|
mana-core-auth:
|
|
condition: service_healthy
|
|
environment:
|
|
NODE_ENV: production
|
|
PORT: 3005
|
|
MANA_SERVICE_URL: http://mana-core-auth:3001
|
|
ports:
|
|
- "127.0.0.1:3006:3005"
|
|
healthcheck:
|
|
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3005/health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
networks:
|
|
- manacore-prod
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "50m"
|
|
max-file: "5"
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '1'
|
|
memory: 512M
|
|
reservations:
|
|
cpus: '0.5'
|
|
memory: 256M
|
|
|
|
picture-backend:
|
|
image: ${DOCKER_REGISTRY:-ghcr.io/memo-2023}/picture-backend:${PICTURE_VERSION:-latest}
|
|
container_name: picture-backend-prod
|
|
restart: always
|
|
depends_on:
|
|
mana-core-auth:
|
|
condition: service_healthy
|
|
environment:
|
|
NODE_ENV: production
|
|
PORT: 3006
|
|
DATABASE_URL: ${PICTURE_DATABASE_URL}
|
|
MANA_CORE_AUTH_URL: http://mana-core-auth:3001
|
|
# Replicate API for AI image generation
|
|
REPLICATE_API_TOKEN: ${REPLICATE_API_TOKEN}
|
|
# S3/MinIO storage
|
|
S3_ENDPOINT: ${S3_ENDPOINT}
|
|
S3_REGION: ${S3_REGION}
|
|
S3_ACCESS_KEY: ${S3_ACCESS_KEY}
|
|
S3_SECRET_KEY: ${S3_SECRET_KEY}
|
|
MANACORE_STORAGE_PUBLIC_URL: ${MANACORE_STORAGE_PUBLIC_URL}
|
|
# Credit system
|
|
MANA_CORE_SERVICE_KEY: ${MANA_CORE_SERVICE_KEY}
|
|
APP_ID: picture
|
|
ports:
|
|
- "127.0.0.1:3007:3006"
|
|
healthcheck:
|
|
test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:3006/api/v1/health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 40s
|
|
networks:
|
|
- manacore-prod
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "50m"
|
|
max-file: "5"
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
cpus: '2'
|
|
memory: 1G
|
|
reservations:
|
|
cpus: '1'
|
|
memory: 512M
|
|
|
|
# ============================================
|
|
# Monitoring (Optional but recommended)
|
|
# ============================================
|
|
|
|
# Uncomment if you want container monitoring
|
|
# watchtower:
|
|
# image: containrrr/watchtower
|
|
# container_name: watchtower-prod
|
|
# restart: always
|
|
# volumes:
|
|
# - /var/run/docker.sock:/var/run/docker.sock
|
|
# command: --interval 300 --cleanup
|
|
# networks:
|
|
# - manacore-prod
|
|
|
|
# ============================================
|
|
# Networks
|
|
# ============================================
|
|
|
|
networks:
|
|
manacore-prod:
|
|
driver: bridge
|
|
name: manacore-production
|