tranquil-pds/docker-compose.prod.yaml

services:
  tranquil-pds:
    build:
      context: .
      dockerfile: Dockerfile
    image: tranquil-pds:latest
    restart: unless-stopped
    environment:
      SERVER_HOST: "0.0.0.0"
      SERVER_PORT: "3000"
      PDS_HOSTNAME: "${PDS_HOSTNAME:?PDS_HOSTNAME is required}"
      DATABASE_URL: "postgres://tranquil_pds:${DB_PASSWORD:?DB_PASSWORD is required}@db:5432/pds"
      S3_ENDPOINT: "http://minio:9000"
      AWS_REGION: "us-east-1"
      S3_BUCKET: "pds-blobs"
      AWS_ACCESS_KEY_ID: "${MINIO_ROOT_USER:-minioadmin}"
      AWS_SECRET_ACCESS_KEY: "${MINIO_ROOT_PASSWORD:?MINIO_ROOT_PASSWORD is required}"
      VALKEY_URL: "redis://valkey:6379"
      JWT_SECRET: "${JWT_SECRET:?JWT_SECRET is required (min 32 chars)}"
      DPOP_SECRET: "${DPOP_SECRET:?DPOP_SECRET is required (min 32 chars)}"
      MASTER_KEY: "${MASTER_KEY:?MASTER_KEY is required (min 32 chars)}"
      CRAWLERS: "${CRAWLERS:-https://bsky.network}"
    depends_on:
      db:
        condition: service_healthy
      minio:
        condition: service_healthy
      valkey:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "wget", "-q", "--spider", "http://localhost:3000/xrpc/_health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    deploy:
      resources:
        limits:
          memory: 1G
        reservations:
          memory: 256M

  frontend:
    build:
      context: ./frontend
      dockerfile: Dockerfile
    image: tranquil-pds-frontend:latest
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "-q", "--spider", "http://localhost:80/"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 5s
    deploy:
      resources:
        limits:
          memory: 128M
        reservations:
          memory: 32M

  db:
    image: postgres:18-alpine
    restart: unless-stopped
    environment:
      POSTGRES_USER: tranquil_pds
      POSTGRES_PASSWORD: "${DB_PASSWORD:?DB_PASSWORD is required}"
      POSTGRES_DB: pds
    volumes:
      - postgres_data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U tranquil_pds -d pds"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s
    deploy:
      resources:
        limits:
          memory: 512M
        reservations:
          memory: 128M

  minio:
    image: cgr.dev/chainguard/minio:latest
    restart: unless-stopped
    command: server /data --console-address ":9001"
    environment:
      MINIO_ROOT_USER: "${MINIO_ROOT_USER:-minioadmin}"
      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD:?MINIO_ROOT_PASSWORD is required}"
    volumes:
      - minio_data:/data
    deploy:
      resources:
        limits:
          memory: 512M
        reservations:
          memory: 128M

  minio-init:
    image: cgr.dev/chainguard/minio-client:latest-dev
    depends_on:
      - minio
    entrypoint: >
      /bin/sh -c "
      for i in 1 2 3 4 5 6 7 8 9 10; do
        mc alias set local http://minio:9000 $${MINIO_ROOT_USER} $${MINIO_ROOT_PASSWORD} && break;
        echo 'Waiting for minio...'; sleep 2;
      done;
      mc mb --ignore-existing local/pds-blobs;
      mc mb --ignore-existing local/pds-backups;
      mc anonymous set none local/pds-blobs;
      exit 0;
      "
    environment:
      MINIO_ROOT_USER: "${MINIO_ROOT_USER:-minioadmin}"
      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD:?MINIO_ROOT_PASSWORD is required}"

  valkey:
    image: valkey/valkey:9-alpine
    restart: unless-stopped
    command: valkey-server --appendonly yes --maxmemory 256mb --maxmemory-policy allkeys-lru
    volumes:
      - valkey_data:/data
    healthcheck:
      test: ["CMD", "valkey-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 5s
    deploy:
      resources:
        limits:
          memory: 300M
        reservations:
          memory: 64M

  nginx:
    image: nginx:1.29-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.frontend.conf:/etc/nginx/nginx.conf:ro
      - ./certs:/etc/nginx/certs:ro
      - acme_challenge:/var/www/acme:ro
    depends_on:
      - tranquil-pds
      - frontend
    healthcheck:
      test: ["CMD", "nginx", "-t"]
      interval: 30s
      timeout: 10s
      retries: 3

  certbot:
    image: certbot/certbot:v5.2.2
    volumes:
      - ./certs:/etc/letsencrypt
      - acme_challenge:/var/www/acme
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew --webroot -w /var/www/acme; sleep 12h & wait $${!}; done'"

  prometheus:
    image: prom/prometheus:v3.8.0
    restart: unless-stopped
    ports:
      - "127.0.0.1:9090:9090"
    volumes:
      - ./observability/prometheus.yaml:/etc/prometheus/prometheus.yaml:ro
      - prometheus_data:/prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yaml'
      - '--storage.tsdb.path=/prometheus'
      - '--storage.tsdb.retention.time=30d'
    deploy:
      resources:
        limits:
          memory: 256M

volumes:
  postgres_data:
  minio_data:
  valkey_data:
  prometheus_data:
  acme_challenge: