- Add .dockerignore for backend and frontend (DC-1: eliminates node_modules/ and .env from build context)
- Delete start.sh with --reload flag (DC-2: superseded by Dockerfile CMD)
- Create entrypoint.sh with exec uvicorn (DW-5: proper PID 1 signal handling)
- Pin base images to patch-level tags (DW-1: reproducible builds)
- Reorder Dockerfile: create appuser before COPY, use --chown (DW-2)
- Switch to npm ci for lockfile-enforced installs (DW-3)
- Add network segmentation: backend_net + frontend_net (DW-4: db unreachable from frontend container)
- Add deploy.resources limits to all services (DW-6: OOM protection)
- Refactor proxy-params.conf to include security headers, deduplicate from nginx.conf location blocks (DW-7)
- Add image/svg+xml to gzip_types (DS-1)
- Add wget healthcheck for frontend service (DS-2)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
14 lines
249 B
Bash
```sh
#!/bin/sh
# Abort on the first failing command, so a broken migration never leaves
# uvicorn serving against a half-upgraded schema.
set -e

echo "Running database migrations..."
alembic upgrade head

echo "Starting uvicorn..."
# exec replaces this shell with uvicorn, so uvicorn becomes PID 1 and
# receives SIGTERM/SIGINT from `docker stop` directly instead of the
# signal dying in a parent shell (DW-5).
# --proxy-headers with --forwarded-allow-ips '*' makes uvicorn trust
# X-Forwarded-* from any peer; that is only safe while port 8000 is
# reachable solely from the nginx proxy and is never published to the host.
exec uvicorn app.main:app \
    --host 0.0.0.0 \
    --port 8000 \
    --no-server-header \
    --proxy-headers \
    --forwarded-allow-ips '*'
```
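The compose-level items in the commit message (DW-4 network segmentation, DW-6 resource limits, DS-2 wget healthcheck) are listed but not shown on this page. The fragment below is an added illustration, not the project's own docker-compose file: the service names `db`, `backend`, `frontend` and the networks `backend_net` / `frontend_net` follow the commit message, while the image tags, limit values, healthcheck URL, the presence of `wget` in the frontend image and the `internal: true` hardening on `backend_net` are assumptions that go one step beyond what the commit states.

```yaml
# Added example, not the project's compose file. Values marked "assumed"
# are placeholders; only the service/network names come from the commit.
services:
  db:
    image: postgres:16.4            # assumed tag; pin to patch level (DW-1)
    networks:
      - backend_net                 # reachable from backend only (DW-4)
    deploy:
      resources:
        limits:
          memory: 512M              # assumed value; caps OOM blast radius (DW-6)
          cpus: "1.0"

  backend:
    build: ./backend
    entrypoint: ["/app/entrypoint.sh"]   # exec uvicorn, PID 1 signals (DW-5)
    networks:
      - backend_net                 # talks to db
      - frontend_net                # receives proxied requests from frontend
    # Port 8000 is intentionally not published; the proxy reaches it on
    # frontend_net, which is what makes --forwarded-allow-ips '*' tolerable.
    deploy:
      resources:
        limits:
          memory: 512M              # assumed value
          cpus: "1.0"

  frontend:
    build: ./frontend
    ports:
      - "80:80"                     # the only host-exposed port (assumed)
    networks:
      - frontend_net                # no route to db exists from here (DW-4)
    healthcheck:                    # DS-2; assumes BusyBox wget in the image
      test: ["CMD", "wget", "-q", "--spider", "http://localhost/"]
      interval: 30s
      timeout: 5s
      retries: 3
    deploy:
      resources:
        limits:
          memory: 128M              # assumed value
          cpus: "0.5"

networks:
  backend_net:
    internal: true                  # assumed extra: db gets no egress at all
  frontend_net: {}
```

With this layout, `docker compose exec frontend nc -z db 5432` should fail to resolve or connect, which is the quick way to confirm that DW-4 actually holds after a compose change.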