prepare for prod deployment

mendelskiv93 · mendelskiv93 · commit 59314838d7e7 · 2025-10-15T08:26:21.000+02:00
- User namespace remapping with UID/GID build args - Bind mount volumes with relative paths - Hardcoded container names for backup service integration - Secrets passed via systemd environment variables status-im/infra-sites#89 status-im/infra-sites#35
diff --git a/.env.prod.db b/.env.prod.db
@@ -0,0 +1,2 @@
+POSTGRES_USER=root
+POSTGRES_DB=shell_db_prod
diff --git a/.gitignore b/.gitignore
@@ -88,7 +88,6 @@ local_settings.py
 .env.dev
 .env.prod
 .env.dev.db
-.env.prod.db
 db.sqlite3
 node_modules/
 static/keycard_shell/js
diff --git a/Dockerfile.prod b/Dockerfile.prod
@@ -4,6 +4,10 @@
 # pull official base image
 FROM python:3.13.2-alpine as builder
 
+# Build args for UID/GID
+ARG UID=1000
+ARG GID=1000
+
 # set work directory
 WORKDIR /usr/src/keycard_shell
 # set environment variables
@@ -30,11 +34,15 @@ RUN pip wheel --no-cache-dir --no-deps --wheel-dir /usr/src/keycard_shell/wheels
 # pull official base image
 FROM python:3.13.2-alpine
 
+# Build args for UID/GID
+ARG UID=1000
+ARG GID=1000
+
 # create directory for the app user
 RUN mkdir -p /home/keycard_shell
 
 # create the app user
-RUN addgroup -S keycard_shell && adduser -S keycard_shell -G keycard_shell
+RUN addgroup -g ${GID} -S keycard_shell && adduser -u ${UID} -S keycard_shell -G keycard_shell
 
 # create the appropriate directories
 ENV HOME=/home/keycard_shell
@@ -61,16 +69,16 @@ COPY . $APP_HOME
 RUN sed -i 's/\r//g' $APP_HOME/entrypoint.prod.sh
 RUN chmod +x $APP_HOME/entrypoint.prod.sh
 
-# chown all the files to the app user
-RUN chown -R keycard_shell:keycard_shell $APP_HOME
-RUN mkdir -p /var/lib/keycard_shell/data
-RUN chown -R keycard_shell:keycard_shell /var/lib/keycard_shell/data
-
 # build JS, CSS
 RUN npm install
 RUN npm run build
 RUN npm cache clean --force
 
+# chown all the files to the app user
+RUN chown -R ${UID}:${GID} $APP_HOME
+RUN mkdir -p /var/lib/keycard_shell/data
+RUN chown -R ${UID}:${GID} /var/lib/keycard_shell/data
+
 # change to the app user
 USER keycard_shell
 
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
@@ -1,31 +1,42 @@
 services:
   web:
+    container_name: keycard-shell-webapp
     build:
       context: .
       dockerfile: Dockerfile.prod
+      args:
+        UID: ${UID:-1000}
+        GID: ${GID:-1000}
     volumes:
-      - kpro_data:/var/lib/keycard_shell/data/
-      - static_volume:/home/keycard_shell/web/staticfiles
+      - ../upload:/var/lib/keycard_shell/data/
+      - ../static:/home/keycard_shell/web/staticfiles
+    environment:
+      - SECRET_KEY=${SECRET_KEY}
+      - DB_SIGN_KEY=${DB_SIGN_KEY}
+      - DEVICE_VERIFICATION_SIGN_KEY=${DEVICE_VERIFICATION_SIGN_KEY}
+      - SALT_KEY=${SALT_KEY}
+      - DJANGO_SUPERUSER_PASSWORD=${DJANGO_SUPERUSER_PASSWORD}
+      - SQL_PASSWORD=${SQL_PASSWORD}
     env_file:
       - ./.env.prod
     depends_on:
       - db
   db:
+    container_name: keycard-shell-db # Used by backup service - do not change!
     image: postgres:17.4-alpine
     volumes:
-      - /docker/shell/db/data:/var/lib/postgresql/data/
+      - ../db/data:/var/lib/postgresql/data/
+    environment:
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
     env_file:
       - ./.env.prod.db
   nginx:
+    container_name: kshell-nginx
     build: ./nginx
     ports:
       - 3000:3000
     depends_on:
       - web
     volumes:
-      - kpro_data:/var/lib/keycard_shell/data/
-      - static_volume:/home/keycard_shell/web/staticfiles
-volumes:
-  kpro_data:
-  static_volume:
-  
+      - ../upload:/var/lib/keycard_shell/data/
+      - ../static:/home/keycard_shell/web/staticfiles

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+POSTGRES_USER=root`
	`2`	`+POSTGRES_DB=shell_db_prod`