feat(deploy): merge Phase 5a deployment configuration

Complete containerized deployment system with Docker/Podman support. Key features: - Multi-stage Dockerfile with Python 3.11-slim base - Docker Compose configurations for production and development - Nginx reverse proxy with security headers and rate limiting - Systemd service units for Docker, Podman, and docker-compose - Backup/restore scripts with integrity verification - Podman compatibility (ADR-009) All tests pass including Podman verification testing. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-21 19:16:54 -07:00
parent d3c3e8dc6b
commit 01dcaba86b
22 changed files with 6353 additions and 18 deletions
--- a/docker-compose.production.yml
+++ b/docker-compose.production.yml
@@ -0,0 +1,51 @@
+version: '3.8'
+
+# Gondulf Production Configuration - nginx Reverse Proxy with TLS
+# Usage: podman-compose -f docker-compose.yml -f docker-compose.production.yml up -d
+# Or:    docker-compose -f docker-compose.yml -f docker-compose.production.yml up -d
+
+services:
+  gondulf:
+    # Remove direct port exposure in production (nginx handles external access)
+    ports: []
+
+    # Production environment settings
+    environment:
+      - GONDULF_HTTPS_REDIRECT=true
+      - GONDULF_SECURE_COOKIES=true
+      - GONDULF_TRUST_PROXY=true
+      - GONDULF_DEBUG=false
+      - GONDULF_LOG_LEVEL=INFO
+
+  nginx:
+    image: nginx:1.25-alpine
+    container_name: gondulf_nginx
+    restart: unless-stopped
+
+    # External ports
+    ports:
+      - "80:80"
+      - "443:443"
+
+    # Configuration and SSL certificates
+    volumes:
+      - ./deployment/nginx/conf.d:/etc/nginx/conf.d:ro
+      - ./deployment/nginx/ssl:/etc/nginx/ssl:ro
+      # Optional: Let's Encrypt challenge directory
+      # - ./deployment/nginx/certbot:/var/www/certbot:ro
+
+    # Wait for Gondulf to be healthy
+    depends_on:
+      gondulf:
+        condition: service_healthy
+
+    networks:
+      - gondulf_network
+
+    # nginx health check
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost/health"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+      start_period: 5s