medassist-ng/docker-compose.yml

# =============================================================================
# PRODUCTION DOCKER COMPOSE - Security Hardened
# =============================================================================

services:
  backend:
    image: git.danielvolz.org/daniel/medassist-ng/backend:0.0.1
    container_name: medassist-ng-backend
    env_file:
      - .env
    volumes:
      - ./data:/app/data
    ports:
      - "4000:3000"
    networks:
      - medassist-ng-net
    # Security options
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp:noexec,nosuid,size=64m
    cap_drop:
      - ALL
    healthcheck:
      test: ["CMD", "/nodejs/bin/node", "-e", "fetch('http://localhost:3000/health').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s

  frontend:
    image: git.danielvolz.org/daniel/medassist-ng/frontend:0.0.1
    container_name: medassist-ng-frontend
    ports:
      - "4174:8080"
    networks:
      - medassist-ng-net
    depends_on:
      backend:
        condition: service_healthy
    # Security options
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp:noexec,nosuid,size=64m
      - /var/cache/nginx:noexec,nosuid,size=64m
      - /var/run:noexec,nosuid,size=64m
    cap_drop:
      - ALL

networks:
  medassist-ng-net:
    driver: bridge