Reactive-Resume/compose.yml
Amruth Pillai a42dbcd452 feat(security): harden auth, oauth, and printer endpoints
Add stricter URL and redirect validation, endpoint rate limiting, safer defaults for printer and compose config, and CSP protections across server and API surfaces.

Made-with: Cursor
2026-04-25 15:31:06 +02:00


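# Docker Compose stack for Reactive Resume: PostgreSQL, a headless-Chromium
# printer (browserless), SeaweedFS as S3-compatible storage, a one-shot bucket
# bootstrap job, and the application itself.
#
# Security notes for operators:
#   * Every credential below has a well-known default. Override them before the
#     stack is reachable by anyone else. These host variables are read
#     (from the shell environment or an .env file next to this file):
#       BROWSERLESS_IMAGE, BROWSERLESS_TOKEN, POSTGRES_PASSWORD, AUTH_SECRET
#   * All images use the floating `latest` tag, so a pull can change what runs.
#     Pin a version tag or digest for reproducible, reviewable deployments.
#   * Only the application publishes a port; the backing services are reachable
#     solely over the internal networks declared at the bottom of this file.
name: reactive_resume

services:
  postgres:
    # `latest` also floats across PostgreSQL major versions; a major-version
    # jump on an existing volume needs a dump/restore or pg_upgrade.
    image: postgres:latest
    restart: unless-stopped
    networks:
      - data_network
    environment:
      - POSTGRES_DB=postgres
      - POSTGRES_USER=postgres
      # Overridable; defaults to the original value. The official image applies
      # this only when it initialises an empty data directory, so changing it
      # later does not change the password of an existing database.
      # Must match the password embedded in DATABASE_URL below.
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-postgres}
    volumes:
      - postgres_data:/var/lib/postgresql
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "postgres", "-d", "postgres"]
      start_period: 10s
      interval: 30s
      timeout: 10s
      retries: 3

  browserless:
    image: ${BROWSERLESS_IMAGE:-ghcr.io/browserless/chromium:latest}
    restart: unless-stopped
    networks:
      - printer_network
    environment:
      - QUEUED=10
      - HEALTH=true
      - CONCURRENT=5
      # Shared secret between the app and the printer. `change-me` is a
      # placeholder default: set BROWSERLESS_TOKEN to a random value.
      - TOKEN=${BROWSERLESS_TOKEN:-change-me}
    healthcheck:
      # The token is passed in the query string, so it is visible in the
      # container configuration (`docker inspect`) and in the curl command line.
      test: ["CMD-SHELL", 'curl -f "http://localhost:3000/pressure?token=${BROWSERLESS_TOKEN:-change-me}"']
      interval: 10s
      timeout: 5s
      retries: 10

  # As an alternative to browserless, you can also use a lightweight image like chromedp/headless-shell:latest
  # See https://docs.rxresu.me/self-hosting/docker#alternative-printer-options for more information.
  # NOTE(review): the `ports` mapping below publishes the DevTools port on the
  # host; the app reaches `chrome` over printer_network, so publishing it looks
  # unnecessary - confirm before enabling.
  # chrome:
  #   image: chromedp/headless-shell:latest
  #   restart: unless-stopped
  #   networks:
  #     - printer_network
  #   ports:
  #     - "9222:9222"

  seaweedfs:
    image: chrislusf/seaweedfs:latest
    restart: unless-stopped
    command: server -s3 -filer -dir=/data -ip=0.0.0.0
    networks:
      - storage_network
    environment:
      # Default storage credentials. The same pair is repeated in the
      # seaweedfs_create_bucket entrypoint and in the app's S3_* variables;
      # change all three places together.
      - AWS_ACCESS_KEY_ID=seaweedfs
      - AWS_SECRET_ACCESS_KEY=seaweedfs
    volumes:
      - seaweedfs_data:/data
    healthcheck:
      test: ["CMD", "wget", "-q", "-O", "/dev/null", "http://localhost:8888"]
      start_period: 10s
      interval: 30s
      timeout: 10s
      retries: 3

  # One-shot job: registers the SeaweedFS endpoint with `mc` and creates the
  # bucket. It always ends with `exit 0`, so a failed `mc` command (for example
  # after a credential mismatch) still counts as a successful completion for
  # the `service_completed_successfully` condition used by reactive_resume.
  seaweedfs_create_bucket:
    image: quay.io/minio/mc:latest
    restart: on-failure
    entrypoint: >
      /bin/sh -c "
      sleep 5;
      mc alias set seaweedfs http://seaweedfs:8333 seaweedfs seaweedfs;
      mc mb seaweedfs/reactive-resume;
      exit 0;
      "
    networks:
      - storage_network
    depends_on:
      seaweedfs:
        condition: service_healthy

  reactive_resume:
    # image: amruthpillai/reactive-resume:latest
    # image: ghcr.io/amruthpillai/reactive-resume:latest
    build:
      context: .
      dockerfile: Dockerfile
    networks:
      - data_network
      - printer_network
      - storage_network
    ports:
      # Published on all host interfaces over plain HTTP. For anything beyond
      # local use, terminate TLS in a reverse proxy in front of this port.
      # NOTE(review): PRINTER_APP_URL points at host.docker.internal:3000, so
      # the printer path appears to rely on this published port - check that
      # before restricting the bind address.
      - "3000:3000"
    environment:
      # Server
      - TZ=Etc/UTC
      - NODE_ENV=production
      - APP_URL=http://localhost:3000
      - PRINTER_APP_URL=http://host.docker.internal:3000
      # Printer
      - PRINTER_ENDPOINT=ws://browserless:3000?token=${BROWSERLESS_TOKEN:-change-me}
      # - PRINTER_ENDPOINT=http://chrome:9222 # Or, if you're using chromedp/headless-shell
      # Database
      # The password is interpolated from the same variable as the postgres
      # service. Characters that are reserved in URLs must be percent-encoded.
      - DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD:-postgres}@postgres:5432/postgres
      # Authentication
      # Overridable; the default is a public placeholder. Set AUTH_SECRET to a
      # long random value (e.g. the output of `openssl rand -hex 32`).
      - AUTH_SECRET=${AUTH_SECRET:-change-me-to-a-secure-secret-key-in-production}
      # Storage
      - S3_ACCESS_KEY_ID=seaweedfs
      - S3_SECRET_ACCESS_KEY=seaweedfs
      - S3_ENDPOINT=http://seaweedfs:8333
      - S3_BUCKET=reactive-resume
      - S3_FORCE_PATH_STYLE=true
    volumes:
      - reactive_resume_data:/app/data
    depends_on:
      postgres:
        condition: service_healthy
      browserless:
        condition: service_healthy
      seaweedfs_create_bucket:
        condition: service_completed_successfully
    extra_hosts:
      - "host.docker.internal:host-gateway"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3000/api/health"]
      start_period: 10s
      interval: 30s
      timeout: 10s
      retries: 3

volumes:
  postgres_data:
  seaweedfs_data:
  reactive_resume_data:

# One network per backing service: postgres, browserless and seaweedfs each sit
# on their own network and only reactive_resume joins all three.
networks:
  data_network:
  printer_network:
  storage_network: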