Production Deployment
Production Compose file
For production, use:
bash
docker compose -f deployment/docker-compose.prod.yml up -dThe production configuration differs from development by:
- No source volume mounts (built from images)
restart: unless-stoppedfor all services- Resource limits (CPU, memory)
- No direct port access to the database or MinIO
Secrets management with SOPS + age
For production, secrets are encrypted with SOPS:
bash
# Decrypt secrets (age key must be present)
sops -d deployment/secrets.enc.yaml > .env
# The deploy script does this automatically
deployment/scripts/deploy.shThe age public key is documented in deployment/secrets.enc.yaml.example.
TLS with Caddy
Caddy handles TLS termination and reverse proxy. Set the domain variable:
bash
DOMAIN=app.clavis-rallye.comCaddy automatically provisions a Let's Encrypt certificate. The configuration is in deployment/Caddyfile.production.
Production environment variables
| Variable | Description |
|---|---|
DOMAIN | Production domain (e.g., app.clavis-rallye.com) |
JWT_SECRET_KEY | JWT signing key (≥32 characters, random) |
HMAC_AUDIT_KEY | HMAC key for audit log chain |
POSTGRES_PASSWORD | Database password |
MINIO_ACCESS_KEY | MinIO access credentials |
MINIO_SECRET_KEY | MinIO secret key |
All [SECRET]-marked variables from deployment/.env.example must be set.