Skip to content

Production Deployment

Production Compose file

For production, use:

bash
docker compose -f deployment/docker-compose.prod.yml up -d

The production configuration differs from development by:

  • No source volume mounts (built from images)
  • restart: unless-stopped for all services
  • Resource limits (CPU, memory)
  • No direct port access to the database or MinIO

Secrets management with SOPS + age

For production, secrets are encrypted with SOPS:

bash
# Decrypt secrets (age key must be present)
sops -d deployment/secrets.enc.yaml > .env

# The deploy script does this automatically
deployment/scripts/deploy.sh

The age public key is documented in deployment/secrets.enc.yaml.example.

TLS with Caddy

Caddy handles TLS termination and reverse proxy. Set the domain variable:

bash
DOMAIN=app.clavis-rallye.com

Caddy automatically provisions a Let's Encrypt certificate. The configuration is in deployment/Caddyfile.production.

Production environment variables

VariableDescription
DOMAINProduction domain (e.g., app.clavis-rallye.com)
JWT_SECRET_KEYJWT signing key (≥32 characters, random)
HMAC_AUDIT_KEYHMAC key for audit log chain
POSTGRES_PASSWORDDatabase password
MINIO_ACCESS_KEYMinIO access credentials
MINIO_SECRET_KEYMinIO secret key

All [SECRET]-marked variables from deployment/.env.example must be set.