xiaoquan
b358dbdab1
- deploy.yml 从 secrets 动态生成 .env,部署后自动删除 - docker-compose.prod.yml 支持全部业务配置注入(短信/微信/支付宝等) - .env.example 只保留 GITEA_RUNNER_TOKEN,其他密钥全部迁移到 Secrets - 更新 deploy/README.md 文档,完整列出 Secrets 配置清单 服务器上不再存储任何密码文件,安全性大幅提升 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
134 lines
3.4 KiB
YAML
134 lines
3.4 KiB
YAML
version: '3.8'
|
|
|
|
services:
|
|
mysql:
|
|
image: mysql:8.0
|
|
container_name: rent-prod-mysql
|
|
restart: always
|
|
environment:
|
|
MYSQL_ROOT_PASSWORD: ${PROD_DB_PASSWORD:-rent123456}
|
|
MYSQL_DATABASE: rent_platform
|
|
MYSQL_CHARSET: utf8mb4
|
|
MYSQL_COLLATION: utf8mb4_unicode_ci
|
|
ports:
|
|
- "3306:3306"
|
|
volumes:
|
|
- mysql_prod_data:/var/lib/mysql
|
|
- ../../database/migrations:/docker-entrypoint-initdb.d
|
|
command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
|
|
healthcheck:
|
|
test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 5
|
|
networks:
|
|
- rent-prod
|
|
|
|
redis:
|
|
image: redis:7-alpine
|
|
container_name: rent-prod-redis
|
|
restart: always
|
|
ports:
|
|
- "6379:6379"
|
|
volumes:
|
|
- redis_prod_data:/data
|
|
command: redis-server --appendonly yes
|
|
healthcheck:
|
|
test: ["CMD", "redis-cli", "ping"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 5
|
|
networks:
|
|
- rent-prod
|
|
|
|
server:
|
|
build:
|
|
context: ../..
|
|
dockerfile: deploy/docker/Dockerfile.server
|
|
container_name: rent-prod-server
|
|
restart: always
|
|
ports:
|
|
- "3000:3000"
|
|
environment:
|
|
NODE_ENV: production
|
|
PORT: 3000
|
|
# Docker 内部网络
|
|
DB_HOST: mysql
|
|
DB_PORT: 3306
|
|
DB_USERNAME: root
|
|
DB_DATABASE: rent_platform
|
|
REDIS_HOST: redis
|
|
REDIS_PORT: 6379
|
|
# 从 .env.prod 注入的密钥
|
|
DB_PASSWORD: ${PROD_DB_PASSWORD}
|
|
JWT_SECRET: ${PROD_JWT_SECRET}
|
|
JWT_EXPIRES_IN: ${PROD_JWT_EXPIRES_IN:-2h}
|
|
JWT_REFRESH_EXPIRES_IN: ${PROD_JWT_REFRESH_EXPIRES_IN:-7d}
|
|
SMS_ACCESS_KEY_ID: ${PROD_SMS_ACCESS_KEY_ID:-}
|
|
SMS_ACCESS_KEY_SECRET: ${PROD_SMS_ACCESS_KEY_SECRET:-}
|
|
SMS_SIGN_NAME: ${PROD_SMS_SIGN_NAME:-}
|
|
SMS_TEMPLATE_CODE: ${PROD_SMS_TEMPLATE_CODE:-}
|
|
WECHAT_APPID: ${PROD_WECHAT_APPID:-}
|
|
WECHAT_SECRET: ${PROD_WECHAT_SECRET:-}
|
|
WECHAT_MCHID: ${PROD_WECHAT_MCHID:-}
|
|
WECHAT_SERIAL_NO: ${PROD_WECHAT_SERIAL_NO:-}
|
|
WECHAT_APIV3_KEY: ${PROD_WECHAT_APIV3_KEY:-}
|
|
WECHAT_PRIVATE_KEY: ${PROD_WECHAT_PRIVATE_KEY:-}
|
|
WECHAT_PAY_NOTIFY_URL: ${PROD_WECHAT_PAY_NOTIFY_URL:-}
|
|
WECHAT_REFUND_NOTIFY_URL: ${PROD_WECHAT_REFUND_NOTIFY_URL:-}
|
|
ALIPAY_APPID: ${PROD_ALIPAY_APPID:-}
|
|
ALIPAY_PRIVATE_KEY: ${PROD_ALIPAY_PRIVATE_KEY:-}
|
|
API_BASE_URL: ${PROD_API_BASE_URL:-http://localhost:3000}
|
|
depends_on:
|
|
mysql:
|
|
condition: service_healthy
|
|
redis:
|
|
condition: service_healthy
|
|
networks:
|
|
- rent-prod
|
|
|
|
merchant-admin:
|
|
build:
|
|
context: ../..
|
|
dockerfile: deploy/docker/Dockerfile.merchant
|
|
container_name: rent-prod-merchant
|
|
restart: always
|
|
ports:
|
|
- "8081:80"
|
|
depends_on:
|
|
- server
|
|
networks:
|
|
- rent-prod
|
|
|
|
platform-admin:
|
|
build:
|
|
context: ../..
|
|
dockerfile: deploy/docker/Dockerfile.platform
|
|
container_name: rent-prod-platform
|
|
restart: always
|
|
ports:
|
|
- "8082:80"
|
|
depends_on:
|
|
- server
|
|
networks:
|
|
- rent-prod
|
|
|
|
website:
|
|
build:
|
|
context: ../..
|
|
dockerfile: deploy/docker/Dockerfile.website
|
|
container_name: rent-prod-website
|
|
restart: always
|
|
ports:
|
|
- "8083:80"
|
|
networks:
|
|
- rent-prod
|
|
|
|
volumes:
|
|
mysql_prod_data:
|
|
redis_prod_data:
|
|
|
|
networks:
|
|
rent-prod:
|
|
name: rent-prod
|