ci: add forgejo actions pipeline with traefik labels and https health checks

2026-04-21 00:06:22 -03:00 · 2026-04-21 00:06:22 -03:00 · dcd18a07e6
commit dcd18a07e6
parent e6cb06255b
7 changed files with 407 additions and 0 deletions
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@ -0,0 +1,81 @@
+services:
+  db:
+    image: postgres:16-alpine
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+    networks:
+      - internal
+
+  backend:
+    image: ${REGISTRY}/saas-imobiliaria-backend:${IMAGE_TAG:-latest}
+    restart: unless-stopped
+    environment:
+      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
+      SECRET_KEY: ${SECRET_KEY}
+      JWT_SECRET_KEY: ${JWT_SECRET_KEY}
+      FLASK_ENV: production
+      FLASK_APP: app
+      CORS_ORIGINS: https://${DOMAIN}
+    depends_on:
+      db:
+        condition: service_healthy
+    networks:
+      - internal
+      - traefik-public
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik-public"
+      # Router
+      - "traefik.http.routers.imob-api.rule=Host(`${DOMAIN}`) && PathPrefix(`/api`)"
+      - "traefik.http.routers.imob-api.entrypoints=websecure"
+      - "traefik.http.routers.imob-api.tls=true"
+      - "traefik.http.routers.imob-api.tls.certresolver=letsencrypt"
+      # Service
+      - "traefik.http.services.imob-api.loadbalancer.server.port=5000"
+      # Strip /api prefix before forwarding to Flask
+      - "traefik.http.middlewares.imob-api-strip.stripprefix.prefixes=/api"
+      - "traefik.http.routers.imob-api.middlewares=imob-api-strip"
+
+  frontend:
+    image: ${REGISTRY}/saas-imobiliaria-frontend:${IMAGE_TAG:-latest}
+    restart: unless-stopped
+    depends_on:
+      - backend
+    networks:
+      - internal
+      - traefik-public
+    labels:
+      - "traefik.enable=true"
+      - "traefik.docker.network=traefik-public"
+      # Router
+      - "traefik.http.routers.imob-frontend.rule=Host(`${DOMAIN}`)"
+      - "traefik.http.routers.imob-frontend.entrypoints=websecure"
+      - "traefik.http.routers.imob-frontend.tls=true"
+      - "traefik.http.routers.imob-frontend.tls.certresolver=letsencrypt"
+      # Redirect HTTP → HTTPS
+      - "traefik.http.routers.imob-frontend-http.rule=Host(`${DOMAIN}`)"
+      - "traefik.http.routers.imob-frontend-http.entrypoints=web"
+      - "traefik.http.routers.imob-frontend-http.middlewares=redirect-to-https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true"
+      # Service
+      - "traefik.http.services.imob-frontend.loadbalancer.server.port=80"
+
+networks:
+  internal:
+    driver: bridge
+  traefik-public:
+    external: true
+
+volumes:
+  postgres_data: