From 97163bfb89a454d9b4acfe0ee44ac6fe66973778 Mon Sep 17 00:00:00 2001 From: Sepehr Ramezani Date: Tue, 21 Apr 2026 23:09:22 +0200 Subject: [PATCH] fix: production deployment hardening Docker: - Restrict PostgreSQL port to 127.0.0.1 only (not exposed to LAN) - Add APP_BASE_URL for MCP server to reach Next.js via Docker network - Fix MCP healthcheck (remove always-passing fallback) - Add resource limits to mcp-server container Dockerfile: - Remove full node_modules copy (standalone already includes deps) Reduces image size by ~500MB+ Config: - Add MCP_SERVER_MODE and MCP_SERVER_URL to deploy.sh and .env.docker.example - Deploy script now auto-sets MCP_SERVER_URL based on NEXTAUTH_URL Co-Authored-By: Claude Opus 4.5 --- .env.docker.example | 3 +++ docker-compose.yml | 13 +++++++++++-- memento-note/Dockerfile | 1 - scripts/deploy.sh | 2 ++ 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/.env.docker.example b/.env.docker.example index f1f7ead..a2c9b5c 100644 --- a/.env.docker.example +++ b/.env.docker.example @@ -41,6 +41,9 @@ POSTGRES_PASSWORD=memento # Mode: 'stdio' (Claude Desktop, Cline) or 'sse' (N8N, HTTP) MCP_MODE="stdio" MCP_PORT="3001" +# Frontend MCP settings (for the MCP settings panel in the web UI) +# MCP_SERVER_MODE="sse" +# MCP_SERVER_URL="http://YOUR_IP:3001" # ============================================================================= # AI PROVIDER - TAGS GENERATION diff --git a/docker-compose.yml b/docker-compose.yml index f5be1c7..93b3fd1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -13,7 +13,7 @@ services: volumes: - postgres-data:/var/lib/postgresql/data ports: - - "5432:5432" + - "127.0.0.1:5432:5432" healthcheck: test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-memento}"] interval: 5s @@ -79,14 +79,23 @@ services: # DATABASE_URL is auto-constructed from PostgreSQL credentials (not in .env.docker) - DATABASE_URL=postgresql://${POSTGRES_USER:-memento}:${POSTGRES_PASSWORD:-memento}@postgres:5432/${POSTGRES_DB:-memento} - NODE_ENV=production + - APP_BASE_URL=http://memento-note:3000 depends_on: postgres: condition: service_healthy restart: unless-stopped networks: - memento-network + deploy: + resources: + limits: + cpus: '1' + memory: 512M + reservations: + cpus: '0.25' + memory: 128M healthcheck: - test: ["CMD-SHELL", "wget --spider -q http://localhost:3001/ || node -e \"console.log('healthy')\""] + test: ["CMD-SHELL", "wget --spider -q http://localhost:3001/ || exit 1"] interval: 30s timeout: 10s retries: 3 diff --git a/memento-note/Dockerfile b/memento-note/Dockerfile index 383da49..02ffece 100644 --- a/memento-note/Dockerfile +++ b/memento-note/Dockerfile @@ -52,7 +52,6 @@ COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static COPY --from=builder /app/prisma ./prisma RUN chown -R nextjs:nodejs /app/prisma COPY --from=builder --chown=nextjs:nodejs /app/node_modules/.prisma ./node_modules/.prisma -COPY --from=builder --chown=nextjs:nodejs /app/node_modules ./node_modules USER nextjs diff --git a/scripts/deploy.sh b/scripts/deploy.sh index 17208ce..b40b11d 100755 --- a/scripts/deploy.sh +++ b/scripts/deploy.sh @@ -165,6 +165,8 @@ POSTGRES_PASSWORD="${pg_pass}" # MCP Server MCP_MODE="sse" MCP_PORT="3001" +MCP_SERVER_MODE="sse" +MCP_SERVER_URL="${url}:3001" # AI - Tags AI_PROVIDER_TAGS=${ai_tags_provider}