fix: production deployment hardening
Some checks failed
Deploy to Production / Deploy to 192.168.1.190 (push) Has been cancelled

Docker:
- Restrict PostgreSQL port to 127.0.0.1 only (not exposed to LAN)
- Add APP_BASE_URL for MCP server to reach Next.js via Docker network
- Fix MCP healthcheck (remove always-passing fallback)
- Add resource limits to mcp-server container

Dockerfile:
- Remove full node_modules copy (standalone already includes deps)
  Reduces image size by ~500MB+

Config:
- Add MCP_SERVER_MODE and MCP_SERVER_URL to deploy.sh and .env.docker.example
- Deploy script now auto-sets MCP_SERVER_URL based on NEXTAUTH_URL

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sepehr Ramezani
2026-04-21 23:09:22 +02:00
parent 8d37115e1d
commit 97163bfb89
4 changed files with 16 additions and 3 deletions

View File

@@ -41,6 +41,9 @@ POSTGRES_PASSWORD=memento
# Mode: 'stdio' (Claude Desktop, Cline) or 'sse' (N8N, HTTP)
MCP_MODE="stdio"
MCP_PORT="3001"
# Frontend MCP settings (for the MCP settings panel in the web UI)
# MCP_SERVER_MODE="sse"
# MCP_SERVER_URL="http://YOUR_IP:3001"
# =============================================================================
# AI PROVIDER - TAGS GENERATION

View File

@@ -13,7 +13,7 @@ services:
volumes:
- postgres-data:/var/lib/postgresql/data
ports:
- "5432:5432"
- "127.0.0.1:5432:5432"
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-memento}"]
interval: 5s
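Review bot: with the publish now bound to 127.0.0.1, the remaining question is whether the host publish is needed at all. Both application containers reach the database over memento-network by service name (the DATABASE_URL below uses `postgres:5432`), so if nothing on the host runs psql against it the `ports:` entry can be dropped and the server never touches a host socket; if host-side tooling does need it, keep the loopback form and say so in a comment. One caveat worth recording next to the change: Docker inserts its own published-port rules into the host's iptables ahead of ufw/firewalld rules, so the previous `"5432:5432"` form was reachable from the LAN even on hosts whose admin believed a host firewall covered it, and a loopback bind is the right fix for that rather than a firewall rule.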
@@ -79,14 +79,23 @@ services:
# DATABASE_URL is auto-constructed from PostgreSQL credentials (not in .env.docker)
- DATABASE_URL=postgresql://${POSTGRES_USER:-memento}:${POSTGRES_PASSWORD:-memento}@postgres:5432/${POSTGRES_DB:-memento}
- NODE_ENV=production
- APP_BASE_URL=http://memento-note:3000
depends_on:
postgres:
condition: service_healthy
restart: unless-stopped
networks:
- memento-network
deploy:
resources:
limits:
cpus: '1'
memory: 512M
reservations:
cpus: '0.25'
memory: 128M
healthcheck:
test: ["CMD-SHELL", "wget --spider -q http://localhost:3001/ || node -e \"console.log('healthy')\""]
test: ["CMD-SHELL", "wget --spider -q http://localhost:3001/ || exit 1"]
interval: 30s
timeout: 10s
retries: 3
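Review bot: the new healthcheck `wget --spider -q http://localhost:3001/ || exit 1` now fails honestly, but it hardcodes 3001 instead of `${MCP_PORT:-3001}` and it assumes an HTTP listener, which exists only when MCP_MODE is "sse"; if this service is started with MCP_MODE="stdio" (the default shown in .env.docker.example above) the container will sit permanently unhealthy after three failures. Either make the test conditional on the mode, e.g. `[ "$MCP_MODE" != sse ] || wget --spider -q http://localhost:${MCP_PORT:-3001}/`, or document that mcp-server is sse-only in this compose file. Also confirm that `wget` is present in the image and that `/` answers the request `--spider` sends (a HEAD in GNU wget) with a success status, since a 404 on `/` fails the check; a dedicated health path is more robust. On the resource block: `deploy.resources` is honoured by `docker compose` v2 but was ignored by the legacy `docker-compose` v1 binary unless `--compatibility` was passed, so pin which one deploy.sh invokes, and with `memory: 512M` consider setting `NODE_OPTIONS=--max-old-space-size` below that limit so V8 fails with a heap error instead of the container being OOM-killed with no log line.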

View File

@@ -52,7 +52,6 @@ COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
COPY --from=builder /app/prisma ./prisma
RUN chown -R nextjs:nodejs /app/prisma
COPY --from=builder --chown=nextjs:nodejs /app/node_modules/.prisma ./node_modules/.prisma
COPY --from=builder --chown=nextjs:nodejs /app/node_modules ./node_modules
USER nextjs
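Review bot: removing the full node_modules copy is correct for Next.js standalone output, which ships the runtime dependencies its file tracing found, but it also removes anything the tracer does not see; if the container's CMD or entrypoint runs `prisma migrate deploy` or `prisma generate`, that CLI lived in the removed node_modules and is gone now, so verify the start command still works (keeping `node_modules/.prisma` covers the generated client, not the CLI). Minor: `COPY --from=builder /app/prisma ./prisma` followed by `RUN chown -R nextjs:nodejs /app/prisma` adds a layer and leaves a root-owned copy in the intermediate layer; the adjacent lines already use `COPY --from=builder --chown=nextjs:nodejs ...`, so use the same form here and drop the RUN.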

View File

@@ -165,6 +165,8 @@ POSTGRES_PASSWORD="${pg_pass}"
# MCP Server
MCP_MODE="sse"
MCP_PORT="3001"
MCP_SERVER_MODE="sse"
MCP_SERVER_URL="${url}:3001"
# AI - Tags
AI_PROVIDER_TAGS=${ai_tags_provider}
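Review bot: `MCP_SERVER_URL="${url}:3001"` is only correct when `${url}` is a bare scheme://host. The commit message says it is derived from NEXTAUTH_URL; if that value carries a trailing slash or a path the result is `https://host/:3001`, and if its scheme is https the web UI is told to reach an https URL on a port the MCP server answers over plain http (the compose healthcheck above probes `http://localhost:3001/`). Extract the host explicitly, set the scheme to match what mcp-server actually serves, and reuse the port instead of repeating it, e.g. `MCP_SERVER_URL="http://${host}:${MCP_PORT}"`. Also, defaulting MCP_MODE to "sse" here makes the deploy expose an HTTP MCP endpoint on 3001 by design; since this commit bound Postgres to loopback, record the same decision for this port, i.e. whether 3001 must be published beyond 127.0.0.1 for the browser to reach it and what, if anything, authenticates clients that connect to it.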