Add timezone configuration and security options to services in docker-compose.yaml

This commit is contained in:
Yuri-Lima
2025-08-18 15:57:11 +02:00
parent ce69744836
commit dabddba145
2 changed files with 623 additions and 5 deletions


@@ -6,6 +6,8 @@ services:
image: alpine:3.19
container_name: postgres_auto_upgrade
working_dir: /opt/phx
environment:
TZ: Europe/Berlin
volumes:
- .:/opt/phx:rw
- /var/run/docker.sock:/var/run/docker.sock
@@ -26,6 +28,8 @@ services:
image: alpine:3.19
container_name: postgres_rollback
working_dir: /opt/phx
environment:
TZ: Europe/Berlin
volumes:
- .:/opt/phx:rw
- /var/run/docker.sock:/var/run/docker.sock
@@ -53,10 +57,13 @@ services:
# loki-external-labels: "service=phx-postgres,env=prod"
networks:
- backend
security_opt:
- no-new-privileges:true
environment:
DEBUG: true
POSTGRES_DB: ${DB_NAME}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
TZ: Europe/Berlin
volumes:
- "./database:/var/lib/postgresql/data"
# deploy:
@@ -128,6 +135,7 @@ services:
MAIL_USERNAME: ${MAIL_USERNAME}
MAIL_PASSWORD: ${MAIL_PASSWORD}
MAIL_DEBUG: 'False'
TZ: Europe/Berlin
volumes:
- ./pgadmin/data:/var/lib/pgadmin
- ./pgadmin/pgadmin-entrypoint.sh:/docker-entrypoint.sh:ro
@@ -169,8 +177,12 @@ services:
# loki-retries: "${LOKI_RETRIES}"
# loki-batch-size: "${LOKI_BATCH_SIZE}"
# loki-external-labels: "service=phx-app,env=prod,project=phoenix"
environment:
TZ: Europe/Berlin
volumes:
- ./app_custom:/usr/share/nginx/html/assets/custom
- nginx-logs:/var/log/nginx # this is part of the fail2ban to avoid rotation logs cleaning setup. This will be done by docker volume rm nginx-logs
# - ./phoenix-app/logs:/var/log/nginx # this is part of the fail2ban config to make analysis of the logs easier
# - ./nginx/nginx.conf:/etc/nginx/nginx.conf # Uncomment this if you want to use override the default nginx.conf
# - ./nginx/includes:/etc/nginx/includes:ro # Uncomment this if you want to use override the default includes
networks:
@@ -217,6 +229,7 @@ services:
- PERFORMANCE_STRUCTURED_LOGGING=${PERFORMANCE_STRUCTURED_LOGGING}
- PERFORMANCE_WARNING_THRESHOLD=${PERFORMANCE_WARNING_THRESHOLD}
- PERFORMANCE_DETAILED_MEMORY=${PERFORMANCE_DETAILED_MEMORY}
- TZ=Europe/Berlin
command: ["npm", "run", "start:server"]
deploy:
replicas: ${PHOENIX_SYSTEM_REPLICAS} #change here if u want to have more replicas. Cant find a way to set via variable right now
@@ -249,7 +262,7 @@ services:
start_period: 60s # Grace period before health checks start
volumes:
- "./assets:/usr/src/app/packages/dev-server/assets"
- "./server_custom:/usr/src/app/packages/dev-server/custom"
# - "./logs:/usr/src/app/packages/dev-server/logs"
phoenix-worker:
restart: always
@@ -267,6 +280,7 @@ services:
networks:
- backend
environment:
- TZ=Europe/Berlin
- "DB_HOST=${DB_HOST}"
- "DB_NAME=${DB_NAME}"
- "DB_PASSWORD=${POSTGRES_PASSWORD}"
@@ -305,7 +319,7 @@ services:
start_period: 30s # Grace period before health checks start
volumes:
- "./assets:/usr/src/app/packages/dev-server/assets"
- "./server_custom:/usr/src/app/packages/dev-server/custom"
# - "./logs:/usr/src/app/packages/dev-server/logs"
phoenix-redis:
image: 'bitnami/redis:latest'
@@ -325,6 +339,7 @@ services:
environment:
ALLOW_EMPTY_PASSWORD: "no"
REDIS_PASSWORD: ${REDIS_PASSWORD}
TZ: Europe/Berlin
# deploy:
# restart_policy: # Define how the service should restart when it fails
# condition: on-failure # Only restart if the container exits with a non-zero code
@@ -370,6 +385,7 @@ services:
DB_PASSWORD: ${POSTGRES_PASSWORD}
DB_USERNAME: ${DB_USERNAME}
REDIS_PASSWORD: ${REDIS_PASSWORD}
TZ: Europe/Berlin
networks:
- frontend
- backend
@@ -418,6 +434,8 @@ services:
- metrics
- frontend
restart: unless-stopped
environment:
TZ: Europe/Berlin
ports:
- "9100:9100" # Restrict to only allow access from Grafana Server IP
command:
@@ -514,6 +532,7 @@ services:
SERVER_NAMES_HASH_BUCKET_SIZE: 128 # Increase hash bucket size for server names - good for bigger domains names, if not set correctly, it will throw an error, break the container.
# FORCE_RENEW: 'true'
DOMAINS: "${HTTPS_PORTAL_DOMAINS}"
TZ: Europe/Berlin
volumes:
- ./https_portal/data:/var/lib/https-portal # ssl_certs, vhost.d, htdocs
- ./https_portal/log:/var/log/nginx # nginx logs
@@ -541,14 +560,19 @@ services:
restart: always
image: crazymax/fail2ban:latest
container_name: fail2ban
network_mode: 'host'
network_mode: host # important: act on host network
cap_add:
- NET_ADMIN
- NET_ADMIN # needed to manage firewall
- NET_RAW
environment:
TZ: Europe/Berlin
volumes:
- ./fail2ban/data:/data
- ./fail2ban/jail.d:/etc/fail2ban/jail.d
- /var/log:/var/log:ro
- ./fail2ban/filter.d:/data/filter.d
- /var/log:/var/log:ro # Parse host logs to the sshd
- nginx-logs:/data/nginx-logs:ro
# - ./phoenix-app/logs:/logs/phoenix-app:ro # not needed anymore, but keep here for manual/testing purposes.
memswap_limit: 512M
deploy:
restart_policy: # Define how the service should restart when it fails
@@ -567,6 +591,10 @@ services:
phoenix-worker: # This is to avoid alocation of resources to the fail2ban if the phoenix-worker is not healthy yet.
condition: service_healthy
volumes:
nginx-logs:
name: nginx-logs
networks:
backend:
driver: bridge
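Review bot: The new `./fail2ban/filter.d:/data/filter.d` bind mount in the fail2ban hunk (`@@ -541,14 +560,19 @@`) is read-write, while the neighbouring host-log mounts (`/var/log:/var/log:ro`, `nginx-logs:/data/nginx-logs:ro`) are read-only; filter definitions are only read by the container, so `- ./fail2ban/filter.d:/data/filter.d:ro` is consistent with its siblings and keeps a container that already runs with `network_mode: host`, `NET_ADMIN` and `NET_RAW` from writing back into the repository checkout. Within the visible hunks, `security_opt: - no-new-privileges:true` is added only to the postgres service; the same two lines are a cheap hardening for fail2ban and the other services, unless their full definitions (outside these hunks) already carry it. The fail2ban service definition begins above the hunk, and because the rendered page shows no `+`/`-` markers, which lines are new is inferred from the hunk counts.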