version: "3.9" services: db: image: mysql:8.0 container_name: honey-mysql restart: always # Database credentials are read from the secret file via backend container # The backend will construct the connection URL from SPRING_DATASOURCE_* properties # For MySQL container, we need to set these via environment or use a separate secret # Option 1: Use environment variables (for MySQL container only) # Note: MYSQL_USER cannot be "root" - root user is configured via MYSQL_ROOT_PASSWORD only environment: MYSQL_DATABASE: honey_db MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD} # Option 2: Mount secret file and read values (more secure) # This requires parsing the secret file or using a script # For simplicity, we'll use environment variables for MySQL container # The secret file is primarily for the backend application # Do NOT expose MySQL port to host - only accessible within Docker network # ports: # - "3306:3306" volumes: - mysql_data:/var/lib/mysql # Mount MySQL performance configuration (created on VPS at /opt/app/mysql/conf/my.cnf) - /opt/app/mysql/conf/my.cnf:/etc/mysql/conf.d/my.cnf:ro # Resource limits for MySQL (16GB buffer pool + 2GB overhead) deploy: resources: limits: cpus: '2.0' memory: 18G healthcheck: # Use shell to access environment variable (Docker Compose doesn't interpolate in healthcheck arrays) test: ["CMD-SHELL", "mysqladmin ping -h localhost -u root -p$$MYSQL_ROOT_PASSWORD || exit 1"] interval: 10s timeout: 5s retries: 5 networks: - honey-network backend: build: context: . dockerfile: Dockerfile container_name: honey-backend depends_on: db: condition: service_healthy # Expose backend port to localhost only (for Nginx on host to access) # This is safe - only accessible from the host, not from internet # Port 8080 is the primary/active backend ports: - "127.0.0.1:8080:8080" # Labels for rolling update management labels: - "deployment.role=primary" - "deployment.version=current" volumes: # Mount persistent avatar storage (absolute path for consistency) - /opt/app/data/avatars:/app/data/avatars # Mount secret configuration file (read-only) - /run/secrets/honey-config.properties:/run/secrets/honey-config.properties:ro # Mount logback config directory (editable on VPS without rebuilding) # Note: File must exist on host before mounting. Run setup-logging.sh first. - /opt/app/backend/config:/app/config:rw # Mount logs directory (persistent storage) - /opt/app/logs:/app/logs environment: # Java memory settings: 10GB heap (Xms/Xmx) + G1GC for low latency # -Xms: Start with 10GB (prevents resizing overhead) # -Xmx: Max limit 10GB # -XX:+UseG1GC: Use G1 garbage collector (best for large heaps) # -XX:MaxGCPauseMillis=200: Target max GC pause time JAVA_OPTS: -Xms10g -Xmx10g -XX:+UseG1GC -XX:MaxGCPauseMillis=200 # Logging configuration (external logback-spring.xml) LOGGING_CONFIG: /app/config/logback-spring.xml LOG_DIR: /app/logs # Resource limits for backend (10GB heap + 2GB overhead for stack/metaspace) deploy: resources: limits: cpus: '4.0' memory: 12G networks: - honey-network restart: always healthcheck: test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8080/actuator/health/liveness"] interval: 30s timeout: 10s retries: 3 start_period: 60s backend-new: # This service is used during rolling updates # It will be started manually via deployment script build: context: . dockerfile: Dockerfile container_name: honey-backend-new depends_on: db: condition: service_healthy # Port 8082 is the new/standby backend during deployment (8081 is used by phpMyAdmin) ports: - "127.0.0.1:8082:8080" profiles: - rolling-update # Labels for rolling update management labels: - "deployment.role=standby" - "deployment.version=new" volumes: # Mount persistent avatar storage (absolute path for consistency) - /opt/app/data/avatars:/app/data/avatars # Mount secret configuration file (read-only) - /run/secrets/honey-config.properties:/run/secrets/honey-config.properties:ro # Mount logback config directory (editable on VPS without rebuilding) # Note: File must exist on host before mounting. Run setup-logging.sh first. - /opt/app/backend/config:/app/config:rw # Mount logs directory (persistent storage) - /opt/app/logs:/app/logs environment: # Java memory settings: 10GB heap (Xms/Xmx) + G1GC for low latency # -Xms: Start with 10GB (prevents resizing overhead) # -Xmx: Max limit 10GB # -XX:+UseG1GC: Use G1 garbage collector (best for large heaps) # -XX:MaxGCPauseMillis=200: Target max GC pause time JAVA_OPTS: -Xms10g -Xmx10g -XX:+UseG1GC -XX:MaxGCPauseMillis=200 # Logging configuration (external logback-spring.xml) LOGGING_CONFIG: /app/config/logback-spring.xml LOG_DIR: /app/logs # Resource limits for backend (10GB heap + 2GB overhead for stack/metaspace) deploy: resources: limits: cpus: '4.0' memory: 12G networks: - honey-network restart: always healthcheck: test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8080/actuator/health/liveness"] interval: 30s timeout: 10s retries: 3 start_period: 60s phpmyadmin: image: phpmyadmin:latest container_name: honey-phpmyadmin restart: always depends_on: db: condition: service_healthy # Expose phpMyAdmin to localhost only (Nginx will proxy it with path protection) ports: - "127.0.0.1:8081:80" environment: # Connect to MySQL service using Docker service name PMA_HOST: db PMA_PORT: 3306 # Use the same root password as MySQL container MYSQL_ROOT_PASSWORD: ${DB_ROOT_PASSWORD} # Security: Set upload limit UPLOAD_LIMIT: 64M # Configure absolute URI so phpMyAdmin generates correct URLs for assets # This variable must be set from a secret file on the VPS (not in git) # Example: export PMA_ABSOLUTE_URI="https://win-spin.live/your-secret-path" PMA_ABSOLUTE_URI: ${PMA_ABSOLUTE_URI:-} # Tell phpMyAdmin it's behind a proxy using HTTPS PMA_SSL: "true" # Trust proxy headers (X-Forwarded-Proto, etc.) PMA_TRUSTED_PROXIES: "127.0.0.1" networks: - honey-network # Resource limits for phpMyAdmin deploy: resources: limits: cpus: '1.0' memory: 512M volumes: mysql_data: driver: local networks: honey-network: driver: bridge