build(backend): Dockerize for self-hosted deploy + deploy/log docs

Backend deploy target is self-hosted Docker (VPS / Kubernetes / Docker Engine), not Cloud Run. Add a multi-stage Dockerfile (Node 20, bcrypt compiled in build stage, non-root runtime), .dockerignore, a staging docker-compose, and DEPLOY.md covering install, build, migrate, run, and log mapping/rotation. Pin engines.node>=20. Update deployment.md runbook and backend/CLAUDE.md infra line off Cloud Run. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 15:10:59 +08:00
parent be20eee16b
commit 91bdbd5289
7 changed files with 399 additions and 3 deletions
--- a/backend/docker-compose.staging.yml
+++ b/backend/docker-compose.staging.yml
@@ -0,0 +1,39 @@
+# Staging deploy for the Halo Bestie backend (self-hosted Docker).
+# Usage:
+#   cd backend
+#   docker compose -f docker-compose.staging.yml up -d
+#
+# Prereqs: a populated .env.staging (cp .env.example .env.staging) and the
+# Firebase service-account JSON at the mounted host path below. See DEPLOY.md.
+#
+# This runs ONLY the backend. Postgres + Valkey are expected to be reachable
+# via DATABASE_URL / VALKEY_URL in .env.staging (managed/self-hosted elsewhere).
+# TLS termination + the public hostname are handled by a reverse proxy in front.
+
+services:
+  backend:
+    image: ${BACKEND_IMAGE:-halobestie-backend:staging}
+    # To build on the host instead of pulling a pushed image, comment out
+    # `image:` above and uncomment:
+    # build: .
+    container_name: halobestie-staging
+    env_file: .env.staging
+    ports:
+      - "3000:3000"            # public listener only — never publish 3001
+    volumes:
+      # Firebase service-account JSON (must match the env's Firebase project,
+      # staging = my-bestie-876ec). FIREBASE_SERVICE_ACCOUNT_PATH in .env.staging
+      # must equal the in-container path on the right.
+      - /opt/halobestie/secrets/firebase-sa.json:/secrets/firebase-sa.json:ro
+      # Optional: only needed if XENDIT_WEBHOOK_FALLBACK_ENABLED=true (writes
+      # rolling JSONL to /app/logs). App logs themselves go to stdout — see DEPLOY.md §8.
+      - backend-logs:/app/logs
+    restart: unless-stopped
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "5"
+
+volumes:
+  backend-logs: