infra: add Docker setup for portable deployment

Dockerfile (Python 3.12 slim) + docker-compose (backend + nginx). Backend on port 8000 inside container, nginx proxies API and serves frontend static. SQLite persisted in named volume. Nginx listens on 127.0.0.1:8080 — external SSL handled by host reverse proxy. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-21 16:23:08 +02:00 · 2026-03-21 16:23:08 +02:00 · 5da2a9a708
commit 5da2a9a708
parent 6617c85cd5
4 changed files with 112 additions and 0 deletions
--- a/nginx/docker.conf
+++ b/nginx/docker.conf
@ -0,0 +1,61 @@
+map $request_uri $masked_uri {
+    default                    $request_uri;
+    "~^(/bot)[^/]+(/.*)$"     "$1[REDACTED]$2";
+}
+
+log_format baton_secure '$remote_addr - $remote_user [$time_local] '
+                        '"$request_method $masked_uri $server_protocol" '
+                        '$status $body_bytes_sent '
+                        '"$http_referer" "$http_user_agent"';
+
+server {
+    listen 80;
+    server_name _;
+
+    access_log /var/log/nginx/baton_access.log baton_secure;
+    error_log  /var/log/nginx/baton_error.log warn;
+
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-Frame-Options DENY always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;
+
+    # API + health + admin → backend
+    location /api/ {
+        proxy_pass         http://backend:8000;
+        proxy_set_header   Host              $host;
+        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+        proxy_read_timeout  30s;
+        proxy_send_timeout  30s;
+        proxy_connect_timeout 5s;
+    }
+
+    location /health {
+        proxy_pass         http://backend:8000;
+        proxy_set_header   Host              $host;
+        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+    }
+
+    location /admin/users {
+        proxy_pass         http://backend:8000;
+        proxy_set_header   Host              $host;
+        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+        proxy_read_timeout  30s;
+    }
+
+    # Frontend static
+    location / {
+        root       /usr/share/nginx/html;
+        try_files  $uri /index.html;
+        expires    1h;
+        add_header Cache-Control "public" always;
+        add_header X-Content-Type-Options nosniff always;
+        add_header X-Frame-Options DENY always;
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;
+    }
+}