infra: add Docker, Compose, and Nginx for staging deployment

- Dockerfile: multi-stage build (deps → builder → runner), standalone output - docker-compose.yml: app + postgres services, health checks - nginx/staging.letsbe.biz.conf: reverse proxy ready for certbot SSL - Updated .env.example with all required secrets Deploy steps: 1. Copy nginx conf to /etc/nginx/sites-enabled/ 2. nginx -t && systemctl reload nginx 3. certbot --nginx -d staging.letsbe.biz 4. Create .env from .env.example 5. docker compose up -d --build Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 20:38:29 +01:00
parent a1f9eca76c
commit 93c97da4d0
4 changed files with 152 additions and 9 deletions
--- a/nginx/staging.letsbe.biz.conf
+++ b/nginx/staging.letsbe.biz.conf
@@ -0,0 +1,48 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name staging.letsbe.biz;
+
+    # Certbot will add SSL config after: sudo certbot --nginx -d staging.letsbe.biz
+
+    location / {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+        proxy_read_timeout 86400;
+    }
+
+    # Static assets — long cache
+    location /_next/static/ {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_cache_valid 200 365d;
+        add_header Cache-Control "public, max-age=31536000, immutable";
+    }
+
+    # Public assets
+    location /images/ {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_cache_valid 200 30d;
+        add_header Cache-Control "public, max-age=2592000";
+    }
+
+    # Payload media uploads
+    location /media/ {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_cache_valid 200 30d;
+        add_header Cache-Control "public, max-age=2592000";
+    }
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    client_max_body_size 50M;
+}