fix(docs): correct DEPLOYMENT.md env var name and prod overlay note
- Security checklist: OCR_TRAINING_TOKEN → APP_OCR_TRAINING_TOKEN (backend) plus TRAINING_TOKEN (OCR service); both must share the same value
- Bootstrap: clarify docker-compose.prod.yml is not committed — must be created from docs/infrastructure/production-compose.md

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit was merged in pull request #443.
@@ -139,7 +139,7 @@ All vars are set in `.env` at the repo root (copy from `.env.example`). The back
|
||||
- [ ] Set `APP_ADMIN_USERNAME` if you want a non-default admin login name (add to `.env` — not in `.env.example`)
|
||||
- [ ] Rotate `POSTGRES_PASSWORD` from `change-me`
|
||||
- [ ] Rotate `MINIO_ROOT_PASSWORD` from `change-me`
|
||||
- [ ] Set a strong `OCR_TRAINING_TOKEN` (`python3 -c "import secrets; print(secrets.token_hex(32))"`)
|
||||
- [ ] Set a strong `APP_OCR_TRAINING_TOKEN` (backend) and the matching `TRAINING_TOKEN` (OCR service) — both must be the same value (`python3 -c "import secrets; print(secrets.token_hex(32))"`)
|
||||
- [ ] Confirm `ALLOWED_PDF_HOSTS` is locked to your MinIO/S3 hostname — widening to `*` opens SSRF
|
||||
- [ ] Set `SPRING_PROFILES_ACTIVE=prod` in the prod overlay (not `dev,e2e` — that exposes Swagger UI and `/v3/api-docs`)
|
||||
- [ ] Use a dedicated MinIO service account for `S3_ACCESS_KEY` / `S3_SECRET_KEY`, not the root credentials
|
||||
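Review bot: The replacement checklist item for `APP_OCR_TRAINING_TOKEN` and `TRAINING_TOKEN` puts two variables behind a single checkbox and does not say where `TRAINING_TOKEN` is set. The section intro says all vars are set in `.env` at the repo root; if the OCR service reads `TRAINING_TOKEN` from that same file, say so here, otherwise name the file it belongs in. Splitting this into two checklist items, or adding "generate once and use the same output for both", would keep a reader from running the `secrets.token_hex(32)` command twice and ending up with two different values.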
@@ -156,6 +156,7 @@ cp .env.example .env
|
||||
# Create the bucket named $MINIO_DEFAULT_BUCKETS with private access.
|
||||
|
||||
# 3. Start the stack (prod overlay — see docs/infrastructure/production-compose.md)
|
||||
# docker-compose.prod.yml is NOT committed — create it from the guide above
|
||||
docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
|
||||
|
||||
# 4. Flyway migrations run automatically on backend start.
|
||||
|
||||
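Review bot: The added comment that `docker-compose.prod.yml` is NOT committed sits inside step 3, directly above the `docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d` line, so a reader pasting the block still reaches the command before the file exists. Suggest making "create `docker-compose.prod.yml` from docs/infrastructure/production-compose.md" its own numbered step ahead of "Start the stack", following the existing `# 3.` / `# 4.` numbering. It would also help to state whether the file is meant to stay untracked (for example via `.gitignore`), since the comment says only that it is not committed.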