bethaus-app/docker-compose.yml

services:
  flask-app:
    image: python:3.11-slim
    container_name: ${CONTAINER_NAME}
    restart: always
    working_dir: /app
    volumes:
      - ./:/app
      - ./filecache:/app/filecache
      - ./templates:/app/templates
      - ./GeoLite2-City.mmdb:/app/GeoLite2-City.mmdb:ro
      - type: bind
        source: /mnt
        target: /mnt
        bind:
          propagation: rshared
    environment:
      - FLASK_APP=app.py
      - FLASK_ENV=production
      - TITLE_SHORT=${TITLE_SHORT}
      - TITLE_LONG=${TITLE_LONG}
      - DB_HOST=postgres-db
      - DB_USER=${DB_USER}
      - DB_PASSWORD=${DB_PASSWORD}
      - DB_NAME=${DB_NAME}
    depends_on:
      - "postgres"
    networks:
      - traefik
      - internal
    labels:
      - "traefik.enable=true"

      # HTTP router (port 80), redirecting to HTTPS
      - "traefik.http.routers.${CONTAINER_NAME}.rule=${HOST_RULE}"
      - "traefik.http.routers.${CONTAINER_NAME}.entrypoints=web"
      - "traefik.http.routers.${CONTAINER_NAME}.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"

      # HTTPS router (TLS via Let's Encrypt)
      - "traefik.http.routers.${CONTAINER_NAME}-secure.rule=${HOST_RULE}"
      - "traefik.http.routers.${CONTAINER_NAME}-secure.entrypoints=websecure"
      - "traefik.http.routers.${CONTAINER_NAME}-secure.tls=true"
      - "traefik.http.routers.${CONTAINER_NAME}-secure.tls.certresolver=myresolver"

      # Internal port
      - "traefik.http.services.${CONTAINER_NAME}.loadbalancer.server.port=5000"

    # Production-ready Gunicorn command with eventlet
    command: >
      sh -c "pip install -r requirements.txt &&
            gunicorn --worker-class eventlet -w 1 -b 0.0.0.0:5000 app:app"

  postgres:
    image: postgres:17
    restart: always
    environment:
      POSTGRES_USER: ${DB_USER:?}
      POSTGRES_PASSWORD: ${DB_PASSWORD:?}
      POSTGRES_DB: ${DB_NAME:?}
    volumes:
      - ./postgres_data:/var/lib/postgresql/data
    networks:
      internal:
        aliases:
          - postgres-db

networks:
  traefik:
    external: true
  internal:
    internal: true