Phase 3: Production hardening

- Add gunicorn>=21.2.0 production server
- Optimize Dockerfile with gunicorn + uvicorn workers
- Add non-root user for security
- Create .dockerignore to exclude cache, .env, tests, databases

Author: cliff-de-tech

backend/.dockerignore

@@ -0,0 +1,15 @@
+__pycache__
+*.pyc
+*.pyo
+*.pyd
+.Python
+env/
+venv/
+.env
+.env.local
+.git
+.gitignore
+*.db
+*.sqlite
+.pytest_cache
+tests/

backend/Dockerfile

@@ -1,48 +1,29 @@
-# LinkedIn Post Bot - Backend Dockerfile
-# Build: docker build -t linkedin-bot-backend .
-# Run:   docker run -p 8000:8000 --env-file ../.env linkedin-bot-backend
-
 FROM python:3.11-slim
 
-# Set working directory
 WORKDIR /app
 
-# Install system dependencies
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    gcc \
+# Install system dependencies (needed for some python packages)
+RUN apt-get update && apt-get install -y \
+    build-essential \
+    libpq-dev \
     && rm -rf /var/lib/apt/lists/*
 
-# Copy requirements first (better caching)
-COPY requirements.txt .
-
 # Install Python dependencies
+COPY requirements.txt .
 RUN pip install --no-cache-dir -r requirements.txt
 
 # Copy application code
 COPY . .
 
-# Copy services directory from parent (mounted at runtime or copied in CI)
-# Note: In production, ensure services/ is available at /app/services
-COPY ../services /app/services 2>/dev/null || true
-
-# Add parent directory to Python path for services imports
-ENV PYTHONPATH=/app:/app/..
-
-# Create directory for SQLite databases
-RUN mkdir -p /data
-
-# Environment variables (override with -e or --env-file)
-ENV PORT=8000
-ENV TOKEN_DB_PATH=/data/tokens.db
-ENV USER_SETTINGS_DB_PATH=/data/user_settings.db
-ENV POST_HISTORY_DB_PATH=/data/post_history.db
+# Create a non-root user for security
+RUN useradd -m appuser && chown -R appuser:appuser /app
+USER appuser
 
 # Expose port
 EXPOSE 8000
 
-# Health check
-HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
-    CMD curl -f http://localhost:8000/health || exit 1
-
-# Run the application
-CMD ["uvicorn", "app:app", "--host", "0.0.0.0", "--port", "8000"]
+# Production Command: Use Gunicorn with Uvicorn workers
+# -w 4: Use 4 worker processes (adjust based on CPU cores)
+# -k uvicorn.workers.UvicornWorker: Use async workers
+# --bind 0.0.0.0:8000: Listen on all interfaces
+CMD ["gunicorn", "-w", "4", "-k", "uvicorn.workers.UvicornWorker", "app:app", "--bind", "0.0.0.0:8000"]

backend/requirements.txt

@@ -15,6 +15,9 @@ asyncpg>=0.29.0
 databases[postgresql]>=0.9.0
 aiosqlite>=0.20.0  # For local dev SQLite fallback
 
+# Production server
+gunicorn>=21.2.0
+
 # Testing dependencies
 pytest>=7.4.0
 pytest-asyncio>=0.21.0