From 7364d11ffef694bbd222f27b9327a98f7e098fb8 Mon Sep 17 00:00:00 2001
From: Giorgio Gilestro
Date: Fri, 22 May 2026 21:26:55 +0100
Subject: [PATCH] deploy: add prod compose overlay (no host port, joins intranet network)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The VPS deployment sits behind Nginx Proxy Manager on a pre-existing `intranet` Docker bridge network. The overlay drops the host port binding from the base compose, switches uvicorn to listen on port 80 inside the container (uniform NPM upstreams), and joins the app to both `default` (for db/redis) and `intranet` (for NPM ingress). Apply with: docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d Local dev (compose without the overlay) is unchanged — still binds the host port from CASSANDRA_PORT in .env.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 README.md | 11 +++++++++++
 docker-compose.prod.yml | 28 ++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 docker-compose.prod.yml
diff --git a/README.md b/README.md
index b80289e..ff29f5c 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,17 @@ docker compose up --build # db + app + scheduler + daily backup sidecar
 open http://localhost:8000/
 ```
+## Production (VPS)
+
+Apply the prod overlay so the app has no host port binding and joins the
+existing `intranet` Docker network (where Nginx Proxy Manager lives):
+
+```bash
+docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d --build
+```
+
+Then point NPM at upstream `readmarkets-app-1:80`.
+
 ## Architecture
 - **app** (FastAPI + Jinja2 + HTMX) — web dashboard on port 8000
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
new file mode 100644
index 0000000..d9b0bd8
--- /dev/null
+++ b/docker-compose.prod.yml
@@ -0,0 +1,28 @@
+# Production overlay. Applied on the VPS with:
+#
+# docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
+#
+# Drops the host port binding entirely and joins the `intranet` external
+# Docker network so a front-side proxy (Nginx Proxy Manager) on the same
+# network can reach the container directly. The app listens on port 80
+# inside the container so NPM upstreams are uniform across services
+# (always `:80`).
+#
+# The local-dev compose (just `docker-compose.yml` alone) still binds to
+# the host port from `.env` / CASSANDRA_PORT — unchanged.
+
+services:
+ app:
+ # Strip the host port binding from the base file: no public listener
+ # on the VPS, only the intranet bridge.
+ ports: []
+ command: ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "80", "--workers", "1"]
+ expose:
+ - "80"
+ networks:
+ - default
+ - intranet
+
+networks:
+ intranet:
+ external: true
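Review bot: The `ports: []` line under `app` probably does not strip the host binding as its comment says: when Compose merges several files, sequence options such as `ports` are combined rather than replaced, so an empty list in the overlay leaves the mapping inherited from `docker-compose.yml` (not visible in this patch) in place. If so, the app would still be published on the VPS host, and ports published by Docker are typically opened through Docker's own firewall rules rather than the host's, so the "no public listener" assumption would fail silently. Write it as `ports: !reset []` (this needs a Compose release that supports the `!reset` tag) and confirm with `docker compose -f docker-compose.yml -f docker-compose.prod.yml config` that the rendered `app` service carries no `ports` entry. Separately, uvicorn only honours `X-Forwarded-*` headers from addresses listed in `--forwarded-allow-ips`, so behind NPM the logged client address will be the proxy's unless that option is set to the proxy's address.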