Fonts, Docker fixes
This commit is contained in:
@@ -169,8 +169,13 @@ docker compose logs -f backend # follow backend logs
|
||||
docker compose down # stop everything (keeps the postgres_data volume)
|
||||
docker compose down -v # stop and wipe all data — careful!
|
||||
docker compose up --build -d # rebuild after pulling code changes
|
||||
docker builder prune -af && docker image prune -af # reclaim disk used by old build layers/images
|
||||
```
|
||||
|
||||
> Each `docker compose up --build` leaves the previous build's cache layers and images
|
||||
> behind, which adds up quickly given how much disk `cargo build` needs. Run the prune
|
||||
> command above after each rebuild (or on a cron job) to reclaim that space.
|
||||
|
||||
### Optional: hardened deployment — isolated user + rootless Docker
|
||||
|
||||
Anyone who can run `docker` commands effectively has root on the host (container volume mounts can reach the whole filesystem) — being in the `docker` group is root-equivalent. For a production server, it's worth confining this stack to a dedicated, unprivileged system user running its own **rootless Docker** daemon, instead of using a system-wide install or adding the user to the `docker` group.
|
||||
@@ -292,6 +297,7 @@ Fill in `.env` with strong, unique secrets — `openssl rand -hex 32` is a conve
|
||||
|
||||
```sh
|
||||
docker compose up --build -d
|
||||
docker builder prune -af && docker image prune -af # reclaim disk used by old build layers/images
|
||||
```
|
||||
|
||||
**6. Firewall** (run as your normal sudo-capable user — not `rss-svc`):
|
||||
|
||||
Reference in New Issue
Block a user