# 15. Docker & Infrastructure Optimization

meta:
  id: web-production-15
  feature: web-production
  priority: P2
  depends_on: []
  tags: [infrastructure, docker, production]

objective:
- Optimize Docker images and infrastructure for production deployment, with security and efficiency as the goals

deliverables:
- Multi-stage optimized Dockerfile for the web app
- Docker Compose file for local production simulation
- Infrastructure as Code (Terraform or Pulumi)
- Security scanning for Docker images

steps:
1. Create an optimized Dockerfile for the web app:
   - Multi-stage build (deps → build → runtime)
   - Use node:22-alpine as the base for a minimal image
   - Run as a non-root user
   - Copy only the files the runtime stage needs (built output and production dependencies; no sources, tests or .env files)
   - Health check in the Dockerfile
2. Optimize the scheduler Dockerfile:
   - Reduce image size (it currently copies many source files)
   - Use .dockerignore to exclude unnecessary files
   - Pin base image versions (by tag at minimum; by digest for reproducible builds)
3. Create docker-compose.prod.yml:
   - Web app service with replicas
   - Redis service with persistence
   - Database is external (Turso), so no container is needed
   - Nginx reverse proxy with SSL termination
   - Watchtower for automatic updates
4. Add security scanning:
   - Trivy or Snyk scan in the CI pipeline
   - Fail the build on CRITICAL vulnerabilities
   - Weekly automated scan of production images
5. Implement Infrastructure as Code:
   - Terraform configuration for AWS/GCP/Vultr
   - VPC, subnets, security groups
   - ECS/Fargate or Kubernetes deployment
   - Load balancer with SSL
   - Turso database (managed; no IaaS needed, configure via environment variables)
   - ElastiCache/Memorystore for Redis
6. Add environment-specific configs:
   - Production nginx.conf with rate limiting
   - SSL certificate management (Let's Encrypt)
   - Firewall rules

tests:
- Integration: build the image, verify size <200MB
- Security: Trivy scan shows no CRITICAL vulnerabilities
- Deploy: `terraform apply` creates the infrastructure

acceptance_criteria:
- Web Docker image <200MB compressed
- Scheduler Docker image <150MB compressed
- No CRITICAL vulnerabilities in image scans
- docker-compose.prod.yml runs the full stack locally
- Terraform creates reproducible infrastructure
- Nginx reverse proxy with SSL and rate limiting
- Containers run as a non-root user

validation:
- `docker images` → web image <200MB (note: the SIZE column is the uncompressed on-disk size; the compressed size is what the registry reports after `docker push`)
- `trivy image --severity CRITICAL --exit-code 1 kordant-web` → exits 0 (no CRITICAL findings)
- `docker-compose -f docker-compose.prod.yml up` → full stack running
- `terraform plan` → no unexpected changes

notes:
- The current scheduler/Dockerfile copies many source files; optimize with .dockerignore
- Consider distroless images for an even smaller footprint
- Use AWS Fargate or Google Cloud Run for serverless containers
- Turso is fully managed: no database container or IaaS needed, just `DATABASE_URL` and `DATABASE_AUTH_TOKEN`
- Watchtower deploys whatever the image tag currently points to; keep the CI scan as a gate before a tag is pushed, otherwise automatic updates bypass it
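The following is an added example of the step 1 Dockerfile, written for this page and not taken from the project. It assumes a Node app whose `package.json` has `build` and `start`-equivalent scripts, emits its build into `dist/` with an entry point `dist/server.js`, and serves `GET /health` on port 3000; those paths and the route name are assumptions. It shows the three-stage layout, a non-root runtime user, a runtime stage that receives only production `node_modules` and `dist/`, and a health check:

```dockerfile
# syntax=docker/dockerfile:1
# Added example for step 1 (not the project's own Dockerfile).
# Assumptions: build output in dist/, entry point dist/server.js, GET /health on :3000.
# For reproducible builds replace the tag with a digest reference,
# node:22-alpine@sha256:<digest>, taken from the "Digest:" line of `docker pull node:22-alpine`.

# --- Stage 1: production dependencies only ---------------------------------
FROM node:22-alpine AS deps
WORKDIR /app
COPY package.json package-lock.json ./
# npm ci installs exactly what the lockfile says; --omit=dev drops build-time
# tooling; --ignore-scripts stops dependency lifecycle scripts from running
# (drop it if a dependency genuinely needs a postinstall build step).
RUN npm ci --omit=dev --ignore-scripts

# --- Stage 2: build (needs dev dependencies and the full source tree) -----
FROM node:22-alpine AS build
WORKDIR /app
COPY package.json package-lock.json ./
RUN npm ci --ignore-scripts
# Pair this COPY with a .dockerignore that excludes node_modules, .git,
# .env*, tests and docs so they never enter the build context.
COPY . .
RUN npm run build

# --- Stage 3: minimal runtime ---------------------------------------------
FROM node:22-alpine AS runtime
ENV NODE_ENV=production
WORKDIR /app
# Only the artifacts the app needs at runtime, owned by the unprivileged
# "node" user that the official image already provides (uid 1000).
COPY --from=deps  --chown=node:node /app/node_modules ./node_modules
COPY --from=build --chown=node:node /app/dist ./dist
COPY --chown=node:node package.json ./
USER node
EXPOSE 3000
# BusyBox wget ships with Alpine, so no extra package is needed for the probe.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
  CMD wget -qO- http://127.0.0.1:3000/health >/dev/null || exit 1
CMD ["node", "dist/server.js"]
```

Build and check it with `docker build -t kordant-web .`, then `docker run --rm kordant-web id -u` should print `1000`, and `docker inspect --format '{{.State.Health.Status}}' <container>` reports `healthy` once the probe passes. The same layout applies to the scheduler image in step 2; its size problem is the unfiltered `COPY . .`, which the `.dockerignore` noted above addresses.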