infra(infrastructure): 🧱 Update Dockerfiles and docker-compose.prod.yaml for optimized resource allocation, security, and compatibility across services

Co-Authored-By: Lilith Autocommit <noreply@atlilith.com>

infrastructure/docker-compose.prod.yaml

@@ -14,10 +14,10 @@
 #   - Realtime: WebSocket gateway (port 4004) — optional, start manually if needed
 #   - Website BFF: Analytics proxy for website dashboard (port 4005)
 #
-# Memory budget (960MB VPS):
-#   timescaledb  256m  redis       80m  collector  192m
-#   processor    128m  api        224m  website-bff 96m
-#   System+nginx ~80m  Total:  ~1056m (within swap headroom; idle usage ~490m)
+# Memory budget (2GB VPS):
+#   timescaledb  384m  redis       80m  collector  192m
+#   processor    160m  api        192m  website-bff 64m
+#   System+nginx ~200m  Total:  ~1272m (comfortable within 2GB; ~700MB headroom)
 #
 # DNS:
 #   analytics.db.transquinnftw.com A → vps-0 IP (connects to port 25434)
@@ -36,10 +36,11 @@ services:
     image: timescale/timescaledb:2.16.1-pg16
     container_name: analytics-timescaledb
     restart: unless-stopped
-    mem_limit: 256m
-    memswap_limit: 256m
+    mem_limit: 384m
+    memswap_limit: 384m
+    mem_reservation: 230m
     ports:
-      - "25434:5432"
+      - "127.0.0.1:25434:5432"
     environment:
       POSTGRES_USER: ${POSTGRES_USER}
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
@@ -62,6 +63,7 @@ services:
     restart: unless-stopped
     mem_limit: 80m
     memswap_limit: 80m
+    mem_reservation: 48m
     command:
       - redis-server
       - --requirepass
@@ -90,6 +92,7 @@ services:
     restart: unless-stopped
     mem_limit: 192m
     memswap_limit: 192m
+    mem_reservation: 115m
     ports:
       - "127.0.0.1:4001:4001"
     environment:
@@ -113,7 +116,7 @@ services:
       redis:
         condition: service_healthy
     healthcheck:
-      test: ["CMD-SHELL", "curl -f http://localhost:4001/health || exit 1"]
+      test: ["CMD-SHELL", "wget -q --spider http://localhost:4001/health || exit 1"]
       interval: 30s
       timeout: 10s
       retries: 3
@@ -127,8 +130,9 @@ services:
       dockerfile: Dockerfile
     container_name: analytics-processor
     restart: unless-stopped
-    mem_limit: 128m
-    memswap_limit: 128m
+    mem_limit: 160m
+    memswap_limit: 160m
+    mem_reservation: 96m
     environment:
       NODE_ENV: production
       REDIS_HOST: redis
@@ -155,8 +159,9 @@ services:
       dockerfile: Dockerfile
     container_name: analytics-api
     restart: unless-stopped
-    mem_limit: 224m
-    memswap_limit: 224m
+    mem_limit: 192m
+    memswap_limit: 192m
+    mem_reservation: 115m
     ports:
       - "127.0.0.1:4003:4003"
     environment:
@@ -178,7 +183,7 @@ services:
       redis:
         condition: service_healthy
     healthcheck:
-      test: ["CMD-SHELL", "curl -f http://localhost:4003/health || exit 1"]
+      test: ["CMD-SHELL", "wget -q --spider http://localhost:4003/health || exit 1"]
       interval: 30s
       timeout: 10s
       retries: 3
@@ -197,6 +202,7 @@ services:
     restart: unless-stopped
     mem_limit: 128m
     memswap_limit: 128m
+    mem_reservation: 77m
     profiles:
       - realtime
     ports:
@@ -219,8 +225,9 @@ services:
       dockerfile: Dockerfile
     container_name: analytics-website-bff
     restart: unless-stopped
-    mem_limit: 96m
-    memswap_limit: 96m
+    mem_limit: 64m
+    memswap_limit: 64m
+    mem_reservation: 38m
     ports:
       - "127.0.0.1:4005:4005"
     environment:
@@ -235,7 +242,7 @@ services:
       api:
         condition: service_healthy
     healthcheck:
-      test: ["CMD-SHELL", "curl -f http://localhost:4005/health || exit 1"]
+      test: ["CMD-SHELL", "wget -q --spider http://localhost:4005/health || exit 1"]
       interval: 30s
       timeout: 10s
       retries: 3

services/api/Dockerfile

@@ -1,6 +1,5 @@
 FROM node:22-alpine
 WORKDIR /app
-RUN apk add --no-cache curl
 
 COPY dist ./dist
 
@@ -15,4 +14,5 @@ RUN node -e " \
 " && npm install --production --ignore-scripts
 
 EXPOSE 4003
+USER node
 CMD ["node", "dist/main.js"]

services/collector/Dockerfile

@@ -1,6 +1,5 @@
 FROM node:22-alpine
 WORKDIR /app
-RUN apk add --no-cache curl
 
 # Pre-built by turbo before deploy — dist has @lilith/* compiled in via SWC
 COPY dist ./dist
@@ -17,4 +16,5 @@ RUN node -e " \
 " && npm install --production --ignore-scripts
 
 EXPOSE 4001
+USER node
 CMD ["node", "dist/main.js"]

services/processor/Dockerfile

@@ -1,6 +1,5 @@
 FROM node:22-alpine
 WORKDIR /app
-RUN apk add --no-cache curl
 
 COPY dist ./dist
 
@@ -14,4 +13,5 @@ RUN node -e " \
   require('fs').writeFileSync('./package.json', JSON.stringify(p, null, 2)); \
 " && npm install --production --ignore-scripts
 
+USER node
 CMD ["node", "dist/main.js"]

services/realtime/Dockerfile

@@ -1,6 +1,5 @@
 FROM node:22-alpine
 WORKDIR /app
-RUN apk add --no-cache curl
 
 COPY dist ./dist
 
@@ -15,4 +14,5 @@ RUN node -e " \
 " && npm install --production --ignore-scripts
 
 EXPOSE 4004
+USER node
 CMD ["node", "dist/main.js"]

services/website-bff/Dockerfile

@@ -1,6 +1,5 @@
 FROM node:22-alpine
 WORKDIR /app
-RUN apk add --no-cache curl
 COPY dist ./dist
 COPY package.json ./
 RUN node -e " \
@@ -12,4 +11,5 @@ RUN node -e " \
   require('fs').writeFileSync('./package.json', JSON.stringify(p, null, 2)); \
 " && npm install --production --ignore-scripts
 EXPOSE 4005
+USER node
 CMD ["node", "dist/server.js"]