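# Docker Compose Deployment Management
#
# Targets are grouped by environment (dev, staging, homelab-secure, prod),
# followed by utility, security-mode, rollback and scanner helpers.
# `make help` lists every target that carries a `## description` suffix.

# Several recipes use `read -p`, which is a bash extension; make's default
# /bin/sh is dash on some hosts, where `read -p` is an error. Pin the shell so
# the confirmation prompts behave the same everywhere.
SHELL := /bin/bash

# Compose executable. Override for the v2 plugin: `make COMPOSE="docker compose" dev-up`.
COMPOSE ?= docker-compose

# Environment name handed to the audit-sink check script (check-audit-sink).
ENV ?= staging

.DEFAULT_GOAL := help

# Every target below is declared phony so that a stray file named e.g. `clean`
# or `status` in the working tree cannot silently short-circuit the recipe.
.PHONY: help \
	dev-up dev-down dev-logs dev-restart \
	staging-up staging-down staging-logs staging-restart staging-status \
	homelab-secure-up homelab-secure-down \
	prod-up prod-down prod-logs prod-restart prod-status \
	status clean \
	security-mode-dev security-mode-standard security-mode-hipaa \
	rollback-staging rollback-prod \
	check-audit-sink health-check security-scan \
	up down logs restart

# Default target
help: ## Show this help message
	@echo "Available commands:"
	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-25s\033[0m %s\n", $$1, $$2}'

# Development environment
dev-up: ## Start development environment
	@echo "Starting development environment..."
	$(COMPOSE) -f docker-compose.dev.yml up -d
	@echo "Services: Caddy (8080/8443), Redis (6379), Prometheus (9090), Grafana (3000)"

dev-down: ## Stop development environment
	@echo "Stopping development environment..."
	$(COMPOSE) -f docker-compose.dev.yml down

dev-logs: ## Show development logs
	$(COMPOSE) -f docker-compose.dev.yml logs -f

dev-restart: ## Restart development environment
	@echo "Restarting development environment..."
	$(COMPOSE) -f docker-compose.dev.yml restart

# Staging environment
staging-up: ## Start staging environment
	@echo "Starting staging environment..."
	# A missing .env.staging is seeded with defaults; an existing file is never overwritten.
	@if [ ! -f .env.staging ]; then \
		echo "Creating staging environment file..."; \
		echo "DATA_DIR=./data/staging" > .env.staging; \
		echo "LOG_LEVEL=info" >> .env.staging; \
		echo "COMPLIANCE_MODE=standard" >> .env.staging; \
	fi
	$(COMPOSE) -f docker-compose.staging.yml up -d
	@echo "Staging services: Caddy (9080/9443), Redis (6380), API (9102), MinIO (9002/9003)"

staging-down: ## Stop staging environment
	@echo "Stopping staging environment..."
	$(COMPOSE) -f docker-compose.staging.yml down

staging-logs: ## Show staging logs
	$(COMPOSE) -f docker-compose.staging.yml logs -f

staging-restart: ## Restart staging environment
	@echo "Restarting staging environment..."
	$(COMPOSE) -f docker-compose.staging.yml restart

staging-status: ## Show staging status
	$(COMPOSE) -f docker-compose.staging.yml ps

# Homelab environment
homelab-secure-up: ## Start secure homelab environment
	@echo "Starting secure homelab environment..."
	$(COMPOSE) -f docker-compose.homelab-secure.yml up -d

homelab-secure-down: ## Stop secure homelab environment
	@echo "Stopping secure homelab environment..."
	$(COMPOSE) -f docker-compose.homelab-secure.yml down

# Production environment
#
# Production targets require an interactive confirmation. When stdin is not a
# terminal (CI, cron) `read` fails, the `&&` chain short-circuits and the
# target exits 1 — i.e. production is never started or restarted unattended.
prod-up: ## Start production environment
	@echo "Starting production environment..."
	@echo "⚠ WARNING: This is production! Ensure you have proper backups."
	@read -r -p "Continue? [y/N] " confirm && [ "$$confirm" = "y" ] || exit 1
	$(COMPOSE) -f docker-compose.prod.yml up -d

prod-down: ## Stop production environment
	@echo "Stopping production environment..."
	$(COMPOSE) -f docker-compose.prod.yml down

prod-logs: ## Show production logs
	$(COMPOSE) -f docker-compose.prod.yml logs -f

prod-restart: ## Restart production environment
	@echo "Restarting production environment..."
	@read -r -p "Restart production? [y/N] " confirm && [ "$$confirm" = "y" ] || exit 1
	$(COMPOSE) -f docker-compose.prod.yml restart

prod-status: ## Show production status
	$(COMPOSE) -f docker-compose.prod.yml ps

# Utility commands
#
# `compose ps` exits 0 even when no container exists, so "Not running" is only
# printed when compose itself fails (missing daemon, bad file), not when the
# stack is simply down — read an empty table as "down".
status: ## Show status of all environments
	@echo "=== Development Status ==="
	@if [ -f docker-compose.dev.yml ]; then \
		$(COMPOSE) -f docker-compose.dev.yml ps 2>/dev/null || echo "Not running"; \
	fi
	@echo ""
	@echo "=== Staging Status ==="
	@if [ -f docker-compose.staging.yml ]; then \
		$(COMPOSE) -f docker-compose.staging.yml ps 2>/dev/null || echo "Not running"; \
	fi
	@echo ""
	@echo "=== Homelab Secure Status ==="
	@if [ -f docker-compose.homelab-secure.yml ]; then \
		$(COMPOSE) -f docker-compose.homelab-secure.yml ps 2>/dev/null || echo "Not running"; \
	fi
	@echo ""
	@echo "=== Production Status ==="
	@if [ -f docker-compose.prod.yml ]; then \
		$(COMPOSE) -f docker-compose.prod.yml ps 2>/dev/null || echo "Not running"; \
	fi

clean: ## Clean up all containers and volumes
	@echo "Cleaning up all Docker resources..."
	@echo "This will remove all containers and volumes. Continue? [y/N]"
	@read -r confirm && [ "$$confirm" = "y" ] || exit 1
	# `down -v` also deletes named volumes, including the production ones.
	$(COMPOSE) -f docker-compose.dev.yml down -v 2>/dev/null || true
	$(COMPOSE) -f docker-compose.staging.yml down -v 2>/dev/null || true
	$(COMPOSE) -f docker-compose.homelab-secure.yml down -v 2>/dev/null || true
	$(COMPOSE) -f docker-compose.prod.yml down -v 2>/dev/null || true
	# Host-wide, not project-scoped: prunes every dangling image/network on this daemon.
	docker system prune -f
	@echo "Cleanup complete."

# Security mode targets
#
# COMPLIANCE_MODE is passed through the environment to the compose file; the
# Makefile itself enforces nothing. All three modes use docker-compose.dev.yml.
security-mode-dev: ## Run worker in dev security mode
	@echo "Running with dev security mode (relaxed validation)..."
	COMPLIANCE_MODE=dev $(COMPOSE) -f docker-compose.dev.yml up -d worker

security-mode-standard: ## Run worker in standard security mode
	@echo "Running with standard security mode..."
	COMPLIANCE_MODE=standard $(COMPOSE) -f docker-compose.dev.yml up -d worker

security-mode-hipaa: ## Run worker in HIPAA security mode
	@echo "Running with HIPAA security mode (strict compliance)..."
	# The lines below state the expected hardening; whether it is actually applied
	# depends on the compose file's handling of COMPLIANCE_MODE=hipaa — verify there.
	@echo "✓ Network mode: none"
	@echo "✓ Seccomp profile: default-hardened"
	@echo "✓ No new privileges: enforced"
	@echo "✓ Audit sink: required"
	@read -r -p "Confirm HIPAA mode deployment? [y/N] " confirm && [ "$$confirm" = "y" ] || exit 1
	COMPLIANCE_MODE=hipaa $(COMPOSE) -f docker-compose.dev.yml up -d worker

# Rollback targets
#
# Both rollbacks bring the stack down and back up with the compose file as-is.
# The previous tag/SHA is read from the log and printed, but it is NOT passed
# to compose — TODO(review): confirm how the compose files select the image,
# and feed PREVIOUS_TAG / PREVIOUS_SHA in, otherwise this is a restart, not a
# rollback. `tail -2 | head -1` on a single-line log yields the current entry.
rollback-staging: ## Rollback staging deployment
	@echo "Rolling back staging deployment..."
	@echo "⚠ This rolls back the image only - queue state and audit log are NOT rolled back"
	@read -r -p "Continue with rollback? [y/N] " confirm && [ "$$confirm" = "y" ] || exit 1
	$(COMPOSE) -f docker-compose.staging.yml down
	@if [ -f .staging-deployment.log ]; then \
		PREVIOUS_TAG=$$(tail -2 .staging-deployment.log | head -1 | grep -o 'tag=[^ ]*' | cut -d'=' -f2 || echo "latest"); \
		echo "Previous tag: $$PREVIOUS_TAG"; \
		$(COMPOSE) -f docker-compose.staging.yml up -d; \
	fi
	# Append-only audit record: who rolled back, and when.
	@echo "$$(date -Iseconds) | rollback | staging | actor=$$(whoami)" >> .staging-audit.log

rollback-prod: ## Rollback production deployment
	@echo "Rolling back production deployment..."
	@echo "⚠ CRITICAL: This rolls back the image only"
	@echo "⚠ Queue state is NOT rolled back"
	@echo "⚠ Audit log chain is NOT rolled back (must never break chain)"
	@echo "⚠ New artifacts remain in storage"
	# Production requires the full word "yes"; a bare "y" aborts.
	@read -r -p "CONFIRM PRODUCTION ROLLBACK? [yes/N] " confirm && [ "$$confirm" = "yes" ] || exit 1
	$(COMPOSE) -f docker-compose.prod.yml down
	@if [ -f .prod-audit.log ]; then \
		PREVIOUS_SHA=$$(tail -2 .prod-audit.log | head -1 | grep -o 'sha-[a-f0-9]*' || echo "previous"); \
		echo "Rolling back to: $$PREVIOUS_SHA"; \
		$(COMPOSE) -f docker-compose.prod.yml up -d; \
	fi
	# Append-only audit record: who rolled back, and when.
	@echo "$$(date -Iseconds) | rollback | prod | actor=$$(whoami)" >> .prod-audit.log
	@echo "Rollback complete. Verify health: make prod-status"

check-audit-sink: ## Check audit sink reachability (ENV=staging by default)
	@echo "Checking audit sink for $(ENV)..."
	@if [ -f ../scripts/check-audit-sink.sh ]; then \
		../scripts/check-audit-sink.sh --env $(ENV); \
	else \
		echo "Audit sink check script not found"; \
	fi

# Probes the /health endpoint of each environment. The target always exits 0;
# a failed probe only prints "✗ Not responding".
# NOTE(review): production probes localhost:9101, the same port as development —
# confirm against docker-compose.prod.yml; this looks copy-pasted.
health-check: ## Run health checks on all environments
	@echo "=== Health Checks ==="
	@echo "Development (localhost:9101):"
	@curl -fsS http://localhost:9101/health 2>/dev/null && echo "✓ Healthy" || echo "✗ Not responding"
	@echo ""
	@echo "Staging (localhost:9102):"
	@curl -fsS http://localhost:9102/health 2>/dev/null && echo "✓ Healthy" || echo "✗ Not responding"
	@echo ""
	@echo "Production (localhost:9101):"
	@curl -fsS http://localhost:9101/health 2>/dev/null && echo "✓ Healthy" || echo "✗ Not responding"

# Runs gosec and nancy from the repository root if they are installed. Scanner
# findings do not fail the target — this is an advisory local run, not a gate.
security-scan: ## Run security scanners locally
	@echo "Running security scanners..."
	@if command -v gosec >/dev/null 2>&1; then \
		echo "Running gosec..."; \
		cd .. && gosec ./... 2>/dev/null || echo "gosec found issues"; \
	else \
		echo "gosec not installed - skipping"; \
	fi
	@if command -v nancy >/dev/null 2>&1; then \
		echo "Running nancy..."; \
		cd .. && go list -json -deps ./... 2>/dev/null | nancy sleuth 2>/dev/null || echo "nancy found issues"; \
	else \
		echo "nancy not installed - skipping"; \
	fi

# Quick aliases
up: dev-up ## Alias for dev-up
down: dev-down ## Alias for dev-down
logs: dev-logs ## Alias for dev-logs
restart: dev-restart ## Alias for dev-restart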