From 768d1b23d4a702321afa347e544c56b90c6f28e9 Mon Sep 17 00:00:00 2001 From: Justin Paul Date: Sat, 6 Jun 2026 11:55:38 -0400 Subject: [PATCH] Add Watchtower auto-deploy for app images (2-minute poll) Watchtower (profile-gated) watches only the label-enabled backend/frontend containers and recreates them when a new :test-main digest lands in the registry, polling every 120s. Scoped by label so it never touches Postgres/MinIO/Caddy/cloudflared. Reads registry creds from the host docker config. Lab host runs COMPOSE_PROFILES=tunnel,watchtower. Co-Authored-By: Claude Opus 4.8 (1M context) Signed-off-by: Justin Paul --- deploy/.env.example | 7 ++++--- deploy/docker-compose.yml | 19 +++++++++++++++++++ 2 files changed, 23 insertions(+), 3 deletions(-) diff --git a/deploy/.env.example b/deploy/.env.example index 87f2a5e..a8c14f7 100644 --- a/deploy/.env.example +++ b/deploy/.env.example @@ -30,9 +30,10 @@ S3_REGION=us-east-1 # tunnel forwards plain HTTP to caddy:80. PROVENANCE_SITE_ADDRESS=:80 -# --- Cloudflare Tunnel (optional) --- -# Enable by setting COMPOSE_PROFILES=tunnel and supplying the connector token -# from the Cloudflare dashboard. Public hostname -> http://caddy:80. +# --- Deploy-host services (optional, selected via COMPOSE_PROFILES) --- +# 'tunnel' -> cloudflared connector (needs CLOUDFLARE_TUNNEL_TOKEN; public hostname -> http://caddy:80) +# 'watchtower' -> auto-pull updated backend/frontend images every 2 min (needs `docker login git.jpaul.io` on the host) +# Combine with commas. On the lab host: COMPOSE_PROFILES=tunnel,watchtower CLOUDFLARE_TUNNEL_TOKEN= COMPOSE_PROFILES= diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml index d87e925..25486d7 100644 --- a/deploy/docker-compose.yml +++ b/deploy/docker-compose.yml 
@@ -42,6 +42,8 @@ services: backend: image: git.jpaul.io/justin/provenance-backend:${IMAGE_TAG:-test-main} + labels: + com.centurylinklabs.watchtower.enable: "true" environment: APP_ENV: ${APP_ENV:-development} DATABASE_URL: ${DATABASE_URL:-postgresql+asyncpg://provenance:provenance@postgres:5432/provenance} @@ -62,6 +64,8 @@ services: frontend: image: git.jpaul.io/justin/provenance-frontend:${IMAGE_TAG:-test-main} + labels: + com.centurylinklabs.watchtower.enable: "true" environment: NODE_ENV: production depends_on: @@ -104,6 +108,21 @@ services: profiles: - tunnel + # Auto-deploy: watch the label-enabled app containers (backend, frontend), + # poll the registry every 2 minutes, and recreate on a new :test-main digest. + # Scoped by label so it never touches Postgres/MinIO/Caddy. Registry creds come + # from the host docker config (the `docker login git.jpaul.io` on the host). + # Opt-in via the "watchtower" profile. + watchtower: + image: containrrr/watchtower:latest + restart: unless-stopped + command: --label-enable --cleanup --interval 120 + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - ${HOME:-/root}/.docker/config.json:/config.json:ro + profiles: + - watchtower + volumes: pgdata: miniodata:
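Review bot: The `image: containrrr/watchtower:latest` line in the new `watchtower` service puts the one container that holds `/var/run/docker.sock` (root-equivalent on the host) on a mutable tag, so any later `compose pull`/`up` can swap in an image nobody reviewed; pin it, e.g. `image: containrrr/watchtower:<pinned-version>  # socket-mounted: bump deliberately, never :latest` (placeholder, choose a real release or digest). The `${HOME:-/root}/.docker/config.json:/config.json:ro` mount resolves `HOME` from the shell that runs `docker compose` (which may differ under `sudo` or a systemd unit), and with short-syntax bind mounts Docker creates a directory at a missing host path, so a wrong `HOME` leaves Watchtower with an empty `/config.json` directory and no credentials rather than a clear error; an explicit path variable in `.env`, e.g. `- ${DOCKER_CONFIG_JSON:-/root/.docker/config.json}:/config.json:ro`, makes that failure visible, and it is worth saying in the service comment that the whole host config — every registry the host is logged into — becomes readable inside this container. The comment block should also spell out the trust boundary the commit creates, e.g. `# Push access to the :test-main tag in the registry == deploy access to this host (2-minute window).` The `profiles: - tunnel` context at the top of the hunk belongs to the cloudflared service, whose definition starts above the hunk.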