Add Watchtower auto-deploy for app images (2-minute poll)

Watchtower (profile-gated) watches only the label-enabled backend/frontend containers and recreates them when a new :test-main digest lands in the registry, polling every 120s. Scoped by label so it never touches Postgres/MinIO/Caddy/cloudflared. Reads registry creds from the host docker config. Lab host runs COMPOSE_PROFILES=tunnel,watchtower.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Justin Paul <justin@jpaul.me>
2026-06-06 11:55:38 -04:00
parent 11f0f79866
commit 768d1b23d4
2 changed files with 23 additions and 3 deletions
+19
@@ -42,6 +42,8 @@ services:
backend:
image: git.jpaul.io/justin/provenance-backend:${IMAGE_TAG:-test-main}
labels:
com.centurylinklabs.watchtower.enable: "true"
environment:
APP_ENV: ${APP_ENV:-development}
DATABASE_URL: ${DATABASE_URL:-postgresql+asyncpg://provenance:provenance@postgres:5432/provenance}
@@ -62,6 +64,8 @@ services:
frontend:
image: git.jpaul.io/justin/provenance-frontend:${IMAGE_TAG:-test-main}
labels:
com.centurylinklabs.watchtower.enable: "true"
environment:
NODE_ENV: production
depends_on:
@@ -104,6 +108,21 @@ services:
profiles:
- tunnel
# Auto-deploy: watch the label-enabled app containers (backend, frontend),
# poll the registry every 2 minutes, and recreate on a new :test-main digest.
# Scoped by label so it never touches Postgres/MinIO/Caddy. Registry creds come
# from the host docker config (the `docker login git.jpaul.io` on the host).
# Opt-in via the "watchtower" profile.
watchtower:
image: containrrr/watchtower:latest
restart: unless-stopped
command: --label-enable --cleanup --interval 120
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ${HOME:-/root}/.docker/config.json:/config.json:ro
profiles:
- watchtower
volumes:
pgdata:
miniodata:
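Review bot: The new `watchtower` service mounts `/var/run/docker.sock`, which gives that container root-equivalent control of the host, yet its image is the mutable `containrrr/watchtower:latest`, so whatever is next published under that tag runs with that access. Pin it to a reviewed release and digest, e.g. `image: containrrr/watchtower:<version>@sha256:<digest>` (placeholders), and bump it deliberately. `--label-enable` only limits which containers are recreated, not what the socket permits, so the comment above the service should also state that anyone able to push `:test-main` to the registry gets code running on this host within the 120s poll. It is also worth a comment that if `${HOME:-/root}/.docker/config.json` does not exist when compose starts, Docker creates a directory at that path and registry authentication will likely fail.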