services: apparel-designer: build: context: . dockerfile: Dockerfile # Pass a base64-encoded SSH private key in as a build secret so # npm can authenticate against git.kadil.dev for the `goods-editor` # git+ssh: dependency. The Dockerfile decodes the base64 inside # the build. See Dockerfile docblock for the full mechanism and # the rationale for base64 over raw PEM. # # The secret is only available during the single RUN step that # mounts it; nothing about the key ends up in the built image. secrets: - ssh_key container_name: apparel-designer ports: ["3001:3001"] volumes: - uploads_data:/app/uploads - exports_data:/app/exports environment: - NODE_ENV=production - PORT=3001 restart: unless-stopped # Build-time secret declaration. # # The Dockerfile expects a BASE64-ENCODED private key (not the raw # PEM). See the Dockerfile docblock for the encoding command. Two # ways to provide it, pick whichever fits where you're building from: # # ── A. File-based (typical local dev) ────────────────────────────── # Encode the key to a temp file once, then point SSH_KEY_FILE at it: # # base64 < ~/.ssh/goods-editor-deploy | tr -d '\n' > ~/.ssh/goods-editor-deploy.b64 # SSH_KEY_FILE=$HOME/.ssh/goods-editor-deploy.b64 docker compose build # # The fallback `/dev/null` keeps `docker compose config` from erroring # when SSH_KEY_FILE isn't set; actual builds against /dev/null fail # with a clear base64-decode error rather than a cryptic compose error. # # ── B. Env-var-based (CI) ────────────────────────────────────────── # Comment out the `file:` line and uncomment `environment:` below. # Provide the base64-encoded key in SSH_KEY_B64: # # SSH_KEY_B64="$(base64 < ~/.ssh/goods-editor-deploy | tr -d '\n')" \ # docker compose build # # Requires Docker Compose v2.23+ for the `environment:` secret source. secrets: ssh_key: file: ${SSH_KEY_FILE:-/dev/null} # environment: SSH_KEY_B64 volumes: uploads_data: exports_data: