rails app with redis and postgres and SSL

Submitted by @nplusp

Kamal deploy.yml

service: app

image: nplusp/app

servers:
  web:
    hosts:
      - <%= ENV['BACKEND_IP_ADDRESS'] %>
    labels:
      traefik.http.routers.nplusapp.rule: Host(`<%= ENV['DOMAIN'] %>`)
      traefik.http.routers.nplusapp.entrypoints: websecure
      traefik.http.routers.nplusapp.tls.certresolver: letsencrypt
    options:
      "add-host": host.docker.internal:host-gateway
    cmd: "./bin/rails server"

  job:
    hosts:
      - <%= ENV['BACKEND_IP_ADDRESS'] %>
    options:
      "add-host": host.docker.internal:host-gateway
    cmd: "bundle exec sidekiq -C config/sidekiq.yml -v"

registry:
  username: nplusp
  password:
    - KAMAL_REGISTRY_PASSWORD

env:
  clear:
    RAILS_LOG_TO_STDOUT: true
    RAILS_SERVE_STATIC_FILES: true
    DOCKER_BUILDKIT: true
    RAILS_ENV: production
    POSTGRES_DB_HOST: <%= ENV['BACKEND_IP_ADDRESS'] %>
    REDIS_URL: redis://<%= ENV['BACKEND_IP_ADDRESS'] %>:6379/0
  secret:
    - RAILS_MASTER_KEY
    - POSTGRES_DB_NAME
    - POSTGRES_USER
    - POSTGRES_PASSWORD
    - MOTOR_AUTH_USERNAME
    - MOTOR_AUTH_PASSWORD

builder:
  remote:
    arch: amd64
    host: ssh://root@<%= ENV['BACKEND_IP_ADDRESS'] %>

accessories:
  db:
    image: postgres:15
    port: 5432
    host: <%= ENV['BACKEND_IP_ADDRESS'] %>
    env:
      secret:
        - POSTGRES_USER
        - POSTGRES_PASSWORD
    files:
      - db/production.sql:/docker-entrypoint-initdb.d/setup.sql
    directories:
      - data:/var/lib/postgresql/data
    options:
      "add-host": host.docker.internal:host-gateway

  redis:
    image: redis:latest
    port: 6379
    host: <%= ENV['BACKEND_IP_ADDRESS'] %>
    directories:
      - /var/lib/redis:/data
    options:
      "add-host": host.docker.internal:host-gateway

traefik:
  options:
    "add-host": host.docker.internal:host-gateway
    publish:
      - "443:443"
    volume:
      - "/letsencrypt/acme.json:/letsencrypt/acme.json"
  args:
    accesslog: true
    accesslog.format: json
    entryPoints.web.address: ":80"
    entryPoints.websecure.address: ":443"
    entryPoints.web.http.redirections.entryPoint.to: websecure
    entryPoints.web.http.redirections.entryPoint.scheme: https
    entryPoints.web.http.redirections.entrypoint.permanent: true
    entrypoints.websecure.http.tls: true
    entrypoints.websecure.http.tls.domains[0].main: "<%= ENV['DOMAIN'] %>"
    entrypoints.websecure.http.tls.domains[0].sans: "*.<%= ENV['DOMAIN'] %>"
    certificatesResolvers.letsencrypt.acme.email: "<%= ENV['LETSENCRYPT_ACCOUNT_EMAIL'] %>"
    certificatesResolvers.letsencrypt.acme.storage: "/letsencrypt/acme.json"
    certificatesResolvers.letsencrypt.acme.httpchallenge: true
    certificatesResolvers.letsencrypt.acme.httpchallenge.entrypoint: web

healthcheck:
  log_lines: 10_000
  max_attempts: 7

volumes:
  - "/storage:/rails/storage"

Dockerfile

# Make sure RUBY_VERSION matches the Ruby version in .ruby-version and Gemfile
ARG RUBY_VERSION=3.3.0
FROM registry.docker.com/library/ruby:$RUBY_VERSION-slim as base

# Rails app lives here
WORKDIR /rails

# Set production environment
ENV RAILS_ENV="production" \
    BUNDLE_DEPLOYMENT="1" \
    BUNDLE_PATH="/usr/local/bundle" \
    BUNDLE_WITHOUT="development"

# Throw-away build stage to reduce size of final image
FROM base as build

# Install packages needed to build gems
RUN apt-get update -qq && \
    apt-get install --no-install-recommends -y build-essential git libpq-dev libvips pkg-config curl

# Install application gems
COPY Gemfile Gemfile.lock ./
RUN bundle install && \
    rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git && \
    bundle exec bootsnap precompile --gemfile

# Copy application code
COPY . .

# Final stage for app image
FROM base

# Install packages needed for deployment
RUN apt-get update -qq && \
    apt-get install --no-install-recommends -y postgresql-client curl libvips && \
    rm -rf /var/lib/apt/lists /var/cache/apt/archives

# Copy built artifacts: gems, application
COPY --from=build /usr/local/bundle /usr/local/bundle
COPY --from=build /rails /rails

# Run and own only the runtime files as a non-root user for security
RUN useradd rails --create-home --shell /bin/bash && \
    chown -R rails:rails db log storage tmp
USER rails:rails

# Entrypoint prepares the database.
ENTRYPOINT ["/rails/bin/docker-entrypoint"]

# Start the server by default, this can be overwritten at runtime
EXPOSE 3000

env.example file

# KAMAL ENV
DOMAIN=google.com
LETSENCRYPT_ACCOUNT_EMAIL=email
BACKEND_IP_ADDRESS=0.0.0.0

DOCKER_BUILDKIT=true
KAMAL_REGISTRY_PASSWORD=kamal_registry_password
RAILS_MASTER_KEY=rails_master_key

MOTOR_AUTH_USERNAME=admin
MOTOR_AUTH_PASSWORD=admin

POSTGRES_DB_NAME=database_name
POSTGRES_USER=db_user
POSTGRES_PASSWORD=secret_password

Explanation

for ssl:
mkdir -p /letsencrypt && touch /letsencrypt/acme.json && chmod 600 /letsencrypt/acme.json
kamal traefik reboot