feat: add demo deployment docker-compose with Caddy and PostgreSQL (#1158)

* feat: add demo deployment docker-compose with Caddy and PostgreSQL

Adds the production docker-compose stack for the demo DigitalOcean Droplet:

- deploy/demo/docker-compose.yml: three-service stack (postgres:16-alpine,
  meridian unified binary, caddy:2-alpine) with health checks and internal
  networking; only ports 80/443 exposed to host via Caddy
- deploy/demo/Caddyfile: terminates TLS with Cloudflare Origin Certificate
  and reverse-proxies to meridian:8090
- deploy/demo/.env.demo.example: extended with POSTGRES_USER/PASSWORD/DB
  variables consumed by docker-compose interpolation
- .gitignore: exclude deploy/demo/.env.demo and deploy/demo/certs/*.pem

* fix: address review feedback on demo docker-compose

- Remove meridian CMD-SHELL healthcheck: image is gcr.io/distroless/static-debian12
  which has no shell or wget; caddy now depends on service_started and handles
  upstream retries itself
- Use :? required substitution for POSTGRES_PASSWORD to fail fast at docker
  compose up when the variable is unset
- Document that POSTGRES_PASSWORD must be URL-safe (alphanumeric + - _ . ~)
  to avoid corrupting the connection string interpolation

---------

Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>

Author: bjcoombs

.gitignore

@@ -69,3 +69,7 @@ deployments/k8s/base/secret.yaml
 
 # IntelliJ HTTP Client private environment (may contain secrets)
 http/http-client.private.env.json
+
+# Demo deployment secrets
+deploy/demo/.env.demo
+deploy/demo/certs/*.pem

deploy/demo/.env.demo.example

@@ -18,18 +18,28 @@
 MERIDIAN_IMAGE=ghcr.io/meridianhub/meridian:demo
 
 # ---------------------------------------------------------------------------
-# Database
+# Database — PostgreSQL container (docker-compose)
 # ---------------------------------------------------------------------------
 
-# [OPTIONAL] Database driver: "cockroachdb" (default) or "postgres".
-# Set to "postgres" when using a PostgreSQL 13+ database (e.g., DigitalOcean Managed PostgreSQL).
-# When DB_DRIVER=postgres, DATABASE_URL default port changes from 26257 to 5432.
-#DB_DRIVER=cockroachdb
+# [REQUIRED] PostgreSQL superuser password for the bundled postgres container.
+# Used by both the postgres service and the meridian service connection strings.
+# IMPORTANT: Use only alphanumeric characters and the symbols - _ . ~
+# URL-reserved characters (@, :, /, #, ?, %, +) will corrupt the connection string.
+POSTGRES_PASSWORD=changeme
 
-# [REQUIRED] Database connection string used by the application.
-# CockroachDB (default): postgres://root@cockroachdb:26257/defaultdb?sslmode=disable
-# PostgreSQL (DigitalOcean Managed): postgres://doadmin:<password>@<host>:25060/defaultdb?sslmode=require
-DATABASE_URL=postgres://root@cockroachdb:26257/defaultdb?sslmode=disable
+# [OPTIONAL] PostgreSQL username (default: meridian).
+POSTGRES_USER=meridian
+
+# [OPTIONAL] PostgreSQL database name (default: meridian).
+POSTGRES_DB=meridian
+
+# [OPTIONAL] Database driver — always "postgres" for the demo stack.
+DB_DRIVER=postgres
+
+# DATABASE_URL and per-service URLs are constructed automatically by docker-compose
+# from POSTGRES_USER / POSTGRES_PASSWORD / POSTGRES_DB above.
+# Override here only if pointing at an external database instead of the bundled container.
+#DATABASE_URL=postgres://meridian:<password>@postgres:5432/meridian?sslmode=disable
 
 # [OPTIONAL] GORM database connection pool settings.
 DB_CONN_MAX_IDLE_TIME=10m

deploy/demo/Caddyfile

@@ -0,0 +1,4 @@
+demo.meridianhub.cloud, *.demo.meridianhub.cloud {
+	tls /etc/caddy/certs/origin-cert.pem /etc/caddy/certs/origin-key.pem
+	reverse_proxy meridian:8090
+}

deploy/demo/docker-compose.yml

@@ -0,0 +1,104 @@
+# Meridian demo deployment stack
+#
+# Services:
+#   postgres  - PostgreSQL 16 (internal only, not exposed to host)
+#   meridian  - Unified binary; starts after postgres is healthy
+#   caddy     - Reverse proxy; exposes 80/443, terminates TLS via Cloudflare Origin Certificate
+#
+# Usage:
+#   cp deploy/demo/.env.demo.example /opt/meridian/.env
+#   # Edit /opt/meridian/.env with actual values
+#   docker compose --env-file /opt/meridian/.env -f /opt/meridian/docker-compose.yml up -d
+#
+# Directory layout expected on the host:
+#   /opt/meridian/.env            - Filled-in environment file
+#   /opt/meridian/Caddyfile       - Caddy configuration
+#   /opt/meridian/certs/          - Cloudflare Origin Certificate files
+#     origin-cert.pem
+#     origin-key.pem
+
+services:
+  postgres:
+    image: postgres:16-alpine
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER:-meridian}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in the env file}
+      POSTGRES_DB: ${POSTGRES_DB:-meridian}
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-meridian} -d ${POSTGRES_DB:-meridian}"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+      start_period: 10s
+    # Not exposed to host — accessed only by meridian on the internal network
+
+  meridian:
+    image: ${MERIDIAN_IMAGE:-ghcr.io/meridianhub/meridian:demo}
+    restart: unless-stopped
+    depends_on:
+      postgres:
+        condition: service_healthy
+    environment:
+      # --- Application ---
+      ENVIRONMENT: ${ENVIRONMENT:-demo}
+      LOG_LEVEL: ${LOG_LEVEL:-info}
+
+      # --- Database driver ---
+      DB_DRIVER: postgres
+
+      # --- Database URLs (all services share the same PostgreSQL instance in demo) ---
+      DATABASE_URL: postgres://${POSTGRES_USER:-meridian}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in the env file}@postgres:5432/${POSTGRES_DB:-meridian}?sslmode=disable
+      PLATFORM_DATABASE_URL: postgres://${POSTGRES_USER:-meridian}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in the env file}@postgres:5432/${POSTGRES_DB:-meridian}?sslmode=disable
+      CURRENT_ACCOUNT_DATABASE_URL: postgres://${POSTGRES_USER:-meridian}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in the env file}@postgres:5432/${POSTGRES_DB:-meridian}?sslmode=disable
+      FINANCIAL_ACCOUNTING_DATABASE_URL: postgres://${POSTGRES_USER:-meridian}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in the env file}@postgres:5432/${POSTGRES_DB:-meridian}?sslmode=disable
+      POSITION_KEEPING_DATABASE_URL: postgres://${POSTGRES_USER:-meridian}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in the env file}@postgres:5432/${POSTGRES_DB:-meridian}?sslmode=disable
+      PAYMENT_ORDER_DATABASE_URL: postgres://${POSTGRES_USER:-meridian}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in the env file}@postgres:5432/${POSTGRES_DB:-meridian}?sslmode=disable
+      PARTY_DATABASE_URL: postgres://${POSTGRES_USER:-meridian}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in the env file}@postgres:5432/${POSTGRES_DB:-meridian}?sslmode=disable
+      INTERNAL_BANK_ACCOUNT_DATABASE_URL: postgres://${POSTGRES_USER:-meridian}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in the env file}@postgres:5432/${POSTGRES_DB:-meridian}?sslmode=disable
+      MARKET_INFORMATION_DATABASE_URL: postgres://${POSTGRES_USER:-meridian}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in the env file}@postgres:5432/${POSTGRES_DB:-meridian}?sslmode=disable
+      REFERENCE_DATA_DATABASE_URL: postgres://${POSTGRES_USER:-meridian}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in the env file}@postgres:5432/${POSTGRES_DB:-meridian}?sslmode=disable
+
+      # --- Authentication ---
+      AUTH_MODE: ${AUTH_MODE:-disabled}
+
+      # --- Feature flags ---
+      BILLING_ENABLED: ${BILLING_ENABLED:-false}
+      REDIS_ENABLED: ${REDIS_ENABLED:-false}
+      KAFKA_ENABLED: ${KAFKA_ENABLED:-false}
+
+      # --- Multi-tenancy ---
+      MASTER_TENANT_ID: ${MASTER_TENANT_ID:-meridian_master}
+
+      # --- Connection pool ---
+      DB_MAX_OPEN_CONNS: ${DB_MAX_OPEN_CONNS:-25}
+      DB_MAX_IDLE_CONNS: ${DB_MAX_IDLE_CONNS:-5}
+      DB_CONN_MAX_LIFETIME: ${DB_CONN_MAX_LIFETIME:-5m}
+      DB_CONN_MAX_IDLE_TIME: ${DB_CONN_MAX_IDLE_TIME:-10m}
+    # Note: The meridian image uses gcr.io/distroless/static-debian12 (no shell,
+    # no wget), so a CMD-SHELL healthcheck cannot run. Health is monitored via
+    # the gRPC health check service on port 50051. Caddy uses service_started
+    # and retries upstream connections itself during meridian startup.
+    # Not exposed to host — accessed only by caddy on the internal network
+
+  caddy:
+    image: caddy:2-alpine
+    restart: unless-stopped
+    depends_on:
+      meridian:
+        condition: service_started
+    ports:
+      - "80:80"
+      - "443:443"
+    volumes:
+      - /opt/meridian/Caddyfile:/etc/caddy/Caddyfile:ro
+      - /opt/meridian/certs:/etc/caddy/certs:ro
+      - caddy_data:/data
+      - caddy_config:/config
+
+volumes:
+  postgres_data:
+  caddy_data:
+  caddy_config: