
Commit 2d1f62c

baijumclaude
and committed
fix: remove default celery-worker and add security/celery docs
Remove celery-worker service from both compose files since most apps don't need it. Add README sections explaining how to re-enable Celery and documenting automatic security features (headers, Trivy, credentials).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 834ec8f commit 2d1f62c

3 files changed

Lines changed: 37 additions & 32 deletions

File tree

README.md

Lines changed: 37 additions & 1 deletion
@@ -15,7 +15,6 @@ app/ # FastAPI backend
1515
main.py # Application entry point
1616
Dockerfile # Backend container image
1717
models.py # SQLAlchemy models
18-
tasks.py # Celery background tasks
1918
alembic/ # Database migrations
2019
deploy/
2120
docker-compose.yml # App containers (multi-app mode)
@@ -80,6 +79,43 @@ Configure these GitHub Actions secrets on your repository (**Settings > Secrets
8079

8180
Database and storage credentials are auto-generated on the server by the bootstrap script. They are not GitHub secrets.
8281

82+
## Background Tasks (Celery)
83+
84+
The template does not include a celery-worker service by default. If your app needs background tasks:
85+
86+
1. Add `celery` and `redis` to `requirements.txt`
87+
2. Create `app/tasks.py` with your Celery app and tasks
88+
3. Add the celery-worker service to `deploy/docker-compose.yml`:
89+
90+
```yaml
91+
celery-worker:
92+
build:
93+
context: ..
94+
dockerfile: app/Dockerfile
95+
command: celery -A app.tasks worker --loglevel=info
96+
env_file:
97+
- .env
98+
restart: unless-stopped
99+
networks:
100+
- towlion
101+
deploy:
102+
resources:
103+
limits:
104+
cpus: '0.25'
105+
memory: 256M
106+
reservations:
107+
cpus: '0.10'
108+
memory: 128M
109+
```
110+
111+
## Security
112+
113+
Security hardening is applied automatically by the platform:
114+
115+
- **Security headers** — HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy are set via the Caddy `(security_headers)` snippet, imported by every app route
116+
- **Trivy scanning** — Every deploy scans the built Docker image for HIGH/CRITICAL vulnerabilities (non-blocking). A weekly cron scan covers all running images.
117+
- **Credential isolation** — Per-app PostgreSQL users and MinIO buckets are provisioned by `create-app-credentials.sh`
118+
83119
## Self-Hosting
84120

85121
For full self-hosting instructions, see the platform documentation:
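Review bot: the Celery recipe (steps 1 to 3) never says how the worker reaches its broker: step 1 adds the `redis` client package and the snippet loads `.env`, but no broker URL variable or Redis service is named, and unlike the worker block removed from docker-compose.standalone.yml this snippet has no `depends_on`, so a standalone user who copies it gets no start-order guarantee. Name the environment variable `app.tasks` is expected to read for the broker and give a standalone variant with `depends_on: redis`. Two wording points in the Security section: "non-blocking" should say plainly that a HIGH/CRITICAL Trivy finding is reported but does not fail the deploy, so readers know the scan is advisory; and since the worker snippet uses `env_file: - .env` it receives the same credentials as the API container, which is worth stating next to the credential-isolation bullet.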

deploy/docker-compose.standalone.yml

Lines changed: 0 additions & 12 deletions
@@ -20,18 +20,6 @@ services:
2020
condition: service_started
2121
restart: unless-stopped
2222

23-
celery-worker:
24-
build:
25-
context: ..
26-
dockerfile: app/Dockerfile
27-
command: celery -A app.tasks worker --loglevel=info
28-
env_file:
29-
- .env
30-
depends_on:
31-
redis:
32-
condition: service_started
33-
restart: unless-stopped
34-
3523
postgres:
3624
image: postgres:16
3725
environment:
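Review bot: the removed worker block carried `depends_on: redis`, so after this change the `redis` service in docker-compose.standalone.yml may have no remaining consumer; confirm whether the app container itself uses Redis and, if it does not, either drop the service in this commit or note in the README's Background Tasks section that Redis is kept running for optional Celery use, otherwise the default deployment runs an unused network-listening service.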

deploy/docker-compose.yml

Lines changed: 0 additions & 19 deletions
@@ -23,25 +23,6 @@ services:
2323
cpus: '0.25'
2424
memory: 256M
2525

26-
celery-worker:
27-
build:
28-
context: ..
29-
dockerfile: app/Dockerfile
30-
command: celery -A app.tasks worker --loglevel=info
31-
env_file:
32-
- .env
33-
restart: unless-stopped
34-
networks:
35-
- towlion
36-
deploy:
37-
resources:
38-
limits:
39-
cpus: '0.25'
40-
memory: 256M
41-
reservations:
42-
cpus: '0.10'
43-
memory: 128M
44-
4526
networks:
4627
towlion:
4728
external: true
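Review bot: the block deleted here is reproduced verbatim in the new README snippet, which is fine, but the surviving default still needs checking for leftover Celery wiring: the README's step 1 says to add `celery` and `redis` to `requirements.txt` only when needed, yet this commit does not touch `requirements.txt`, `app/Dockerfile` or `main.py`, so if any of them still install or import Celery the default image keeps a dependency the docs now describe as opt-in.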
