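---
# docker-compose.network-isolated.yml
# Network-isolated Docker Compose configuration for GDPR-compliant processing
# Use this configuration when processing sensitive financial data
#
# Usage:
#   docker-compose -f docker-compose.network-isolated.yml up --build
#
# Security Features:
# - Network mode: none (complete network isolation)
# - Read-only root filesystem
# - No new privileges
# - Dropped all capabilities
# - Resource limits enforced (memory, CPU, cgroup PID limit, ulimits)
services:
  bank-processor:
    image: ${DOCKER_IMAGE:-bankstatementsprocessor}:${VERSION:-latest}
    build:
      context: .
      target: production
      args:
        VERSION: ${VERSION:-dev}
        BUILD_DATE: ${BUILD_DATE:-}
        VCS_REF: ${VCS_REF:-}
    pull_policy: ${PULL_POLICY:-build}
    container_name: bank-statement-processor-isolated
    # Target platform. Default stays linux/arm64 (previous hard-coded value);
    # override with e.g. PLATFORM=linux/amd64 on x86 hosts instead of editing the file.
    platform: ${PLATFORM:-linux/arm64}

    # ========================================================================
    # SECURITY: Network Isolation (GDPR Compliance)
    # ========================================================================
    # Complete network isolation - no network access at all
    # This ensures sensitive financial data cannot be transmitted
    network_mode: none

    # ========================================================================
    # SECURITY: Filesystem Isolation
    # ========================================================================
    # Read-only root filesystem (writable volumes mounted explicitly)
    read_only: true
    # Temporary directories for runtime writes.
    # NOTE(review): these mounts carry no explicit size cap; if the processor
    # can write large scratch data, consider bounding them (e.g. long-syntax
    # `type: tmpfs` entries under `volumes` with `tmpfs.size`) so a runaway
    # job cannot consume memory up to mem_limit.
    tmpfs:
      - /tmp
      - /home/appuser/.cache

    # ========================================================================
    # SECURITY: Volume Mounts (Local Filesystem Only)
    # ========================================================================
    volumes:
      # Input statements (read-only)
      - ./input:/app/input:ro
      # Output CSV files (read-write)
      - ./output:/app/output
      # Processing activity logs (read-write)
      - ./logs:/app/logs
      # Optional: Custom templates (read-only)
      # - ./custom_templates:/app/custom_templates:ro

    # ========================================================================
    # SECURITY: Process Capabilities
    # ========================================================================
    # Drop all Linux capabilities (principle of least privilege)
    cap_drop:
      - ALL
    # Prevent privilege escalation
    security_opt:
      - no-new-privileges:true

    # ========================================================================
    # APPLICATION CONFIGURATION
    # ========================================================================
    environment:
      - LOG_LEVEL=${LOG_LEVEL:-INFO}
      - EXIT_AFTER_PROCESSING=${EXIT_AFTER_PROCESSING:-true}
      - ENABLE_DYNAMIC_BOUNDARY=${ENABLE_DYNAMIC_BOUNDARY:-false}
      - SORT_BY_DATE=${SORT_BY_DATE:-true}
      - RECURSIVE_SCAN=${RECURSIVE_SCAN:-true}
      # Minimal output format for GDPR-compliant environments (override to add json/excel)
      - OUTPUT_FORMATS=${OUTPUT_FORMATS:-csv}
      # Disabled by default in isolated mode; enable explicitly if required
      - GENERATE_MONTHLY_SUMMARY=${GENERATE_MONTHLY_SUMMARY:-false}
      - GENERATE_EXPENSE_ANALYSIS=${GENERATE_EXPENSE_ANALYSIS:-false}
      - TOTALS_COLUMNS=${TOTALS_COLUMNS:-debit,credit}
      - TABLE_TOP_Y=${TABLE_TOP_Y:-250}
      - TABLE_BOTTOM_Y=${TABLE_BOTTOM_Y:-720}
      - DATA_RETENTION_DAYS=${DATA_RETENTION_DAYS:-0}
      - AUTO_CLEANUP_ON_EXIT=${AUTO_CLEANUP_ON_EXIT:-false}
      - LOGS_DIR=${LOGS_DIR:-logs}

    # ========================================================================
    # RESOURCE LIMITS
    # ========================================================================
    # Memory and CPU limits to prevent resource exhaustion
    mem_limit: 8g
    mem_reservation: 4g
    cpus: 4.0
    shm_size: 2g

    # ========================================================================
    # PROCESS LIMITS
    # ========================================================================
    # Cgroup-enforced per-container task cap. The nproc ulimit below is
    # counted per UID across the whole host, so on its own it does not bound
    # this container; pids_limit is the limit Docker enforces per container.
    pids_limit: 4096
    ulimits:
      nofile:
        soft: 65536
        hard: 65536
      nproc:
        soft: 4096
        hard: 4096

# No networks defined - network_mode: none overrides this
networks: {}

# No volumes defined - using bind mounts only
volumes: {}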