Docker Compose
Production stack
1. Clone and enter the production stack

   ```bash
   git clone https://github.com/mralaminahamed/tundra
   cd tundra/docs/09-deployment-bundle/prod
   ```

2. Configure

   ```bash
   cp .env.example .env
   # Edit .env — required values:
   # TUNDRA_HOSTNAME=panel.example.com
   # ACME_EMAIL=ops@example.com
   # TUNDRA_VERSION=1.0.0
   ```

3. Generate secrets

   ```bash
   bash scripts/generate-secrets.sh
   ```

   This creates `secrets/postgres_password.txt`, `secrets/valkey_password.txt`, and `secrets/master_key.bin` with mode `0400`. Run once — the script guards against re-runs.

4. Build and start

   ```bash
   docker compose build
   docker compose up -d
   docker compose logs -f tundrad
   ```

5. Complete setup

   Visit `https://panel.example.com/setup` to create your owner account.
Services
| Service | Image | Port |
|---|---|---|
| postgres | postgres:18-trixie | internal |
| valkey | valkey/valkey:8-alpine | internal |
| tundrad | built from source | internal |
| panel-ui | built from source | internal |
| caddy | caddy:2.10-alpine | 80, 443 |
| workload-1 | built from source | internal |
All services are on an internal Docker network. Only Caddy is exposed on the host.
Security hardening
The production stack applies:

- `read_only: true` on the tundrad container
- `security_opt: no-new-privileges:true`
- `cap_drop: ALL` with only `NET_BIND_SERVICE` added back
- Docker secrets for all credentials (never in environment variables)
- Caddy: HSTS, CSP, X-Frame-Options, X-Content-Type-Options headers
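
One way to check the settings listed above, and the rule that only Caddy is exposed on the host, against the rendered configuration. This is an added example, not part of the Tundra project. It assumes `no-new-privileges` and `cap_drop: ALL` are meant for every service; the sample config and its variable names are constructed.

```python
import json
import re
import sys

SECRET_NAME = re.compile(r"PASSWORD|SECRET|TOKEN|KEY", re.I)
ALLOWED_CAP_ADD = {"NET_BIND_SERVICE"}
NNP = {"no-new-privileges", "no-new-privileges:true", "no-new-privileges=true"}


def audit(config, read_only=("tundrad",), exposed=("caddy",)):
    """Return sorted 'service: finding' strings; an empty list means compliant."""
    findings = []
    for name, svc in config.get("services", {}).items():
        def flag(msg, name=name):
            findings.append(f"{name}: {msg}")
        if name in read_only and svc.get("read_only") is not True:
            flag("read_only is not true")
        if not NNP & set(svc.get("security_opt") or []):
            flag("no-new-privileges not set")
        if "ALL" not in [c.upper() for c in svc.get("cap_drop") or []]:
            flag("cap_drop does not include ALL")
        extra = {c.upper() for c in svc.get("cap_add") or []} - ALLOWED_CAP_ADD
        if extra:
            flag("unexpected cap_add: " + ",".join(sorted(extra)))
        if svc.get("ports") and name not in exposed:
            flag("publishes host ports")
        env = svc.get("environment") or {}
        if isinstance(env, list):  # list form: ["KEY=value", ...]
            env = dict(item.partition("=")[::2] for item in env)
        for key, value in env.items():
            # *_FILE variables point at a mounted secret file, not the secret itself
            if SECRET_NAME.search(key) and not key.upper().endswith("_FILE") and value:
                flag(f"credential-like environment variable {key}")
    return sorted(findings)


# Constructed sample, not the project's compose file; variable names are made up.
SAMPLE = {"services": {
    "tundrad": {"read_only": True, "security_opt": ["no-new-privileges:true"],
                "cap_drop": ["ALL"],
                "environment": {"MASTER_KEY_FILE": "/run/secrets/master_key"}},
    "postgres": {"cap_drop": ["ALL"], "cap_add": ["SYS_ADMIN"],
                 "ports": [{"target": 5432, "published": "5432"}],
                 "environment": {"POSTGRES_PASSWORD": "constructed-value"}},
}}

if __name__ == "__main__":
    cfg = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    sys.exit("\n".join(audit(cfg)) or 0)
```

Saved under a name of your choice (here `audit_compose.py`), run it from the stack directory as `docker compose config --format json | python3 audit_compose.py`; it exits non-zero and lists the deviations when any are found.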
Updating
```bash
# In docs/09-deployment-bundle/prod/
# 1. Update TUNDRA_VERSION in .env
# 2. Pull and rebuild
docker compose pull
docker compose up -d --build
docker compose logs -f tundrad
```

Migrations run automatically on startup.