lazyflat: combined alert + apply behind authenticated web UI

Three isolated services (alert scraper, apply HTTP worker, web UI+DB) with argon2 auth, signed cookies, CSRF, rate-limited login, kill switch, apply circuit breaker, audit log, and strict CSP. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-21 09:51:35 +02:00 · 2026-04-21 09:51:35 +02:00 · 69f2f1f635
commit 69f2f1f635
46 changed files with 4183 additions and 0 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,82 @@
+services:
+  web:
+    build: ./web
+    container_name: lazyflat-web
+    restart: unless-stopped
+    depends_on:
+      apply:
+        condition: service_started
+    environment:
+      - AUTH_USERNAME=${AUTH_USERNAME}
+      - AUTH_PASSWORD_HASH=${AUTH_PASSWORD_HASH}
+      - SESSION_SECRET=${SESSION_SECRET}
+      - COOKIE_SECURE=${COOKIE_SECURE:-true}
+      - INTERNAL_API_KEY=${INTERNAL_API_KEY}
+      - APPLY_URL=http://apply:8000
+      - APPLY_TIMEOUT=${APPLY_TIMEOUT:-600}
+      - APPLY_FAILURE_THRESHOLD=${APPLY_FAILURE_THRESHOLD:-3}
+      - DATA_DIR=/data
+      - SESSION_MAX_AGE_SECONDS=${SESSION_MAX_AGE_SECONDS:-604800}
+      - LOGIN_RATE_LIMIT=${LOGIN_RATE_LIMIT:-5}
+      - LOGIN_RATE_WINDOW_SECONDS=${LOGIN_RATE_WINDOW_SECONDS:-900}
+      - FILTER_ROOMS=${FILTER_ROOMS:-2.0,2.5}
+      - FILTER_MAX_RENT=${FILTER_MAX_RENT:-1500}
+      - FILTER_MAX_MORNING_COMMUTE=${FILTER_MAX_MORNING_COMMUTE:-50}
+    volumes:
+      - lazyflat_data:/data
+    # Coolify assigns the public port/domain via labels — no host port needed.
+    expose:
+      - "8000"
+
+  apply:
+    build: ./apply
+    container_name: lazyflat-apply
+    restart: unless-stopped
+    # Intentionally NOT exposed to the internet. Reachable only on the compose network.
+    expose:
+      - "8000"
+    environment:
+      - INTERNAL_API_KEY=${INTERNAL_API_KEY}
+      - HEADLESS=true
+      - SUBMIT_FORMS=${SUBMIT_FORMS:-False}
+      - LANGUAGE=${LANGUAGE:-de}
+      - BROWSER_WIDTH=${BROWSER_WIDTH:-600}
+      - BROWSER_HEIGHT=${BROWSER_HEIGHT:-800}
+      - BROWSER_LOCALE=${BROWSER_LOCALE:-de-DE}
+      - POST_SUBMISSION_SLEEP_MS=${POST_SUBMISSION_SLEEP_MS:-0}
+      - SALUTATION=${SALUTATION}
+      - LASTNAME=${LASTNAME}
+      - FIRSTNAME=${FIRSTNAME}
+      - EMAIL=${EMAIL}
+      - TELEPHONE=${TELEPHONE}
+      - STREET=${STREET}
+      - HOUSE_NUMBER=${HOUSE_NUMBER}
+      - POSTCODE=${POSTCODE}
+      - CITY=${CITY}
+      - IS_POSSESSING_WBS=${IS_POSSESSING_WBS:-False}
+      - WBS_TYPE=${WBS_TYPE:-0}
+      - WBS_VALID_TILL=${WBS_VALID_TILL:-1970-01-01}
+      - WBS_ROOMS=${WBS_ROOMS:-0}
+      - WBS_ADULTS=${WBS_ADULTS:-0}
+      - WBS_CHILDREN=${WBS_CHILDREN:-0}
+      - IS_PRIO_WBS=${IS_PRIO_WBS:-False}
+      - IMMOMIO_EMAIL=${IMMOMIO_EMAIL:-}
+      - IMMOMIO_PASSWORD=${IMMOMIO_PASSWORD:-}
+
+  alert:
+    build: ./alert
+    container_name: lazyflat-alert
+    restart: unless-stopped
+    depends_on:
+      web:
+        condition: service_started
+    environment:
+      - WEB_URL=http://web:8000
+      - INTERNAL_API_KEY=${INTERNAL_API_KEY}
+      - SLEEP_INTERVALL=${SLEEP_INTERVALL:-60}
+      - GMAPS_API_KEY=${GMAPS_API_KEY}
+      - BERLIN_WOHNEN_USERNAME=${BERLIN_WOHNEN_USERNAME}
+      - BERLIN_WOHNEN_PASSWORD=${BERLIN_WOHNEN_PASSWORD}
+
+volumes:
+  lazyflat_data: