adelorenzo/talk2me
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add production WSGI server - Flask dev server unsuitable for production load

Browse Source 
This adds a complete production deployment setup using Gunicorn as the WSGI server, replacing Flask's development server.

Key components:
- Gunicorn configuration with optimized worker settings
- Support for sync, threaded, and async (gevent) workers
- Automatic worker recycling to prevent memory leaks
- Increased timeouts for audio processing
- Production-ready logging and monitoring

Deployment options:
1. Docker/Docker Compose for containerized deployment
2. Systemd service for traditional deployment
3. Nginx reverse proxy configuration
4. SSL/TLS support

Production features:
- wsgi.py entry point for WSGI servers
- gunicorn_config.py with production settings
- Dockerfile with multi-stage build
- docker-compose.yml with full stack (Redis, PostgreSQL)
- nginx.conf with caching and security headers
- systemd service with security hardening
- deploy.sh automated deployment script

Configuration:
- .env.production template with all settings
- Support for environment-based configuration
- Separate requirements-prod.txt
- Prometheus metrics endpoint (/metrics)

Monitoring:
- Health check endpoints for liveness/readiness
- Prometheus-compatible metrics
- Structured logging
- Memory usage tracking
- Request counting

Security:
- Non-root user in Docker
- Systemd security restrictions
- Nginx security headers
- File permission hardening
- Resource limits

Documentation:
- Comprehensive PRODUCTION_DEPLOYMENT.md
- Scaling strategies
- Performance tuning guide
- Troubleshooting section

Also fixed memory_manager.py GC stats collection error.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Adolfo Delorenzo 2025-06-03 08:49:32 -06:00
parent 1b9ad03400
commit 92fd390866
13 changed files with 1237 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
.dockerignore Normal file
View File

@ -0,0 +1,71 @@
# Git
.git
.gitignore
# Python
__pycache__
*.pyc
*.pyo
*.pyd
.Python
venv/
env/
.venv
pip-log.txt
pip-delete-this-directory.txt
.tox/
.coverage
.coverage.*
.cache
*.egg-info/
.pytest_cache/
# Node
node_modules/
npm-debug.log*
yarn-debug.log*
yarn-error.log*
# IDE
.vscode/
.idea/
*.swp
*.swo
*~
# OS
.DS_Store
.DS_Store?
._*
.Spotlight-V100
.Trashes
ehthumbs.db
Thumbs.db
# Project specific
logs/
*.log
.env
.env.*
!.env.production
*.db
*.sqlite
/tmp
/temp
test_*.py
tests/
# Documentation
*.md
!README.md
docs/
# CI/CD
.github/
.gitlab-ci.yml
.travis.yml
# Development files
deploy.sh
Makefile
docker-compose.override.yml

46
Dockerfile Normal file
View File

@ -0,0 +1,46 @@
# Production Dockerfile for Talk2Me
FROM python:3.10-slim
# Install system dependencies
RUN apt-get update && apt-get install -y \
build-essential \
curl \
ffmpeg \
git \
&& rm -rf /var/lib/apt/lists/*
# Create non-root user
RUN useradd -m -u 1000 talk2me
# Set working directory
WORKDIR /app
# Copy requirements first for better caching
COPY requirements.txt requirements-prod.txt ./
RUN pip install --no-cache-dir -r requirements-prod.txt
# Copy application code
COPY --chown=talk2me:talk2me . .
# Create necessary directories
RUN mkdir -p logs /tmp/talk2me_uploads && \
chown -R talk2me:talk2me logs /tmp/talk2me_uploads
# Switch to non-root user
USER talk2me
# Set environment variables
ENV FLASK_ENV=production \
PYTHONUNBUFFERED=1 \
UPLOAD_FOLDER=/tmp/talk2me_uploads \
LOGS_DIR=/app/logs
# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
CMD curl -f http://localhost:5005/health || exit 1
# Expose port
EXPOSE 5005
# Run with gunicorn
CMD ["gunicorn", "--config", "gunicorn_config.py", "wsgi:application"]

435
PRODUCTION_DEPLOYMENT.md Normal file
View File

@ -0,0 +1,435 @@
# Production Deployment Guide
This guide covers deploying Talk2Me in a production environment using a proper WSGI server.
## Overview
The Flask development server is not suitable for production use. This guide covers:
- Gunicorn as the WSGI server
- Nginx as a reverse proxy
- Docker for containerization
- Systemd for process management
- Security best practices
## Quick Start with Docker
### 1. Using Docker Compose
```bash
# Clone the repository
git clone https://github.com/your-repo/talk2me.git
cd talk2me
# Create .env file with production settings
cat > .env <<EOF
TTS_API_KEY=your-api-key
ADMIN_TOKEN=your-secure-admin-token
SECRET_KEY=your-secure-secret-key
POSTGRES_PASSWORD=your-secure-db-password
EOF
# Build and start services
docker-compose up -d
# Check status
docker-compose ps
docker-compose logs -f talk2me
```
### 2. Using Docker (standalone)
```bash
# Build the image
docker build -t talk2me .
# Run the container
docker run -d \
--name talk2me \
-p 5005:5005 \
-e TTS_API_KEY=your-api-key \
-e ADMIN_TOKEN=your-secure-token \
-e SECRET_KEY=your-secure-key \
-v $(pwd)/logs:/app/logs \
talk2me
```
## Manual Deployment
### 1. System Requirements
- Ubuntu 20.04+ or similar Linux distribution
- Python 3.8+
- Nginx
- Systemd
- 4GB+ RAM recommended
- GPU (optional, for faster transcription)
### 2. Installation
Run the deployment script as root:
```bash
sudo ./deploy.sh
```
Or manually:
```bash
# Install system dependencies
sudo apt-get update
sudo apt-get install -y python3-pip python3-venv nginx
# Create application user
sudo useradd -m -s /bin/bash talk2me
# Create directories
sudo mkdir -p /opt/talk2me /var/log/talk2me
sudo chown talk2me:talk2me /opt/talk2me /var/log/talk2me
# Copy application files
sudo cp -r . /opt/talk2me/
sudo chown -R talk2me:talk2me /opt/talk2me
# Install Python dependencies
sudo -u talk2me python3 -m venv /opt/talk2me/venv
sudo -u talk2me /opt/talk2me/venv/bin/pip install -r requirements-prod.txt
# Configure and start services
sudo cp talk2me.service /etc/systemd/system/
sudo systemctl enable talk2me
sudo systemctl start talk2me
```
## Gunicorn Configuration
The `gunicorn_config.py` file contains production-ready settings:
### Worker Configuration
```python
# Number of worker processes
workers = multiprocessing.cpu_count() * 2 + 1
# Worker timeout (increased for audio processing)
timeout = 120
# Restart workers periodically to prevent memory leaks
max_requests = 1000
max_requests_jitter = 50
```
### Performance Tuning
For different workloads:
```bash
# CPU-bound (transcription heavy)
export GUNICORN_WORKERS=8
export GUNICORN_THREADS=1
# I/O-bound (many concurrent requests)
export GUNICORN_WORKERS=4
export GUNICORN_THREADS=4
export GUNICORN_WORKER_CLASS=gthread
# Async (best concurrency)
export GUNICORN_WORKER_CLASS=gevent
export GUNICORN_WORKER_CONNECTIONS=1000
```
## Nginx Configuration
### Basic Setup
The provided `nginx.conf` includes:
- Reverse proxy to Gunicorn
- Static file serving
- WebSocket support
- Security headers
- Gzip compression
### SSL/TLS Setup
```nginx
server {
listen 443 ssl http2;
server_name your-domain.com;
ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
# Strong SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
# HSTS
add_header Strict-Transport-Security "max-age=63072000" always;
}
```
## Environment Variables
### Required
```bash
# Security
SECRET_KEY=your-very-secure-secret-key
ADMIN_TOKEN=your-admin-api-token
# TTS Configuration
TTS_API_KEY=your-tts-api-key
TTS_SERVER_URL=http://your-tts-server:5050/v1/audio/speech
# Flask
FLASK_ENV=production
```
### Optional
```bash
# Performance
GUNICORN_WORKERS=4
GUNICORN_THREADS=2
MEMORY_THRESHOLD_MB=4096
GPU_MEMORY_THRESHOLD_MB=2048
# Database (for session storage)
DATABASE_URL=postgresql://user:pass@localhost/talk2me
REDIS_URL=redis://localhost:6379/0
# Monitoring
SENTRY_DSN=your-sentry-dsn
```
## Monitoring
### Health Checks
```bash
# Basic health check
curl http://localhost:5005/health
# Detailed health check
curl http://localhost:5005/health/detailed
# Memory usage
curl -H "X-Admin-Token: your-token" http://localhost:5005/admin/memory
```
### Logs
```bash
# Application logs
tail -f /var/log/talk2me/talk2me.log
# Error logs
tail -f /var/log/talk2me/errors.log
# Gunicorn logs
journalctl -u talk2me -f
# Nginx logs
tail -f /var/log/nginx/access.log
tail -f /var/log/nginx/error.log
```
### Metrics
With Prometheus client installed:
```bash
# Prometheus metrics endpoint
curl http://localhost:5005/metrics
```
## Scaling
### Horizontal Scaling
For multiple servers:
1. Use Redis for session storage
2. Use PostgreSQL for persistent data
3. Load balance with Nginx:
```nginx
upstream talk2me_backends {
least_conn;
server server1:5005 weight=1;
server server2:5005 weight=1;
server server3:5005 weight=1;
}
```
### Vertical Scaling
Adjust based on load:
```bash
# High memory usage
MEMORY_THRESHOLD_MB=8192
GPU_MEMORY_THRESHOLD_MB=4096
# More workers
GUNICORN_WORKERS=16
GUNICORN_THREADS=4
# Larger file limits
client_max_body_size 100M;
```
## Security
### Firewall
```bash
# Allow only necessary ports
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 22/tcp
sudo ufw enable
```
### File Permissions
```bash
# Secure file permissions
sudo chmod 750 /opt/talk2me
sudo chmod 640 /opt/talk2me/.env
sudo chmod 755 /opt/talk2me/static
```
### AppArmor/SELinux
Create security profiles to restrict application access.
## Backup
### Database Backup
```bash
# PostgreSQL
pg_dump talk2me > backup.sql
# Redis
redis-cli BGSAVE
```
### Application Backup
```bash
# Backup application and logs
tar -czf talk2me-backup.tar.gz \
/opt/talk2me \
/var/log/talk2me \
/etc/systemd/system/talk2me.service \
/etc/nginx/sites-available/talk2me
```
## Troubleshooting
### Service Won't Start
```bash
# Check service status
systemctl status talk2me
# Check logs
journalctl -u talk2me -n 100
# Test configuration
sudo -u talk2me /opt/talk2me/venv/bin/gunicorn --check-config wsgi:application
```
### High Memory Usage
```bash
# Trigger cleanup
curl -X POST -H "X-Admin-Token: token" http://localhost:5005/admin/memory/cleanup
# Restart workers
systemctl reload talk2me
```
### Slow Response Times
1. Check worker count
2. Enable async workers
3. Check GPU availability
4. Review nginx buffering settings
## Performance Optimization
### 1. Enable GPU
Ensure CUDA/ROCm is properly installed:
```bash
# Check GPU
nvidia-smi # or rocm-smi
# Set in environment
export CUDA_VISIBLE_DEVICES=0
```
### 2. Optimize Workers
```python
# For CPU-heavy workloads
workers = cpu_count()
threads = 1
# For I/O-heavy workloads
workers = cpu_count() * 2
threads = 4
```
### 3. Enable Caching
Use Redis for caching translations:
```python
CACHE_TYPE = 'redis'
CACHE_REDIS_URL = 'redis://localhost:6379/0'
```
## Maintenance
### Regular Tasks
1. **Log Rotation**: Configured automatically
2. **Database Cleanup**: Run weekly
3. **Model Updates**: Check for Whisper updates
4. **Security Updates**: Keep dependencies updated
### Update Procedure
```bash
# Backup first
./backup.sh
# Update code
git pull
# Update dependencies
sudo -u talk2me /opt/talk2me/venv/bin/pip install -r requirements-prod.txt
# Restart service
sudo systemctl restart talk2me
```
## Rollback
If deployment fails:
```bash
# Stop service
sudo systemctl stop talk2me
# Restore backup
tar -xzf talk2me-backup.tar.gz -C /
# Restart service
sudo systemctl start talk2me
```

16
README.md
View File

@ -159,6 +159,22 @@ Comprehensive memory leak prevention for extended use:
See [MEMORY_MANAGEMENT.md](MEMORY_MANAGEMENT.md) for detailed documentation.
## Production Deployment
For production use, deploy with a proper WSGI server:
- Gunicorn with optimized worker configuration
- Nginx reverse proxy with caching
- Docker/Docker Compose support
- Systemd service management
- Comprehensive security hardening
Quick start:
```bash
docker-compose up -d
```
See [PRODUCTION_DEPLOYMENT.md](PRODUCTION_DEPLOYMENT.md) for detailed deployment instructions.
## Mobile Support
The interface is fully responsive and designed to work well on mobile devices.

44
app.py
View File

@ -1232,6 +1232,50 @@ def liveness_check():
"""Liveness probe - basic check to see if process is alive"""
return jsonify({'status': 'alive', 'timestamp': time.time()})
@app.route('/metrics', methods=['GET'])
def prometheus_metrics():
"""Prometheus-compatible metrics endpoint"""
try:
# Import prometheus client if available
from prometheus_client import generate_latest, Counter, Histogram, Gauge
# Define metrics
request_count = Counter('talk2me_requests_total', 'Total requests', ['method', 'endpoint'])
request_duration = Histogram('talk2me_request_duration_seconds', 'Request duration', ['method', 'endpoint'])
active_sessions = Gauge('talk2me_active_sessions', 'Active sessions')
memory_usage = Gauge('talk2me_memory_usage_bytes', 'Memory usage', ['type'])
# Update metrics
if hasattr(app, 'session_manager'):
active_sessions.set(len(app.session_manager.sessions))
if hasattr(app, 'memory_manager'):
stats = app.memory_manager.get_memory_stats()
memory_usage.labels(type='process').set(stats.process_memory_mb * 1024 * 1024)
memory_usage.labels(type='gpu').set(stats.gpu_memory_mb * 1024 * 1024)
return generate_latest()
except ImportError:
# Prometheus client not installed, return basic metrics
metrics = []
# Basic metrics in Prometheus format
metrics.append(f'# HELP talk2me_up Talk2Me service status')
metrics.append(f'# TYPE talk2me_up gauge')
metrics.append(f'talk2me_up 1')
if hasattr(app, 'request_count'):
metrics.append(f'# HELP talk2me_requests_total Total number of requests')
metrics.append(f'# TYPE talk2me_requests_total counter')
metrics.append(f'talk2me_requests_total {app.request_count}')
if hasattr(app, 'session_manager'):
metrics.append(f'# HELP talk2me_active_sessions Number of active sessions')
metrics.append(f'# TYPE talk2me_active_sessions gauge')
metrics.append(f'talk2me_active_sessions {len(app.session_manager.sessions)}')
return '\n'.join(metrics), 200, {'Content-Type': 'text/plain; charset=utf-8'}
@app.route('/health/storage', methods=['GET'])
def storage_health():
"""Check temporary file storage health"""

208
deploy.sh Executable file
View File

@ -0,0 +1,208 @@
#!/bin/bash
# Production deployment script for Talk2Me
set -e # Exit on error
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
# Configuration
APP_NAME="talk2me"
APP_USER="talk2me"
APP_DIR="/opt/talk2me"
VENV_DIR="$APP_DIR/venv"
LOG_DIR="/var/log/talk2me"
PID_FILE="/var/run/talk2me.pid"
WORKERS=${WORKERS:-4}
# Functions
print_status() {
echo -e "${GREEN}[INFO]${NC} $1"
}
print_error() {
echo -e "${RED}[ERROR]${NC} $1"
}
print_warning() {
echo -e "${YELLOW}[WARNING]${NC} $1"
}
# Check if running as root
if [[ $EUID -ne 0 ]]; then
print_error "This script must be run as root"
exit 1
fi
# Create application user if doesn't exist
if ! id "$APP_USER" &>/dev/null; then
print_status "Creating application user: $APP_USER"
useradd -m -s /bin/bash $APP_USER
fi
# Create directories
print_status "Creating application directories"
mkdir -p $APP_DIR $LOG_DIR
chown -R $APP_USER:$APP_USER $APP_DIR $LOG_DIR
# Copy application files
print_status "Copying application files"
rsync -av --exclude='venv' --exclude='__pycache__' --exclude='*.pyc' \
--exclude='logs' --exclude='.git' --exclude='node_modules' \
./ $APP_DIR/
# Create virtual environment
print_status "Setting up Python virtual environment"
su - $APP_USER -c "cd $APP_DIR && python3 -m venv $VENV_DIR"
# Install dependencies
print_status "Installing Python dependencies"
su - $APP_USER -c "cd $APP_DIR && $VENV_DIR/bin/pip install --upgrade pip"
su - $APP_USER -c "cd $APP_DIR && $VENV_DIR/bin/pip install -r requirements-prod.txt"
# Install Whisper model
print_status "Downloading Whisper model (this may take a while)"
su - $APP_USER -c "cd $APP_DIR && $VENV_DIR/bin/python -c 'import whisper; whisper.load_model(\"base\")'"
# Build frontend assets
if [ -f "package.json" ]; then
print_status "Building frontend assets"
cd $APP_DIR
npm install
npm run build
fi
# Create systemd service
print_status "Creating systemd service"
cat > /etc/systemd/system/talk2me.service <<EOF
[Unit]
Description=Talk2Me Translation Service
After=network.target
[Service]
Type=notify
User=$APP_USER
Group=$APP_USER
WorkingDirectory=$APP_DIR
Environment="PATH=$VENV_DIR/bin"
Environment="FLASK_ENV=production"
Environment="UPLOAD_FOLDER=/tmp/talk2me_uploads"
Environment="LOGS_DIR=$LOG_DIR"
ExecStart=$VENV_DIR/bin/gunicorn --config gunicorn_config.py wsgi:application
ExecReload=/bin/kill -s HUP \$MAINPID
KillMode=mixed
TimeoutStopSec=5
Restart=always
RestartSec=10
# Security settings
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths=$LOG_DIR /tmp
[Install]
WantedBy=multi-user.target
EOF
# Create nginx configuration
print_status "Creating nginx configuration"
cat > /etc/nginx/sites-available/talk2me <<EOF
server {
listen 80;
server_name _; # Replace with your domain
# Security headers
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";
# File upload size limit
client_max_body_size 50M;
client_body_buffer_size 1M;
# Timeouts for long audio processing
proxy_connect_timeout 120s;
proxy_send_timeout 120s;
proxy_read_timeout 120s;
location / {
proxy_pass http://127.0.0.1:5005;
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host \$host;
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_cache_bypass \$http_upgrade;
# Don't buffer responses
proxy_buffering off;
# WebSocket support
proxy_set_header Connection "upgrade";
}
location /static {
alias $APP_DIR/static;
expires 1y;
add_header Cache-Control "public, immutable";
}
# Health check endpoint
location /health {
proxy_pass http://127.0.0.1:5005/health;
access_log off;
}
}
EOF
# Enable nginx site
if [ -f /etc/nginx/sites-enabled/default ]; then
rm /etc/nginx/sites-enabled/default
fi
ln -sf /etc/nginx/sites-available/talk2me /etc/nginx/sites-enabled/
# Set permissions
chown -R $APP_USER:$APP_USER $APP_DIR
# Reload systemd
print_status "Reloading systemd"
systemctl daemon-reload
# Start services
print_status "Starting services"
systemctl enable talk2me
systemctl restart talk2me
systemctl restart nginx
# Wait for service to start
sleep 5
# Check service status
if systemctl is-active --quiet talk2me; then
print_status "Talk2Me service is running"
else
print_error "Talk2Me service failed to start"
journalctl -u talk2me -n 50
exit 1
fi
# Test health endpoint
if curl -s http://localhost:5005/health | grep -q "healthy"; then
print_status "Health check passed"
else
print_error "Health check failed"
exit 1
fi
print_status "Deployment complete!"
print_status "Talk2Me is now running at http://$(hostname -I | awk '{print $1}')"
print_status "Check logs at: $LOG_DIR"
print_status "Service status: systemctl status talk2me"

92
docker-compose.yml Normal file
View File

@ -0,0 +1,92 @@
version: '3.8'
services:
talk2me:
build: .
container_name: talk2me
restart: unless-stopped
ports:
- "5005:5005"
environment:
- FLASK_ENV=production
- UPLOAD_FOLDER=/tmp/talk2me_uploads
- LOGS_DIR=/app/logs
- TTS_SERVER_URL=${TTS_SERVER_URL:-http://localhost:5050/v1/audio/speech}
- TTS_API_KEY=${TTS_API_KEY}
- ADMIN_TOKEN=${ADMIN_TOKEN:-change-me-in-production}
- SECRET_KEY=${SECRET_KEY:-change-me-in-production}
- GUNICORN_WORKERS=${GUNICORN_WORKERS:-4}
- GUNICORN_THREADS=${GUNICORN_THREADS:-2}
- MEMORY_THRESHOLD_MB=${MEMORY_THRESHOLD_MB:-4096}
- GPU_MEMORY_THRESHOLD_MB=${GPU_MEMORY_THRESHOLD_MB:-2048}
volumes:
- ./logs:/app/logs
- talk2me_uploads:/tmp/talk2me_uploads
- talk2me_models:/root/.cache/whisper # Whisper models cache
deploy:
resources:
limits:
memory: 4G
reservations:
memory: 2G
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:5005/health"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
networks:
- talk2me_network
# Nginx reverse proxy (optional, for production)
nginx:
image: nginx:alpine
container_name: talk2me_nginx
restart: unless-stopped
ports:
- "80:80"
- "443:443"
volumes:
- ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
- ./static:/app/static:ro
- nginx_ssl:/etc/nginx/ssl
depends_on:
- talk2me
networks:
- talk2me_network
# Redis for session storage (optional)
redis:
image: redis:7-alpine
container_name: talk2me_redis
restart: unless-stopped
command: redis-server --maxmemory 256mb --maxmemory-policy allkeys-lru
volumes:
- redis_data:/data
networks:
- talk2me_network
# PostgreSQL for persistent storage (optional)
postgres:
image: postgres:15-alpine
container_name: talk2me_postgres
restart: unless-stopped
environment:
- POSTGRES_DB=talk2me
- POSTGRES_USER=talk2me
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-change-me-in-production}
volumes:
- postgres_data:/var/lib/postgresql/data
networks:
- talk2me_network
volumes:
talk2me_uploads:
talk2me_models:
redis_data:
postgres_data:
nginx_ssl:
networks:
talk2me_network:
driver: bridge

86
gunicorn_config.py Normal file
View File

@ -0,0 +1,86 @@
"""
Gunicorn configuration for production deployment
"""
import multiprocessing
import os
# Server socket
bind = os.environ.get('GUNICORN_BIND', '0.0.0.0:5005')
backlog = 2048
# Worker processes
# Use 2-4 workers per CPU core
workers = int(os.environ.get('GUNICORN_WORKERS', multiprocessing.cpu_count() * 2 + 1))
worker_class = 'sync' # Use 'gevent' for async if needed
worker_connections = 1000
timeout = 120 # Increased for audio processing
keepalive = 5
# Restart workers after this many requests, to help prevent memory leaks
max_requests = 1000
max_requests_jitter = 50
# Preload the application
preload_app = True
# Server mechanics
daemon = False
pidfile = os.environ.get('GUNICORN_PID', '/tmp/talk2me.pid')
user = None
group = None
tmp_upload_dir = None
# Logging
accesslog = os.environ.get('GUNICORN_ACCESS_LOG', '-')
errorlog = os.environ.get('GUNICORN_ERROR_LOG', '-')
loglevel = os.environ.get('GUNICORN_LOG_LEVEL', 'info')
access_log_format = '%(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s" %(D)s'
# Process naming
proc_name = 'talk2me'
# Server hooks
def when_ready(server):
"""Called just after the server is started."""
server.log.info("Server is ready. Spawning workers")
def worker_int(worker):
"""Called just after a worker exited on SIGINT or SIGQUIT."""
worker.log.info("Worker received INT or QUIT signal")
def pre_fork(server, worker):
"""Called just before a worker is forked."""
server.log.info(f"Forking worker {worker}")
def post_fork(server, worker):
"""Called just after a worker has been forked."""
server.log.info(f"Worker spawned (pid: {worker.pid})")
def worker_exit(server, worker):
"""Called just after a worker has been killed."""
server.log.info(f"Worker exit (pid: {worker.pid})")
def pre_request(worker, req):
"""Called just before a worker processes the request."""
worker.log.debug(f"{req.method} {req.path}")
def post_request(worker, req, environ, resp):
"""Called after a worker processes the request."""
worker.log.debug(f"{req.method} {req.path} - {resp.status}")
# SSL/TLS (uncomment if using HTTPS directly)
# keyfile = '/path/to/keyfile'
# certfile = '/path/to/certfile'
# ssl_version = 'TLSv1_2'
# cert_reqs = 'required'
# ca_certs = '/path/to/ca_certs'
# Thread option (if using threaded workers)
threads = int(os.environ.get('GUNICORN_THREADS', 1))
# Silent health checks in logs
def pre_request(worker, req):
if req.path in ['/health', '/health/live']:
# Don't log health checks
return
worker.log.debug(f"{req.method} {req.path}")

6
memory_manager.py
View File

@ -157,8 +157,10 @@ class MemoryManager:
stats.active_sessions = len(self.app.session_manager.sessions)
# GC stats
for i in range(gc.get_count()):
stats.gc_collections[i] = gc.get_stats()[i].get('collections', 0)
gc_stats = gc.get_stats()
for i, stat in enumerate(gc_stats):
if isinstance(stat, dict):
stats.gc_collections[i] = stat.get('collections', 0)
except Exception as e:
logger.error(f"Error collecting memory stats: {e}")

108
nginx.conf Normal file
View File

@ -0,0 +1,108 @@
upstream talk2me {
server talk2me:5005 fail_timeout=0;
}
server {
listen 80;
server_name _;
# Redirect to HTTPS in production
# return 301 https://$server_name$request_uri;
# Security headers
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options DENY always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; media-src 'self';" always;
# File upload limits
client_max_body_size 50M;
client_body_buffer_size 1M;
client_body_timeout 120s;
# Timeouts
proxy_connect_timeout 120s;
proxy_send_timeout 120s;
proxy_read_timeout 120s;
send_timeout 120s;
# Gzip compression
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml+rss application/json application/javascript;
# Static files
location /static {
alias /app/static;
expires 1y;
add_header Cache-Control "public, immutable";
# Gzip static files
gzip_static on;
}
# Service worker
location /service-worker.js {
proxy_pass http://talk2me;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
add_header Cache-Control "no-cache, no-store, must-revalidate";
}
# WebSocket support for future features
location /ws {
proxy_pass http://talk2me;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# WebSocket timeouts
proxy_read_timeout 86400s;
proxy_send_timeout 86400s;
}
# Health check (don't log)
location /health {
proxy_pass http://talk2me/health;
access_log off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
# Main application
location / {
proxy_pass http://talk2me;
proxy_redirect off;
proxy_buffering off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name;
# Don't buffer responses
proxy_buffering off;
proxy_request_buffering off;
}
}
# HTTPS configuration (uncomment for production)
# server {
# listen 443 ssl http2;
# server_name your-domain.com;
#
# ssl_certificate /etc/nginx/ssl/cert.pem;
# ssl_certificate_key /etc/nginx/ssl/key.pem;
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
# ssl_prefer_server_ciphers off;
#
# # Include all location blocks from above
# }

27
requirements-prod.txt Normal file
View File

@ -0,0 +1,27 @@
# Production requirements for Talk2Me
# Includes base requirements plus production WSGI server
# Include base requirements
-r requirements.txt
# Production WSGI server
gunicorn==21.2.0
# Async workers (optional, for better concurrency)
gevent==23.9.1
greenlet==3.0.1
# Production monitoring
prometheus-client==0.19.0
# Production caching (optional)
redis==5.0.1
hiredis==2.3.2
# Database for production (optional, for session storage)
psycopg2-binary==2.9.9
SQLAlchemy==2.0.23
# Additional production utilities
python-json-logger==2.0.7 # JSON logging
sentry-sdk[flask]==1.39.1 # Error tracking (optional)

66
talk2me.service Normal file
View File

@ -0,0 +1,66 @@
[Unit]
Description=Talk2Me Real-time Translation Service
Documentation=https://github.com/your-repo/talk2me
After=network.target
[Service]
Type=notify
User=talk2me
Group=talk2me
WorkingDirectory=/opt/talk2me
Environment="PATH=/opt/talk2me/venv/bin"
Environment="FLASK_ENV=production"
Environment="PYTHONUNBUFFERED=1"
# Production environment variables
EnvironmentFile=-/opt/talk2me/.env
# Gunicorn command with production settings
ExecStart=/opt/talk2me/venv/bin/gunicorn \
--config /opt/talk2me/gunicorn_config.py \
--error-logfile /var/log/talk2me/gunicorn-error.log \
--access-logfile /var/log/talk2me/gunicorn-access.log \
--log-level info \
wsgi:application
# Reload via SIGHUP
ExecReload=/bin/kill -s HUP $MAINPID
# Graceful stop
KillMode=mixed
TimeoutStopSec=30
# Restart policy
Restart=always
RestartSec=10
StartLimitBurst=3
StartLimitInterval=60
# Security settings
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
# Allow writing to specific directories
ReadWritePaths=/var/log/talk2me /tmp/talk2me_uploads
# Resource limits
LimitNOFILE=65536
LimitNPROC=4096
# Memory limits (adjust based on your system)
MemoryLimit=4G
MemoryHigh=3G
# CPU limits (optional)
# CPUQuota=200%
[Install]
WantedBy=multi-user.target

34
wsgi.py Normal file
View File

@ -0,0 +1,34 @@
#!/usr/bin/env python3
"""
WSGI entry point for production deployment
"""
import os
import sys
from pathlib import Path
# Add the project directory to the Python path
project_root = Path(__file__).parent.absolute()
sys.path.insert(0, str(project_root))
# Set production environment
os.environ['FLASK_ENV'] = 'production'
# Import and configure the Flask app
from app import app
# Production configuration overrides
app.config.update(
DEBUG=False,
TESTING=False,
# Ensure proper secret key is set in production
SECRET_KEY=os.environ.get('SECRET_KEY', app.config.get('SECRET_KEY'))
)
# Create the WSGI application
application = app
if __name__ == '__main__':
# This is only for development/testing
# In production, use: gunicorn wsgi:application
print("Warning: Running WSGI directly. Use a proper WSGI server in production!")
application.run(host='0.0.0.0', port=5005)