-
-
Notifications
You must be signed in to change notification settings - Fork 9
Expand file tree
/
Copy pathdocker-compose.yml
More file actions
113 lines (108 loc) · 3.21 KB
/
Copy pathdocker-compose.yml
File metadata and controls
113 lines (108 loc) · 3.21 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
version: '3.8'
services:
postgres:
image: postgres:16-alpine
container_name: changerawr_postgres
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_DB: changerawr
volumes:
- postgres_data:/var/lib/postgresql/data
ports:
- "5432:5432"
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres -d changerawr"]
interval: 10s
timeout: 5s
retries: 5
restart: unless-stopped
app:
build:
context: .
dockerfile: Dockerfile.compose
container_name: changerawr_app
depends_on:
postgres:
condition: service_healthy
environment:
DATABASE_URL: "postgresql://postgres:postgres@postgres:5432/changerawr?schema=public"
JWT_ACCESS_SECRET: "your_jwt_secret_key_here_change_me"
NEXT_PUBLIC_APP_URL: "http://localhost:3000"
GITHUB_ENCRYPTION_KEY: "abcdef1234567890abcdef1234567890"
ANALYTICS_SALT: "your_secure_analytics_salt_here"
NODE_ENV: "production"
# SSL Certificate Management
DOCKER_DEPLOYMENT: "true"
ENCRYPTION_KEY: "abcdef1234567890abcdef1234567890" # Must be 32 bytes base64 (same as GITHUB_ENCRYPTION_KEY)
ACME_EMAIL: "admin@example.com" # Email for Let's Encrypt notifications
ACME_STAGING: "true" # Set to "false" in production
INTERNAL_API_SECRET: "your_internal_api_secret_here_change_me"
NGINX_AGENT_URL: "http://chr-nginx-agent:8080" # Optional: nginx-agent URL
NGINX_AGENT_SECRET: "your_nginx_agent_secret_here_change_me" # Optional: webhook signature secret
CRON_SECRET: "your_cron_secret_here_change_me"
ports:
- "3000:3000" # Next.js app (internal)
- "80:80" # HTTP (nginx)
- "443:443" # HTTPS (nginx)
- "7842:7842" # nginx-agent API
volumes:
- app_uploads:/app/uploads
- app_public:/app/public/generated
- nginx_certs:/etc/ssl/changerawr
- nginx_configs:/etc/nginx/sites-enabled
healthcheck:
test: ["CMD-SHELL", "curl -f http://localhost:3000/api/health || exit 1"]
interval: 30s
timeout: 10s
retries: 3
start_period: 60s
restart: unless-stopped
# Caddy reverse proxy with on-demand TLS
caddy:
image: caddy:2-alpine
container_name: changerawr_caddy
profiles: ["ssl"]
depends_on:
- app
ports:
- "80:80"
- "443:443"
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro
- caddy_data:/data
- caddy_config:/config
restart: unless-stopped
# SSL certificate renewal cron job
ssl-cron:
image: curlimages/curl:latest
container_name: changerawr_ssl_cron
profiles: ["ssl"]
depends_on:
- app
entrypoint: /bin/sh
command:
- -c
- |
while true; do
sleep 43200 # 12 hours
curl -H "Authorization: Bearer $${CRON_SECRET}" http://app:3000/api/cron/ssl-renewal || true
done
environment:
CRON_SECRET: "your_cron_secret_here_change_me"
restart: unless-stopped
volumes:
postgres_data:
driver: local
app_uploads:
driver: local
app_public:
driver: local
caddy_data:
driver: local
caddy_config:
driver: local
nginx_certs:
driver: local
nginx_configs:
driver: local