Infrastructure-Re/docker-compose-prod.yml at main · mp-access/Infrastructure-Re · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
services:
  postgres:
    user: :1000
    container_name: postgres
    image: postgres:16-bookworm
    restart: always
    ports:
      - "5432:5432"
    volumes:
      - courses:/var/lib/postgresql/data
    environment:
      TZ: "Europe/Zurich"
      POSTGRES_DB: access
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
  keycloak:
    user: :1000
    container_name: keycloak
    image: quay.io/keycloak/keycloak:22.0
    restart: always
    privileged: true
    ports:
      - "8080:8080"
      - "8443:8443"
    depends_on:
      - postgres
    volumes:
      - ./access/theme:/opt/keycloak/themes/access/login
      - ./access/realm.json:/opt/keycloak/data/import/realm.json
      - ./access/letsencrypt/live/${DOMAIN}/fullchain.pem:/certs/fullchain.pem
      - ./access/letsencrypt/live/${DOMAIN}/privkey.pem:/certs/privkey.pem
    command: start --import-realm
    environment:
      KC_FEATURES: preview,docker
      KC_PROXY: edge
      KC_DB: postgres
      KC_DB_URL: ${POSTGRES_URL}
      KC_DB_USERNAME: ${POSTGRES_USER}
      KC_DB_PASSWORD: ${POSTGRES_PASSWORD}
      KC_HTTPS_CERTIFICATE_FILE: /certs/fullchain.pem
      KC_HTTPS_CERTIFICATE_KEY_FILE: /certs/privkey.pem
      KC_HOSTNAME_STRICT: 'false'
      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
      CLIENT_SECRET: ${CLIENT_SECRET}
      PROXY_ADDRESS_FORWARDING: 'true'
  docker:
    user: :1000
    container_name: docker
    image: docker:dind
    restart: always
    privileged: true
    init: true
    ports:
      - "2376:2376"
    volumes:
      - ./access/workspace:/workspace/data
      - ./access/tls/ca:/tls/ca
      - ./access/tls/client:/tls/client
    environment:
      DOCKER_TLS_CERTDIR: /tls
  backend:
    user: :1000
    container_name: backend
    image: sealuzh/access-backend:x
    restart: always
    privileged: true
    ports:
      - "8081:8081"
    depends_on:
      - keycloak
      - docker
    volumes:
      - ./access/workspace:/workspace/data
      - ./access/tls/client:/tls/client:ro
    environment:
      TZ: "Europe/Zurich"
      POSTGRES_URL: ${POSTGRES_URL}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN}
      KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD}
      AUTH_SERVER_URL: ${AUTH_SERVER_URL}
      DOCKER_HOST: tcp://docker:2376
      DOCKER_TLS_VERIFY: 'true'
      DOCKER_CERT_PATH: /tls/client
      WORKING_DIR: /workspace/data
      API_KEY: ${API_KEY}
  frontend:
    user: :1000
    container_name: frontend
    image: sealuzh/access-frontend:x
    restart: always
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./access/certbot:/var/www/certbot
      - ./access/letsencrypt:/etc/letsencrypt
      - ./access/nginx.conf:/etc/nginx/conf.d/nginx.conf
    environment:
      DOMAIN: ${DOMAIN}
  certbot:
    user: :1000
    image: certbot/certbot
    container_name: certbot
    ports:
      - "80:80"
    volumes:
      - ./access/certbot:/var/www/certbot
      - ./access/letsencrypt:/etc/letsencrypt
    command: >-
             certonly -v --standalone
             --email ${LETSENCRYPT_EMAIL} -d ${DOMAIN} --agree-tos
             --non-interactive

volumes:
  courses: