feat: consolidate docker-compose.yml for baked-in images
Remove all bind-mounted config files and init containers. Services reduced from 7 to 5. All configuration via environment variables.
This commit is contained in:
hsiegeln
@@ -1,58 +1,11 @@
|
||||
services:
|
||||
traefik-certs:
|
||||
image: alpine:latest
|
||||
restart: "no"
|
||||
entrypoint: ["sh", "-c"]
|
||||
command:
|
||||
- |
|
||||
if [ -f /certs/cert.pem ]; then
|
||||
echo "Certs already exist, skipping"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Option 1: User-supplied certificate
|
||||
if [ -n "$$CERT_FILE" ] && [ -n "$$KEY_FILE" ]; then
|
||||
apk add --no-cache openssl >/dev/null 2>&1
|
||||
cp "$$CERT_FILE" /certs/cert.pem
|
||||
cp "$$KEY_FILE" /certs/key.pem
|
||||
if [ -n "$$CA_FILE" ]; then
|
||||
cp "$$CA_FILE" /certs/ca.pem
|
||||
fi
|
||||
# Validate: key matches cert
|
||||
CERT_MOD=$$(openssl x509 -noout -modulus -in /certs/cert.pem 2>/dev/null | md5sum)
|
||||
KEY_MOD=$$(openssl rsa -noout -modulus -in /certs/key.pem 2>/dev/null | md5sum)
|
||||
if [ "$$CERT_MOD" != "$$KEY_MOD" ]; then
|
||||
echo "ERROR: Certificate and key do not match!"
|
||||
rm -f /certs/cert.pem /certs/key.pem /certs/ca.pem
|
||||
exit 1
|
||||
fi
|
||||
SELF_SIGNED=false
|
||||
echo "Installed user-supplied certificate"
|
||||
else
|
||||
# Option 2: Generate self-signed
|
||||
apk add --no-cache openssl >/dev/null 2>&1
|
||||
openssl req -x509 -newkey rsa:4096 \
|
||||
-keyout /certs/key.pem -out /certs/cert.pem \
|
||||
-days 365 -nodes \
|
||||
-subj "/CN=$$PUBLIC_HOST" \
|
||||
-addext "subjectAltName=DNS:$$PUBLIC_HOST,DNS:*.$$PUBLIC_HOST"
|
||||
SELF_SIGNED=true
|
||||
echo "Generated self-signed cert for $$PUBLIC_HOST"
|
||||
fi
|
||||
|
||||
# Write metadata for SaaS app to seed DB
|
||||
SUBJECT=$$(openssl x509 -noout -subject -in /certs/cert.pem 2>/dev/null | sed 's/subject=//')
|
||||
FINGERPRINT=$$(openssl x509 -noout -fingerprint -sha256 -in /certs/cert.pem 2>/dev/null | sed 's/.*=//')
|
||||
NOT_BEFORE=$$(openssl x509 -noout -startdate -in /certs/cert.pem 2>/dev/null | sed 's/notBefore=//')
|
||||
NOT_AFTER=$$(openssl x509 -noout -enddate -in /certs/cert.pem 2>/dev/null | sed 's/notAfter=//')
|
||||
HAS_CA=false
|
||||
[ -f /certs/ca.pem ] && HAS_CA=true
|
||||
cat > /certs/meta.json <<METAEOF
|
||||
{"subject":"$$SUBJECT","fingerprint":"$$FINGERPRINT","selfSigned":$$SELF_SIGNED,"hasCa":$$HAS_CA,"notBefore":"$$NOT_BEFORE","notAfter":"$$NOT_AFTER"}
|
||||
METAEOF
|
||||
mkdir -p /certs/staged /certs/prev
|
||||
chmod 775 /certs /certs/staged /certs/prev
|
||||
chmod 660 /certs/*.pem 2>/dev/null || true
|
||||
traefik:
|
||||
image: ${TRAEFIK_IMAGE:-gitea.siegeln.net/cameleer/cameleer-traefik}:${VERSION:-latest}
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
- "${HTTP_PORT:-80}:80"
|
||||
- "${HTTPS_PORT:-443}:443"
|
||||
- "${LOGTO_CONSOLE_PORT:-3002}:3002"
|
||||
environment:
|
||||
PUBLIC_HOST: ${PUBLIC_HOST:-localhost}
|
||||
CERT_FILE: ${CERT_FILE:-}
|
||||
@@ -60,28 +13,13 @@ services:
|
||||
CA_FILE: ${CA_FILE:-}
|
||||
volumes:
|
||||
- certs:/certs
|
||||
|
||||
traefik:
|
||||
image: traefik:v3
|
||||
restart: unless-stopped
|
||||
depends_on:
|
||||
traefik-certs:
|
||||
condition: service_completed_successfully
|
||||
ports:
|
||||
- "80:80"
|
||||
- "443:443"
|
||||
- "3002:3002"
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||
- ./traefik.yml:/etc/traefik/traefik.yml:ro
|
||||
- ./docker/traefik-dynamic.yml:/etc/traefik/dynamic.yml:ro
|
||||
- certs:/etc/traefik/certs:ro
|
||||
networks:
|
||||
- cameleer
|
||||
- cameleer-traefik
|
||||
|
||||
postgres:
|
||||
image: postgres:16-alpine
|
||||
image: ${POSTGRES_IMAGE:-gitea.siegeln.net/cameleer/cameleer-postgres}:${VERSION:-latest}
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
POSTGRES_DB: ${POSTGRES_DB:-cameleer_saas}
|
||||
@@ -89,7 +27,6 @@ services:
|
||||
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev}
|
||||
volumes:
|
||||
- pgdata:/var/lib/postgresql/data
|
||||
- ./docker/init-databases.sh:/docker-entrypoint-initdb.d/init-databases.sh:ro
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-cameleer} -d ${POSTGRES_DB:-cameleer_saas}"]
|
||||
interval: 5s
|
||||
@@ -98,54 +35,37 @@ services:
|
||||
networks:
|
||||
- cameleer
|
||||
|
||||
clickhouse:
|
||||
image: ${CLICKHOUSE_IMAGE:-gitea.siegeln.net/cameleer/cameleer-clickhouse}:${VERSION:-latest}
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD:-cameleer_ch}
|
||||
volumes:
|
||||
- chdata:/var/lib/clickhouse
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "clickhouse-client --password ${CLICKHOUSE_PASSWORD:-cameleer_ch} --query 'SELECT 1'"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 3
|
||||
labels:
|
||||
- prometheus.scrape=true
|
||||
- prometheus.path=/metrics
|
||||
- prometheus.port=9363
|
||||
networks:
|
||||
- cameleer
|
||||
|
||||
logto:
|
||||
image: ${LOGTO_IMAGE:-gitea.siegeln.net/cameleer/cameleer-logto}:${VERSION:-latest}
|
||||
restart: unless-stopped
|
||||
depends_on:
|
||||
postgres:
|
||||
condition: service_healthy
|
||||
entrypoint: ["sh", "-c", "npm run cli db seed -- --swe && npm start"]
|
||||
environment:
|
||||
DB_URL: postgres://${POSTGRES_USER:-cameleer}:${POSTGRES_PASSWORD:-cameleer_dev}@postgres:5432/logto
|
||||
ENDPOINT: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}
|
||||
ADMIN_ENDPOINT: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}:3002
|
||||
ADMIN_ENDPOINT: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}:${LOGTO_CONSOLE_PORT:-3002}
|
||||
TRUST_PROXY_HEADER: 1
|
||||
NODE_TLS_REJECT_UNAUTHORIZED: "0" # dev only — accept self-signed cert for internal OIDC discovery
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:3001/oidc/.well-known/openid-configuration', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))\""]
|
||||
interval: 5s
|
||||
timeout: 5s
|
||||
retries: 30
|
||||
start_period: 15s
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.http.routers.logto.rule=PathPrefix(`/`)
|
||||
- traefik.http.routers.logto.priority=1
|
||||
- traefik.http.routers.logto.entrypoints=websecure
|
||||
- traefik.http.routers.logto.tls=true
|
||||
- traefik.http.routers.logto.service=logto
|
||||
- traefik.http.routers.logto.middlewares=logto-cors
|
||||
- traefik.http.middlewares.logto-cors.headers.accessControlAllowOriginList=${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}:3002
|
||||
- traefik.http.middlewares.logto-cors.headers.accessControlAllowMethods=GET,POST,PUT,PATCH,DELETE,OPTIONS
|
||||
- traefik.http.middlewares.logto-cors.headers.accessControlAllowHeaders=Authorization,Content-Type
|
||||
- traefik.http.middlewares.logto-cors.headers.accessControlAllowCredentials=true
|
||||
- traefik.http.services.logto.loadbalancer.server.port=3001
|
||||
- traefik.http.routers.logto-console.rule=PathPrefix(`/`)
|
||||
- traefik.http.routers.logto-console.entrypoints=admin-console
|
||||
- traefik.http.routers.logto-console.tls=true
|
||||
- traefik.http.routers.logto-console.service=logto-console
|
||||
- traefik.http.services.logto-console.loadbalancer.server.port=3002
|
||||
networks:
|
||||
- cameleer
|
||||
|
||||
logto-bootstrap:
|
||||
image: postgres:16-alpine
|
||||
depends_on:
|
||||
logto:
|
||||
condition: service_healthy
|
||||
restart: "no"
|
||||
entrypoint: ["sh", "/scripts/logto-bootstrap.sh"]
|
||||
environment:
|
||||
NODE_TLS_REJECT_UNAUTHORIZED: "${NODE_TLS_REJECT:-0}"
|
||||
LOGTO_ENDPOINT: http://logto:3001
|
||||
LOGTO_ADMIN_ENDPOINT: http://logto:3002
|
||||
LOGTO_PUBLIC_ENDPOINT: ${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}
|
||||
@@ -157,8 +77,34 @@ services:
|
||||
PG_DB_SAAS: ${POSTGRES_DB:-cameleer_saas}
|
||||
SAAS_ADMIN_USER: ${SAAS_ADMIN_USER:-admin}
|
||||
SAAS_ADMIN_PASS: ${SAAS_ADMIN_PASS:-admin}
|
||||
VENDOR_SEED_ENABLED: "${VENDOR_SEED_ENABLED:-false}"
|
||||
VENDOR_USER: ${VENDOR_USER:-vendor}
|
||||
VENDOR_PASS: ${VENDOR_PASS:-vendor}
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:3001/oidc/.well-known/openid-configuration', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))\" && test -f /data/logto-bootstrap.json"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 60
|
||||
start_period: 30s
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.http.routers.logto.rule=PathPrefix(`/`)
|
||||
- traefik.http.routers.logto.priority=1
|
||||
- traefik.http.routers.logto.entrypoints=websecure
|
||||
- traefik.http.routers.logto.tls=true
|
||||
- traefik.http.routers.logto.service=logto
|
||||
- traefik.http.routers.logto.middlewares=logto-cors
|
||||
- "traefik.http.middlewares.logto-cors.headers.accessControlAllowOriginList=${PUBLIC_PROTOCOL:-https}://${PUBLIC_HOST:-localhost}:${LOGTO_CONSOLE_PORT:-3002}"
|
||||
- traefik.http.middlewares.logto-cors.headers.accessControlAllowMethods=GET,POST,PUT,PATCH,DELETE,OPTIONS
|
||||
- traefik.http.middlewares.logto-cors.headers.accessControlAllowHeaders=Authorization,Content-Type
|
||||
- traefik.http.middlewares.logto-cors.headers.accessControlAllowCredentials=true
|
||||
- traefik.http.services.logto.loadbalancer.server.port=3001
|
||||
- traefik.http.routers.logto-console.rule=PathPrefix(`/`)
|
||||
- traefik.http.routers.logto-console.entrypoints=admin-console
|
||||
- traefik.http.routers.logto-console.tls=true
|
||||
- traefik.http.routers.logto-console.service=logto-console
|
||||
- traefik.http.services.logto-console.loadbalancer.server.port=3002
|
||||
volumes:
|
||||
- ./docker/logto-bootstrap.sh:/scripts/logto-bootstrap.sh:ro
|
||||
- bootstrapdata:/data
|
||||
networks:
|
||||
- cameleer
|
||||
@@ -167,10 +113,8 @@ services:
|
||||
image: ${CAMELEER_IMAGE:-gitea.siegeln.net/cameleer/cameleer-saas}:${VERSION:-latest}
|
||||
restart: unless-stopped
|
||||
depends_on:
|
||||
postgres:
|
||||
logto:
|
||||
condition: service_healthy
|
||||
logto-bootstrap:
|
||||
condition: service_completed_successfully
|
||||
volumes:
|
||||
- bootstrapdata:/data/bootstrap:ro
|
||||
- certs:/certs
|
||||
@@ -193,28 +137,6 @@ services:
|
||||
networks:
|
||||
- cameleer
|
||||
|
||||
clickhouse:
|
||||
image: clickhouse/clickhouse-server:latest
|
||||
restart: unless-stopped
|
||||
environment:
|
||||
CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD:-cameleer_ch}
|
||||
volumes:
|
||||
- chdata:/var/lib/clickhouse
|
||||
- ./docker/clickhouse-init.sql:/docker-entrypoint-initdb.d/init.sql:ro
|
||||
- ./docker/clickhouse-users.xml:/etc/clickhouse-server/users.d/default-user.xml
|
||||
- ./docker/clickhouse-config.xml:/etc/clickhouse-server/config.d/prometheus.xml:ro
|
||||
healthcheck:
|
||||
test: ["CMD-SHELL", "clickhouse-client --password ${CLICKHOUSE_PASSWORD:-cameleer_ch} --query 'SELECT 1'"]
|
||||
interval: 10s
|
||||
timeout: 5s
|
||||
retries: 3
|
||||
labels:
|
||||
- prometheus.scrape=true
|
||||
- prometheus.path=/metrics
|
||||
- prometheus.port=9363
|
||||
networks:
|
||||
- cameleer
|
||||
|
||||
networks:
|
||||
cameleer:
|
||||
driver: bridge
|
||||
|
||||
Reference in New Issue
Block a user