222 lines
6.7 KiB
YAML
222 lines
6.7 KiB
YAML
---
|
|
version: "3.8"
|
|
|
|
services:
|
|
db:
|
|
image: postgres:9.6-alpine
|
|
networks: &internalNetwork
|
|
- internal_network
|
|
healthcheck:
|
|
test: ["CMD", "pg_isready", "-U", "postgres"]
|
|
volumes:
|
|
- postgres:/var/lib/postgresql/data
|
|
environment:
|
|
- POSTGRES_PASSWORD=${DB_PASS}
|
|
- POSTGRES_USER=${DB_USER}
|
|
- POSTGRES_DB=${DB_NAME}
|
|
|
|
redis:
|
|
image: redis:6.0-alpine
|
|
networks: *internalNetwork
|
|
healthcheck:
|
|
test: ["CMD", "redis-cli", "ping"]
|
|
volumes:
|
|
- redis:/data
|
|
|
|
# es:
|
|
# restart: always
|
|
# image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.10
|
|
# environment:
|
|
# - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
|
|
# - "cluster.name=es-mastodon"
|
|
# - "discovery.type=single-node"
|
|
# - "bootstrap.memory_lock=true"
|
|
# networks:
|
|
# - internal_network
|
|
# healthcheck:
|
|
# test: ["CMD-SHELL", "curl --silent --fail localhost:9200/_cluster/health || exit 1"]
|
|
# volumes:
|
|
# - ./elasticsearch:/usr/share/elasticsearch/data
|
|
# ulimits:
|
|
# memlock:
|
|
# soft: -1
|
|
# hard: -1
|
|
|
|
web:
|
|
image: &image decentral1se/hometown:v1.0.5_3.4.0
|
|
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
|
|
networks: &bothNetworks
|
|
- proxy
|
|
- internal_network
|
|
healthcheck:
|
|
test:
|
|
[
|
|
"CMD-SHELL",
|
|
"wget -q --spider --proxy=off localhost:3000/health || exit 1",
|
|
]
|
|
deploy:
|
|
restart_policy:
|
|
condition: on-failure
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.docker.network=proxy"
|
|
- "traefik.http.services.${STACK_NAME}_web.loadbalancer.server.port=3000"
|
|
- "traefik.http.routers.${STACK_NAME}_web.rule=Host(`${DOMAIN}`)"
|
|
- "traefik.http.routers.${STACK_NAME}_web.entrypoints=web-secure"
|
|
- "traefik.http.routers.${STACK_NAME}_web.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
|
# WEB_DOMAIN redirect
|
|
#- "traefik.http.routers.${STACK_NAME}_web.rule=(Host(`${DOMAIN}`) || (Host(`${LOCAL_DOMAIN}`) && Path(`/.well-known/webfinger`)))"
|
|
# - "traefik.http.middlewares.mastodon-webfinger.redirectregex.regex=^https?://${LOCAL_DOMAIN}/.*" #^(http|https)://${LOCAL_DOMAIN}/.well-known/webfinger"
|
|
# # - "traefik.http.middlewares.mastodon-webfinger.redirectregex.permanent=true"
|
|
# - "traefik.http.middlewares.mastodon-webfinger.redirectregex.replacement=https://${WEB_DOMAIN}/.well-known/webfinger"
|
|
# - "traefik.http.routers.${STACK_NAME}_hack.rule=(Host(`${LOCAL_DOMAIN}`) && Path(`/.well-known/`))"
|
|
# - "traefik.http.routers.${STACK_NAME}_hack.entrypoints=websecure"
|
|
# - "traefik.http.routers.${STACK_NAME}_hack.middlewares=mastodon-webfinger@docker"
|
|
|
|
volumes: &appVolume
|
|
- app:/mastodon
|
|
# secrets: &secrets
|
|
# - secret_key_base
|
|
# - otp_secret
|
|
environment: &env
|
|
- DB_HOST
|
|
- DB_USER
|
|
- DB_NAME
|
|
- DB_PASS
|
|
- DB_PORT
|
|
- REDIS_HOST
|
|
- REDIS_PORT
|
|
- REDIS_URL
|
|
- REDIS_NAMESPACE
|
|
- CACHE_REDIS_HOST
|
|
- CACHE_REDIS_PORT
|
|
- CACHE_REDIS_URL
|
|
- CACHE_REDIS_NAMESPACE
|
|
- ES_ENABLED
|
|
- ES_HOST
|
|
- ES_PORT
|
|
- ES_PREFIX
|
|
- STATSD_ADDR
|
|
- STATSD_NAMESPACE
|
|
- VAPID_PRIVATE_KEY
|
|
- VAPID_PUBLIC_KEY
|
|
- OTP_SECRET
|
|
- SECRET_KEY_BASE
|
|
- LOCAL_DOMAIN
|
|
- WEB_DOMAIN
|
|
- ALTERNATE_DOMAINS
|
|
- AUTHORIZED_FETCH
|
|
- LIMITED_FEDERATION_MODE
|
|
- RAILS_ENV
|
|
- RAILS_SERVE_STATIC_FILES
|
|
- SINGLE_USER_MODE
|
|
- EMAIL_DOMAIN_ALLOWLIST
|
|
- EMAIL_DOMAIN_DENYLIST
|
|
- DEFAULT_LOCALE
|
|
- MAX_SESSION_ACTIVATIONS
|
|
- USER_ACTIVE_DAYS
|
|
- SMTP_SERVER
|
|
- SMTP_PORT
|
|
- SMTP_LOGIN
|
|
- SMTP_PASSWORD
|
|
- SMTP_FROM_ADDRESS
|
|
- SMTP_DOMAIN
|
|
- SMTP_DELIVERY_METHOD
|
|
- SMTP_AUTH_METHOD
|
|
- SMTP_CA_FILE
|
|
- SMTP_OPENSSL_VERIFY_MODE
|
|
- SMTP_ENABLE_STARTTLS_AUTO
|
|
- SMTP_TLS
|
|
- SMTP_SSL
|
|
- PAPERCLIP_ROOT_PATH
|
|
- PAPERCLIP_ROOT_URL
|
|
- OAUTH_REDIRECT_AT_SIGN_IN
|
|
- LDAP_ENABLED
|
|
- LDAP_HOST
|
|
- LDAP_PORT
|
|
- LDAP_METHOD
|
|
- LDAP_BASE
|
|
- LDAP_BIND_DN
|
|
- LDAP_PASSWORD
|
|
- LDAP_UID
|
|
- LDAP_SEARCH_FILTER
|
|
- LDAP_MAIL
|
|
- LDAP_UID_CONVERSTION_ENABLED
|
|
- SAML_ENABLED
|
|
- SAML_ACS_URL
|
|
- SAML_ISSUER
|
|
- SAML_IDP_SSO_TARGET_URL
|
|
- SAML_IDP_CERT
|
|
- SAML_IDP_CERT_FINGERPRINT
|
|
- SAML_NAME_IDENTIFIER_FORMAT
|
|
- SAML_CERT
|
|
- SAML_PRIVATE_KEY
|
|
- SAML_SECURITY_WANT_ASSERTION_SIGNED
|
|
- SAML_SECURITY_WANT_ASSERTION_ENCRYPTED
|
|
- SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED
|
|
- SAML_ATTRIBUTES_STATEMENTS_UID
|
|
- SAML_ATTRIBUTES_STATEMENTS_EMAIL
|
|
- SAML_ATTRIBUTES_STATEMENTS_FULL_NAME
|
|
- SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME
|
|
- SAML_ATTRIBUTES_STATEMENTS_LAST_NAME
|
|
- SAML_UID_ATTRIBUTE
|
|
- SAML_ATTRIBUTES_STATEMENTS_VERIFIED
|
|
- SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL
|
|
- http_proxy
|
|
- ALLOW_ACCESS_TO_HIDDEN_SERVICE
|
|
|
|
streaming:
|
|
image: *image
|
|
command: node ./streaming
|
|
networks: *bothNetworks
|
|
healthcheck:
|
|
test:
|
|
[
|
|
"CMD-SHELL",
|
|
"wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1",
|
|
]
|
|
deploy:
|
|
restart_policy:
|
|
condition: on-failure
|
|
labels:
|
|
- "traefik.enable=true"
|
|
- "traefik.docker.network=proxy"
|
|
- "traefik.http.services.${STACK_NAME}_streaming.loadbalancer.server.port=4000"
|
|
- "traefik.http.routers.${STACK_NAME}_streaming.rule=(Host(`${DOMAIN}`) && PathPrefix(`/api/v1/streaming`))"
|
|
- "traefik.http.routers.${STACK_NAME}_streaming.entrypoints=web-secure"
|
|
- "traefik.http.routers.${STACK_NAME}_streaming.tls.certresolver=${LETS_ENCRYPT_ENV}"
|
|
|
|
## Redirect from EXTRA_DOMAINS to DOMAIN
|
|
#- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
|
|
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
|
|
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
|
|
environment: *env
|
|
volumes: *appVolume # used to make sure this volume is created
|
|
|
|
sidekiq:
|
|
image: *image
|
|
command: bundle exec sidekiq
|
|
deploy:
|
|
restart_policy:
|
|
condition: on-failure
|
|
networks: *bothNetworks
|
|
volumes: *appVolume
|
|
environment: *env
|
|
|
|
# secrets:
|
|
# secret_key_base:
|
|
# name: ${STACK_NAME}_secret_key_base_${SECRET_DB_PASSWORD_VERSION}
|
|
# external: true
|
|
# otp_secret:
|
|
# name: ${STACK_NAME}_otp_secret_${SECRET_DB_ROOT_PASSWORD_VERSION}
|
|
# external: true
|
|
volumes:
|
|
app:
|
|
redis:
|
|
postgres:
|
|
networks:
|
|
proxy:
|
|
external: true
|
|
internal_network:
|
|
internal: true
|