-
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdocker-compose.yml
More file actions
171 lines (165 loc) · 5.66 KB
/
docker-compose.yml
File metadata and controls
171 lines (165 loc) · 5.66 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
# LOCAL DEVELOPMENT docker-compose
# Self-contained local stack with PostgreSQL, Redis, and the API service.
# For AWS deployment, use the scripts and compose files under deploy/aws/.
#
# Secrets strategy for local Docker:
# - Preferred: mount your host ~/.aws read-only and let the API read Secrets Manager
# - Alternative: pass AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN
# - Local-only fallback: export DB_PASSWORD / DB_ADMIN_PASSWORD / MAPBOX_TOKEN /
# OPENCAGE_API_KEY in your shell before `docker compose up`
services:
postgres:
image: postgis/postgis:18-3.6
platform: linux/amd64
container_name: shadowcheck_postgres_local
restart: unless-stopped
environment:
POSTGRES_USER: ${POSTGRES_SUPERUSER:-postgres}
POSTGRES_DB: ${DB_NAME:-shadowcheck_db}
POSTGRES_HOST_AUTH_METHOD: trust
ports:
- "127.0.0.1:${DB_PORT:-5432}:5432"
volumes:
- postgres_data:/var/lib/postgresql
- ./docker/initdb:/docker-entrypoint-initdb.d:ro
healthcheck:
test:
[
"CMD-SHELL",
"pg_isready -U ${DB_ADMIN_USER:-shadowcheck_admin} -d ${DB_NAME:-shadowcheck_db}",
]
interval: 10s
timeout: 5s
retries: 8
start_period: 10s
shm_size: 256mb
redis:
image: redis:7-alpine
container_name: shadowcheck_web_redis
restart: unless-stopped
ports:
- "127.0.0.1:6379:6379"
volumes:
- redis_data:/data
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 10s
timeout: 5s
retries: 5
start_period: 10s
command: redis-server --appendonly yes --maxmemory 512mb --maxmemory-policy allkeys-lru
api:
build:
context: .
dockerfile: Dockerfile
container_name: shadowcheck_web_api
hostname: shadowcheck-local
restart: unless-stopped
environment:
NODE_ENV: ${NODE_ENV:-development}
NODE_OPTIONS: ${NODE_OPTIONS:---max-old-space-size=2048}
PORT: ${PORT:-3001}
API_GATE_ENABLED: "true"
DB_HOST: postgres
DB_PORT: 5432
DB_USER: ${DB_USER:-shadowcheck_user}
DB_ADMIN_USER: ${DB_ADMIN_USER:-shadowcheck_admin}
DB_NAME: ${DB_NAME:-shadowcheck_db}
DB_PASSWORD: ${DB_PASSWORD:-}
DB_ADMIN_PASSWORD: ${DB_ADMIN_PASSWORD:-}
DB_SSL: ${DB_SSL:-false}
FORCE_HTTPS: ${FORCE_HTTPS:-false}
CORS_ORIGINS: ${CORS_ORIGINS:-*}
REDIS_HOST: redis
REDIS_PORT: 6379
# Region is safe to default locally; credentials still must come from the shell or mounted ~/.aws.
AWS_REGION: ${AWS_REGION:-us-east-1}
AWS_DEFAULT_REGION: ${AWS_DEFAULT_REGION:-us-east-1}
AWS_PROFILE: ${AWS_PROFILE:-shadowcheck-sso}
AWS_SDK_LOAD_CONFIG: "1"
AWS_EC2_METADATA_DISABLED: "true"
AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID:-}
AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY:-}
AWS_SESSION_TOKEN: ${AWS_SESSION_TOKEN:-}
SHADOWCHECK_AWS_SECRET: ${SHADOWCHECK_AWS_SECRET:-shadowcheck/config}
S3_BACKUP_BUCKET: ${S3_BACKUP_BUCKET:-}
ADMIN_ALLOW_DOCKER: ${ADMIN_ALLOW_DOCKER:-true}
API_RUN_AS_ROOT_FOR_DOCKER: ${API_RUN_AS_ROOT_FOR_DOCKER:-true}
MAPBOX_TOKEN: ${MAPBOX_TOKEN:-}
HOME: /home/nodejs
DOCKER_HOST: unix:///var/run/docker.sock
ports:
- "127.0.0.1:${PORT:-3001}:3001"
volumes:
- ./data:/app/data
- ./logs:/app/logs
- ./backups:/app/backups
# Option B (preferred): read-only AWS shared config/credentials from the host.
# Refresh SSO/login on the host first; the container only reads the files.
- ${HOME}/.aws:/home/nodejs/.aws:ro
- ${XDG_RUNTIME_DIR:-/run/user/1000}/podman/podman.sock:/var/run/docker.sock
healthcheck:
test: ["CMD-SHELL", "curl -fsS http://127.0.0.1:3001/health >/dev/null || exit 1"]
interval: 30s
timeout: 10s
retries: 3
start_period: 180s
depends_on:
postgres:
condition: service_healthy
redis:
condition: service_healthy
frontend:
build:
context: .
dockerfile: docker/Dockerfile.frontend.local
container_name: shadowcheck_web_frontend
restart: unless-stopped
ports:
- "127.0.0.1:8080:80"
healthcheck:
test: ["CMD", "wget", "-qO-", "http://localhost/health"]
interval: 30s
timeout: 5s
retries: 3
start_period: 10s
depends_on:
api:
condition: service_healthy
grafana:
image: grafana/grafana:latest
restart: unless-stopped
environment:
- GF_SECURITY_ADMIN_USER=${GRAFANA_ADMIN_USER:-grafanaadmin}
- GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD:-grafanaadmin}
- GF_USERS_ALLOW_SIGN_UP=false
- GF_SECURITY_ALLOW_EMBEDDING=true
- GF_AUTH_ANONYMOUS_ENABLED=false
- GF_AUTH_ANONYMOUS_ORG_ROLE=Viewer
- GF_SERVER_ROOT_URL=http://localhost:8080/grafana/
- GF_SERVER_HTTP_PORT=3002
- GF_SERVER_SERVE_FROM_SUB_PATH=true
- GF_DASHBOARDS_DEFAULT_HOME_DASHBOARD_PATH=/etc/grafana/provisioning/dashboards/shadowcheck_overview.json
- GRAFANA_READER_PASSWORD=${GRAFANA_READER_PASSWORD:-grafanareader}
- DB_HOST=postgres
- DB_PORT=5432
volumes:
- grafana_data:/var/lib/grafana
- ./deploy/monitoring/grafana/provisioning:/etc/grafana/provisioning
- ./grafana/dashboards:/etc/grafana/provisioning/dashboards/tactical
healthcheck:
test: ["CMD-SHELL", "wget -q -O- http://localhost:3002/api/health >/dev/null || exit 1"]
interval: 30s
timeout: 10s
retries: 3
start_period: 30s
depends_on:
postgres:
condition: service_healthy
volumes:
postgres_data:
driver: local
redis_data:
driver: local
grafana_data:
driver: local