From 2133ad28f0872570b359504901e950f223b8a8cc Mon Sep 17 00:00:00 2001
From: alethienvu2
Date: Sun, 5 Apr 2026 21:09:49 +0700
Subject: [PATCH] feat: add config cloudflared, env for db port
---
 .env.cloudflared.example | 5 +++++
 .env.example | 20 +++++++++++++++++---
 .gitignore | 1 +
 Makefile | 7 +++++++
 README.md | 3 +++
 docker-compose.cloudflared.yml | 30 ++++++++++++++++++++++++++++++
 docker-compose.postgres.yml | 3 +++
 7 files changed, 66 insertions(+), 3 deletions(-)
 create mode 100644 .env.cloudflared.example
 create mode 100644 docker-compose.cloudflared.yml
diff --git a/.env.cloudflared.example b/.env.cloudflared.example
new file mode 100644
index 000000000..959cf0cc8
--- /dev/null
+++ b/.env.cloudflared.example
@@ -0,0 +1,5 @@
+# Used only by docker-compose.cloudflared.yml (cloudflared service).
+# Copy to .env.cloudflared and paste your connector token.
+#
+# Cloudflare Zero Trust → Networks → Tunnels → (your tunnel) → Install connector
+TUNNEL_TOKEN=
diff --git a/.env.example b/.env.example
index e615d5663..2a711a826 100644
--- a/.env.example
+++ b/.env.example
@@ -9,9 +9,23 @@ GOCLAW_GATEWAY_TOKEN= GOCLAW_ENCRYPTION_KEY= POSTGRES_PASSWORD= -# --- Database (only for non-Docker deployments) --- -# Docker Compose auto-builds this from POSTGRES_USER/PASSWORD/DB. -# GOCLAW_POSTGRES_DSN=postgres://user:pass@host:5432/dbname?sslmode=disable +# --- PostgreSQL (Docker Compose) --- +# Published host port for the postgres service (default 5432). Change if something +# else already binds 5432 on your machine (e.g. a local PostgreSQL install). +# POSTGRES_PORT=5433 +# +# Optional overrides (defaults: user/db goclaw): +# POSTGRES_USER=goclaw +# POSTGRES_DB=goclaw + +# --- Database (non-Docker, or host tools connecting to Compose Postgres) --- +# Inside Compose, goclaw uses the internal DSN (postgres:5432) automatically. +# From your host (./goclaw, psql), use localhost and POSTGRES_PORT, e.g.: +# GOCLAW_POSTGRES_DSN=postgres://goclaw:YOUR_PASSWORD@127.0.0.1:5433/goclaw?sslmode=disable + +# --- Cloudflare Tunnel (only when using docker-compose.cloudflared.yml) --- +# Create `.env.cloudflared` next to this file (not tracked in git). Copy from `.env.cloudflared.example`. +# TUNNEL_TOKEN= # --- Sandbox (only when using docker-compose.sandbox.yml) --- # Docker socket GID: 999 on Linux, 0 on Windows/macOS Docker Desktop. diff --git a/.gitignore b/.gitignore index 142b218dc..87a9572fe 100644 --- a/.gitignore +++ b/.gitignore @@ -16,6 +16,7 @@ pkg-helper # Environment .env* !.env.example +!.env.cloudflared.example app browser-poc diff --git a/Makefile b/Makefile index e83a6c862..427a1a100 100644 --- a/Makefile +++ b/Makefile 
@@ -27,6 +27,8 @@ version: # ── Docker Compose ── # Default: backend (with embedded web UI) + Postgres. No separate nginx needed. # Add WITH_WEB_NGINX=1 for separate nginx on :3000 (custom SSL, reverse proxy). +# Cloudflare Tunnel: if `.env.cloudflared` exists it is merged automatically (same as +# docker-compose.cloudflared.yml). Set WITH_CLOUDFLARED=0 to skip. COMPOSE_BASE = docker compose -f docker-compose.yml -f docker-compose.postgres.yml ifdef WITH_WEB_NGINX COMPOSE_BASE += -f docker-compose.selfservice.yml @@ -51,6 +53,11 @@ endif ifdef WITH_CLAUDE_CLI COMPOSE_EXTRA += -f docker-compose.claude-cli.yml endif +ifneq ($(WITH_CLOUDFLARED),0) +ifneq ($(wildcard .env.cloudflared),) +COMPOSE_EXTRA += -f docker-compose.cloudflared.yml +endif +endif COMPOSE = $(COMPOSE_BASE) $(COMPOSE_EXTRA) UPGRADE = docker compose -f docker-compose.yml -f docker-compose.postgres.yml -f docker-compose.upgrade.yml diff --git a/README.md b/README.md index 815be4f08..669db374d 100644 --- a/README.md +++ b/README.md @@ -187,6 +187,9 @@ chmod +x prepare-env.sh && ./prepare-env.sh # Add at least one GOCLAW_*_API_KEY to .env, then: make up +# If Postgres fails to start ("port 5432 already allocated"), set another host +# port in .env, e.g. POSTGRES_PORT=5433 (see .env.example). + # Web Dashboard at http://localhost:18790 (built-in) # Health check: curl http://localhost:18790/health diff --git a/docker-compose.cloudflared.yml b/docker-compose.cloudflared.yml new file mode 100644 index 000000000..471f9e046 --- /dev/null +++ b/docker-compose.cloudflared.yml 
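Review bot: The second Makefile hunk makes the tunnel opt-out rather than opt-in: `ifneq ($(WITH_CLOUDFLARED),0)` combined with `$(wildcard .env.cloudflared)` adds docker-compose.cloudflared.yml to every `make` target that uses `$(COMPOSE)` as soon as the file exists, whereas the neighbouring WITH_WEB_NGINX and WITH_CLAUDE_CLI overlays are enabled with `ifdef`. Because this overlay publishes the gateway through Cloudflare, a leftover `.env.cloudflared` silently changes the stack's exposure, and only the literal value `0` switches it off. I would gate it like the other overlays, with `ifdef WITH_CLOUDFLARED` around the `COMPOSE_EXTRA += -f docker-compose.cloudflared.yml` line, and let the overlay's `required: true` env_file report a missing token file. The usage comments added in the first hunk and in docker-compose.cloudflared.yml would need the same wording change; the conditional chain this sits in begins above the hunk.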
@@ -0,0 +1,30 @@
+# Cloudflare Tunnel (cloudflared) — expose the gateway via Cloudflare without opening host ports.
+#
+# Usage:
+# make up — includes this file automatically when `.env.cloudflared` exists (see Makefile).
+# docker compose -f docker-compose.yml -f docker-compose.postgres.yml -f docker-compose.cloudflared.yml up -d
+# WITH_CLOUDFLARED=0 make up — skip tunnel even if `.env.cloudflared` exists
+#
+# Required: file `.env.cloudflared` (see `.env.cloudflared.example`) with:
+# TUNNEL_TOKEN=
+#
+# We use a separate file so the token is not injected into the goclaw container (goclaw loads all of `.env` via env_file).
+#
+# Ingress target in the Cloudflare dashboard must reach this stack on the Docker network, e.g.:
+# http://goclaw:18790
+# (not http://localhost:18790 — that is the host, not the goclaw container from cloudflared’s view.)
+
+services:
+ cloudflared:
+ image: cloudflare/cloudflared:latest
+ restart: unless-stopped
+ command: tunnel --no-autoupdate run
+ env_file:
+ - path: .env.cloudflared
+ required: true
+ networks:
+ - goclaw-net
+ depends_on:
+ - goclaw
+ security_opt:
+ - no-new-privileges:true
diff --git a/docker-compose.postgres.yml b/docker-compose.postgres.yml
index 10eebdda9..8ff14be5c 100644
--- a/docker-compose.postgres.yml
+++ b/docker-compose.postgres.yml
@@ -7,6 +7,9 @@
 # Required env vars (set in .env or shell):
 # GOCLAW_OPENROUTER_API_KEY (or another provider key)
 # POSTGRES_PASSWORD (defaults to "goclaw" for dev)
+#
+# If host port 5432 is already in use, set POSTGRES_PORT (e.g. 5433) in .env.
+# The goclaw container still connects via postgres:5432 on the Docker network.
 services:
 postgres:
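Review bot: `image: cloudflare/cloudflared:latest` is a mutable tag, so the binary that holds TUNNEL_TOKEN and fronts the gateway can change on any pull; with `--no-autoupdate` already set, the image reference is the only version control left. Pin it to a release tag and digest, e.g. `image: cloudflare/cloudflared:<PINNED_VERSION>@sha256:<DIGEST>` (placeholders), and bump it deliberately. As far as this file shows the service needs neither extra capabilities nor a writable root filesystem, so `cap_drop: [ALL]` and `read_only: true` next to the existing `no-new-privileges:true` are worth trying. The header comment could also state that the ingress target `http://goclaw:18790` becomes reachable from the internet once the tunnel is up and should sit behind a Cloudflare Access policy or the gateway token.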
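Review bot: The three added comment lines are the whole change to docker-compose.postgres.yml (the diffstat shows 3 insertions), so the `ports:` entry of the postgres service is untouched and not visible here; if it does not already interpolate the variable, setting POSTGRES_PORT has no effect. Worth confirming that it reads something like `- "127.0.0.1:${POSTGRES_PORT:-5432}:5432"`. The loopback bind matters because the header says POSTGRES_PASSWORD defaults to "goclaw", and a port published on all interfaces with that default is reachable from the local network. The DSN example added to .env.example already uses 127.0.0.1, so a loopback-only publish would not break the documented host workflow; the service definition continues below the hunk.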