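# Production override for the Compose stack (docker-compose.prod.yml).
# It is meant to be merged over a base Compose file that is not shown here.
# `!reset` is a Compose merge tag that clears a value inherited from that file.
# `${VAR:?msg}` aborts `docker compose` when VAR is unset or empty, so a
# required secret cannot silently fall back; `${VAR:-default}` supplies one.
services:
  n8n:
    restart: unless-stopped
    depends_on:
      # Drop the inherited dependency on the bundled database service.
      postgresql: !reset null
    environment:
      - WEBHOOK_URL=${N8N_WEBHOOK_URL:?N8N_WEBHOOK_URL is required}
      # Encrypts credentials stored by n8n; keep it stable and out of VCS.
      - N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY:?N8N_ENCRYPTION_KEY is required}
      - N8N_HOST=${N8N_HOST:?N8N_HOST is required}
      - DB_POSTGRESDB_HOST=${POSTGRES_HOST:?POSTGRES_HOST is required}
      - DB_POSTGRESDB_PORT=${POSTGRES_PORT:-5432}
      - DB_POSTGRESDB_DATABASE=${POSTGRES_DB_N8N:?POSTGRES_DB_N8N is required}
      - DB_POSTGRESDB_USER=${POSTGRES_USER_N8N:?POSTGRES_USER_N8N is required}
      - DB_POSTGRESDB_PASSWORD=${POSTGRES_PASSWORD_N8N:?POSTGRES_PASSWORD_N8N is required}
      - N8N_SMTP_HOST=${N8N_SMTP_HOST:-email-smtp.us-east-1.amazonaws.com}
      - N8N_SMTP_PORT=${N8N_SMTP_PORT:-587}
      - N8N_SMTP_USER=${N8N_SMTP_USER:?N8N_SMTP_USER is required}
      - N8N_SMTP_PASS=${N8N_SMTP_PASS:?N8N_SMTP_PASS is required}
      - N8N_SMTP_SENDER=${N8N_SMTP_SENDER:?N8N_SMTP_SENDER is required}
      - N8N_SMTP_SSL=${N8N_SMTP_SSL:-false}
      # NOTE(review): confirm the deployed n8n version reads N8N_SMTP_TLS, so
      # that SMTP credentials on port 587 are only sent after STARTTLS.
      - N8N_SMTP_TLS=${N8N_SMTP_TLS:-true}
      # Intent: make the Execute Command and SSH nodes unavailable to workflows.
      # NOTE(review): n8n documents NODES_EXCLUDE (a JSON array) for excluding
      # nodes. Verify that N8N_BLOCKED_NODES is honoured by the deployed version;
      # an unrecognised variable is ignored and both nodes would stay usable.
      - N8N_BLOCKED_NODES=n8n-nodes-base.executeCommand,n8n-nodes-base.ssh
      - N8N_DEFAULT_BINARY_DATA_MODE=filesystem
      - N8N_BINARY_DATA_STORAGE_PATH=/data/n8n/binaryData
      - SEMBLY_USER=${SEMBLY_USER:?SEMBLY_USER is required}
      - SEMBLY_PASS=${SEMBLY_PASS:?SEMBLY_PASS is required}
      # Google Service Account variables.
      # The private key is passed as an environment variable, so it is readable
      # through `docker inspect` and by every process in the container.
      - MN_SERVICE_SA_GOOGLE_TYPE=${MN_SERVICE_SA_GOOGLE_TYPE:?MN_SERVICE_SA_GOOGLE_TYPE is required}
      - MN_SERVICE_SA_GOOGLE_PROJECT_ID=${MN_SERVICE_SA_GOOGLE_PROJECT_ID:?MN_SERVICE_SA_GOOGLE_PROJECT_ID is required}
      - MN_SERVICE_SA_GOOGLE_PRIVATE_KEY_ID=${MN_SERVICE_SA_GOOGLE_PRIVATE_KEY_ID:?MN_SERVICE_SA_GOOGLE_PRIVATE_KEY_ID is required}
      - MN_SERVICE_SA_GOOGLE_PRIVATE_KEY=${MN_SERVICE_SA_GOOGLE_PRIVATE_KEY:?MN_SERVICE_SA_GOOGLE_PRIVATE_KEY is required}
      - MN_SERVICE_SA_GOOGLE_CLIENT_EMAIL=${MN_SERVICE_SA_GOOGLE_CLIENT_EMAIL:?MN_SERVICE_SA_GOOGLE_CLIENT_EMAIL is required}
      - MN_SERVICE_SA_GOOGLE_CLIENT_ID=${MN_SERVICE_SA_GOOGLE_CLIENT_ID:?MN_SERVICE_SA_GOOGLE_CLIENT_ID is required}
      - MN_SERVICE_SA_GOOGLE_AUTH_URI=${MN_SERVICE_SA_GOOGLE_AUTH_URI:?MN_SERVICE_SA_GOOGLE_AUTH_URI is required}
      - MN_SERVICE_SA_GOOGLE_TOKEN_URI=${MN_SERVICE_SA_GOOGLE_TOKEN_URI:?MN_SERVICE_SA_GOOGLE_TOKEN_URI is required}
      - MN_SERVICE_SA_GOOGLE_AUTH_PROVIDER_X509_CERT_URL=${MN_SERVICE_SA_GOOGLE_AUTH_PROVIDER_X509_CERT_URL:?MN_SERVICE_SA_GOOGLE_AUTH_PROVIDER_X509_CERT_URL is required}
      - MN_SERVICE_SA_GOOGLE_CLIENT_X509_CERT_URL=${MN_SERVICE_SA_GOOGLE_CLIENT_X509_CERT_URL:?MN_SERVICE_SA_GOOGLE_CLIENT_X509_CERT_URL is required}
      - MN_SERVICE_SA_GOOGLE_UNIVERSE_DOMAIN=${MN_SERVICE_SA_GOOGLE_UNIVERSE_DOMAIN:?MN_SERVICE_SA_GOOGLE_UNIVERSE_DOMAIN is required}
      # CPB (Connecting People Bot) — defaults allow deploying before CPB is
      # configured.
      # NOTE(review): POSTGRES_HOST is required above, so `localhost` is never
      # used here. Until POSTGRES_*_CPB are set, CPB targets the production
      # database host with the fallback user and the fallback password
      # `cpb_password`. Never provision the real role with that value, and
      # switch the password and Slack token to `:?` once CPB is live.
      - CPB_POSTGRES_HOST=${POSTGRES_HOST:-localhost}
      - CPB_POSTGRES_DB=${POSTGRES_DB_CPB:-cpb_bot}
      - CPB_POSTGRES_USER=${POSTGRES_USER_CPB:-cpb_app}
      - CPB_POSTGRES_PASSWORD=${POSTGRES_PASSWORD_CPB:-cpb_password}
      - CPB_SLACK_BOT_TOKEN=${CPB_SLACK_BOT_TOKEN:-xoxb-placeholder}
      - CPB_CHANNEL_ID=${CPB_CHANNEL_ID:-CXXXXXXXXX}
      - CPB_REPORT_CHANNEL_ID=${CPB_REPORT_CHANNEL_ID:-CXXXXXXXXX}
      - CPB_ADMIN_SLACK_ID=${CPB_ADMIN_SLACK_ID:-UXXXXXXXXX}
      - CPB_DEV_SLACK_ID=${CPB_DEV_SLACK_ID:-UXXXXXXXXX}
      - CPB_PAIRING_LAMBDA=${CPB_PAIRING_LAMBDA:-0.0578}
      - CPB_PAIRING_ALPHA=${CPB_PAIRING_ALPHA:-0.3}
      - CPB_PAIRING_TRIALS=${CPB_PAIRING_TRIALS:-50}
      - CPB_PAIRING_MIN_WEIGHT=${CPB_PAIRING_MIN_WEIGHT:-0.01}
    volumes:
      - n8n_data:/data/n8n

  # Clear the database service inherited from the base file; every consumer in
  # this override connects to POSTGRES_HOST instead.
  postgresql: !reset null

  temporal:
    depends_on:
      postgresql: !reset null
    environment:
      - TEMPORAL_PORT=${TEMPORAL_PORT:?TEMPORAL_PORT is required}
      - POSTGRES_SEEDS=${POSTGRES_HOST:?POSTGRES_HOST is required}
      - DB_PORT=${POSTGRES_PORT:-5432}
      - DBNAME=${POSTGRES_DB_TEMPORAL:?POSTGRES_DB_TEMPORAL is required}
      - POSTGRES_USER=${POSTGRES_USER_TEMPORAL:?POSTGRES_USER_TEMPORAL is required}
      - POSTGRES_PWD=${POSTGRES_PASSWORD_TEMPORAL:?POSTGRES_PASSWORD_TEMPORAL is required}

  temporal-ui:
    environment:
      - TEMPORAL_UI_PORT=${TEMPORAL_UI_PORT:?TEMPORAL_UI_PORT is required}
      # NOTE(review): the UI container receives the Temporal database
      # credentials; drop these five entries if the UI image does not read them.
      - POSTGRES_SEEDS=${POSTGRES_HOST:?POSTGRES_HOST is required}
      - DB_PORT=${POSTGRES_PORT:-5432}
      - DBNAME=${POSTGRES_DB_TEMPORAL:?POSTGRES_DB_TEMPORAL is required}
      - POSTGRES_USER=${POSTGRES_USER_TEMPORAL:?POSTGRES_USER_TEMPORAL is required}
      - POSTGRES_PWD=${POSTGRES_PASSWORD_TEMPORAL:?POSTGRES_PASSWORD_TEMPORAL is required}
    # Publish no host ports: the UI is reached only through oauth2-proxy.
    ports: !reset []

  redis:
    environment:
      - REDIS_PASSWORD=${REDIS_PASSWORD:?REDIS_PASSWORD is required}

  # Authenticating reverse proxy in front of temporal-ui (Google sign-in).
  oauth2-proxy:
    container_name: temporal-oauth-proxy
    # Pinned by tag only; a tag can be re-pointed, so pinning by digest as well
    # makes the deployed image reproducible.
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.8.0
    restart: unless-stopped
    depends_on:
      - temporal-ui
    # NOTE(review): this injects every variable in .env into the proxy
    # container, including database passwords, the n8n encryption key and the
    # Google service-account key. If the entries under `environment` cover
    # what the proxy needs, remove env_file or use a dedicated env file.
    env_file:
      - .env
    # Published on every host interface. COOKIE_SECURE=true implies TLS is
    # terminated in front of this port; restrict who can reach 8080 to that
    # terminator (firewall rule, or a loopback bind if it runs on this host).
    ports:
      - "8080:8080"
    environment:
      # Google provider settings
      - OAUTH2_PROXY_PROVIDER=google
      - OAUTH2_PROXY_CLIENT_ID=${GOOGLE_CLIENT_ID:?GOOGLE_CLIENT_ID is required}
      - OAUTH2_PROXY_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET:?GOOGLE_CLIENT_SECRET is required}
      # Email validation settings: only accounts in this domain are admitted.
      - OAUTH2_PROXY_EMAIL_DOMAINS=speedandfunction.com
      # Required settings
      - OAUTH2_PROXY_COOKIE_DOMAINS=.temporal.gluzdov.com
      - OAUTH2_PROXY_WHITELIST_DOMAINS=.temporal.gluzdov.com
      - OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:8080
      # NOTE(review): the upstream port is fixed at 8080 while TEMPORAL_UI_PORT
      # is configurable above; confirm the two agree.
      - OAUTH2_PROXY_UPSTREAMS=http://temporal-ui:8080
      - OAUTH2_PROXY_REDIRECT_URL=${OAUTH2_PROXY_REDIRECT_URL:-https://temporal.gluzdov.com/oauth2/callback}
      - OAUTH2_PROXY_COOKIE_SECRET=${OAUTH2_PROXY_COOKIE_SECRET:?OAUTH2_PROXY_COOKIE_SECRET is required}
      # Cookie settings
      - OAUTH2_PROXY_COOKIE_NAME=_oauth2_proxy
      - OAUTH2_PROXY_COOKIE_SECURE=true
      - OAUTH2_PROXY_COOKIE_HTTPONLY=true
      - OAUTH2_PROXY_COOKIE_SAMESITE=lax
      - OAUTH2_PROXY_COOKIE_REFRESH=1h
      - OAUTH2_PROXY_COOKIE_EXPIRE=168h
      # CSRF protection settings
      # NOTE(review): check these five names against the oauth2-proxy option
      # reference for v7.8.0; a variable the binary does not recognise is
      # ignored without an error.
      - OAUTH2_PROXY_CSRF_COOKIE_NAME=_oauth2_proxy_csrf
      - OAUTH2_PROXY_CSRF_COOKIE_SECURE=true
      - OAUTH2_PROXY_CSRF_COOKIE_DOMAIN=.temporal.gluzdov.com
      - OAUTH2_PROXY_CSRF_COOKIE_HTTPONLY=true
      - OAUTH2_PROXY_CSRF_COOKIE_SAMESITE=lax
      # Debug settings
      # Off by default in production: debug detail on the error page is shown
      # to unauthenticated visitors. Set the variable to true only while
      # troubleshooting.
      - OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR=${OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR:-false}
      # Logout settings
      # NOTE(review): confirm oauth2-proxy reads OAUTH2_PROXY_SIGN_OUT_URL.
      - OAUTH2_PROXY_SIGN_OUT_URL=${OAUTH2_PROXY_SIGN_OUT_URL:-https://temporal.gluzdov.com/oauth2/sign_out}
    # NOTE(review): this probe needs a `wget` binary inside the image and a
    # 2xx reply from /oauth2/health without a session. Recent default
    # oauth2-proxy images are distroless (TODO confirm for v7.8.0), and the
    # documented unauthenticated health endpoint is /ping. A probe that
    # always fails leaves the proxy permanently marked unhealthy.
    healthcheck:
      test: ["CMD", "wget", "-O", "/dev/null", "-q", "http://localhost:8080/oauth2/health"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s
    # app-network is not declared in this file; presumably the base file
    # defines it.
    networks:
      - app-network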
# Named volume that the n8n service mounts at /data/n8n.
volumes:
  n8n_data:
    driver: local
    # Bind the volume to a fixed host directory rather than Docker-managed
    # storage. The host path must already exist. It holds n8n's data,
    # including the binary-data store, so keep its ownership and mode limited
    # to the account the container runs as.
    driver_opts:
      type: none
      o: bind
      device: /data/n8n