---
# ============================================================================
# How variables work in this file
# ============================================================================
#
# Each ${VAR:-default} reads from TWO places, in this order:
# 1. Shell environment variables (export VAR=value)
# 2. The .env file in this directory
#
# Shell env vars ALWAYS win over .env values. This means:
# - You can override any setting with: VAR=value docker compose up -d
# - If your shell already has a variable set (e.g. from a Codespace or
# .bashrc), it will override what's in .env — even if you didn't intend it.
#
# To check what compose actually resolves:
# docker compose config | grep DATOMIC_URL
#
# Recommended setup:
# 1. Run ./run to generate .env with secure passwords
# 2. Run: docker compose up --build -d
# 3. If a variable isn't being picked up from .env, check for a conflicting
# shell variable with: echo $DATOMIC_URL
# Clear it with: unset DATOMIC_URL
#
# See docs/DOCKER.md for the full quick-start guide.
# See docs/ENVIRONMENT.md for all available variables.
# ============================================================================
services:
  # --- Application container (docker/Dockerfile, build stage "app") ---
  orcpub:
    # `docker compose up --build` builds the image locally; set ORCPUB_IMAGE
    # to run a prebuilt one instead: ORCPUB_IMAGE=registry/name:tag docker compose up
    image: "${ORCPUB_IMAGE:-orcpub-app}"
    build:
      context: .
      dockerfile: docker/Dockerfile
      target: app
    # No `ports:` on this service: nothing is published to the host, so the app
    # is reachable only on the compose network (presumably via the `web` proxy).
    environment:
      # Every value is quoted so the interpolated result is always handed to the
      # container as a string (e.g. "FALSE" can never be read as a YAML boolean).
      PORT: "${PORT:-8890}"
      EMAIL_SERVER_URL: "${EMAIL_SERVER_URL:-}"
      EMAIL_ACCESS_KEY: "${EMAIL_ACCESS_KEY:-}"
      EMAIL_SECRET_KEY: "${EMAIL_SECRET_KEY:-}"
      EMAIL_SERVER_PORT: "${EMAIL_SERVER_PORT:-587}"
      EMAIL_FROM_ADDRESS: "${EMAIL_FROM_ADDRESS:-}"
      EMAIL_ERRORS_TO: "${EMAIL_ERRORS_TO:-}"
      EMAIL_SSL: "${EMAIL_SSL:-FALSE}"
      EMAIL_TLS: "${EMAIL_TLS:-FALSE}"
      # Datomic Pro over the dev storage protocol (required for Java 21 support).
      # The host part must be the compose service name "datomic", never
      # "localhost". The password is deliberately kept out of the URL: the app
      # reads DATOMIC_PASSWORD on its own and appends it at startup. Older URLs
      # that still carry ?password= keep working.
      DATOMIC_URL: "${DATOMIC_URL:-datomic:dev://datomic:4334/orcpub}"
      # The two "change-me" defaults are placeholders, not safe values for any
      # reachable deployment; the header comment says ./run writes generated
      # values into .env. Fail fast if a deploy ever runs with them unchanged.
      DATOMIC_PASSWORD: "${DATOMIC_PASSWORD:-change-me}"
      SIGNATURE: "${SIGNATURE:-change-me-to-something-unique}"
      CSP_POLICY: "${CSP_POLICY:-strict}"
      DEV_MODE: "${DEV_MODE:-}"
      LOAD_HOMEBREW_URL: "${LOAD_HOMEBREW_URL:-}"
    # Wait for the transactor's healthcheck, not merely for its container start.
    depends_on:
      datomic:
        condition: service_healthy
    restart: always
    healthcheck:
      # BusyBox wget (Alpine) only understands -q and --spider.
      # 127.0.0.1 rather than localhost sidesteps IPv4/IPv6 resolution.
      # /health answers 200 without rendering the full SPA page that / would.
      test:
        - CMD-SHELL
        - "wget -q --spider http://127.0.0.1:${PORT:-8890}/health"
      interval: 10s
      timeout: 5s
      retries: 30
      start_period: 60s

  # --- Datomic transactor (same Dockerfile, build stage "transactor") ---
  datomic:
    image: "${DATOMIC_IMAGE:-orcpub-datomic}"
    build:
      context: .
      dockerfile: docker/Dockerfile
      target: transactor
    # Port 4334 is not published to the host; only services on the compose
    # network can reach the transactor.
    environment:
      # Placeholder defaults, see the note on the orcpub service.
      ADMIN_PASSWORD: "${ADMIN_PASSWORD:-change-me-admin}"
      DATOMIC_PASSWORD: "${DATOMIC_PASSWORD:-change-me}"
      # ALT_HOST is the address the transactor advertises to peers for fallback
      # connections. 127.0.0.1 suits a single host; use "datomic" under Swarm.
      ALT_HOST: "${ALT_HOST:-127.0.0.1}"
      ENCRYPT_CHANNEL: "${ENCRYPT_CHANNEL:-true}"
    # Bind mounts for database storage, transactor logs and backup output.
    volumes:
      - ./data:/data
      - ./logs:/log
      - ./backups:/backups
    restart: always
    healthcheck:
      # 0x10EE is port 4334 in hex. Any socket on that port listed in the
      # kernel's IPv4 or IPv6 TCP table counts as "transactor is up".
      test:
        - CMD-SHELL
        - "grep -q ':10EE ' /proc/net/tcp || grep -q ':10EE ' /proc/net/tcp6"
      interval: 5s
      timeout: 3s
      retries: 30
      start_period: 40s

  # --- Front door: nginx in front of the app ---
  web:
    # Floating tag: consider pinning a digest for reproducible deploys.
    image: nginx:alpine
    # The only host-published ports in this file.
    ports:
      - "80:80"
      - "443:443"
    environment:
      # nginx:alpine runs envsubst over /etc/nginx/templates/*.template at
      # startup. Only variables defined here get substituted, so nginx's own
      # $host, $scheme etc. inside the template are left untouched.
      ORCPUB_PORT: "${PORT:-8890}"
    volumes:
      - ./deploy/nginx.conf.template:/etc/nginx/templates/default.conf.template
      # "snakeoil" cert/key: presumably a self-signed placeholder — confirm and
      # replace with a real certificate before exposing 443 publicly.
      - ./deploy/snakeoil.crt:/etc/nginx/snakeoil.crt
      - ./deploy/snakeoil.key:/etc/nginx/snakeoil.key
      - ./deploy/homebrew/:/usr/share/nginx/html/homebrew/
    depends_on:
      orcpub:
        condition: service_healthy
    restart: always
# --- Docker Secrets ---
# Uncomment to use Docker secrets instead of .env for passwords.
# Secrets are mounted as files at /run/secrets/<name> inside the container.
# Both deploy/start.sh (transactor) and the app (config.clj) check
# /run/secrets/ first, then fall back to environment variables.
#
# Option A: File-based secrets (works with plain docker compose; no Swarm needed)
# Each password goes in its own file instead of .env. Docker mounts
# them inside the container. They are still plain files on your hard drive —
# but isolated with strict permissions instead of all sitting in one .env.
# Create a secrets/ directory with one file per secret:
#   mkdir -p secrets
#   printf 'mypassword' > secrets/datomic_password
#   printf 'mypassword' > secrets/admin_password
#   printf 'mysecret' > secrets/signature
#   chmod 600 secrets/*
#
# secrets:
#   datomic_password:
#     file: ./secrets/datomic_password
#   admin_password:
#     file: ./secrets/admin_password
#   signature:
#     file: ./secrets/signature
#
# Option B: External secrets (Swarm only — created via docker secret create)
# Swarm stores passwords encrypted inside the cluster. When a container
# needs one, Swarm delivers it into memory — the password is never
# written to the server's hard drive. Use this for multi-server clusters.
#   printf 'mypassword' | docker secret create datomic_password -
#   printf 'mypassword' | docker secret create admin_password -
#   printf 'mysecret' | docker secret create signature -
#
# secrets:
#   datomic_password:
#     external: true
#   admin_password:
#     external: true
#   signature:
#     external: true
#
# Then add a `secrets:` list to each service that needs them:
#   orcpub:
#     secrets:
#       - datomic_password
#       - signature
#   datomic:
#     secrets:
#       - datomic_password
#       - admin_password
#
# You can remove the corresponding env vars from .env, or leave them —
# secret files take priority over env vars.