# Compose file format marker. Current `docker compose` releases treat the
# top-level `version` key as obsolete and ignore it with a warning.
version: "3.9"
# 2FApi development infrastructure services.
# Start with: docker compose up -d
# Stop with: docker compose down
# Reset data: docker compose down -v
#
# SECURITY: Copy .env.example to .env and set real credentials.
# NEVER use default credentials in production.
#
# TLS REQUIREMENTS (I-10):
# - Production deployments MUST use TLS for all client-server connections.
# - PostgreSQL: configure ssl=on in postgresql.conf, provide server cert/key.
# - Redis: configure tls-port, tls-cert-file, tls-key-file in redis.conf.
# - Application: all inter-service communication must use verified TLS certificates.
# - Certificate validation MUST NOT be disabled (e.g. do not run Redis with
#   `--tls-auth-clients no`, which stops the server from verifying client certificates).
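services:
  # PostgreSQL for local development. Credentials come from .env through
  # Compose variable interpolation.
  postgres:
    image: postgres:16.6-alpine
    container_name: twofapi-postgres
    environment:
      POSTGRES_DB: ${POSTGRES_DB:-twofapi}
      POSTGRES_USER: ${POSTGRES_USER:-twofapi}
      # `:?` aborts `docker compose up` when the variable is unset or empty,
      # so the database never starts with a blank or default password.
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set in .env}"
    ports:
      # Published on loopback only: other hosts on the network cannot reach it.
      - "127.0.0.1:5434:5432"
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-twofapi} -d ${POSTGRES_DB:-twofapi}"]
      interval: 5s
      timeout: 3s
      retries: 5

  # Redis for local development, password-protected and capped at 64 MB.
  redis:
    image: redis:7.4-alpine
    container_name: twofapi-redis
    environment:
      # redis-cli reads its password from REDISCLI_AUTH. The previous
      # healthcheck expanded $REDIS_PASSWORD inside the container, where that
      # variable was never defined (.env feeds Compose interpolation, not the
      # container environment), so the probe could not authenticate.
      REDISCLI_AUTH: "${REDIS_PASSWORD:?REDIS_PASSWORD must be set in .env}"
    ports:
      # Published on loopback only.
      - "127.0.0.1:6379:6379"
    # List form: a password containing spaces, quotes or `#` is passed as one
    # argument instead of being re-split from a command string.
    # NOTE(review): --requirepass still puts the password in the server's
    # argv (visible in `docker inspect` and process listings). Acceptable for
    # local development only; outside it, load the password from a mounted
    # redis.conf or ACL file.
    command:
      - "redis-server"
      - "--requirepass"
      - "${REDIS_PASSWORD:?REDIS_PASSWORD must be set in .env}"
      - "--maxmemory"
      - "64mb"
      - "--maxmemory-policy"
      - "allkeys-lru"
    healthcheck:
      # CE03: no `-a <password>` here, so the healthcheck never places the
      # password on a command line. `--no-auth-warning` only silenced
      # redis-cli's warning; it did not hide the argument itself.
      test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
      interval: 5s
      timeout: 3s
      retries: 5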
# Named volume holding the PostgreSQL data directory; `docker compose down -v`
# deletes it.
volumes:
  pgdata:
    driver: local