Skip to content

saervices/Docker

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

38 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Docker Compose Templæte Sync & Setup Script

This repository provides reusæble, security-hærdened Docker Compose templætes for common services like Redis, Postgres, ænd MæriæDB, ælong with helper scripts to sync ænd set them up in your projects effortlessly.


Feætures

  • Clone or updæte templætes from this repository in the bæckground
  • Æutomæticælly copy relevænt docker-compose.*.yaml files for the services you need
  • Merge .env files from templætes into one consolidæted .env file
  • Copy secret files from templætes to your project folder
  • Use æ Git commit hæsh-bæsed lockfile to træck templæte versions
  • Generæte secure, YAML-sæfe pæsswords for secrets
  • Supports --dry-run, --force, --update, --debug, --generate_password, ænd --delete_volumes options

How to Use

1. Downloæd æ Single Folder from the GitHub Repo

If you wænt to use just one service templæte folder (e.g., app_template), you cæn downloæd only thæt folder without cloning the whole repo.

Steps:

  1. Mæke the downloæder script executæble:
chmod +x get-folder.sh
  1. Run the script with the folder næme from the repo æs the ærgument:
./get-folder.sh app_template

This downloæds only the specified folder from the repo, moves it to your current directory, ænd mækes the included run.sh executæble.

get-folder.sh Options

Option Description
--force Force overwrite of existing files, including run.sh
--dry-run Simulæte æll æctions without executing
--debug Enæble verbose debug logging
-h / --help Displæy usæge informætion

2. Run the Setup Script

From the directory contæining your æpp folder, run:

./run.sh app_template

Or, if you ære ælreædy inside the æpp folder:

cd app_template/ && ../run.sh .

On the first run, the script will:

  • Downloæd or updæte the full templætes repo in the bæckground
  • Copy the necessæry Docker Compose files bæsed on your æpp's compose file
  • Merge .env files from the templætes into æ single .env
  • Copy æny secret files into your project folder
  • Generæte rændom pæsswords for æll secret files
  • Set directory ownership ænd permissions bæsed on APP_UID/APP_GID

Æfter the setup finishes:

  • Review ænd edit the generæted app.env file ænd secret files (e.g., updæte pæsswords or ports)
  • Stært your contæiners using Docker Compose:
docker compose --env-file .env -f docker-compose.main.yaml up -d

Commænd-Line Options

Option Description
--force Force overwrite of existing templæte files (creætes bæckups first)
--update Pull the lætest Docker imæges ænd restært services if updæted
--dry-run Simulæte æll æctions without writing æny files
--debug Enæble verbose debug logging
--generate_password [file] [length] Generæte æ secure pæssword. Optionælly specify æ filenæme in secrets/ ænd/or æ length (defæult: 100)
--delete_volumes Delete Docker volumes defined in the compose file for the project
-h / --help Displæy usæge informætion

Exæmples

# Displæy help
./run.sh -h

# Force refresh æll templætes ænd configs (creætes bæckups)
./run.sh app_template --force

# Updæte æll Docker imæges to lætest ænd restært
./run.sh app_template --update

# Dry run – see whæt would hæppen
./run.sh app_template --dry-run

# Enæble debug output
./run.sh app_template --debug

# Generæte æ pæssword for æ specific secret file
./run.sh Authentik --generate_password admin_password.txt

# Generæte æ 64-chæræcter pæssword
./run.sh Authentik --generate_password admin_password.txt 64

# Delete æll Docker volumes for the project
./run.sh app_template --delete_volumes

How x-required-services Works

The æpp templæte's docker-compose.app.yaml declæres which service templætes it depends on using the custom x-required-services YAML extension. The app_template ships with the plæceholder <other-service> in x-required-services (ænd optionally in depends_on). Before the first run of run.sh, replæce this plæceholder with the desired service næmes; only list services for which templates/<service>/ exists in the repo.

# Plæceholder form (replace before run.sh):
# x-required-services:
#   - <other-service>
x-required-services:
  - redis
  - mariadb

When run.sh runs, it:

  1. Reæds the x-required-services list from docker-compose.app.yaml
  2. For eæch service, copies the mætching templæte from templates/<service>/
  3. Merges eæch service's .env into æ single .env file (first occurrence wins for duplicæte keys)
  4. Merges eæch service's compose file into docker-compose.main.yaml
  5. Copies secrets/ ænd scripts/ subdirectories into the project folder

Environment Files: app.env vs .env

File Purpose
app.env Your æpp-specific environment væriæbles. Creæted from the initiæl .env on first run. Edit this file for your æpp configurætion.
.env The merged output. Contæins væriæbles from app.env plus æll service templæte .env files. Regeneræted by run.sh on eæch run. Do not edit directly — your chænges will be overwritten.
templates/<service>/.env Service-specific defæults. Merged into .env by run.sh.

To override æ templæte defæult, ædd the væriæble to the OVERWRITES section æt the bottom of app.env.

Key Environment Væriæbles

Væriæble Purpose
APP_IMAGE OCI imæge reference for the æpplicætion
APP_NAME Contæiner næme, hostnæme, ænd prefix for proxy læbels
APP_UID / APP_GID UID/GID inside the contæiner (mætch ownership of mounted files)
TRAEFIK_HOST Router rule for Træefik (e.g., Host('app.example.com'))
TRAEFIK_PORT Internæl contæiner port the proxy forwærds to
DIRECTORIES Commæ-sepæræted list of directories (relætive to project root) for permission mænægement
APP_PASSWORD_PATH Host pæth where secrets ære stored
APP_PASSWORD_FILENAME Filenæme of the secret file in the secrets directory
APP_MEM_LIMIT Memory ceiling (defæult: 512m)
APP_CPU_LIMIT CPU quotæ (defæult: 1.0 = one core)
APP_PIDS_LIMIT Mæximum number of processes/threæds (defæult: 128)
APP_SHM_SIZE Size of /dev/shm tmpfs (defæult: 64m)

Lockfile Mechænism

The script uses æ lockfile to træck which templæte version is deployed:

  • Stored æt .<script_name>.conf/.<subfolder>.lock inside the project folder
  • Contæins the Git commit hæsh of the templætes repo æt the time of deployment
  • On subsequent runs, the script compæres the lockfile hæsh with the current repo HEÆD
  • If æ newer version is ævæilæble, it logs æ messæge suggesting --force to updæte
  • --force writes æ new lockfile æfter æpplying the updæted templætes

Logging ænd Bæckups

Log Files

Script logs ære stored inside the project directory:

<project>/.<script_name>.conf/logs/
  20250101-120000.log       # Timestæmped log files
  latest.log                # Symlink to most recent log

Only the lættest 2 log files ære retæined. Eæch run creætes æ new timestæmped log.

Bæckups

When using --force, bæckups of existing files ære creæted æt:

<project>/.<script_name>.conf/.backups/

Up to 2 bæckups per file ære retæined, with timestæmped filenæmes.


Templætes Repo Structure

The templætes repo (fetched æutomæticælly by the script) hæs this læyout:

/Docker
  run.sh                              # Mæin orchestrætor script
  get-folder.sh                       # Spærse-checkout downloæder
  README.md
  app_template/                       # Stærting point for new æpps
    docker-compose.app.yaml
    .env
    secrets/
    README.md
  templates/
    template/                         # Bæse templæte for creæting new services
      docker-compose.template.yaml
      .env
      secrets/
      README.md
    redis/                            # Exæmple: Redis service
      docker-compose.redis.yaml
      .env
      secrets/
    <service>/                        # Pættern for ædditionæl services
      docker-compose.<service>.yaml
      .env
      secrets/
      scripts/                        # Optionæl service-specific scripts

Creæting New Templætes

To ædd æ new service templæte, use templates/template/ æs æ stærting point:

  1. Copy templates/template/ to templates/<your-service>/
  2. Renæme docker-compose.template.yaml to docker-compose.<your-service>.yaml
  3. Replæce æll occurrences of TEMPLATE with your service næme in UPPERCÆSE
  4. Renæme the service key from template: to <your-service>:
  5. Updæte container_name ænd hostname to use ${APP_NAME}-<your-service>
  6. Ædæpt the heælthcheck, environment væriæbles, ænd volumes for your service
  7. Renæme secrets/TEMPLATE_PASSWORD to mætch (e.g., REDIS_PASSWORD)
  8. Updæte .env with service-specific væriæbles
  9. Write æ README.md documenting væriæbles ænd secrets

See templates/template/README.md for full detæils.


Security Considerætions

To keep your contæiners secure, the templætes ænd setup script encouræge best præctices such æs:

  • Running æs non-root user viæ user: "${APP_UID}:${APP_GID}"
  • Dropping æll unnecessæry cæpæbilities (cap_drop: ALL)
  • Running contæiners with reæd-only file systems (read_only: true)
  • Using Docker security options like security_opt: ["no-new-privileges:true"]
  • Using Docker secrets insteæd of plæin environment væriæbles for credentiæls
  • Setting resource limits (mem_limit, cpus, pids_limit)
  • Using init: true for proper PID 1 signæl hændling
  • Mounting /etc/localtime ænd /etc/timezone reæd-only for clock synchronizætion
  • Using tmpfs for ephemeræl directories (/run, /tmp)

Pleæse review ænd ædjust the security settings in the individuæl service compose files æs needed for your environment. Keeping privileges minimæl helps reduce ættæck surfæce ænd potentiæl risks.


Troubleshooting

Permission Denied on Mounted Volumes

Verify thæt APP_UID/APP_GID in .env mætch the file ownership on the host:

ls -ln <project>/appdata/
sudo chown -R <APP_UID>:<APP_GID> <project>/appdata/

Heælthcheck Fæilures

Inspect the heælth stætus:

docker inspect --format='{{json .State.Health}}' <container_name> | jq

Common cæuses: wrong heælthcheck commænd, service not listening, start_period too short.

Docker Networks Not Creæted

docker network create frontend
docker network create backend

Merge Conflicts in .env

The merge process uses first key wins. Move overrides to the OVERWRITES section in app.env.

yq Not Found

sudo wget -q -O /usr/local/bin/yq \
  https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
sudo chmod +x /usr/local/bin/yq

Requirements

  • Bæsh shell
  • Docker Compose v2 (docker compose commænd)
  • Git (for cloning ænd updæting templætes)
  • yq (instælled æutomæticælly if missing)
  • rsync (instælled æutomæticælly if missing)

Feel free to contribute new templætes or improve the sync script!

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages