docker-compose.yml
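# Compose stack: a Traefik reverse proxy (TLS via Let's Encrypt) in front of
# the backend API. Variables written as ${VAR:?message} are required: Compose
# aborts with the message when they are unset or empty, instead of silently
# substituting an empty string (which for a signing key or an auth list is a
# security problem, not just a misconfiguration).
services:
  # ── Traefik Reverse Proxy ───────────────────────────────────────────────────
  traefik:
    image: traefik:v3.6
    container_name: traefik
    restart: unless-stopped
    # Block privilege escalation through setuid/setgid binaries in the container.
    security_opt:
      - "no-new-privileges:true"
    command:
      # Providers
      - --providers.docker=true
      # Containers are only routed when they opt in with traefik.enable=true.
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=zeroone-net
      # Entry points
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # HTTP → HTTPS redirect is handled per router, not globally: a router
      # bound to "web" without the redirect-to-https middleware serves
      # plaintext.
      # Let's Encrypt (ACME via HTTP challenge - more reliable on GCP)
      - "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL:?ACME_EMAIL must be set}"
      - --certificatesresolvers.letsencrypt.acme.storage=/acme/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      # Dashboard: enabled here and published by the labels below at
      # https://traefik.${DOMAIN}, protected only by basic auth.
      - --api.dashboard=true
    ports:
      - "80:80"
      - "443:443"
    environment:
      - DOCKER_API_VERSION=1.47
    volumes:
      # NOTE(security): ":ro" only makes the bind mount of the socket file
      # read-only. It does not restrict Docker API calls made over the socket,
      # so a process that can reach it has root-equivalent control of the
      # host. Traefik only reads container metadata; placing a filtering
      # socket proxy between Traefik and the daemon is the usual mitigation.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Holds acme.json: the ACME account key and certificate private keys.
      - traefik-acme:/acme
    networks:
      - zeroone-net
    labels:
      - traefik.enable=true
      # HTTP → HTTPS redirect middleware
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      - traefik.http.middlewares.redirect-to-https.redirectscheme.permanent=true
      # Traefik dashboard — accessible at https://traefik.${DOMAIN}
      # api@internal serves the Traefik API as well as the dashboard UI, so
      # the auth middleware below is the only control on this router. Consider
      # restricting source addresses as well if the dashboard does not need to
      # be reachable from the whole internet.
      - "traefik.http.routers.traefik-dashboard.rule=Host(`traefik.${DOMAIN:?DOMAIN must be set}`)"
      - traefik.http.routers.traefik-dashboard.entrypoints=websecure
      - traefik.http.routers.traefik-dashboard.tls.certresolver=letsencrypt
      - traefik.http.routers.traefik-dashboard.service=api@internal
      - traefik.http.routers.traefik-dashboard.middlewares=traefik-auth
      # Dashboard HTTP (redirects to HTTPS)
      - "traefik.http.routers.traefik-dashboard-http.rule=Host(`traefik.${DOMAIN}`)"
      - traefik.http.routers.traefik-dashboard-http.entrypoints=web
      - traefik.http.routers.traefik-dashboard-http.middlewares=redirect-to-https
      # Basic auth for dashboard. Generate the entry with `htpasswd -nB admin`:
      # -B selects bcrypt, and omitting -b makes htpasswd prompt for the
      # password so it does not end up in shell history. The hash contains "$"
      # characters; check that they survive Compose interpolation (for
      # example by single-quoting the value in .env).
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_AUTH:?TRAEFIK_DASHBOARD_AUTH must be set}"

  # ── Backend (Express API + Docker Orchestrator) ─────────────────────────────
  backend:
    build:
      context: ./backend
      dockerfile: Dockerfile
    container_name: zeroone-backend
    restart: unless-stopped
    environment:
      NODE_ENV: production
      PORT: "3001"
      # Required secrets: fail at `docker compose up` rather than start the
      # API with an empty signing or encryption key.
      DATABASE_URL: "${DATABASE_URL:?DATABASE_URL must be set}"
      JWT_SECRET: "${JWT_SECRET:?JWT_SECRET must be set}"
      ENCRYPTION_KEY: "${ENCRYPTION_KEY:?ENCRYPTION_KEY must be set}"
      CLERK_SECRET_KEY: "${CLERK_SECRET_KEY:?CLERK_SECRET_KEY must be set}"
      # Optional integrations default to an empty string.
      # NOTE(review): confirm the backend rejects webhook requests when the
      # corresponding *_WEBHOOK_SECRET is empty instead of skipping signature
      # verification.
      CLERK_WEBHOOK_SECRET: "${CLERK_WEBHOOK_SECRET:-}"
      RESEND_API_KEY: "${RESEND_API_KEY:-}"
      RESEND_FROM_EMAIL: "${RESEND_FROM_EMAIL:-ZeroOne <noreply@zeroonec.xyz>}"
      # No default is given; Compose substitutes an empty string (with a
      # warning) when this is unset.
      MODELARK_API_KEY: "${MODELARK_API_KEY}"
      TRAEFIK_DOMAIN: "${DOMAIN:?DOMAIN must be set}"
      DOCKER_NETWORK: zeroone-net
      BACKEND_IN_DOCKER: "true"
      DOCKER_SOCKET: /var/run/docker.sock
      # The default uses the mutable ":latest" tag, so the image behind it can
      # change without any change to this file. Pin ZEROCLAW_IMAGE to a
      # version tag or digest for production.
      ZEROCLAW_IMAGE: "${ZEROCLAW_IMAGE:-ghcr.io/zeroclaw-labs/zeroclaw:latest}"
      # The default is a development origin; set CORS_ORIGIN explicitly for a
      # production deployment.
      CORS_ORIGIN: "${CORS_ORIGIN:-http://localhost:3000}"
      FRONTEND_URL: "${FRONTEND_URL:-https://${DOMAIN}}"
      # Stripe Payments (Credit Cards + Bank Transfer)
      STRIPE_SECRET_KEY: "${STRIPE_SECRET_KEY:-}"
      STRIPE_WEBHOOK_SECRET: "${STRIPE_WEBHOOK_SECRET:-}"
      STRIPE_PRICE_ID_PRO_MONTHLY: "${STRIPE_PRICE_ID_PRO_MONTHLY:-}"
      STRIPE_PRICE_ID_PRO_YEARLY: "${STRIPE_PRICE_ID_PRO_YEARLY:-}"
      STRIPE_PRICE_ID_BUSINESS_MONTHLY: "${STRIPE_PRICE_ID_BUSINESS_MONTHLY:-}"
      STRIPE_PRICE_ID_BUSINESS_YEARLY: "${STRIPE_PRICE_ID_BUSINESS_YEARLY:-}"
      # Coinbase Commerce (Cryptocurrency Payments)
      COINBASE_COMMERCE_API_KEY: "${COINBASE_COMMERCE_API_KEY:-}"
      COINBASE_COMMERCE_WEBHOOK_SECRET: "${COINBASE_COMMERCE_WEBHOOK_SECRET:-}"
    volumes:
      # NOTE(security): this container is published to the internet at
      # api.${DOMAIN} and also holds the Docker socket. ":ro" does not limit
      # Docker API calls, so a compromise of the API process is equivalent to
      # root on the host. Treat every code path that turns request data into
      # a Docker API call as security-critical.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - zeroone-net
    labels:
      - traefik.enable=true
      # HTTPS router
      - "traefik.http.routers.backend.rule=Host(`api.${DOMAIN}`)"
      - traefik.http.routers.backend.entrypoints=websecure
      - traefik.http.routers.backend.tls.certresolver=letsencrypt
      - traefik.http.services.backend.loadbalancer.server.port=3001
      # HTTP router (redirects to HTTPS)
      - "traefik.http.routers.backend-http.rule=Host(`api.${DOMAIN}`)"
      - traefik.http.routers.backend-http.entrypoints=web
      - traefik.http.routers.backend-http.middlewares=redirect-to-https@docker
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://localhost:3001/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

networks:
  zeroone-net:
    name: zeroone-net
    driver: bridge

volumes:
  traefik-acme: {}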