music-vault/docker-compose.yml at master · rikzun/music-vault · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
name: music-vault

services:
  frontend:
    image: nginx:1.29.4-alpine3.23
    security_opt:
      - no-new-privileges:true
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./frontend:/usr/share/nginx/html:ro
      - ./uploads:/usr/share/nginx/uploads:ro
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.frontend.rule=Host(`vault.hex3.space`) && !PathPrefix(`/api`)
      - traefik.http.routers.frontend.entrypoints=websecure
      - traefik.http.routers.frontend.tls.certresolver=letsencrypt

  backend:
    image: ragedunicorn/ffmpeg:7.1.1-alpine3.22.2-1
    security_opt:
      - no-new-privileges:true
    user: root
    working_dir: /app/
    volumes:
      - ./vault:/app/vault
      - ./uploads:/app/uploads:rw
    networks:
      - proxy
    expose:
      - 8080
    labels:
      - traefik.enable=true
      - traefik.http.routers.backend.rule=Host(`vault.hex3.space`) && PathPrefix(`/api`)
      - traefik.http.routers.backend.entrypoints=websecure
      - traefik.http.routers.backend.tls.certresolver=letsencrypt
      - traefik.http.services.backend.loadbalancer.server.port=8080
    entrypoint: sh -c "chmod +x /app/vault && /app/vault"
    env_file: .env
    depends_on:
      database:
        condition: service_healthy

  database:
    image: postgres:17.7-alpine3.23
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      - ./database:/var/lib/postgresql/data
    networks:
      - proxy
    environment:
      POSTGRES_DB: ${POSTGRES_NAME}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASS}
      PGDATABASE: ${POSTGRES_NAME}
      PGUSER: ${POSTGRES_USER}
      PGPASSWORD: ${POSTGRES_PASS}
      POSTGRES_INITDB_ARGS: --encoding=UTF8
    healthcheck:
      test: [CMD-SHELL, pg_isready]
      interval: 1s
      timeout: 5s
      retries: 10

  traefik:
    image: traefik:3.6.6
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
      - --entrypoints.websecure.transport.respondingtimeouts.readtimeout=300
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.permanent=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=proxy
      - --certificatesresolvers.letsencrypt.acme.email=rik.zunqq@gmail.com
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      - --log.level=INFO
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt

networks:
  proxy:
    name: proxy