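# docker-compose.prod.yml -- Production environment override
# Usage: docker compose -f docker-compose.yml -f docker-compose.prod.yml --env-file .env.prod up -d
#
# Layered on top of docker-compose.yml: only the keys below are overridden or
# added, everything else (images, the redis/nats/openbao base definitions,
# network declarations) comes from the base file. `${VAR}` interpolation is
# resolved by compose from the shell and --env-file; `env_file:` is passed to
# the container at run time. Check the merged result with
# `docker compose ... config` before deploying.
---
services:
  # Persistent storage, a prod-only init script and a readiness probe that the
  # dependent services below wait on.
  postgres:
    volumes:
      - ./docker-data/postgres:/var/lib/postgresql/data
      - ./scripts/init-postgres-prod.sql:/docker-entrypoint-initdb.d/init.sql:ro
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d ${POSTGRES_DB:-tod}"]
      interval: 5s
      timeout: 5s
      retries: 5

  api:
    build:
      context: .
      dockerfile: infrastructure/docker/Dockerfile.api
    container_name: tod_api
    env_file: .env.prod
    environment:
      ENVIRONMENT: production
      LOG_LEVEL: info
      GUNICORN_WORKERS: "2"
      WIREGUARD_CONFIG_PATH: /data/wireguard
      WIREGUARD_GATEWAY: wireguard
    # NET_ADMIN and root are needed only for the `ip route add` in the startup
    # command; gunicorn itself is started as appuser via su, so it should not
    # retain the capability (caps are cleared on the uid change unless
    # keep-caps is set -- TODO(review): confirm on the running container).
    cap_add:
      - NET_ADMIN
    user: root
    # Folded scalar: lines are joined with spaces, so every statement carries
    # its own `;`. `$$` is the compose escape for a literal `$`, evaluated by
    # the container shell rather than by compose.
    # NOTE(review): iproute2 is installed at container start, which requires
    # apt and network access at runtime and makes the image non-reproducible;
    # installing it in Dockerfile.api would also remove the need to swallow
    # errors with `|| true` (a failed route add is currently invisible apart
    # from the echo line). `exec su` makes su PID 1; whether SIGTERM from
    # `docker stop` reaches gunicorn depends on the su implementation --
    # TODO(review): verify graceful shutdown.
    command: >
      sh -c "
      if [ -n \"$$WIREGUARD_GATEWAY\" ]; then
      apt-get update -qq && apt-get install -y -qq iproute2 >/dev/null 2>&1 || true;
      GW_IP=$$(getent hosts $$WIREGUARD_GATEWAY 2>/dev/null | awk '{print $$1}');
      [ -z \"$$GW_IP\" ] && GW_IP=$$WIREGUARD_GATEWAY;
      ip route add 10.10.0.0/16 via $$GW_IP 2>/dev/null || true;
      echo VPN route: 10.10.0.0/16 via $$GW_IP;
      fi;
      exec su -s /bin/sh appuser -c 'gunicorn app.main:app --config gunicorn.conf.py'
      "
    # Published on every host interface (contrast with poller, which binds to
    # loopback); if a reverse proxy fronts the API, a 127.0.0.1 binding here
    # would keep it off the public interface.
    ports:
      - "8001:8000"
    volumes:
      - ./docker-data/git-store:/data/git-store
      - ./docker-data/wireguard:/data/wireguard
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
      nats:
        condition: service_healthy
      openbao:
        condition: service_healthy
    deploy:
      resources:
        limits:
          memory: 512M
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    networks:
      - tod
      - tod_remote_worker

  poller:
    build:
      context: ./poller
      dockerfile: ./Dockerfile
    container_name: tod_poller
    env_file: .env.prod
    cap_add:
      - NET_ADMIN
    environment:
      ENVIRONMENT: production
      LOG_LEVEL: info
      # NOTE(review): the fallback embeds a default credential in a production
      # file; once every deployment sets POLLER_DATABASE_URL, the
      # `${VAR:?message}` form would fail closed instead of falling back.
      DATABASE_URL: ${POLLER_DATABASE_URL:-postgres://poller_user:poller_password@postgres:5432/tod}
      # Quoted so each value reaches the container as a string (matching
      # GUNICORN_WORKERS in api) rather than being read as a YAML integer.
      TUNNEL_PORT_MIN: "49000"
      TUNNEL_PORT_MAX: "49100"
      TUNNEL_IDLE_TIMEOUT: "300"
      SSH_RELAY_PORT: "8080"
      SSH_IDLE_TIMEOUT: "900"
      SSH_MAX_SESSIONS: "200"
      SSH_MAX_PER_USER: "10"
      SSH_MAX_PER_DEVICE: "20"
    # Tunnel range matches TUNNEL_PORT_MIN..TUNNEL_PORT_MAX and is bound to
    # loopback only; the SSH relay port (8080) is not published at all.
    ports:
      - "127.0.0.1:49000-49100:49000-49100"
    ulimits:
      nofile:
        soft: 8192
        hard: 8192
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
      nats:
        condition: service_healthy
      openbao:
        condition: service_healthy
    # Probes the relay's /healthz on the SSH_RELAY_PORT set above.
    healthcheck:
      test: ["CMD-SHELL", "wget --spider -q http://localhost:8080/healthz || exit 1"]
      interval: 30s
      timeout: 3s
      retries: 3
    deploy:
      resources:
        limits:
          memory: 512M  # increased from 256M for tunnel/SSH overhead
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    networks:
      - tod
      - tod_remote_worker

  openbao:
    env_file: .env.prod
    environment:
      BAO_ADDR: "http://127.0.0.1:8200"
      # NOTE(review): the unseal key and token are injected as plain
      # environment variables, so they are visible through `docker inspect`
      # and to anything with access to the Docker socket; a secrets mount
      # would keep them out of the container metadata.
      BAO_UNSEAL_KEY: "${BAO_UNSEAL_KEY}"
      BAO_TOKEN: "${OPENBAO_TOKEN}"
    # Intent: no published ports, OpenBao stays on the compose network.
    # NOTE(review): override-file merging unions sequence fields such as ports,
    # so an empty list does not remove a mapping declared in docker-compose.yml
    # (compose provides the `!reset` tag for that) -- verify with
    # `docker compose config`.
    ports: []
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

  winbox-worker:
    environment:
      LOG_LEVEL: info
      # Quoted for the same reason as the poller values above.
      MAX_CONCURRENT_SESSIONS: "10"
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    restart: unless-stopped

  frontend:
    build:
      context: .
      dockerfile: infrastructure/docker/Dockerfile.frontend
    container_name: tod_frontend
    ports:
      - "3000:80"
    # Short-form depends_on: waits for the api container to start, not for a
    # health condition (api defines no healthcheck in this file).
    depends_on:
      - api
    deploy:
      resources:
        limits:
          memory: 64M
    restart: unless-stopped
    networks:
      - tod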