mastodon/compose.yml

259 lines
7.8 KiB
YAML

---
version: "3.8"
services:
db:
image: postgres:9.6-alpine
networks: &internalNetwork
- internal_network
healthcheck:
test: ["CMD", "pg_isready", "-U", "postgres"]
volumes:
- postgres:/var/lib/postgresql/data
secrets:
- db_password
environment:
- POSTGRES_DB=${DB_NAME}
- POSTGRES_PASSWORD=${DB_PASS}
- POSTGRES_PASSWORD_FILE=/run/secrets/db_password
- POSTGRES_USER=${DB_USER}
redis:
image: redis:6.0-alpine
networks: *internalNetwork
healthcheck:
test: ["CMD", "redis-cli", "ping"]
volumes:
- redis:/data
es:
image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.8.10
environment:
- "ES_JAVA_OPTS=-Xms512m -Xmx512m"
- "cluster.name=es-mastodon"
- "discovery.type=single-node"
- "bootstrap.memory_lock=true"
networks:
- internal_network
healthcheck:
test: ["CMD-SHELL", "curl --silent --fail localhost:9200/_cluster/health || exit 1"]
volumes:
- es:/usr/share/elasticsearch/data
ulimits:
memlock:
soft: -1
hard: -1
web:
image: &image tootsuite/mastodon:v3.3.0
command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
networks: &bothNetworks
- proxy
- internal_network
healthcheck:
test:
[
"CMD-SHELL",
"wget -q --spider --proxy=off localhost:3000/health || exit 1",
]
deploy:
update_config:
failure_action: rollback
order: start-first
labels:
- "traefik.enable=true"
- "traefik.docker.network=proxy"
- "traefik.http.services.${STACK_NAME}_web.loadbalancer.server.port=3000"
- "traefik.http.routers.${STACK_NAME}_web.rule=Host(`${DOMAIN}`)"
- "traefik.http.routers.${STACK_NAME}_web.entrypoints=web-secure"
- "traefik.http.routers.${STACK_NAME}_web.tls.certresolver=${LETS_ENCRYPT_ENV}"
# WEB_DOMAIN redirect
#- "traefik.http.routers.${STACK_NAME}_web.rule=(Host(`${DOMAIN}`) || (Host(`${LOCAL_DOMAIN}`) && Path(`/.well-known/webfinger`)))"
# - "traefik.http.middlewares.mastodon-webfinger.redirectregex.regex=^https?://${LOCAL_DOMAIN}/.*" #^(http|https)://${LOCAL_DOMAIN}/.well-known/webfinger"
# # - "traefik.http.middlewares.mastodon-webfinger.redirectregex.permanent=true"
# - "traefik.http.middlewares.mastodon-webfinger.redirectregex.replacement=https://${WEB_DOMAIN}/.well-known/webfinger"
# - "traefik.http.routers.${STACK_NAME}_hack.rule=(Host(`${LOCAL_DOMAIN}`) && Path(`/.well-known/`))"
# - "traefik.http.routers.${STACK_NAME}_hack.entrypoints=websecure"
# - "traefik.http.routers.${STACK_NAME}_hack.middlewares=mastodon-webfinger@docker"
configs: &configs
- source: entrypoint_sh
target: /usr/local/bin/entrypoint.sh
mode: 0555
entrypoint: &entrypoint /usr/local/bin/entrypoint.sh
volumes: &appVolume
- app:/mastodon
secrets: &secrets
- db_password
- otp_secret
- secret_key_base
- smtp_password
- vapid_private_key
environment: &env
- DB_HOST
- DB_USER
- DB_NAME
- DB_PASS_FILE=/run/secrets/db_password
- DB_PORT
- REDIS_HOST
- REDIS_PORT
- REDIS_URL
- REDIS_NAMESPACE
- CACHE_REDIS_HOST
- CACHE_REDIS_PORT
- CACHE_REDIS_URL
- CACHE_REDIS_NAMESPACE
- ES_ENABLED
- ES_HOST
- ES_PORT
- ES_PREFIX
- STATSD_ADDR
- STATSD_NAMESPACE
- VAPID_PRIVATE_KEY_FILE=/run/secrets/vapid_private_key
- VAPID_PUBLIC_KEY
- OTP_SECRET_FILE=/run/secrets/otp_secret
- SECRET_KEY_BASE_FILE=/run/secrets/secret_key_base
- LOCAL_DOMAIN
- WEB_DOMAIN
- ALTERNATE_DOMAINS
- AUTHORIZED_FETCH
- LIMITED_FEDERATION_MODE
- RAILS_ENV
- RAILS_SERVE_STATIC_FILES
- SINGLE_USER_MODE
- EMAIL_DOMAIN_ALLOWLIST
- EMAIL_DOMAIN_DENYLIST
- DEFAULT_LOCALE
- MAX_SESSION_ACTIVATIONS
- USER_ACTIVE_DAYS
- SMTP_SERVER
- SMTP_PORT
- SMTP_LOGIN
- SMTP_PASSWORD_FILE=/run/secrets/smtp_password
- SMTP_FROM_ADDRESS
- SMTP_DOMAIN
- SMTP_DELIVERY_METHOD
- SMTP_AUTH_METHOD
- SMTP_CA_FILE
- SMTP_OPENSSL_VERIFY_MODE
- SMTP_ENABLE_STARTTLS_AUTO
- SMTP_TLS
- SMTP_SSL
- PAPERCLIP_ROOT_PATH
- PAPERCLIP_ROOT_URL
- OAUTH_REDIRECT_AT_SIGN_IN
- LDAP_ENABLED
- LDAP_HOST
- LDAP_PORT
- LDAP_METHOD
- LDAP_BASE
- LDAP_BIND_DN
- LDAP_PASSWORD
- LDAP_UID
- LDAP_SEARCH_FILTER
- LDAP_MAIL
- LDAP_UID_CONVERSTION_ENABLED
- SAML_ENABLED
- SAML_ACS_URL
- SAML_ISSUER
- SAML_IDP_SSO_TARGET_URL
- SAML_IDP_CERT
- SAML_IDP_CERT_FINGERPRINT
- SAML_NAME_IDENTIFIER_FORMAT
- SAML_CERT
- SAML_PRIVATE_KEY
- SAML_SECURITY_WANT_ASSERTION_SIGNED
- SAML_SECURITY_WANT_ASSERTION_ENCRYPTED
- SAML_SECURITY_ASSUME_EMAIL_IS_VERIFIED
- SAML_ATTRIBUTES_STATEMENTS_UID
- SAML_ATTRIBUTES_STATEMENTS_EMAIL
- SAML_ATTRIBUTES_STATEMENTS_FULL_NAME
- SAML_ATTRIBUTES_STATEMENTS_FIRST_NAME
- SAML_ATTRIBUTES_STATEMENTS_LAST_NAME
- SAML_UID_ATTRIBUTE
- SAML_ATTRIBUTES_STATEMENTS_VERIFIED
- SAML_ATTRIBUTES_STATEMENTS_VERIFIED_EMAIL
- http_proxy # yes, this should be lowercase
- ALLOW_ACCESS_TO_HIDDEN_SERVICE
streaming:
image: *image
command: node ./streaming
configs: *configs
entrypoint: *entrypoint
secrets: *secrets
networks: *bothNetworks
healthcheck:
test:
[
"CMD-SHELL",
"wget -q --spider --proxy=off localhost:4000/api/v1/streaming/health || exit 1",
]
deploy:
update_config:
failure_action: rollback
order: start-first
labels:
- "traefik.enable=true"
- "traefik.docker.network=proxy"
- "traefik.http.services.${STACK_NAME}_streaming.loadbalancer.server.port=4000"
- "traefik.http.routers.${STACK_NAME}_streaming.rule=(Host(`${DOMAIN}`) && PathPrefix(`/api/v1/streaming`))"
- "traefik.http.routers.${STACK_NAME}_streaming.entrypoints=web-secure"
- "traefik.http.routers.${STACK_NAME}_streaming.tls.certresolver=${LETS_ENCRYPT_ENV}"
## Redirect from EXTRA_DOMAINS to DOMAIN
#- "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect"
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
#- "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
environment: *env
volumes: *appVolume # used to make sure this volume is created
sidekiq:
image: *image
secrets: *secrets
command: bundle exec sidekiq
configs: *configs
entrypoint: *entrypoint
deploy:
update_config:
failure_action: rollback
order: start-first
networks: *bothNetworks
volumes: *appVolume
environment: *env
secrets:
secret_key_base:
name: ${STACK_NAME}_secret_key_base_${SECRET_KEY_BASE_VERSION}
external: true
otp_secret:
name: ${STACK_NAME}_otp_secret_${SECRET_OTP_SECRET_VERSION}
external: true
vapid_private_key:
name: ${STACK_NAME}_vapid_private_key_${SECRET_VAPID_PRIVATE_KEY_VERSION}
external: true
db_password:
name: ${STACK_NAME}_db_password_${SECRET_DB_PASSWORD_VERSION}
external: true
smtp_password:
name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION}
external: true
volumes:
app:
redis:
postgres:
es:
networks:
proxy:
external: true
internal_network:
internal: true
configs:
entrypoint_sh:
name: ${STACK_NAME}_entrypoint_conf_${ENTRYPOINT_CONF_VERSION}
file: entrypoint.sh.tmpl
template_driver: golang