docker-compose.prod.yml
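# Production stack. Only nginx joins the external `traefik` network; every
# other service is attached to `internal` alone, and no service publishes
# host ports.
#
# Required secrets use `${VAR:?message}` so that Compose aborts with an error
# when a variable is unset or empty, instead of substituting an empty string
# and starting the containers anyway.
#
# NOTE(review): every first-party image defaults to the mutable `latest` tag
# when VERSION is unset. Set VERSION to a release tag (or pin by digest) so a
# restart or redeploy cannot silently pull a different image.
services:
  nginx:
    image: ghcr.io/enko/freundebuch2-nginx:${VERSION:-latest}
    container_name: freundebuch-nginx
    restart: unless-stopped
    environment:
      BACKEND_HOST: backend
      BACKEND_PORT: "3000"
      SABREDAV_HOST: sabredav
      SABREDAV_PORT: "9000"
      # Access logging is off by default. Enable it if request logs are needed
      # for detection or incident response and are not collected elsewhere.
      NGINX_ACCESS_LOG: "${NGINX_ACCESS_LOG:-off}"
      NGINX_ERROR_LOG_LEVEL: "${NGINX_ERROR_LOG_LEVEL:-warn}"
    networks:
      - traefik
      - internal
    labels:
      # TLS is terminated at Traefik; Traefik reaches this container over
      # plain HTTP on port 80 across the shared `traefik` network.
      - "traefik.enable=true"
      - "traefik.http.routers.freundebuch.rule=Host(`freundebuch.schumacher.im`)"
      - "traefik.http.routers.freundebuch.entrypoints=websecure"
      - "traefik.http.routers.freundebuch.tls=true"
      - "traefik.http.routers.freundebuch.tls.certresolver=letsencrypt"
      - "traefik.http.services.freundebuch.loadbalancer.server.port=80"
      # HTTP to HTTPS redirect
      - "traefik.http.routers.freundebuch-http.rule=Host(`freundebuch.schumacher.im`)"
      - "traefik.http.routers.freundebuch-http.entrypoints=web"
      - "traefik.http.routers.freundebuch-http.middlewares=https-redirect"
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https-redirect.redirectscheme.permanent=true"
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
    depends_on:
      backend:
        condition: service_healthy
      sabredav:
        condition: service_healthy

  backend:
    image: ghcr.io/enko/freundebuch2-backend:${VERSION:-latest}
    container_name: freundebuch-backend
    restart: unless-stopped
    # Secrets below are passed as environment variables, so they are readable
    # through `docker inspect` by anyone with access to the Docker API on the
    # host. Restrict that access accordingly.
    environment:
      # Database
      DATABASE_URL: "${DATABASE_URL:?DATABASE_URL must be set}"
      DATABASE_POOL_MIN: "${DATABASE_POOL_MIN:-2}"
      DATABASE_POOL_MAX: "${DATABASE_POOL_MAX:-10}"
      # Server
      NODE_ENV: production
      PORT: "3000"
      FRONTEND_URL: https://freundebuch.schumacher.im
      BACKEND_URL: https://freundebuch.schumacher.im
      # Authentication
      # Signing secrets are mandatory: an unset or empty value stops the
      # deployment at interpolation time.
      JWT_SECRET: "${JWT_SECRET:?JWT_SECRET must be set}"
      # 604800 is 7 days if the unit is seconds -- TODO confirm against the
      # backend.
      JWT_EXPIRY: "${JWT_EXPIRY:-604800}"
      SESSION_SECRET: "${SESSION_SECRET:?SESSION_SECRET must be set}"
      SESSION_EXPIRY_DAYS: "${SESSION_EXPIRY_DAYS:-7}"
      PASSWORD_RESET_EXPIRY_HOURS: "${PASSWORD_RESET_EXPIRY_HOURS:-1}"
      # Logging
      LOG_LEVEL: "${LOG_LEVEL:-info}"
      # PostGIS Address Lookup (enable after running OSM import)
      POSTGIS_ADDRESS_ENABLED: "${POSTGIS_ADDRESS_ENABLED:-false}"
      POSTGIS_ADDRESS_DACH_ONLY: "${POSTGIS_ADDRESS_DACH_ONLY:-true}"
    volumes:
      - freundebuch_uploads:/app/uploads
    networks:
      - internal
    healthcheck:
      test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000/health', (r) => process.exit(r.statusCode === 200 ? 0 : 1))"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    depends_on:
      postgres:
        condition: service_healthy

  sabredav:
    image: ghcr.io/enko/freundebuch2-sabredav:${VERSION:-latest}
    container_name: freundebuch-sabredav
    restart: unless-stopped
    environment:
      # NOTE(review): same DATABASE_URL as the backend, so both services use
      # the same database credentials. A separate role limited to what
      # sabredav needs would reduce the impact of a compromise of either one.
      DATABASE_URL: "${DATABASE_URL:?DATABASE_URL must be set}"
    networks:
      - internal
    healthcheck:
      test: ["CMD-SHELL", "pidof php-fpm > /dev/null || exit 1"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    depends_on:
      postgres:
        condition: service_healthy

  postgres:
    # Community image referenced by tag only; a tag can be re-pushed, so
    # consider pinning by digest.
    image: imresamu/postgis:18-3.6.1-trixie # PostGIS 3.6 + PostgreSQL 18, arm64 support
    container_name: freundebuch-postgres
    restart: unless-stopped
    environment:
      POSTGRES_DB: "${POSTGRES_DB:-freundebuch}"
      POSTGRES_USER: "${POSTGRES_USER:-freundebuch}"
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
    volumes:
      # NOTE(review): the official postgres 18+ images moved the data
      # directory under /var/lib/postgresql/<major>/. Verify that this image
      # still stores its data under the path mounted here; otherwise the
      # named volume would not hold the database.
      - postgres_data:/var/lib/postgresql/data
    # Attached to `internal` only and no `ports:` entry: the database is not
    # reachable from the host or from the `traefik` network.
    networks:
      - internal
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-freundebuch} -d ${POSTGRES_DB:-freundebuch}"]
      interval: 10s
      timeout: 5s
      retries: 5

  # OSM address data import (run manually with --profile import)
  osm-import:
    image: ghcr.io/enko/freundebuch2-osm-import:${VERSION:-latest}
    container_name: freundebuch-osm-import
    profiles:
      - import # Only runs when explicitly requested
    environment:
      # The password is spliced into a URL as-is: characters such as `@`, `:`
      # or `/` in POSTGRES_PASSWORD must be percent-encoded, or the URL will
      # be parsed incorrectly.
      DATABASE_URL: "postgresql://${POSTGRES_USER:-freundebuch}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}@postgres:5432/${POSTGRES_DB:-freundebuch}"
    volumes:
      - osm_data:/app/data # Persist downloaded PBF files
    networks:
      - internal
    depends_on:
      postgres:
        condition: service_healthy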
networks:
  # Declared external: Compose neither creates nor removes this network, it
  # must already exist. Presumably the network the Traefik proxy is attached
  # to -- confirm on the host.
  traefik:
    external: true
  # NOTE(review): despite its name this is an ordinary bridge network;
  # `internal: true` is not set, so attached containers keep outbound
  # connectivity. Setting it would also cut egress for osm-import, which
  # appears to download PBF files -- check before tightening.
  internal:
    driver: bridge
# Named volumes holding the stack's persistent state; include them in backups.
volumes:
  # Mounted by postgres at /var/lib/postgresql/data
  postgres_data:
  # Mounted by backend at /app/uploads
  freundebuch_uploads:
  osm_data: # Cached OSM PBF files for imports