-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdocker-compose.yml
More file actions
211 lines (203 loc) · 9.38 KB
/
Copy pathdocker-compose.yml
File metadata and controls
211 lines (203 loc) · 9.38 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
services:
# ── RemnaCore ───────────────────────────────────────────────────────────────
remnacore:
restart: unless-stopped
mem_limit: ${REMNACORE_MEM_LIMIT:-768m}
build:
context: .
dockerfile: deploy/docker/Dockerfile
read_only: true
cap_drop:
- ALL
security_opt:
- no-new-privileges:true
tmpfs:
- /tmp
volumes:
- ./keys:/etc/remnacore/keys:ro
environment:
APP_PORT: "4000"
APP_LOG_LEVEL: "${LOG_LEVEL:-info}"
APP_LOG_FORMAT: "${LOG_FORMAT:-json}"
# The app connects as the least-privilege runtime role (NOSUPERUSER,
# NOBYPASSRLS) provisioned by scripts/provision-app-role.sh — NOT as the
# bootstrap superuser (${PLATFORM_DB_USER}), which migrations use. A
# superuser/BYPASSRLS connection is rejected at boot (voids tenant RLS).
DATABASE_URL: "postgres://${PLATFORM_APP_DB_USER:-remnacore_app}:${PLATFORM_APP_DB_PASSWORD:-app_secret}@platform-db:5432/${PLATFORM_DB_NAME:-remnacore}?sslmode=disable"
DATABASE_MIN_CONNS: "${DATABASE_MIN_CONNS:-5}"
DATABASE_CONN_MAX_IDLE_TIME: "${DATABASE_CONN_MAX_IDLE_TIME:-1m}"
DATABASE_HEALTH_CHECK_PERIOD: "${DATABASE_HEALTH_CHECK_PERIOD:-30s}"
VALKEY_URL: "redis://valkey:6379"
NATS_URL: "nats://nats:4222"
JWT_PRIVATE_KEY_PATH: "${JWT_PRIVATE_KEY_PATH:-/etc/remnacore/keys/private.pem}"
JWT_PUBLIC_KEY_PATH: "${JWT_PUBLIC_KEY_PATH:-/etc/remnacore/keys/public.pem}"
# Go 1.26 Green Tea GC tuning. Green Tea GC is enabled by default and
# provides 10-40% lower GC overhead for allocation-heavy workloads.
# GOGC: target heap growth ratio (100 = double before GC). Lower = less
# memory, more CPU on GC. Try 50 for lower tail latency.
# GOMEMLIMIT: soft memory ceiling. Set to ~80% of container memory limit.
# Prevents OOM by triggering GC earlier when approaching the limit.
# Monitor via /metrics: go_gc_duration_seconds, go_memstats_heap_inuse_bytes
GOGC: "${GOGC:-100}"
GOMEMLIMIT: "${GOMEMLIMIT:-512MiB}"
REMNAWAVE_URL: "http://remnawave-backend:3000"
REMNAWAVE_API_TOKEN: "${REMNAWAVE_API_TOKEN:-changeme}"
# Required (first-deploy.sh generates it). An empty webhook secret makes
# inbound Remnawave webhooks forgeable (empty-key HMAC), so fail fast.
REMNAWAVE_WEBHOOK_SECRET: "${REMNAWAVE_WEBHOOK_SECRET:?set REMNAWAVE_WEBHOOK_SECRET in .env}"
# At-rest encryption for per-shop bot tokens. Without it the shop-bot
# feature fails at runtime; first-deploy.sh generates it into .env.
SECURITY_ENCRYPTION_KEY: "${SECURITY_ENCRYPTION_KEY:-}"
OUTBOX_RELAY_WORKERS: "${OUTBOX_RELAY_WORKERS:-1}"
OUTBOX_PARTITION_LOOKAHEAD: "${OUTBOX_PARTITION_LOOKAHEAD:-2}"
OUTBOX_RETENTION_DAYS: "${OUTBOX_RETENTION_DAYS:-90}"
healthcheck:
# busybox wget (present in the alpine runtime image). /readyz aggregates
# Postgres/Valkey/NATS/outbox checkers, so Caddy only routes once ready.
test: ["CMD", "wget", "-q", "-O", "/dev/null", "http://localhost:4000/readyz"]
interval: 10s
timeout: 5s
retries: 5
start_period: 40s
depends_on:
platform-db:
condition: service_healthy
valkey:
condition: service_started
nats:
condition: service_started
# ── Platform PostgreSQL ─────────────────────────────────────────────────────
platform-db:
restart: unless-stopped
mem_limit: ${PLATFORM_DB_MEM_LIMIT:-1280m}
image: postgres:18
# PG18 async I/O and performance tuning (sized for 1GB container, SSD storage).
# Data checksums are enabled by default in PG18 (initdb --data-checksums).
# Use SHOW data_checksums; to verify at runtime.
#
# PostgreSQL 18 I/O method configuration:
# worker — thread-pool based (default, works everywhere)
# io_uring — Linux 5.1+ kernel, up to 2x IOPS on NVMe storage
#
# To enable io_uring in Docker:
# 1. Host kernel must be Linux 5.1+ (check: uname -r)
# 2. Container needs --privileged or --cap-add SYS_ADMIN
# 3. Set PG_IO_METHOD=io_uring in .env
#
# The application logs a warning at startup if io_method != io_uring
# (see internal/adapter/postgres/module.go).
command:
- "postgres"
- "-c"
- "io_method=${PG_IO_METHOD:-worker}"
- "-c"
- "io_combine_limit=${PG_IO_COMBINE_LIMIT:-128}"
- "-c"
- "effective_io_concurrency=${PG_EFFECTIVE_IO_CONCURRENCY:-200}"
- "-c"
- "maintenance_io_concurrency=${PG_MAINTENANCE_IO_CONCURRENCY:-10}"
- "-c"
- "shared_buffers=${PG_SHARED_BUFFERS:-256MB}"
- "-c"
- "work_mem=${PG_WORK_MEM:-16MB}"
- "-c"
- "shared_preload_libraries=pg_stat_statements"
environment:
POSTGRES_DB: "${PLATFORM_DB_NAME:-remnacore}"
POSTGRES_USER: "${PLATFORM_DB_USER:-platform}"
POSTGRES_PASSWORD: "${PLATFORM_DB_PASSWORD:-secret}"
POSTGRES_HOST_AUTH_METHOD: "${POSTGRES_AUTH_METHOD:-scram-sha-256}"
volumes:
- platform_pgdata:/var/lib/postgresql
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-platform} -d ${POSTGRES_DB:-remnacore}"]
interval: 10s
timeout: 5s
retries: 10
start_period: 30s
# ── Valkey (Redis-compatible) ───────────────────────────────────────────────
valkey:
restart: unless-stopped
mem_limit: ${VALKEY_MEM_LIMIT:-320m}
image: valkey/valkey:9-alpine
command: --maxmemory 256mb --maxmemory-policy allkeys-lru
# ── NATS with JetStream ────────────────────────────────────────────────────
nats:
restart: unless-stopped
mem_limit: ${NATS_MEM_LIMIT:-320m}
image: nats:2.12-alpine
command: --jetstream --store_dir /data --http_port 8222
volumes:
- nats_data:/data
# ── Remnawave Backend ──────────────────────────────────────────────────────
remnawave-backend:
restart: unless-stopped
mem_limit: ${REMNAWAVE_BACKEND_MEM_LIMIT:-1024m}
image: remnawave/backend:2
environment:
APP_PORT: "3000"
METRICS_PORT: "3001"
DATABASE_URL: "postgres://${REMNAWAVE_DB_USER:-remnawave}:${REMNAWAVE_DB_PASSWORD:-secret}@remnawave-db:5432/${REMNAWAVE_DB_NAME:-remnawave}?sslmode=disable"
JWT_AUTH_SECRET: "${REMNAWAVE_JWT_AUTH_SECRET:-changeme}"
JWT_API_TOKENS_SECRET: "${REMNAWAVE_JWT_API_TOKENS_SECRET:-changeme}"
SUB_PUBLIC_DOMAIN: "${SUB_PUBLIC_DOMAIN:-https://sub.example.com}"
PANEL_DOMAIN: "${PANEL_DOMAIN:-https://panel.example.com}"
FRONT_END_DOMAIN: "${FRONT_END_DOMAIN:-https://panel.example.com}"
METRICS_USER: "${METRICS_USER:-metrics}"
# Required (first-deploy.sh generates it) — never ship admin/admin.
METRICS_PASS: "${METRICS_PASS:?set METRICS_PASS in .env}"
REDIS_HOST: "remnawave-valkey"
REDIS_PORT: "6379"
IS_DOCS_ENABLED: "${IS_DOCS_ENABLED:-true}"
WEBHOOK_ENABLED: "true"
WEBHOOK_URL: "http://remnacore:4000/api/webhooks/remnawave"
WEBHOOK_SECRET_KEY: "${REMNAWAVE_WEBHOOK_SECRET:-changeme}"
WEBHOOK_SECRET_HEADER: "${REMNAWAVE_WEBHOOK_SECRET_HEADER:-abcdefghijklmnopqrstuvwxyz123456}"
ALLOW_PLAIN_HTTP: "true"
depends_on:
remnawave-db:
condition: service_healthy
remnawave-valkey:
condition: service_started
# ── Remnawave PostgreSQL ───────────────────────────────────────────────────
remnawave-db:
restart: unless-stopped
mem_limit: ${REMNAWAVE_DB_MEM_LIMIT:-768m}
image: postgres:17
environment:
POSTGRES_DB: "${REMNAWAVE_DB_NAME:-remnawave}"
POSTGRES_USER: "${REMNAWAVE_DB_USER:-remnawave}"
POSTGRES_PASSWORD: "${REMNAWAVE_DB_PASSWORD:-secret}"
volumes:
- remnawave_pgdata:/var/lib/postgresql/data
healthcheck:
test: ["CMD", "pg_isready", "-U", "remnawave", "-d", "remnawave"]
interval: 5s
timeout: 3s
retries: 5
# ── Remnawave Valkey ───────────────────────────────────────────────────────
remnawave-valkey:
restart: unless-stopped
mem_limit: ${REMNAWAVE_VALKEY_MEM_LIMIT:-320m}
image: valkey/valkey:9-alpine
# ── Caddy Reverse Proxy ─────────────────────────────────────────────────────
caddy:
image: caddy:2-alpine
ports:
- "80:80"
- "8080:8080"
- "8081:8081"
volumes:
- ./deploy/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
- ./web/cabinet/dist:/srv/cabinet:ro
- ./web/admin/dist:/srv/admin:ro
depends_on:
remnacore:
condition: service_healthy
remnawave-backend:
condition: service_started
restart: unless-stopped
volumes:
platform_pgdata:
remnawave_pgdata:
nats_data: