BudgetExperiment/docker-compose.pi.yml at main · becauseimclever/BudgetExperiment · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# Docker Compose configuration for Raspberry Pi deployment
# Pulls pre-built multi-architecture images from GitHub Container Registry
#
# Prerequisites:
# 1. Create a GitHub Personal Access Token (classic) with read:packages scope
# 2. Log in to ghcr.io: docker login ghcr.io -u YOUR_GITHUB_USERNAME -p YOUR_GITHUB_TOKEN
# 3. Create a .env file with your database connection string
#
# Usage:
#   docker-compose -f docker-compose.pi.yml up -d
#
# For a zero-config demo (bundled PostgreSQL, no auth), use docker-compose.demo.yml instead.
# For authentication provider setup, see docs/AUTH-PROVIDERS.md.
#
# Example .env file:
#   DB_CONNECTION_STRING=Host=your-db-server;Port=5432;Database=budgetexperiment;Username=your-user;Password=your-password
#   ENCRYPTION_MASTER_KEY=base64-encoded-32-byte-key
#   AUTHENTIK_ENABLED=true
#   AUTHENTIK_AUTHORITY=https://auth.example.com/application/o/budget-experiment/
#   AUTHENTIK_AUDIENCE=budget-experiment
#   AUTHENTIK_REQUIRE_HTTPS=true

services:
  budgetexperiment:
    image: ghcr.io/becauseimclever/budgetexperiment:3
    container_name: budgetexperiment
    ports:
      - "5099:8080"
    environment:
      # ASP.NET Core configuration
      - ASPNETCORE_ENVIRONMENT=Production
      - ASPNETCORE_URLS=http://+:8080

      # Database connection (from .env file or Docker secrets)
      - ConnectionStrings__AppDb=${DB_CONNECTION_STRING}

      # Feature 163 encryption key (required for encrypted financial data)
      - ENCRYPTION_MASTER_KEY=${ENCRYPTION_MASTER_KEY:?ENCRYPTION_MASTER_KEY must be set for production deployments}

      # Authentication (Authentik OIDC)
      - Authentication__Authentik__Enabled=${AUTHENTIK_ENABLED:-false}
      - Authentication__Authentik__Authority=${AUTHENTIK_AUTHORITY:-}
      - Authentication__Authentik__Audience=${AUTHENTIK_AUDIENCE:-}
      - Authentication__Authentik__RequireHttpsMetadata=${AUTHENTIK_REQUIRE_HTTPS:-true}

      # Logging
      - Logging__LogLevel__Default=Information
      - Logging__LogLevel__Microsoft.AspNetCore=Warning

      # CORS (adjust as needed for production)
      - AllowedHosts=*

    restart: unless-stopped

    # No container-level healthcheck — chiseled .NET images have no shell or curl.
    # Monitor via external HTTP access to /health endpoint.

    # Resource limits (adjust based on your Raspberry Pi model)
    deploy:
      resources:
        limits:
          cpus: '2'
          memory: 1G
        reservations:
          cpus: '0.5'
          memory: 256M

    # Network configuration
    networks:
      - budget-network

networks:
  budget-network:
    driver: bridge