-
-
Notifications
You must be signed in to change notification settings - Fork 16
Expand file tree
/
Copy pathdocker-compose.yml
More file actions
252 lines (236 loc) · 9.25 KB
/
Copy pathdocker-compose.yml
File metadata and controls
252 lines (236 loc) · 9.25 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
services:
web:
container_name: caddy-proxy-manager-web
image: ghcr.io/fuomag9/caddy-proxy-manager-web:latest
build:
context: .
dockerfile: docker/web/Dockerfile
args:
# User and group IDs for rootless operation
# Set these to match your host user to avoid permission issues
# Find your UID/GID with: id -u / id -g
PUID: ${PUID:-10001}
PGID: ${PGID:-10001}
restart: unless-stopped
ports:
- "3000:3000"
environment:
# Node environment
NODE_ENV: production
# REQUIRED: Session secret for encrypting cookies and sessions
# Generate with: openssl rand -base64 32
# SECURITY: You MUST set this to a unique value in production!
SESSION_SECRET: ${SESSION_SECRET:?ERROR - SESSION_SECRET is required}
# Caddy API endpoint (internal communication)
CADDY_API_URL: ${CADDY_API_URL:-http://caddy:2019}
# Public base URL for the application
BASE_URL: ${BASE_URL:-http://localhost:3000}
# Database configuration
DATABASE_PATH: /app/data/caddy-proxy-manager.db
DATABASE_URL: file:/app/data/caddy-proxy-manager.db
# NextAuth configuration
NEXTAUTH_URL: ${BASE_URL:-http://localhost:3000}
# REQUIRED: Admin credentials for login
# SECURITY: You MUST set these to secure values in production!
# Password must be 12+ chars with uppercase, lowercase, numbers, and special chars
ADMIN_USERNAME: ${ADMIN_USERNAME:?ERROR - ADMIN_USERNAME is required}
ADMIN_PASSWORD: ${ADMIN_PASSWORD:?ERROR - ADMIN_PASSWORD is required}
# Email/password self-registration is disabled unless explicitly enabled
AUTH_ALLOW_SELF_REGISTRATION: ${AUTH_ALLOW_SELF_REGISTRATION:-false}
# OAuth2/OIDC Authentication (Optional - works with Authentik, Authelia, Keycloak, etc.)
OAUTH_ENABLED: ${OAUTH_ENABLED:-false}
OAUTH_PROVIDER_NAME: ${OAUTH_PROVIDER_NAME:-OAuth2}
OAUTH_CLIENT_ID: ${OAUTH_CLIENT_ID:-}
OAUTH_CLIENT_SECRET: ${OAUTH_CLIENT_SECRET:-}
OAUTH_ISSUER: ${OAUTH_ISSUER:-}
OAUTH_AUTHORIZATION_URL: ${OAUTH_AUTHORIZATION_URL:-}
OAUTH_TOKEN_URL: ${OAUTH_TOKEN_URL:-}
OAUTH_USERINFO_URL: ${OAUTH_USERINFO_URL:-}
OAUTH_ALLOW_AUTO_LINKING: ${OAUTH_ALLOW_AUTO_LINKING:-false}
# ClickHouse analytics database (optional — omit CLICKHOUSE_PASSWORD to disable analytics)
CLICKHOUSE_URL: ${CLICKHOUSE_URL:-http://clickhouse:8123}
CLICKHOUSE_USER: ${CLICKHOUSE_USER:-cpm}
CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD:-}
CLICKHOUSE_DB: ${CLICKHOUSE_DB:-analytics}
# Days of analytics data to keep before TTL deletes it (default 30)
CLICKHOUSE_RETENTION_DAYS: ${CLICKHOUSE_RETENTION_DAYS:-30}
group_add:
- "${CADDY_GID:-10000}" # caddy's GID — lets the web user read /logs/access.log
volumes:
- caddy-manager-data:/app/data
- geoip-data:/usr/share/GeoIP:ro,z
- caddy-logs:/logs:ro
# Custom ACME CA root PEM written here by web, read by caddy (issue #192)
- acme-ca:/acme-ca
depends_on:
caddy:
condition: service_healthy
clickhouse:
condition: service_healthy
required: false
networks:
- caddy-network
healthcheck:
test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000/api/health',r=>{process.exit(r.statusCode<400?0:1)}).on('error',()=>process.exit(1))"]
interval: 30s
timeout: 10s
retries: 3
start_period: 40s
caddy:
container_name: caddy-proxy-manager-caddy
image: ghcr.io/fuomag9/caddy-proxy-manager-caddy:latest
build:
context: .
dockerfile: docker/caddy/Dockerfile
args:
# User and group IDs for rootless operation
# Set these to match your host user to avoid permission issues
# Find your UID/GID with: id -u / id -g
PUID: ${PUID:-10000}
PGID: ${PGID:-10000}
restart: unless-stopped
ports:
- "80:80"
- "80:80/udp"
- "443:443"
- "443:443/udp"
# - "2019:2019" # Admin API
# Admin API (port 2019) is only exposed on internal network for security, enable at your risk
# Web UI accesses via http://caddy:2019 internally
# Uncomment the line below to expose metrics externally for Grafana/Prometheus
# - "9090:9090" # Metrics available at http://localhost:9090/metrics (configure in Settings first)
environment:
# Primary domain for Caddy configuration
PRIMARY_DOMAIN: ${PRIMARY_DOMAIN:-caddyproxymanager.com}
volumes:
- caddy-data:/data
- caddy-config:/config
- caddy-logs:/logs
- geoip-data:/usr/share/GeoIP:ro,z
# Custom ACME CA root PEM written by web, read here for trusted_roots_pem_files (issue #192)
- acme-ca:/acme-ca:ro
networks:
- caddy-network
healthcheck:
test: ["CMD", "wget", "--quiet", "--tries=1", "-O", "/dev/null", "http://localhost:2019/config/"]
interval: 30s
timeout: 10s
retries: 3
start_period: 10s
# Docker socket proxy — restricts API surface exposed to l4-port-manager.
# Allows container management and network inspection (needed by docker compose up
# to inspect caddy-network when recreating the caddy container for L4 port changes).
docker-socket-proxy:
container_name: caddy-proxy-manager-docker-proxy
image: tecnativa/docker-socket-proxy:latest
restart: unless-stopped
environment:
CONTAINERS: 1
POST: 1
NETWORKS: 1
VOLUMES: 1
IMAGES: 1
SECRETS: 0
# Deny everything else by default
EXEC: 0
SWARM: 0
AUTH: 0
BUILD: 0
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
# Security: keep the socket proxy off the shared app network. Only the
# l4-port-manager sidecar needs to reach its container-create API; exposing
# it to web/caddy/clickhouse would turn any container compromise into host
# root (POST + CONTAINERS = create a privileged container that mounts the
# host fs). This network is `internal: true` (no egress) and carries only
# the proxy + sidecar.
networks:
- socket-proxy
# L4 Port Manager sidecar — automatically recreates the caddy container
# when L4 proxy host ports change.
# Uses Docker socket proxy instead of direct Docker socket access.
l4-port-manager:
container_name: caddy-proxy-manager-l4-ports
image: ghcr.io/fuomag9/caddy-proxy-manager-l4-port-manager:latest
build:
context: .
dockerfile: docker/l4-port-manager/Dockerfile
restart: unless-stopped
environment:
DATA_DIR: /data
COMPOSE_DIR: /compose
POLL_INTERVAL: "${L4_PORT_MANAGER_POLL_INTERVAL:-2}"
DOCKER_HOST: tcp://docker-socket-proxy:2375
volumes:
- caddy-manager-data:/data
- .:/compose:ro
depends_on:
caddy:
condition: service_healthy
docker-socket-proxy:
condition: service_started
# Reaches Docker only via the socket proxy (over the isolated socket-proxy
# network) and recreates caddy through the mounted compose dir — it does not
# need the shared app network.
networks:
- socket-proxy
clickhouse:
container_name: caddy-proxy-manager-clickhouse
image: clickhouse/clickhouse-server:latest-alpine
profiles: [clickhouse]
restart: always
environment:
CLICKHOUSE_DB: ${CLICKHOUSE_DB:-analytics}
CLICKHOUSE_USER: ${CLICKHOUSE_USER:-cpm}
CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD:?ERROR - CLICKHOUSE_PASSWORD is required}
CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT: 1
volumes:
- clickhouse-data:/var/lib/clickhouse
# Mount only our single override file, not the whole config.d directory.
# Bind-mounting the directory would shadow the image's docker_related_config.xml
# (which sets listen_host to ::/0.0.0.0), leaving ClickHouse bound to loopback
# only so the web container could no longer reach it.
- ./docker/clickhouse/config.d/low-disk-write.xml:/etc/clickhouse-server/config.d/low-disk-write.xml:ro
networks:
- caddy-network
healthcheck:
test: ["CMD-SHELL", "clickhouse-client --user ${CLICKHOUSE_USER:-cpm} --password ${CLICKHOUSE_PASSWORD:?ERROR - CLICKHOUSE_PASSWORD is required} --query 'SELECT 1'"]
interval: 30s
timeout: 10s
retries: 5
start_period: 30s
ulimits:
nofile:
soft: 262144
hard: 262144
geoipupdate:
container_name: geoipupdate-${HOSTNAME}
image: ghcr.io/maxmind/geoipupdate
profiles: [geoipupdate]
restart: always
environment:
- GEOIPUPDATE_ACCOUNT_ID=${GEOIPUPDATE_ACCOUNT_ID:-}
- GEOIPUPDATE_LICENSE_KEY=${GEOIPUPDATE_LICENSE_KEY:-}
- 'GEOIPUPDATE_EDITION_IDS=GeoLite2-ASN GeoLite2-City GeoLite2-Country'
- GEOIPUPDATE_FREQUENCY=72
volumes:
- geoip-data:/usr/share/GeoIP:z
networks:
- caddy-network
networks:
caddy-network:
driver: bridge
# Isolated network for the Docker socket proxy and the l4-port-manager sidecar
# only. `internal: true` prevents external connectivity; no other service is
# attached, so a compromise of web/caddy/etc. cannot reach the socket proxy.
socket-proxy:
driver: bridge
internal: true
volumes:
caddy-manager-data:
caddy-data:
caddy-config:
caddy-logs:
geoip-data:
clickhouse-data:
acme-ca: