-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdocker-compose.yml
More file actions
91 lines (88 loc) · 3.79 KB
/
Copy pathdocker-compose.yml
File metadata and controls
91 lines (88 loc) · 3.79 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
services:
api:
build: .
ports:
- "8080:8080"
environment:
# Development enables auto-migration and ephemeral signing keys for a
# local quickstart. Do NOT expose this stack to the internet as-is: set
# ASPNETCORE_ENVIRONMENT=Production (which additionally enforces signing
# certificates and refuses the password grant), apply migrations
# externally, and trust your reverse proxy via a comma-separated
# ForwardedHeaders__KnownProxies=10.0.0.5,10.0.0.6 (or
# ForwardedHeaders__KnownNetworks=10.0.0.0/8). Without it X-Forwarded-For
# is ignored and per-IP rate limiting keys every client to the proxy IP.
ASPNETCORE_ENVIRONMENT: Development
Database__DefaultConnection: "Host=postgres;Port=5432;Database=simplemodule;Username=simplemodule;Password=${POSTGRES_PASSWORD:-simplemodule}"
Database__Provider: PostgreSQL
# Set to your public URL so OpenIddict registers correct redirect URIs.
# Examples: https://app.simplemodule.dev, http://localhost:8080
OpenIddict__BaseUrl: ${APP_BASE_URL:-http://localhost:8080}
# The ROPC password grant stays off even in this Development quickstart —
# combined with seeded credentials it would hand out fully-privileged
# tokens with a single POST /connect/token.
OpenIddict__AllowPasswordGrant: "false"
# Required: password for the seeded admin account. There is deliberately
# no default — put SEED_ADMIN_PASSWORD in your .env file.
Seed__AdminPassword: ${SEED_ADMIN_PASSWORD:?Set SEED_ADMIN_PASSWORD in .env}
# Optional: password for the seeded demo user (outside Development the
# demo user is skipped entirely when this is unset).
Seed__UserPassword: ${SEED_USER_PASSWORD:-}
# api stays in Producer mode — it enqueues jobs but never runs them.
# All IModuleJob execution lives in the worker service below.
BackgroundJobs__WorkerMode: Producer
volumes:
# Shared with the worker so uploaded blobs are visible to both
# producer (web upload path) and consumer (background job path).
- storage_data:/app/storage
depends_on:
postgres:
condition: service_healthy
healthcheck:
test: ["CMD-SHELL", "curl -sf http://localhost:8080/health/live || exit 1"]
interval: 30s
timeout: 5s
start_period: 15s
retries: 3
restart: unless-stopped
worker:
build:
context: .
dockerfile: Dockerfile.worker
environment:
DOTNET_ENVIRONMENT: Development
Database__DefaultConnection: "Host=postgres;Port=5432;Database=simplemodule;Username=simplemodule;Password=${POSTGRES_PASSWORD:-simplemodule}"
Database__Provider: PostgreSQL
BackgroundJobs__WorkerMode: Consumer
# The worker runs the same module set as the api, including the user
# seeder. It must see the SAME seed passwords — otherwise whichever
# process wins the startup race seeds the admin account, and a worker
# without these would silently seed the compiled-in default password,
# defeating the api's required SEED_ADMIN_PASSWORD.
Seed__AdminPassword: ${SEED_ADMIN_PASSWORD:?Set SEED_ADMIN_PASSWORD in .env}
Seed__UserPassword: ${SEED_USER_PASSWORD:-}
volumes:
- storage_data:/app/storage
depends_on:
postgres:
condition: service_healthy
restart: unless-stopped
postgres:
image: postgres:17
environment:
POSTGRES_USER: simplemodule
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-simplemodule}
POSTGRES_DB: simplemodule
ports:
- "5432:5432"
volumes:
- pgdata:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U simplemodule"]
interval: 10s
timeout: 5s
retries: 5
restart: unless-stopped
volumes:
pgdata:
storage_data: