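# Production-ready config.
# Dev overrides are in docker-compose.override.yml.
# Docker Compose auto-loads both files during normal local `docker compose` commands.
# On a production host run `docker compose -f docker-compose.yml ...` (or keep the
# override file out of the deployed checkout) so dev-only settings are never
# merged into the production stack by accident.

# THE NETWORK: All containers that need to talk to each other must be here.
# Traefik routes traffic -> needs to reach containers -> must be in same network.
networks:
  deeploy:
    # Fixed name so Go code can join new containers to this network
    # See: internal/server/docker/docker.go -> NetworkName -> RunContainer()
    name: deeploy

services:
  traefik:
    # Pinned to a minor version. For a tamper-evident deploy, pin the digest too
    # (traefik:v3.6@sha256:...) so a re-tagged image cannot change what runs.
    image: traefik:v3.6
    container_name: deeploy-traefik
    networks:
      - deeploy
    # Hardening: the Traefik process (and anything it execs) cannot gain
    # privileges through setuid binaries or file capabilities.
    security_opt:
      - no-new-privileges:true
    command:
      #─────────────────────────────────────────────────────────────────────────
      # DOCKER PROVIDER
      # Traefik auto-discovers containers and reads their labels for routing
      #─────────────────────────────────────────────────────────────────────────
      # Enable Docker provider: auto-discover containers with traefik labels
      - "--providers.docker=true"
      # Security: Don't expose containers unless they have traefik.enable=true
      # NOTE: any container on this host that carries traefik.enable=true is
      # routed. Labels on workloads that deeploy starts are therefore trusted
      # routing input; a workload that sets a Host() rule for someone else's
      # domain can capture that traffic.
      - "--providers.docker.exposedbydefault=false"
      # Network: Which Docker network to use when connecting to containers
      - "--providers.docker.network=deeploy"
      #─────────────────────────────────────────────────────────────────────────
      # ENTRYPOINTS (Ports where Traefik listens for traffic)
      #─────────────────────────────────────────────────────────────────────────
      # HTTP entrypoint on port 80
      # Used for: ACME HTTP challenge + redirect to HTTPS
      - "--entrypoints.web.address=:80"
      # HTTPS entrypoint on port 443
      # Used for: All actual traffic (encrypted)
      - "--entrypoints.websecure.address=:443"
      # Auto-redirect: HTTP → HTTPS
      # When someone visits http://... they get redirected to https://...
      # This ensures no accidental unencrypted traffic
      # (Traefik answers /.well-known/acme-challenge/ itself before the
      # redirect applies, so the HTTP challenge below still works.)
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      #─────────────────────────────────────────────────────────────────────────
      # ACME / LET'S ENCRYPT (Automatic SSL Certificates)
      # ACME = Automatic Certificate Management Environment
      #─────────────────────────────────────────────────────────────────────────
      # Enable HTTP challenge for certificate verification
      # How it works:
      # 1. Traefik asks Let's Encrypt for a certificate
      # 2. Let's Encrypt visits http://yourdomain/.well-known/acme-challenge/xxx
      # 3. Traefik responds with a secret token (proves we control the domain)
      # 4. Let's Encrypt issues the certificate
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
      # Which entrypoint to use for the HTTP challenge (must be port 80)
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      # No --certificatesresolvers.letsencrypt.acme.email is set. Registration
      # works without one, but expiry/revocation notices from the CA then have
      # nowhere to go; consider adding it (e.g. from an ACME_EMAIL variable).
      # Where to store certificates (persisted via volume)
      # IMPORTANT: Without persistence, new certs are requested on every restart
      # Rate limit: Max 50 certificates per week per registered domain, plus a
      # lower duplicate-certificate limit that a restart loop hits first.
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      #─────────────────────────────────────────────────────────────────────────
      # FILE PROVIDER
      # Traefik watches YAML files for dynamic routing configuration
      # Used for: Server domain routing (deeploy-app writes config files here)
      #─────────────────────────────────────────────────────────────────────────
      - "--providers.file.directory=/traefik/dynamic"
      - "--providers.file.watch=true"
    ports:
      # HTTP traffic (port 80) - used for ACME challenge + redirect to HTTPS
      - "80:80"
      # HTTPS traffic (port 443) - all actual encrypted traffic
      - "443:443"
    volumes:
      # Docker socket: Traefik reads container labels to configure routing.
      # NOTE: `:ro` only makes the bind mount read-only. It does NOT limit the
      # Docker API: a compromised Traefik can still connect to the socket and
      # drive the daemon (start privileged containers, read other containers'
      # environment). If that matters, put a socket proxy that only permits the
      # read-only endpoints Traefik needs between Traefik and the daemon.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Let's Encrypt state: acme.json holds the ACME account key and every
      # certificate's private key. Traefik creates it as mode 0600 and refuses
      # to use it otherwise; never copy it somewhere world-readable.
      # Without this volume, Traefik would request new certs on every restart
      # and hit Let's Encrypt rate limits (50 certs/week/registered domain)
      - letsencrypt_certs:/letsencrypt
      # Dynamic config: deeploy-app writes, Traefik only reads -> mounted
      # read-only here so Traefik cannot alter its own routing files.
      # (File-provider watch still works on a read-only mount.)
      - /opt/deeploy/traefik:/traefik/dynamic:ro
    restart: unless-stopped

  deeploy:
    # DEEPLOY_VERSION defaults to `latest`. In production set it to a release
    # tag (or digest) so a registry push cannot silently change what runs.
    image: ghcr.io/deeploy-sh/deeploy:${DEEPLOY_VERSION:-latest}
    container_name: deeploy-app
    networks:
      - deeploy
    ports:
      # The app's own listener, published as plain HTTP on every host interface,
      # i.e. it bypasses Traefik's TLS termination and HTTPS redirect.
      # If the UI/API is reached through Traefik, bind it to the host loopback
      # ("127.0.0.1:8090:8090") or move this mapping into the dev override.
      - "8090:8090"
    volumes:
      # Docker socket, read-write: the app builds images and starts/stops
      # containers through the host daemon (the Go Docker SDK needs it).
      # This is root-equivalent access to the host: anyone who controls this
      # container controls the machine. Keep the app's own auth (JWT_SECRET
      # below) and port exposure locked down accordingly.
      - /var/run/docker.sock:/var/run/docker.sock
      # Dynamic config: App writes Traefik config files here (server domain
      # routing). Write access here = control over where every hostname that
      # Traefik serves is routed.
      - /opt/deeploy/traefik:/traefik/dynamic
      # SQLite database file
      - /opt/deeploy/data:/data
    environment:
      APP_ENV: production
      # `${VAR:?message}` makes `docker compose` refuse to start when the
      # variable is unset or empty. A plain `${VAR}` would substitute "" with
      # only a warning and launch the app with an empty signing/encryption key.
      JWT_SECRET: "${JWT_SECRET:?JWT_SECRET must be set to a long random secret}"
      ENCRYPTION_KEY: "${ENCRYPTION_KEY:?ENCRYPTION_KEY must be set}"
    restart: unless-stopped

volumes:
  # Let's Encrypt certificates storage (acme.json: account key + cert private keys)
  # Persists SSL certs across container restarts to avoid rate limits
  letsencrypt_certs: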