-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcompose.yaml
107 lines (101 loc) · 3.63 KB
/
compose.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
services:
proxy:
image: traefik:v2.11.18
command:
- "--configFile=/etc/traefik/traefik.yaml"
ports:
- 80:80
- 443:443
env_file:
- .env
volumes:
- ./traefik.yaml:/etc/traefik/traefik.yaml:ro
- ./acme.json:/etc/traefik/acme.json
- /var/run/docker.sock:/var/run/docker.sock:ro
networks:
- web
labels:
- "traefik.enable=true"
- "traefik.http.routers.dashboard.rule=Host(`monitor.reo.pawel.in`)"
- "traefik.http.routers.dashboard.service=api@internal"
- "traefik.http.routers.dashboard.entrypoints=websecure"
- "traefik.http.routers.dashboard.tls.certresolver=letsencrypt"
- "traefik.http.routers.dashboard.middlewares=auth-middleware"
- "traefik.http.middlewares.auth-middleware.basicauth.users=admin:admin123"
frontend:
container_name: reo-client-v${TAG}
build:
context: ./web
dockerfile: Dockerfile
env_file:
- .env
networks:
- web
labels:
- "traefik.enable=true"
- "traefik.http.routers.frontend.rule=Host(`reo.pawel.in`)"
- "traefik.http.routers.frontend.entrypoints=websecure"
- "traefik.http.routers.frontend.tls.certresolver=letsencrypt"
- "traefik.http.services.frontend.loadbalancer.server.port=80"
# Security headers
- "traefik.http.middlewares.security-headers.headers.browserXssFilter=true"
- "traefik.http.middlewares.security-headers.headers.contentTypeNosniff=true"
- "traefik.http.middlewares.security-headers.headers.forceSTSHeader=true"
- "traefik.http.middlewares.security-headers.headers.stsIncludesSubdomains=true"
- "traefik.http.middlewares.security-headers.headers.stsPreload=true"
- "traefik.http.middlewares.security-headers.headers.stsSeconds=31536000"
# Rate limiting avg: 100, burst: 50
- "traefik.http.middlewares.rate-limit.ratelimit.average=100"
- "traefik.http.middlewares.rate-limit.ratelimit.burst=50"
# Apply middlewares
- "traefik.http.routers.frontend.middlewares=security-headers@docker,rate-limit@docker"
backend:
container_name: reo-server-v${TAG}
build:
context: ./api
dockerfile: Dockerfile
env_file:
- .env
networks:
- web
- internal
labels:
- "traefik.enable=true"
- "traefik.http.routers.backend.rule=Host(`reo.pawel.in`) && PathPrefix(`/api/`)"
- "traefik.http.routers.backend.entrypoints=websecure"
- "traefik.http.routers.backend.tls.certresolver=letsencrypt"
- "traefik.services.backend.loadbalancer.server.port=8000"
- "traefik.http.middlewares.api-security.headers.customResponseHeaders.Access-Control-Allow-Methods=GET,POST"
- "traefik.http.middlewares.api-security.headers.customResponseHeaders.Access-Control-Allow-Headers=Content-Type,Authorization"
- "traefik.http.middlewares.api-rate-limit.ratelimit.average=30"
- "traefik.http.middlewares.api-rate-limit.ratelimit.burst=10"
- "traefik.http.routers.backend.middlewares=api-security@docker,api-rate-limit@docker"
depends_on:
db:
condition: service_healthy
db:
image: postgres:16.6-alpine3.21
networks:
- internal
env_file:
- .env
volumes:
- postgres_data:/var/lib/postgresql/data
healthcheck:
test: ["CMD-SHELL", "pg_isready -U pawel -d reo-pb"]
interval: 5s
timeout: 5s
retries: 5
secrets:
- db_password
command: ["postgres", "-c", "log_statement=all", "-c", "log_connections=on"]
networks:
web:
external: true
internal:
internal: true
volumes:
postgres_data:
secrets:
db_password:
file: ./secrets/db_password.txt