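services:
  web:
    container_name: caddy-proxy-manager-web
    # SUPPLY CHAIN: ":latest" is a moving tag, so an upstream push silently
    # changes what runs here. For production pin a version or a digest
    # (image: ...@sha256:<digest>) and bump it deliberately.
    image: ghcr.io/fuomag9/caddy-proxy-manager-web:latest
    build:
      context: .
      dockerfile: docker/web/Dockerfile
      args:
        # User and group IDs for rootless operation
        # Set these to match your host user to avoid permission issues
        # Find your UID/GID with: id -u / id -g
        PUID: ${PUID:-10001}
        PGID: ${PGID:-10001}
    restart: unless-stopped
    ports:
      # The admin UI is served over plain HTTP on 3000. The default (0.0.0.0)
      # publishes it on every host interface, which is the previous behaviour;
      # set WEB_BIND_ADDR=127.0.0.1 to keep it loopback-only and reach it
      # through Caddy (TLS) or an SSH tunnel instead.
      - "${WEB_BIND_ADDR:-0.0.0.0}:3000:3000"
    environment:
      # SECURITY: everything in this map is readable by anyone who can run
      # `docker inspect` on the container. Keep the values in an untracked
      # .env file; never hard-code secrets into this committed compose file.
      # Node environment
      NODE_ENV: production
      # REQUIRED: Session secret for encrypting cookies and sessions
      # Generate with: openssl rand -base64 32
      # SECURITY: You MUST set this to a unique value in production!
      # The ":?" form makes `docker compose up` fail fast instead of starting
      # with an empty secret.
      SESSION_SECRET: ${SESSION_SECRET:?ERROR - SESSION_SECRET is required}
      # Caddy API endpoint (internal communication).
      # Caddy's admin API is unauthenticated, so this URL must only ever point
      # at the internal caddy-network, never at a published port.
      CADDY_API_URL: ${CADDY_API_URL:-http://caddy:2019}
      # Public base URL for the application
      # Set this to the real https:// URL when the UI is reachable from
      # outside the host; the http://localhost default is for local use only.
      BASE_URL: ${BASE_URL:-http://localhost:3000}
      # Database configuration
      DATABASE_PATH: /app/data/caddy-proxy-manager.db
      DATABASE_URL: file:/app/data/caddy-proxy-manager.db
      # NextAuth configuration (same value as BASE_URL)
      NEXTAUTH_URL: ${BASE_URL:-http://localhost:3000}
      # REQUIRED: Admin credentials for login
      # SECURITY: You MUST set these to secure values in production!
      # Password must be 12+ chars with uppercase, lowercase, numbers, and special chars
      ADMIN_USERNAME: ${ADMIN_USERNAME:?ERROR - ADMIN_USERNAME is required}
      ADMIN_PASSWORD: ${ADMIN_PASSWORD:?ERROR - ADMIN_PASSWORD is required}
      # OAuth2/OIDC Authentication (Optional - works with Authentik, Authelia, Keycloak, etc.)
      OAUTH_ENABLED: ${OAUTH_ENABLED:-false}
      OAUTH_PROVIDER_NAME: ${OAUTH_PROVIDER_NAME:-OAuth2}
      OAUTH_CLIENT_ID: ${OAUTH_CLIENT_ID:-}
      OAUTH_CLIENT_SECRET: ${OAUTH_CLIENT_SECRET:-}
      OAUTH_ISSUER: ${OAUTH_ISSUER:-}
      OAUTH_AUTHORIZATION_URL: ${OAUTH_AUTHORIZATION_URL:-}
      OAUTH_TOKEN_URL: ${OAUTH_TOKEN_URL:-}
      OAUTH_USERINFO_URL: ${OAUTH_USERINFO_URL:-}
      # Off by default. NOTE(review): presumably links an OAuth identity to an
      # existing local account by a matching attribute (e.g. email); only
      # enable it if the IdP verifies that attribute, otherwise an attacker
      # who controls an unverified identity could take over the admin account.
      OAUTH_ALLOW_AUTO_LINKING: ${OAUTH_ALLOW_AUTO_LINKING:-false}
    group_add:
      - "${CADDY_GID:-10000}" # caddy's GID — lets the web user read /logs/access.log
    volumes:
      - caddy-manager-data:/app/data
      - geoip-data:/usr/share/GeoIP:ro,z
      - caddy-logs:/logs:ro
      # Read-only, but Caddy's /data holds its ACME account key and the site
      # private keys, so a compromised web container can still read them out.
      # TODO(review): confirm the UI needs more than certificate metadata here.
      - caddy-data:/caddy-data:ro
    depends_on:
      caddy:
        condition: service_healthy
    networks:
      - caddy-network
    healthcheck:
      test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000/api/health', (r) => process.exit(r.statusCode === 200 ? 0 : 1))"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

  caddy:
    container_name: caddy-proxy-manager-caddy
    # SUPPLY CHAIN: see the note on the web image — pin a version or digest.
    image: ghcr.io/fuomag9/caddy-proxy-manager-caddy:latest
    build:
      context: .
      dockerfile: docker/caddy/Dockerfile
      args:
        # User and group IDs for rootless operation
        # Set these to match your host user to avoid permission issues
        # Find your UID/GID with: id -u / id -g
        PUID: ${PUID:-10000}
        PGID: ${PGID:-10000}
    restart: unless-stopped
    ports:
      - "80:80"
      - "80:80/udp"
      - "443:443"
      - "443:443/udp"
      # Admin API (port 2019) is only exposed on internal network for security.
      # Web UI accesses via http://caddy:2019 internally. It is unauthenticated,
      # so every container on caddy-network can rewrite the whole Caddy config;
      # keep that network limited to the web service and never publish 2019.
      # Uncomment the line below to expose metrics externally for Grafana/Prometheus
      # - "9090:9090" # Metrics available at http://localhost:9090/metrics (configure in Settings first)
    environment:
      # Primary domain for Caddy configuration
      PRIMARY_DOMAIN: ${PRIMARY_DOMAIN:-caddyproxymanager.com}
    volumes:
      # /data holds ACME account and site private keys — treat it as a secret store.
      - caddy-data:/data
      - caddy-config:/config
      - caddy-logs:/logs
      - geoip-data:/usr/share/GeoIP:ro,z
    networks:
      - caddy-network
    healthcheck:
      # Probes the admin API on the container's own loopback; nothing is published.
      test: ["CMD", "wget", "--quiet", "--tries=1", "-O", "/dev/null", "http://localhost:2019/config/"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s

  geoipupdate:
    # NOTE: HOSTNAME is a shell variable, not usually present in .env; if it is
    # unset Compose substitutes an empty string and the name ends in "-".
    container_name: geoipupdate-${HOSTNAME}
    image: ghcr.io/maxmind/geoipupdate
    profiles: [geoipupdate]
    restart: always
    environment:
      GEOIPUPDATE_ACCOUNT_ID: ${GEOIPUPDATE_ACCOUNT_ID:-}
      GEOIPUPDATE_LICENSE_KEY: ${GEOIPUPDATE_LICENSE_KEY:-}
      GEOIPUPDATE_EDITION_IDS: 'GeoLite2-ASN GeoLite2-City GeoLite2-Country'
      GEOIPUPDATE_FREQUENCY: "72"
    volumes:
      - geoip-data:/usr/share/GeoIP:z
    # Deliberately NOT attached to caddy-network: this third-party container
    # only needs outbound access to MaxMind and the shared geoip-data volume,
    # and putting it on caddy-network would give it reach to Caddy's
    # unauthenticated admin API. Compose attaches it to the stack's default
    # bridge network, which still provides internet egress.

networks:
  caddy-network:
    driver: bridge

volumes:
  caddy-manager-data:
  caddy-data:
  caddy-config:
  caddy-logs:
  geoip-data: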