siftlode/docker-compose.selfhost.yml

120 lines
4.3 KiB
YAML
Raw Normal View History

# Self-hosting Siftlode — pulls the prebuilt image, no source build needed.
#
# 1. Run ./install.sh (or install.ps1 on Windows) once — it generates a .env with secrets.
# 2. docker compose -f docker-compose.selfhost.yml up -d
# 3. Open the setup wizard at the URL printed in the logs:
# docker compose -f docker-compose.selfhost.yml logs api | grep SETUP
#
# The .env only needs four values (the install script generates all of them):
# POSTGRES_PASSWORD, SECRET_KEY, TOKEN_ENCRYPTION_KEY, OAUTH_REDIRECT_URL
# Everything else — the admin account, Google sign-in, SMTP — is set in the web wizard on
# first run. See docs/self-hosting.md.
services:
db:
image: postgres:16-alpine
environment:
POSTGRES_USER: ${POSTGRES_USER:-siftlode}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set (run install.sh)}
POSTGRES_DB: ${POSTGRES_DB:-siftlode}
volumes:
- siftlode_pgdata:/var/lib/postgresql/data
networks: [internal]
security_opt:
- no-new-privileges:true
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-siftlode} -d ${POSTGRES_DB:-siftlode}"]
interval: 10s
timeout: 5s
retries: 12
restart: unless-stopped
api:
image: forge.b1fr0st.eu/peter/siftlode:${IMAGE_TAG:-latest}
env_file:
- .env
environment:
DATABASE_URL: postgresql+psycopg://${POSTGRES_USER:-siftlode}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB:-siftlode}
# This instance owns the background scheduler (single writer).
SCHEDULER_ENABLED: "true"
# Download center: the API serves finished files + builds filmstrips; the worker (below) runs
# the yt-dlp job loop. Read-only root is fine — it only writes to the /downloads mount + tmpfs.
DOWNLOAD_ROOT: /downloads
WORKER_ENABLED: "false"
depends_on:
db:
condition: service_healthy
networks: [internal]
ports:
# Reachable on the host's LAN at http://<host>:8080. Put a reverse proxy (Caddy/Nginx) in
# front for HTTPS / public exposure — and set OAUTH_REDIRECT_URL to the https URL.
- "${HTTP_PORT:-8080}:8000"
volumes:
# Downloaded media. Defaults to a Docker-managed named volume; set DOWNLOAD_HOST_PATH in .env
# to a host directory (e.g. one your Plex server reads) to keep the Plex-style tree there.
- ${DOWNLOAD_HOST_PATH:-siftlode_downloads}:/downloads
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
read_only: true
tmpfs:
- /tmp
healthcheck:
test: ["CMD", "python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://localhost:8000/healthz').status==200 else 1)"]
interval: 15s
timeout: 5s
retries: 5
start_period: 30s
restart: unless-stopped
# Download worker: same image, runs the yt-dlp / ffmpeg job loop instead of the API. Shares the
# DB (job queue) and the downloads mount with the API. Not read-only (yt-dlp/deno/ffmpeg write to
# $HOME caches + the staging dir).
worker:
image: forge.b1fr0st.eu/peter/siftlode:${IMAGE_TAG:-latest}
command: ["python", "-m", "app.worker"]
env_file:
- .env
environment:
DATABASE_URL: postgresql+psycopg://${POSTGRES_USER:-siftlode}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB:-siftlode}
SCHEDULER_ENABLED: "false"
DOWNLOAD_ROOT: /downloads
WORKER_ENABLED: "true"
depends_on:
db:
condition: service_healthy
# Start only after the API is healthy (it applies the DB migrations on startup), so the
# download tables exist before the worker touches them.
api:
condition: service_healthy
bgutil-pot:
condition: service_started
networks: [internal]
volumes:
- ${DOWNLOAD_HOST_PATH:-siftlode_downloads}:/downloads
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
tmpfs:
- /tmp
restart: unless-stopped
# PO-token provider sidecar: mints YouTube Proof-of-Origin tokens so the worker beats bot-detection
# and unlocks high-quality formats (reached at http://bgutil-pot:4416, the config default).
bgutil-pot:
image: brainicism/bgutil-ytdlp-pot-provider:1.3.1
init: true
networks: [internal]
security_opt:
- no-new-privileges:true
restart: unless-stopped
volumes:
siftlode_pgdata:
siftlode_downloads:
networks:
internal: