68 lines
2.3 KiB
YAML
68 lines
2.3 KiB
YAML
|
|
# Self-hosting Siftlode — pulls the prebuilt image, no source build needed.
|
||
|
|
#
|
||
|
|
# 1. Run ./install.sh (or install.ps1 on Windows) once — it generates a .env with secrets.
|
||
|
|
# 2. docker compose -f docker-compose.selfhost.yml up -d
|
||
|
|
# 3. Open the setup wizard at the URL printed in the logs:
|
||
|
|
# docker compose -f docker-compose.selfhost.yml logs api | grep SETUP
|
||
|
|
#
|
||
|
|
# The .env only needs four values (the install script generates all of them):
|
||
|
|
# POSTGRES_PASSWORD, SECRET_KEY, TOKEN_ENCRYPTION_KEY, OAUTH_REDIRECT_URL
|
||
|
|
# Everything else — the admin account, Google sign-in, SMTP — is set in the web wizard on
|
||
|
|
# first run. See docs/self-hosting.md.
|
||
|
|
|
||
|
|
services:
|
||
|
|
db:
|
||
|
|
image: postgres:16-alpine
|
||
|
|
environment:
|
||
|
|
POSTGRES_USER: ${POSTGRES_USER:-subfeed}
|
||
|
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set (run install.sh)}
|
||
|
|
POSTGRES_DB: ${POSTGRES_DB:-subfeed}
|
||
|
|
volumes:
|
||
|
|
- siftlode_pgdata:/var/lib/postgresql/data
|
||
|
|
networks: [internal]
|
||
|
|
security_opt:
|
||
|
|
- no-new-privileges:true
|
||
|
|
healthcheck:
|
||
|
|
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-subfeed} -d ${POSTGRES_DB:-subfeed}"]
|
||
|
|
interval: 10s
|
||
|
|
timeout: 5s
|
||
|
|
retries: 12
|
||
|
|
restart: unless-stopped
|
||
|
|
|
||
|
|
api:
|
||
|
|
image: forge.b1fr0st.eu/peter/siftlode:${IMAGE_TAG:-latest}
|
||
|
|
env_file:
|
||
|
|
- .env
|
||
|
|
environment:
|
||
|
|
DATABASE_URL: postgresql+psycopg://${POSTGRES_USER:-subfeed}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB:-subfeed}
|
||
|
|
# This instance owns the background scheduler (single writer).
|
||
|
|
SCHEDULER_ENABLED: "true"
|
||
|
|
depends_on:
|
||
|
|
db:
|
||
|
|
condition: service_healthy
|
||
|
|
networks: [internal]
|
||
|
|
ports:
|
||
|
|
# Reachable on the host's LAN at http://<host>:8080. Put a reverse proxy (Caddy/Nginx) in
|
||
|
|
# front for HTTPS / public exposure — and set OAUTH_REDIRECT_URL to the https URL.
|
||
|
|
- "${HTTP_PORT:-8080}:8000"
|
||
|
|
security_opt:
|
||
|
|
- no-new-privileges:true
|
||
|
|
cap_drop:
|
||
|
|
- ALL
|
||
|
|
read_only: true
|
||
|
|
tmpfs:
|
||
|
|
- /tmp
|
||
|
|
healthcheck:
|
||
|
|
test: ["CMD", "python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://localhost:8000/healthz').status==200 else 1)"]
|
||
|
|
interval: 15s
|
||
|
|
timeout: 5s
|
||
|
|
retries: 5
|
||
|
|
start_period: 30s
|
||
|
|
restart: unless-stopped
|
||
|
|
|
||
|
|
volumes:
|
||
|
|
siftlode_pgdata:
|
||
|
|
|
||
|
|
networks:
|
||
|
|
internal:
|