# Self-hosting Siftlode — pulls the prebuilt image, no source build needed. # # 1. Run ./install.sh (or install.ps1 on Windows) once — it generates a .env with secrets. # 2. docker compose -f docker-compose.selfhost.yml up -d # 3. Open the setup wizard at the URL printed in the logs: # docker compose -f docker-compose.selfhost.yml logs api | grep SETUP # # The .env only needs four values (the install script generates all of them): # POSTGRES_PASSWORD, SECRET_KEY, TOKEN_ENCRYPTION_KEY, OAUTH_REDIRECT_URL # Everything else — the admin account, Google sign-in, SMTP — is set in the web wizard on # first run. See docs/self-hosting.md. services: db: image: postgres:16-alpine environment: POSTGRES_USER: ${POSTGRES_USER:-siftlode} POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set (run install.sh)} POSTGRES_DB: ${POSTGRES_DB:-siftlode} volumes: - siftlode_pgdata:/var/lib/postgresql/data networks: [internal] security_opt: - no-new-privileges:true healthcheck: test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-siftlode} -d ${POSTGRES_DB:-siftlode}"] interval: 10s timeout: 5s retries: 12 restart: unless-stopped api: image: forge.b1fr0st.eu/peter/siftlode:${IMAGE_TAG:-latest} env_file: - .env environment: DATABASE_URL: postgresql+psycopg://${POSTGRES_USER:-siftlode}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB:-siftlode} # This instance owns the background scheduler (single writer). SCHEDULER_ENABLED: "true" # Download center: the API serves finished files + builds filmstrips; the worker (below) runs # the yt-dlp job loop. Read-only root is fine — it only writes to the /downloads mount + tmpfs. DOWNLOAD_ROOT: /downloads WORKER_ENABLED: "false" depends_on: db: condition: service_healthy networks: [internal] ports: # Reachable on the host's LAN at http://:8080. Put a reverse proxy (Caddy/Nginx) in # front for HTTPS / public exposure — and set OAUTH_REDIRECT_URL to the https URL. - "${HTTP_PORT:-8080}:8000" volumes: # Downloaded media. Defaults to a Docker-managed named volume; set DOWNLOAD_HOST_PATH in .env # to a host directory (e.g. one your Plex server reads) to keep the Plex-style tree there. - ${DOWNLOAD_HOST_PATH:-siftlode_downloads}:/downloads security_opt: - no-new-privileges:true cap_drop: - ALL read_only: true tmpfs: - /tmp healthcheck: test: ["CMD", "python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://localhost:8000/healthz').status==200 else 1)"] interval: 15s timeout: 5s retries: 5 start_period: 30s restart: unless-stopped # Download worker: same image, runs the yt-dlp / ffmpeg job loop instead of the API. Shares the # DB (job queue) and the downloads mount with the API. Not read-only (yt-dlp/deno/ffmpeg write to # $HOME caches + the staging dir). worker: image: forge.b1fr0st.eu/peter/siftlode:${IMAGE_TAG:-latest} command: ["python", "-m", "app.worker"] env_file: - .env environment: DATABASE_URL: postgresql+psycopg://${POSTGRES_USER:-siftlode}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB:-siftlode} SCHEDULER_ENABLED: "false" DOWNLOAD_ROOT: /downloads WORKER_ENABLED: "true" depends_on: db: condition: service_healthy bgutil-pot: condition: service_started networks: [internal] volumes: - ${DOWNLOAD_HOST_PATH:-siftlode_downloads}:/downloads security_opt: - no-new-privileges:true cap_drop: - ALL tmpfs: - /tmp restart: unless-stopped # PO-token provider sidecar: mints YouTube Proof-of-Origin tokens so the worker beats bot-detection # and unlocks high-quality formats (reached at http://bgutil-pot:4416, the config default). bgutil-pot: image: brainicism/bgutil-ytdlp-pot-provider:1.3.1 init: true networks: [internal] security_opt: - no-new-privileges:true restart: unless-stopped volumes: siftlode_pgdata: siftlode_downloads: networks: internal: