The worker and API start in parallel; the API applies migrations on its own startup, so on a fresh deploy the worker hit a missing download_jobs table and crash-looped until migrations landed. The worker now polls for the schema before recovering orphans, and (belt-and-suspenders) the compose files gate it on the API being healthy. Fixes the observed prod restart-loop on the v0.22.0 deploy.
119 lines
4.3 KiB
YAML
119 lines
4.3 KiB
YAML
# Self-hosting Siftlode — pulls the prebuilt image, no source build needed.
|
|
#
|
|
# 1. Run ./install.sh (or install.ps1 on Windows) once — it generates a .env with secrets.
|
|
# 2. docker compose -f docker-compose.selfhost.yml up -d
|
|
# 3. Open the setup wizard at the URL printed in the logs:
|
|
# docker compose -f docker-compose.selfhost.yml logs api | grep SETUP
|
|
#
|
|
# The .env only needs four values (the install script generates all of them):
|
|
# POSTGRES_PASSWORD, SECRET_KEY, TOKEN_ENCRYPTION_KEY, OAUTH_REDIRECT_URL
|
|
# Everything else — the admin account, Google sign-in, SMTP — is set in the web wizard on
|
|
# first run. See docs/self-hosting.md.
|
|
|
|
services:
|
|
db:
|
|
image: postgres:16-alpine
|
|
environment:
|
|
POSTGRES_USER: ${POSTGRES_USER:-siftlode}
|
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set (run install.sh)}
|
|
POSTGRES_DB: ${POSTGRES_DB:-siftlode}
|
|
volumes:
|
|
- siftlode_pgdata:/var/lib/postgresql/data
|
|
networks: [internal]
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-siftlode} -d ${POSTGRES_DB:-siftlode}"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 12
|
|
restart: unless-stopped
|
|
|
|
api:
|
|
image: forge.b1fr0st.eu/peter/siftlode:${IMAGE_TAG:-latest}
|
|
env_file:
|
|
- .env
|
|
environment:
|
|
DATABASE_URL: postgresql+psycopg://${POSTGRES_USER:-siftlode}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB:-siftlode}
|
|
# This instance owns the background scheduler (single writer).
|
|
SCHEDULER_ENABLED: "true"
|
|
# Download center: the API serves finished files + builds filmstrips; the worker (below) runs
|
|
# the yt-dlp job loop. Read-only root is fine — it only writes to the /downloads mount + tmpfs.
|
|
DOWNLOAD_ROOT: /downloads
|
|
WORKER_ENABLED: "false"
|
|
depends_on:
|
|
db:
|
|
condition: service_healthy
|
|
networks: [internal]
|
|
ports:
|
|
# Reachable on the host's LAN at http://<host>:8080. Put a reverse proxy (Caddy/Nginx) in
|
|
# front for HTTPS / public exposure — and set OAUTH_REDIRECT_URL to the https URL.
|
|
- "${HTTP_PORT:-8080}:8000"
|
|
volumes:
|
|
# Downloaded media. Defaults to a Docker-managed named volume; set DOWNLOAD_HOST_PATH in .env
|
|
# to a host directory (e.g. one your Plex server reads) to keep the Plex-style tree there.
|
|
- ${DOWNLOAD_HOST_PATH:-siftlode_downloads}:/downloads
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
cap_drop:
|
|
- ALL
|
|
read_only: true
|
|
tmpfs:
|
|
- /tmp
|
|
healthcheck:
|
|
test: ["CMD", "python", "-c", "import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://localhost:8000/healthz').status==200 else 1)"]
|
|
interval: 15s
|
|
timeout: 5s
|
|
retries: 5
|
|
start_period: 30s
|
|
restart: unless-stopped
|
|
|
|
# Download worker: same image, runs the yt-dlp / ffmpeg job loop instead of the API. Shares the
|
|
# DB (job queue) and the downloads mount with the API. Not read-only (yt-dlp/deno/ffmpeg write to
|
|
# $HOME caches + the staging dir).
|
|
worker:
|
|
image: forge.b1fr0st.eu/peter/siftlode:${IMAGE_TAG:-latest}
|
|
command: ["python", "-m", "app.worker"]
|
|
env_file:
|
|
- .env
|
|
environment:
|
|
DATABASE_URL: postgresql+psycopg://${POSTGRES_USER:-siftlode}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB:-siftlode}
|
|
SCHEDULER_ENABLED: "false"
|
|
DOWNLOAD_ROOT: /downloads
|
|
WORKER_ENABLED: "true"
|
|
depends_on:
|
|
db:
|
|
condition: service_healthy
|
|
# Start only after the API is healthy (it applies the DB migrations on startup), so the
|
|
# download tables exist before the worker touches them.
|
|
api:
|
|
condition: service_healthy
|
|
bgutil-pot:
|
|
condition: service_started
|
|
networks: [internal]
|
|
volumes:
|
|
- ${DOWNLOAD_HOST_PATH:-siftlode_downloads}:/downloads
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
cap_drop:
|
|
- ALL
|
|
tmpfs:
|
|
- /tmp
|
|
restart: unless-stopped
|
|
|
|
# PO-token provider sidecar: mints YouTube Proof-of-Origin tokens so the worker beats bot-detection
|
|
# and unlocks high-quality formats (reached at http://bgutil-pot:4416, the config default).
|
|
bgutil-pot:
|
|
image: brainicism/bgutil-ytdlp-pot-provider:1.3.1
|
|
init: true
|
|
networks: [internal]
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
restart: unless-stopped
|
|
|
|
volumes:
|
|
siftlode_pgdata:
|
|
siftlode_downloads:
|
|
|
|
networks:
|
|
internal:
|