This repository has been archived by the owner on Mar 2, 2024. It is now read-only.
/
docker-compose.yml
207 lines (193 loc) · 8.5 KB
/
docker-compose.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
# Most Neolace services run on port 555x:
#
# 5550
# 5551
# 5552 - authentication server (public port)
# 5553 - redis (cache, message queue)
# 5554 - backend (REST API)
# 5555 - frontend (local development)
# 5556 - TypeSense (search)
# 5557 - imgproxy (optional, used to serve image thumbnails)
# 5558 - imgproxy gateway (used to restrict access to imgproxy)
# 5559 - authentication server (private port for backend use only)
# 7474 - Neo4j web UI
# 7687 - Neo4j Bolt interface
# 9000 - MinIO (S3-compatible object storage)
#
# For tests, these same services run on ports with the 444x prefix instead of 555x
# Configuration for our development and test environments
version: '3'
x-service-templates:
neo4j:
&neo4j-defaults
image: neo4j:5.2.0
environment:
# Set default password to "neolace"
NEO4J_AUTH: neo4j/neolace
# We need trigger functionality, which is part of "APOC" and must be enabled:
NEO4J_server_directories_plugins: /var/lib/neo4j/labs
NEO4J_dbms_security_procedures_unrestricted: apoc.*
# Enable trigger functionality:
apoc.trigger.enabled: "true"
# The following is needed for apoc.export.cypher.all, even though we're only exporting to memory, not disk.
apoc.export.file.enabled: "true"
# Enable a transaction timeout so we don't get long transactions that run forever:
NEO4J_db_transaction_timeout: "120s"
NEO4J_db_lock_acquisition_timeout: "30s"
authn:
&authn-defaults
image: keratin/authn-server:1.15.0
depends_on:
- redis
environment:
&authn-environment-defaults
PORT: 5559
PUBLIC_PORT: 5552
# The backend runs on the host, not inside docker, so these are the URLs for authn to post to:
APP_PASSWORDLESS_TOKEN_URL: http://host.docker.internal:5554/auth/passwordless-login
APP_PASSWORD_RESET_URL: http://host.docker.internal:5554/auth/password-reset
# authn's database requirements are very basic so we use sqlite:
DATABASE_URL: sqlite3://localcontainer/data/authn.sqlite3?cache=shared
SECRET_KEY_BASE: neolace-dev
HTTP_AUTH_USERNAME: authn
HTTP_AUTH_PASSWORD: neolace
REDIS_URL: redis://:devpassword@redis:6379/8
USERNAME_IS_EMAIL: "false"
PASSWORD_CHANGE_LOGOUT: "true" # user password changes will expire all other sessions
# Public URL as reachable by end users. NOTE: it's not really https for local dev! But usings https tells AuthN to
# set the required 'Secure' attribute on the cookie, and Firefox and Chrome treat local dev sites as secure.
AUTHN_URL: https://local.neolace.net:5552
APP_DOMAINS: "*.local.neolace.net:5555"
# We create users via the private 'import' flow, not the public 'signup' flow
ENABLE_SIGNUP: "false"
# Since authn runs on a separate domain, we need same site "none" -see https://github.com/keratin/authn-server/blob/main/docs/config.md#same_site
SAME_SITE: "NONE"
entrypoint: ["/bin/sh", "-c", "./authn migrate && ./authn server"] # Override to ensure migrations get run
services:
################################################################
# Redis cache / message queue
################################################################
redis:
image: redis:7.0-alpine
command: >
--requirepass devpassword
# Redis DB 0 is used by the neolace backend.
# Redis DB 1 is used by the neolace backend (tests).
# Redis DB 8 is used by AuthN microservice.
ports:
- 5553:6379
################################################################
# Neo4j graph database
################################################################
neo4j:
<< : *neo4j-defaults
ports:
- 7474:7474 # Browse on your host at http://localhost:7474/browser/?connectURL=neo4j://localhost:7687
- 7687:7687 # Bolt
volumes:
- neo4j-data:/data
# A separate copy of Neo4j just for the test suite; this one has ephemeral data.
# This is necessary because Neo4j community doesn't support multiple databases
neo4j-test:
<< : *neo4j-defaults
ports:
- 4474:7474 # Browse on your host at http://localhost:4474/browser/?connectURL=neo4j://localhost:4687
- 4687:7687 # Bolt
################################################################
# Authentication Server
################################################################
authn:
<< : *authn-defaults
ports:
- 5552:5552 # Expose public port to the host computer so users can log in
- 5559:5559 # Private port
volumes:
- authn-data:/data
authn-test:
<< : *authn-defaults
environment:
<< : *authn-environment-defaults
AUTHN_URL: http://authn-test:4442 # Public URL as reachable by end users
APP_DOMAINS: backend:4445
GODEBUG: netdns=go # Work around weird "dial tcp: lookup redis: device or resource busy" error on GitHub actions
ports:
- 4442:5552 # Expose public port to the host computer so users can log in
- 4449:5559 # Expose public port to the host computer so users can log in
volumes:
- authn-data:/data
################################################################
# TypeSense (search server)
################################################################
search:
image: typesense/typesense:0.23.1
ports:
- 5556:8108
command: >
--data-dir /data --api-key=typesensedevkey --enable-cors
volumes:
- typesense-data:/data
# Suppress TypeSense's extremely noisy logging by default
logging:
driver: none
################################################################
# S3-compatible object storage (used only for development)
################################################################
objstore:
image: minio/minio:RELEASE.2022-07-08T00-05-23Z
entrypoint: sh
# command: ["server", "/data"]
# Create the two default buckets for dev and test configurations, then start the server:
command: -c 'mkdir -p /data/neolace-objects && mkdir -p /data/neolace-test-objects && minio server /data'
environment:
MINIO_ROOT_USER: AKIA_NEOLACE_DEV
MINIO_ROOT_PASSWORD: neolace123
MINIO_REGION_NAME: dev-region
ports:
- 9000:9000
- 5557:5557 # For the imgproxy, if being used. See note in "imgproxy" service definition
- 5558:5558 # For the imgproxy-gateway, if being used.
volumes:
- objstore-data:/data/
createbuckets:
# Make sure buckets exist and allow public read ("download")
image: minio/mc:RELEASE.2022-09-16T09-16-47Z # Note: when upgrading this, will need to change 'mc policy' to 'mc anonymous'
depends_on:
- objstore
entrypoint: >
/bin/sh -c "
sleep 3;
mc config host add objstore http://objstore:9000 AKIA_NEOLACE_DEV neolace123;
mc policy set download objstore/neolace-objects;
mc policy set download objstore/neolace-test-objects;
exit 0;
"
################################################################
# Image Proxy (run this via docker-compose.override.yml) if you
# want to test prod-like image thumbnailing + CDN
################################################################
# imgproxy:
# image: darthsim/imgproxy:v3.3.3
# environment:
# IMGPROXY_BIND: ":5557"
# IMGPROXY_KEY: 6E656F6C616365313233 # "neolace123" is the secret key (imgproxy needs it hex encoded)
# IMGPROXY_SALT: 6E656F73616C74 # "neosalt" is the salt
# IMGPROXY_MAX_SRC_RESOLUTION: 30 # Don't give errors on medium-sized files, only super huge ones.
# IMGPROXY_CACHE_CONTROL_PASSTHROUGH: "true" # Pass through our "immutable" cache-control headers; don't use the 1 hour default
# # Run imgproxy on the same network as objstore, so that it can resolve "localhost:9000" URLs without us
# # having to sometimes use "objstore:9000" and other times use "localhost:9000" depending on whether
# # the end user's browser or imgproxy is handling the request.
# network_mode: "service:objstore"
# imgproxy-gateway:
# image: ghcr.io/neolace-dev/improxy-gateway:build-docker-img
# environment:
# IMGPROXY_KEY: 6E656F6C616365313233
# IMGPROXY_SALT: 6E656F73616C74
# # IMGPROXY_GATEWAY_ALLOWED_WIDTHS: "[256, 640, 1000, 2000, 4000]"
# # IMGPROXY_GATEWAY_IMGPROXY_URL: http://localhost:5557
# # IMGPROXY_GATEWAY_OBJSTORE_PUBLIC_URL_PREFIX: http://localhost:9000/neolace-objects
# network_mode: "service:objstore" # Run imgproxy gateway on the same network as objstore, for same reason as imgproxy
volumes:
neo4j-data:
authn-data:
objstore-data:
typesense-data: