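version: "3.9"

# Swarm stack: Postgres + Dragonfly behind a DB broker, Hanko as the OIDC
# identity provider, oauth2-proxy as a forward_auth gate, and
# caddy-docker-proxy as the TLS-terminating ingress on :80/:443.
#
# Every credential is a pre-created Swarm secret
# (`docker secret create <name> -`); nothing sensitive lives in this file
# or in a plain environment variable that `docker service inspect` would show.
secrets:
  postgres_password:
    external: true
  dragonfly_password:
    external: true
  hanko_secret_key:
    external: true
  oauth2_proxy_client_secret:
    external: true
  # oauth2-proxy refuses to start without a cookie secret (16, 24 or 32
  # random bytes). It must stay stable across redeploys, otherwise every
  # existing user session is invalidated.
  oauth2_proxy_cookie_secret:
    external: true

networks:
  # Ingress network: Caddy plus every service it proxies to.
  web:
    driver: overlay
    attachable: true
  # Datastore network. NOTE(review): despite the name this overlay is not
  # `internal: true`, so services attached only to it still have egress.
  # Set that flag if postgres / dragonfly / database-broker never need to
  # reach anything outside the swarm.
  internal:
    driver: overlay

volumes:
  postgres_data:
  caddy_data:
  caddy_config:

services:
  postgres:
    image: postgres:17-alpine
    environment:
      POSTGRES_DB: razcloud
      POSTGRES_USER: razcloud
      # Superuser password is read from the mounted Docker secret file.
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
    secrets:
      - postgres_password
    networks:
      - internal
    volumes:
      - postgres_data:/var/lib/postgresql/data
    deploy:
      placement:
        constraints:
          # Pin to the manager so the local volume is always on the same node.
          - node.role == manager
      restart_policy:
        condition: on-failure

  dragonfly:
    # NOTE(review): unpinned tag -- pin a version/digest so redeploys are
    # reproducible and a registry-side change cannot swap the image.
    image: docker.dragonflydb.io/dragonflydb/dragonfly
    # Dragonfly has no *_FILE env var, so the secret file is read at start
    # and passed as an argument. The password therefore ends up in the
    # process argv (visible in /proc inside the container); still preferable
    # to an environment variable in the service spec. Bound only on the
    # `internal` overlay.
    command: >
      sh -c 'dragonfly
      --requirepass "$$(cat /run/secrets/dragonfly_password)"
      --bind 0.0.0.0:6379'
    secrets:
      - dragonfly_password
    networks:
      - internal
    deploy:
      placement:
        constraints:
          - node.role == manager
      restart_policy:
        condition: on-failure

  # DB broker that creates per-app databases and hands back connection URIs.
  database-broker:
    image: ghcr.io/razzie-cloud/database-broker:1.0.2
    # depends_on is ignored by `docker stack deploy` (only honoured by
    # `docker compose up`); the broker must tolerate its backends coming up
    # after it and rely on restart_policy.
    depends_on:
      - postgres
      - dragonfly
    secrets:
      - postgres_password
      - dragonfly_password
    environment:
      # Credentials are split out of the URIs so the URIs carry no secret.
      POSTGRES_URI: postgresql://razcloud@postgres:5432/razcloud
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
      DRAGONFLY_URI: redis://dragonfly:6379
      DRAGONFLY_PASSWORD_FILE: /run/secrets/dragonfly_password
    networks:
      - internal
    deploy:
      restart_policy:
        condition: on-failure

  hanko:
    # NOTE(review): `latest` is a moving target for the identity provider;
    # pin a version or digest.
    image: ghcr.io/razzie-cloud/hanko:latest
    networks:
      - internal
      - web
    depends_on:
      - database-broker
    secrets:
      # Presumably consumed by the custom image from
      # /run/secrets/hanko_secret_key -- confirm against the image entrypoint.
      - hanko_secret_key
    deploy:
      labels:
        # Hanko public API & UI, reachable by browsers and by oauth2-proxy
        # (OIDC discovery goes through this public hostname).
        caddy: auth.razzie.cloud
        caddy.reverse_proxy: "{{upstreams 8000}}"
      restart_policy:
        condition: on-failure

  oauth2-proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.13.0
    networks:
      - web
      - internal
    depends_on:
      - hanko
    secrets:
      - oauth2_proxy_client_secret
      - oauth2_proxy_cookie_secret
    environment:
      # Hanko is the OIDC provider; the client must be registered in Hanko
      # with exactly this client id and redirect URL.
      OAUTH2_PROXY_PROVIDER: oidc
      OAUTH2_PROXY_OIDC_ISSUER_URL: https://auth.razzie.cloud
      OAUTH2_PROXY_CLIENT_ID: hanko-oauth-client
      OAUTH2_PROXY_CLIENT_SECRET_FILE: /run/secrets/oauth2_proxy_client_secret
      OAUTH2_PROXY_REDIRECT_URL: https://oauth2.razzie.cloud/oauth2/callback
      # Session cookie. Caddy terminates TLS for every hostname in this
      # stack, so the cookie must carry the Secure flag -- with it off, the
      # session cookie would also be sent over plain HTTP.
      OAUTH2_PROXY_COOKIE_SECRET_FILE: /run/secrets/oauth2_proxy_cookie_secret
      OAUTH2_PROXY_COOKIE_SECURE: "true"
      # Protected apps live on sibling subdomains (whoami.razzie.cloud) while
      # the session is established on oauth2.razzie.cloud. Without a shared
      # cookie domain the browser never sends the session cookie along with
      # requests that Caddy forward_auths for those other hosts.
      OAUTH2_PROXY_COOKIE_DOMAINS: ".razzie.cloud"
      # Only allow post-login redirects back into this zone (open-redirect
      # guard for the rd= parameter).
      OAUTH2_PROXY_WHITELIST_DOMAINS: ".razzie.cloud"
      # Any identity Hanko issues is accepted. If Hanko self-registration is
      # enabled, anyone who signs up passes the auth wall; restrict to
      # specific domains or use OAUTH2_PROXY_AUTHENTICATED_EMAILS_FILE for
      # anything beyond a demo.
      OAUTH2_PROXY_EMAIL_DOMAINS: "*"
      OAUTH2_PROXY_HTTP_ADDRESS: "0.0.0.0:4180"
      # Caddy forward_auth mode: trust X-Forwarded-* from Caddy and answer
      # /oauth2/auth with a status code only.
      OAUTH2_PROXY_REVERSE_PROXY: "true"
      OAUTH2_PROXY_UPSTREAMS: "static://202"
    deploy:
      labels:
        # Expose oauth2-proxy itself for the /oauth2/* endpoints
        # (sign_in, callback, auth).
        caddy: oauth2.razzie.cloud
        caddy.reverse_proxy: "{{upstreams 4180}}"
      restart_policy:
        condition: on-failure

  # Whoami demo app, fully hidden behind the auth wall.
  whoami:
    # NOTE(review): unpinned tag; pin a version/digest.
    image: traefik/whoami
    networks:
      - web
    deploy:
      labels:
        caddy: whoami.razzie.cloud
        caddy.reverse_proxy: "{{upstreams 80}}"
        # Apply the auth snippet defined on the Caddy service.
        caddy.import: oauth2_forward_auth
      restart_policy:
        condition: on-failure

  # Caddy + caddy-docker-proxy, 80/443 open to the world.
  caddy-docker-proxy:
    image: lucaslorentz/caddy-docker-proxy:2.8-alpine
    networks:
      - web
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # caddy-docker-proxy reads service labels via the Docker API. The raw
      # socket grants root-equivalent control of the manager node to this
      # internet-facing container; consider a read-only Docker socket proxy.
      - /var/run/docker.sock:/var/run/docker.sock
      # ACME account and issued certificates -- must persist across restarts.
      - caddy_data:/data
      - caddy_config:/config
    environment:
      CADDY_INGRESS_NETWORKS: "${STACK_NAME}_web"
      # CADDY_EMAIL: "system@razzie.cloud"  # optionally set ACME email
    deploy:
      placement:
        constraints:
          - node.role == manager
      restart_policy:
        condition: on-failure
      labels:
        # Reusable snippet: a service that imports it has every request
        # checked against oauth2-proxy's /oauth2/auth before being proxied.
        # NOTE(review): as written, an unauthenticated browser receives
        # oauth2-proxy's 401 as-is; add a handle_response redirect to
        # /oauth2/sign_in on oauth2.razzie.cloud if interactive login is wanted.
        caddy: (oauth2_forward_auth)
        caddy.forward_auth: oauth2-proxy:4180
        caddy.forward_auth.uri: /oauth2/auth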