postgres.garden/docker-compose.yml at develop · DanielFGray/postgres.garden · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
x-restart: &restart
  restart: unless-stopped

x-internal: &internal
  networks:
    - internal

services:
  app:
    build:
      context: .
      args:
        VITE_OTEL_COLLECTOR_URL: ${VITE_OTEL_COLLECTOR_URL:-}
    <<: [*restart, *internal]
    env_file:
      - .env
    depends_on:
      db:
        condition: service_healthy
      valkey:
        condition: service_healthy
    networks:
      - internal
      - dokploy-network
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.postgres-garden.loadbalancer.server.port=3000"
      # Shared middlewares
      - "traefik.http.middlewares.postgres-garden-headers.headers.customresponseheaders.Cross-Origin-Embedder-Policy=credentialless"
      - "traefik.http.middlewares.postgres-garden-headers.headers.customresponseheaders.Cross-Origin-Opener-Policy=same-origin"
      - "traefik.http.middlewares.postgres-garden-headers.headers.customresponseheaders.Cross-Origin-Resource-Policy=cross-origin"
      - "traefik.http.middlewares.postgres-garden-ratelimit.ratelimit.average=10"
      - "traefik.http.middlewares.postgres-garden-ratelimit.ratelimit.burst=20"
      - "traefik.http.middlewares.postgres-garden-ratelimit.ratelimit.period=1s"
      # Main router: static assets + SPA (headers only, no rate limit)
      - "traefik.http.routers.postgres-garden.rule=Host(`postgres.garden`)"
      - "traefik.http.routers.postgres-garden.entrypoints=websecure"
      - "traefik.http.routers.postgres-garden.tls.certResolver=letsencrypt"
      - "traefik.http.routers.postgres-garden.service=postgres-garden"
      - "traefik.http.routers.postgres-garden.middlewares=postgres-garden-headers"
      # API router: /api, /auth, /webhooks (rate limited)
      - "traefik.http.routers.postgres-garden-api.rule=Host(`postgres.garden`) && (PathPrefix(`/api`) || PathPrefix(`/auth`) || PathPrefix(`/webhooks`))"
      - "traefik.http.routers.postgres-garden-api.entrypoints=websecure"
      - "traefik.http.routers.postgres-garden-api.tls.certResolver=letsencrypt"
      - "traefik.http.routers.postgres-garden-api.service=postgres-garden"
      - "traefik.http.routers.postgres-garden-api.middlewares=postgres-garden-ratelimit,postgres-garden-headers"

  worker:
    build: .
    <<: [*restart, *internal]
    command: ["sh", "-c", "cd worker && bun graphile-worker"]
    env_file:
      - .env
    depends_on:
      db:
        condition: service_healthy
      valkey:
        condition: service_healthy

  db:
    image: postgres:17-alpine
    <<: [*restart, *internal]
    environment:
      - POSTGRES_USER=${ROOT_DATABASE_USER}
      - POSTGRES_PASSWORD=${ROOT_DATABASE_PASSWORD}
    command:
      - postgres
      - -c
      - shared_preload_libraries=pg_stat_statements
      - -c
      - pg_stat_statements.track=all
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${ROOT_DATABASE_USER}"]
      interval: 5s
      timeout: 5s
      retries: 10

  valkey:
    image: valkey/valkey:8-alpine
    <<: [*restart, *internal]
    volumes:
      - valkeydata:/data
    command: valkey-server --save 60 1 --loglevel warning
    healthcheck:
      test: ["CMD-SHELL", "valkey-cli ping | grep PONG"]
      interval: 5s
      timeout: 5s
      retries: 5

volumes:
  pgdata:
  valkeydata:

networks:
  internal:
  dokploy-network:
    external: true