-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathdocker-compose.instance.yaml
105 lines (93 loc) · 4.45 KB
/
docker-compose.instance.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
#! This is a ytt template file for docker-compose.override.yaml
#! References:
#! https://carvel.dev/ytt
#! https://docs.docker.com/compose/extends/#adding-and-overriding-configuration
#! https://github.com/enigmacurry/d.rymcg.tech#overriding-docker-composeyaml-per-instance
#! ### Standard project vars:
#@ load("@ytt:data", "data")
#@ project = data.values.project
#@ instance = data.values.instance
#@ context = data.values.context
#@ traefik_host = data.values.traefik_host
#@ webhook_host = data.values.webhook_host
#@ ip_sourcerange = data.values.ip_sourcerange
#@ enable_http_auth = len(data.values.http_auth.strip()) > 0
#@ http_auth = data.values.http_auth_var
#@ enable_oauth2 = data.values.oauth2 == "true"
#@ authorized_group = data.values.authorized_group
#@ enable_mtls_auth = data.values.enable_mtls_auth == "true"
#@ mtls_authorized_certs = data.values.mtls_authorized_certs
#@ enabled_middlewares = []
#@ enable_docker = data.values.enable_docker == "true"
#@ reloader_path_prefix = data.values.reloader_path_prefix
#!
#@ def get_volume_mounts(volumes_str):
#@ if volumes_str.strip() == "":
#@ return []
#@ end
#@ pairs = volumes_str.split(",")
#@ volume_mounts = []
#@ for pair in pairs:
#@ pair = pair.strip()
#@ if ":" not in pair:
#@ fail("extra_volumes must be a comma-separated list of colon-delimited pairs")
#@ end
#@ volume_mounts.append(pair)
#@ end
#@ return volume_mounts
#@ end
#@ volume_mounts = get_volume_mounts(data.values.extra_volumes)
#!
#@yaml/text-templated-strings
services:
homepage:
#@ service = "homepage"
volumes:
- config:/app/config
#@ if enable_docker:
- /var/run/docker.sock:/var/run/docker.sock:ro #! (optional) For docker integrations
#@ end
- config:/app/public/images #! (optional) So Homepage can use images from config dir
#@ for vol in volume_mounts:
- (@= vol @)
#@ end
labels:
- "backup-volume.stop-during-backup=true"
#! Services must opt-in to be proxied by Traefik:
- "traefik.enable=true"
#! 'router' is the fully qualified key in traefik for this router/service: project + instance + service
#@ router = "{}-{}-{}".format(project,instance,service)
#@ reloader_router = "{}-{}-{}".format(project,instance,"reloader")
#! The host matching router rule:
- "traefik.http.routers.(@= router @).rule=Host(`(@= traefik_host @)`)"
- "traefik.http.routers.(@= router @).entrypoints=websecure"
- "traefik.http.routers.(@= router @).service=(@= router @)"
#@ enabled_middlewares.append("{}-ipallowlist".format(router))
- "traefik.http.middlewares.(@= router @)-ipallowlist.ipallowlist.sourcerange=(@= ip_sourcerange @)"
#@ if enable_http_auth:
#@ enabled_middlewares.append("{}-basicauth".format(router))
- "traefik.http.middlewares.(@= router @)-basicauth.basicauth.users=(@= http_auth @)"
- "traefik.http.middlewares.(@= router @)-basicauth.basicauth.headerField=X-Forwarded-User"
#@ end
#@ if enable_oauth2:
#@ enabled_middlewares.append("traefik-forward-auth@docker")
#@ enabled_middlewares.append("header-authorization-group-{}@file".format(authorized_group))
#@ end
#@ if enable_mtls_auth:
- "traefik.http.routers.(@= router @).tls.options=step_ca_mTLS@file"
#@ if len(mtls_authorized_certs):
- "traefik.http.middlewares.mtlsauth-(@= router @).plugin.certauthz.domains=(@= mtls_authorized_certs @)"
#@ enabled_middlewares.append("mtlsauth-{}".format(router))
#@ end
#@ enabled_middlewares.append("mtls-header@file")
#@ end
- "traefik.http.services.(@= router @).loadbalancer.server.port=3000"
#! Apply all middlewares (do this at the end!)
- "traefik.http.routers.(@= router @).middlewares=(@= ','.join(enabled_middlewares) @)"
- "traefik.http.routers.(@= reloader_router @).rule=Host(`(@= webhook_host @)`) && PathPrefix(`(@= reloader_path_prefix @)`)"
- "traefik.http.routers.(@= reloader_router @).entrypoints=websecure"
#! Override the default port that whoami binds to, so that it lives in userspace >1024:
#! You don't normally need to do this, as long as your image has
#! an EXPOSE directive in it, Traefik will autodetect it, but this is how you can override it:
- "traefik.http.services.(@= reloader_router @).loadbalancer.server.port=8070"
- "traefik.http.routers.(@= reloader_router @).service=(@= reloader_router @)"