backend/docker-compose.prod.yml at main · OpenHub-Store/backend · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
services:
  postgres:
    image: postgres:17-alpine
    restart: unless-stopped
    # 3 GB ceiling. Postgres on a 4 vCPU / 8 GB host with shared_buffers at
    # the Alpine default sits well under this.
    mem_limit: 3g
    environment:
      POSTGRES_DB: githubstore
      POSTGRES_USER: githubstore
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    # Bind to VPS localhost only (not internet) so SSH tunnel can reach it
    ports:
      - "127.0.0.1:5432:5432"
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U githubstore"]
      interval: 5s
      timeout: 3s
      retries: 5
    logging:
      driver: "json-file"
      options:
        max-size: "50m"
        max-file: "5"

  meilisearch:
    image: getmeili/meilisearch:v1.14
    restart: unless-stopped
    mem_limit: 2g
    environment:
      MEILI_MASTER_KEY: ${MEILI_MASTER_KEY}
      MEILI_ENV: production
    volumes:
      - msdata:/meili_data
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:7700/health"]
      interval: 5s
      timeout: 3s
      retries: 5
    logging:
      driver: "json-file"
      options:
        max-size: "50m"
        max-file: "5"

  app:
    build: .
    restart: unless-stopped
    # 2 GB ceiling. Combined with Postgres + Meilisearch + Caddy this fits
    # on the 8 GB VPS with ~750 MB headroom for kernel + system.
    # -XX:MaxRAMPercentage=50 in the Dockerfile reads this.
    mem_limit: 2g
    # Defense in depth: the fat-jar runs with no need to write outside
    # /tmp. read_only mounts the rootfs RO; tmpfs gives the JVM somewhere
    # to drop class-data archives, sockets, etc.
    read_only: true
    tmpfs:
      - /tmp
    environment:
      DATABASE_URL: jdbc:postgresql://postgres:5432/githubstore
      DATABASE_USER: githubstore
      DATABASE_PASSWORD: ${POSTGRES_PASSWORD}
      MEILI_URL: http://meilisearch:7700
      MEILI_MASTER_KEY: ${MEILI_MASTER_KEY}
      SENTRY_DSN: ${SENTRY_DSN}
      # Fallback token for the on-demand GitHub passthrough + background
      # workers when the client doesn't send X-GitHub-Token. Used alone during
      # the daily fetcher's quiet window (default 01:00–04:00 UTC) so the
      # Python fetcher gets the full 4-token pool during its run.
      GITHUB_TOKEN: ${GH_TOKEN_TOPICS}
      # Rotation pool. Outside the quiet window, the backend round-robins
      # across these so user traffic doesn't concentrate on any one token.
      GH_TOKEN_TRENDING: ${GH_TOKEN_TRENDING}
      GH_TOKEN_NEW_RELEASES: ${GH_TOKEN_NEW_RELEASES}
      GH_TOKEN_MOST_POPULAR: ${GH_TOKEN_MOST_POPULAR}
      GH_TOKEN_TOPICS: ${GH_TOKEN_TOPICS}
      # Quiet-window UTC hours. Change if the fetcher schedule moves.
      TOKEN_QUIET_START_UTC: "1"
      TOKEN_QUIET_END_UTC: "4"
      # OAuth App client_id, used by both /v1/auth/device/* and the
      # /v1/oauth/* web flow. Same value the KMP client has in BuildKonfig —
      # device-flow needs identical client_id at both ends so codes can move
      # between primary and fallback paths. Renamed from GITHUB_OAUTH_CLIENT_ID
      # alongside the web-flow rollout; old env name is no longer read.
      OAUTH_CLIENT_ID: ${OAUTH_CLIENT_ID}
      # OAuth App client_secret. Only the backend ever sees this — never the
      # client app, never the website. Required for /v1/oauth/exchange to
      # call GitHub's token endpoint.
      OAUTH_CLIENT_SECRET: ${OAUTH_CLIENT_SECRET}
      # Shared secret with the website (github-store.org). Same value goes
      # to Cloudflare Worker via `wrangler secret put OAUTH_SERVICE_TOKEN`.
      # Mismatches → 401 service_auth_required on /v1/oauth/state and
      # /v1/oauth/exchange.
      OAUTH_SERVICE_TOKEN: ${OAUTH_SERVICE_TOKEN}
      # Host header allowlist for the two S2S OAuth endpoints. Defence in
      # depth on top of the shared secret. Empty in prod = every S2S call
      # rejected, so the app refuses to start without it.
      OAUTH_SERVICE_ALLOWED_HOSTS: ${OAUTH_SERVICE_ALLOWED_HOSTS}
      # GitHub OAuth App "Authorization callback URL". Must EXACTLY match
      # what's registered at github.com/settings/applications/<app-id> or
      # GitHub rejects /v1/oauth/exchange with redirect_uri_mismatch.
      OAUTH_WEB_CALLBACK_URL: ${OAUTH_WEB_CALLBACK_URL}
      # Optional per-iteration kill switch for the cleanup worker. Empty in
      # .env means "run normally"; set to "true" to pause expired-row reaping
      # if it ever contends with /exchange or /handoff under load.
      OAUTH_CLEANUP_DISABLED: ${OAUTH_CLEANUP_DISABLED:-}
      # Comma-separated allowlist of forge hosts /v1/external-match may fan
      # out to when the request body sources include forge short-names
      # (codeberg, gitea, disroot). Empty → ForgejoSearchClient falls back
      # to its hardcoded canonical set. SSRF + DoS hardening — backend
      # never calls a forge host outside this allowlist.
      FORGEJO_TRUSTED_HOSTS: ${FORGEJO_TRUSTED_HOSTS:-}
      # Comma-separated F-Droid index URLs the forge crawler ingests daily
      # to seed signing fingerprints for forge-distributed APKs. Empty →
      # falls back to ForgejoFdroidSeedWorker.DEFAULT_INDEX_URLS.
      FORGEJO_FDROID_INDEX_URLS: ${FORGEJO_FDROID_INDEX_URLS:-}
      # Explicit environment marker. Internal routes (/v1/internal/*) refuse to
      # register if ADMIN_TOKEN is unset under APP_ENV=production — no
      # accidentally-open dashboard after a bad deploy.
      APP_ENV: production
      ADMIN_TOKEN: ${ADMIN_TOKEN}
      # Pepper for hashing device IDs before they hit Postgres. Required in
      # production; rotating this invalidates existing hashes (acceptable —
      # privacy hardening V6).
      DEVICE_ID_PEPPER: ${DEVICE_ID_PEPPER}
    depends_on:
      postgres:
        condition: service_healthy
      meilisearch:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/v1/health"]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 30s
    logging:
      driver: "json-file"
      options:
        max-size: "50m"
        max-file: "5"

  # Komi Store paid-tier backend. Lives at /opt/komi-paid-backend on the VPS,
  # synced there by paid-backend/deploy.sh. Shares postgres + caddy from this
  # stack so the two backends sit on one VPS without duplicating infra.
  # Separate database (komistore_paid) created manually before first deploy.
  #
  # mem_limit set to 1.5g: VPS is 8 GB, current ceilings are postgres 3g +
  # meilisearch 2g + app 2g + caddy 256m + vector 256m = 7.5g committed.
  # paid-app at 1.5g brings the sum to 9g (1g overcommit). Mem limits are
  # caps not reservations so the kernel handles it unless every container
  # peaks simultaneously — operator should reduce free-tier app to 1.5g if
  # OOM-kill events start showing up.
  paid-app:
    build: ../komi-paid-backend
    restart: unless-stopped
    mem_limit: 1.5g
    read_only: true
    tmpfs:
      - /tmp
    environment:
      # Database — shared postgres container, isolated paid-tier database.
      DATABASE_URL: jdbc:postgresql://postgres:5432/komistore_paid
      DATABASE_USER: komistore_paid
      DATABASE_PASSWORD: ${KOMI_PAID_DB_PASSWORD}
      # Internal-auth shared secret with the website backend (when it exists).
      KOMI_INTERNAL_TOKEN: ${KOMI_INTERNAL_TOKEN}
      INTERNAL_AUTH_ALLOWED_HOSTS: ${INTERNAL_AUTH_ALLOWED_HOSTS}
      # Ed25519 signing keys. Default is `env` so a missing KOMI_KEY_SOURCE
      # surfaces immediately as "env var ED25519_PRIVATE_KEY not set" rather
      # than booting cleanly and silently failing at first KV fetch. Operators
      # that want CF KV (production setup) must set KOMI_KEY_SOURCE=cloudflare_kv
      # in /opt/github-store-backend/.env. The paid-backend SigningConfig
      # additionally fail-fasts on empty CF_ACCOUNT_ID / CF_KV_NAMESPACE_ID
      # when KEY_SOURCE=cloudflare_kv, so a half-configured CF deploy crashes
      # at AppConfig.from(), not at signing time.
      KEY_SOURCE: ${KOMI_KEY_SOURCE:-env}
      CF_ACCOUNT_ID: ${CF_ACCOUNT_ID:-}
      CF_KV_NAMESPACE_ID: ${CF_KV_NAMESPACE_ID:-}
      CF_API_TOKEN: ${CF_API_TOKEN:-}
      # Env-mode fallback for the signing key (only used when KEY_SOURCE=env).
      ED25519_PRIVATE_KEY: ${ED25519_PRIVATE_KEY:-}
      ED25519_PUBLIC_KEY:  ${ED25519_PUBLIC_KEY:-}
      # Stripe billing.
      STRIPE_SECRET_KEY:     ${STRIPE_SECRET_KEY}
      STRIPE_WEBHOOK_SECRET: ${STRIPE_WEBHOOK_SECRET}
      STRIPE_PRICE_ID_LIBRARY_SYNC_MONTHLY: ${STRIPE_PRICE_ID_LIBRARY_SYNC_MONTHLY:-}
      STRIPE_PRICE_ID_LIBRARY_SYNC_YEARLY:  ${STRIPE_PRICE_ID_LIBRARY_SYNC_YEARLY:-}
      STRIPE_PRICE_ID_DEV_PRO_MONTHLY:      ${STRIPE_PRICE_ID_DEV_PRO_MONTHLY:-}
      STRIPE_PRICE_ID_DEV_PRO_YEARLY:       ${STRIPE_PRICE_ID_DEV_PRO_YEARLY:-}
      # Cloudflare R2 for E2E-encrypted sync bundles.
      STORAGE_BUCKET:                 ${KOMI_STORAGE_BUCKET:-komi-sync}
      STORAGE_ENDPOINT:               ${KOMI_STORAGE_ENDPOINT}
      STORAGE_ACCESS_KEY_ID:          ${KOMI_STORAGE_ACCESS_KEY_ID}
      STORAGE_SECRET_ACCESS_KEY:      ${KOMI_STORAGE_SECRET_ACCESS_KEY}
      APP_ENV: production
    depends_on:
      postgres:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "wget", "-q", "-O-", "http://localhost:8080/health"]
      interval: 10s
      timeout: 5s
      retries: 3
      start_period: 30s
    logging:
      driver: "json-file"
      options:
        max-size: "50m"
        max-file: "5"

  caddy:
    image: caddy:2-alpine
    restart: unless-stopped
    mem_limit: 256m
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile.prod:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
    depends_on:
      app:
        condition: service_healthy
    logging:
      driver: "json-file"
      options:
        max-size: "50m"
        max-file: "5"

  # Centralized log shipper. Scrapes every container on the host via the
  # docker socket (read-only mount) and ships NDJSON to Better Stack. One
  # agent covers both the free-tier stack and the paid-backend stack
  # because docker socket sees all containers regardless of which compose
  # file launched them. Token sourced from .env on the VPS.
  vector:
    image: timberio/vector:0.45.0-alpine
    restart: unless-stopped
    mem_limit: 256m
    environment:
      BETTERSTACK_SOURCE_TOKEN: ${BETTERSTACK_SOURCE_TOKEN}
      BETTERSTACK_INGEST_HOST: ${BETTERSTACK_INGEST_HOST}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./ops/vector.toml:/etc/vector/vector.toml:ro
    # Vector's own logs go to local docker (json-file). If we shipped
    # them through itself we'd bill for our own chatter and create a loop.
    logging:
      driver: "json-file"
      options:
        max-size: "20m"
        max-file: "3"

volumes:
  pgdata:
  msdata:
  caddy_data:
  caddy_config: