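services:
  app:
    build:
      context: .
      dockerfile: Dockerfile.backend
      args:
        INCLUDE_DEV_TOOLS: "${INCLUDE_DEV_TOOLS:-false}"
        # Optional pip index overrides — empty unless set in .env on the
        # host. Selfhosters who run a private PyPI mirror or cache (e.g.
        # proxpi, devpi, Artifactory) drop one of these into their
        # gitignored .env and rebuild. See docs/SELFHOSTING.md.
        #
        # Supply-chain note: whoever controls the index URL controls every
        # package baked into the image, so point these only at a mirror you
        # operate or trust, over HTTPS. pip consults PIP_EXTRA_INDEX_URL
        # alongside the primary index with no precedence between them — for
        # privately named packages that is the classic dependency-confusion
        # setup. Prefer PIP_INDEX_URL with a mirror that proxies PyPI.
        PIP_INDEX_URL: "${PIP_INDEX_URL:-}"
        PIP_EXTRA_INDEX_URL: "${PIP_EXTRA_INDEX_URL:-}"
        # Build provenance surfaced at GET /v1/version. CI-built ghcr
        # images set these automatically; for a local `compose build` they
        # are empty unless you pass them from the host, where git is
        # available (compose can't run git itself). One-liner:
        #   GIT_COMMIT=$(git rev-parse --short HEAD) \
        #   GIT_TAG=$(git describe --tags --always) \
        #   BUILD_TIME=$(date -u +%Y-%m-%dT%H:%M:%SZ) \
        #   docker compose up --build -d app
        GIT_COMMIT: "${GIT_COMMIT:-}"
        GIT_TAG: "${GIT_TAG:-}"
        BUILD_TIME: "${BUILD_TIME:-}"
    ports:
      # No host address on this mapping, so the API is published on every
      # host interface by default — the only service in this file that
      # is. Docker adds its own packet-filter rules for published ports,
      # which commonly sidestep host-level tools such as ufw; if a reverse
      # proxy fronts the app, bind the host side to loopback instead, e.g.
      # "127.0.0.1:${SHEAF_PORT:-8000}:${SHEAF_PORT:-8000}".
      - "${SHEAF_PORT:-8000}:${SHEAF_PORT:-8000}"
      # Metrics endpoint. The host side publishes on loopback by default
      # (same posture as db/redis below) — METRICS_PUBLISH_HOST controls
      # that, and METRICS_BIND_PORT is the *host-side* port despite its
      # name. The in-container bind is separately controlled by
      # METRICS_BIND_HOST inside the app; flip it to 0.0.0.0 in .env so
      # the listener is reachable through this port mapping at all (it
      # defaults to 127.0.0.1 inside the container for selfhosters who
      # haven't thought about it). See docs/METRICS.md.
      - "${METRICS_PUBLISH_HOST:-127.0.0.1}:${METRICS_BIND_PORT:-8090}:8090"
    # .env is optional so a bare checkout starts; every secret that matters
    # (DB password, S3 keys) has a weak localdev default elsewhere in this
    # file and MUST be overridden there for anything reachable by others.
    env_file:
      - path: .env
        required: false
    environment:
      SHEAF_PORT: "${SHEAF_PORT:-8000}"
    volumes:
      - appdata:/app/data
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_healthy
    healthcheck:
      # Probes the app from inside its own container, so this works even
      # when the host-side publish address is loopback-only.
      test: ["CMD-SHELL", "python -c \"import urllib.request; urllib.request.urlopen('http://localhost:${SHEAF_PORT:-8000}/health')\""]
      interval: 10s
      timeout: 5s
      retries: 5
  db:
    # Floating major tag: fine for localdev, but a reproducible selfhost
    # build should pin a digest (image@sha256:...) so a pull cannot
    # silently change what runs.
    image: postgres:16-alpine
    ports:
      # Bound to loopback by default — the app talks to Postgres over the
      # compose network, so the published port is only for local tooling.
      # Set POSTGRES_BIND_HOST=0.0.0.0 only if you deliberately want it
      # reachable off-host.
      - "${POSTGRES_BIND_HOST:-127.0.0.1}:${POSTGRES_PORT:-5432}:5432"
    volumes:
      - pgdata:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: sheaf
      POSTGRES_USER: sheaf
      # Weak, well-known default; any deployment beyond localdev MUST set
      # POSTGRES_PASSWORD in .env. Note the official image only applies
      # this value when the pgdata volume is first initialised — changing
      # it in .env later does not rotate an existing role's password.
      # Quoted like every other interpolated value in this file.
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-changeme-in-production}"
      POSTGRES_INITDB_ARGS: "--data-checksums"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U sheaf"]
      interval: 5s
      timeout: 5s
      retries: 5
  redis:
    # Floating major tag — see the pinning note on db.
    image: redis:7-alpine
    ports:
      # Loopback by default — see the note on the db service above.
      # No AUTH is configured, so anything that can reach this port
      # (the host on loopback, and every container on the compose
      # network) has full access. Keep REDIS_BIND_HOST on loopback unless
      # you also add `--requirepass` and wire the password into the app.
      - "${REDIS_BIND_HOST:-127.0.0.1}:${REDIS_PORT:-6379}:6379"
    volumes:
      - redisdata:/data
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 5s
      timeout: 5s
      retries: 5
  minio:
    # `latest` is unpinned: an upstream release can change behaviour (or
    # be a compromised push) between two `compose pull`s. Pin a release
    # tag or digest for anything beyond throwaway localdev.
    image: minio/minio:latest
    profiles: ["s3"]
    ports:
      # Bind to loopback by default, same posture as db / redis. Set
      # MINIO_BIND_HOST=0.0.0.0 to expose the API or console off-host
      # (e.g. to reach the console from another LAN device). The
      # localdev defaults assume nobody but the operator should
      # touch these.
      - "${MINIO_BIND_HOST:-127.0.0.1}:${MINIO_API_PORT:-9000}:9000"
      - "${MINIO_BIND_HOST:-127.0.0.1}:${MINIO_CONSOLE_PORT:-9001}:9001"
    volumes:
      - miniodata:/data
    environment:
      # Default creds are intentionally the well-known MinIO defaults
      # for one-shot localdev. Anything beyond localdev MUST override
      # both S3_ACCESS_KEY and S3_SECRET_KEY in .env — selfhosters
      # using this compose file as a template should treat the
      # defaults the same way they treat the default DB password.
      MINIO_ROOT_USER: "${S3_ACCESS_KEY:-minioadmin}"
      MINIO_ROOT_PASSWORD: "${S3_SECRET_KEY:-minioadmin}"
    command: server /data --console-address ":9001"
    healthcheck:
      # Relies on the `mc` binary shipped inside the minio image.
      test: ["CMD", "mc", "ready", "local"]
      interval: 5s
      timeout: 5s
      retries: 5
  minio-init:
    # Unpinned `latest` — see the note on the minio service.
    image: minio/mc:latest
    profiles: ["s3"]
    depends_on:
      minio:
        condition: service_healthy
    # The entrypoint below writes `$$`, which compose turns into a literal
    # `$` so that the *container* shell does the expansion. That only
    # works if the variables exist in the container's environment, and
    # this service has no env_file — so they are mapped in here from the
    # same host-side variables the minio service uses. Without this
    # block, overriding S3_ACCESS_KEY/S3_SECRET_KEY in .env rotates
    # minio's root credentials while minio-init still logs in as
    # minioadmin/minioadmin, and the bucket is never created.
    environment:
      MINIO_ROOT_USER: "${S3_ACCESS_KEY:-minioadmin}"
      MINIO_ROOT_PASSWORD: "${S3_SECRET_KEY:-minioadmin}"
      S3_BUCKET: "${S3_BUCKET:-sheaf-files}"
    # Create the bucket. No anonymous-download policy: the app uses
    # signed URLs by default (`IMAGE_SERVING=signed`), and a public
    # bucket on top of that is both redundant and contradicts the
    # privacy posture for any deployment that flips images to private.
    # Selfhosters who want unsigned public images should set
    # `IMAGE_SERVING=unsigned` + `S3_PUBLIC_URL` and configure the
    # anonymous policy explicitly themselves.
    #
    # The secret is passed to `mc alias set` as an argument, so it is
    # visible in the process list inside this short-lived container (and
    # via `docker inspect`, as environment is anyway). Acceptable for a
    # one-shot init job; not a pattern to copy into long-running services.
    entrypoint: >
      sh -c "mc alias set sheaf http://minio:9000 $${MINIO_ROOT_USER:-minioadmin} $${MINIO_ROOT_PASSWORD:-minioadmin} &&
      mc mb --ignore-existing sheaf/$${S3_BUCKET:-sheaf-files}"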
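# Named volumes with default driver settings. Written as explicit empty
# mappings rather than bare `key:` (which YAML reads as null) so linters
# and readers see the intent. Docker keeps these across `compose down` /
# `up`; they are only deleted by `compose down -v` or `docker volume rm`,
# so a fresh `up` reuses the old DB contents and any credentials
# initialised into them.
volumes:
  pgdata: {}
  redisdata: {}
  appdata: {}
  miniodata: {}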