docker-compose.yml
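# Compose stack for dd-ui: a Postgres database plus the dd-ui application.
# All credentials are supplied as file-based secrets (the top-level `secrets:`
# map at the bottom) and referenced through *_FILE variables, so no secret
# value appears in this file or in the container environment.
version: "3.8"

services:
  dd-ui-postgres:
    container_name: dd-ui-postgres
    image: postgres:16-alpine
    environment:
      - POSTGRES_DB=dd-ui
      - POSTGRES_USER=prplanit
      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_pass
    ports:
      # NOTE(review): this publishes Postgres on every host interface.
      # dd-ui-app reaches the database over the compose network
      # (DD_UI_DB_HOST=dd-ui-postgres), so the mapping is only needed for
      # access from outside the stack. If that is not required, drop it or
      # bind it to loopback ("127.0.0.1:5432:5432").
      - "5432:5432"
    volumes:
      - /opt/docker/dd-ui/postgres:/var/lib/postgresql/data
    secrets:
      - postgres_pass
    healthcheck:
      # `$$` escapes Compose interpolation so the variables are expanded by
      # the shell inside the container (from `environment:` above). With a
      # single `$`, Compose substitutes them from the host environment when
      # it parses the file, normally yielding empty strings.
      test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
      interval: 5s
      timeout: 3s
      retries: 20

  dd-ui-app:
    container_name: dd-ui-app
    # Start only after the database healthcheck passes.
    depends_on:
      dd-ui-postgres:
        condition: service_healthy
    image: prplanit/dd-ui:v0.4.7
    ports:
      # Host port 3000 -> container port 443.
      - "3000:443"
    env_file: stack.env
    environment:
      # General Config
      # - DD_UI_BIND=0.0.0.0:443
      # - DD_UI_DEFAULT_OWNER=  # (email)
      - DD_UI_INVENTORY_PATH=/data/inventory
      - DD_UI_LOCAL_HOST=anchorage
      - DD_UI_UI_ORIGIN=https://dd-ui.pcfae.com
      # Authentication / OIDC
      - DD_UI_COOKIE_SECURE=true
      - DD_UI_COOKIE_DOMAIN=dd-ui.pcfae.com
      - OIDC_CLIENT_ID_FILE=/run/secrets/oidc_client_id
      - OIDC_CLIENT_SECRET_FILE=/run/secrets/oidc_client_secret
      - OIDC_ISSUER_URL=https://sso.prplanit.com
      - OIDC_REDIRECT_URL=https://dd-ui.pcfae.com/auth/callback
      - OIDC_POST_LOGOUT_REDIRECT_URL=https://dd-ui.pcfae.com/login
      - OIDC_SCOPES=openid email profile
      # NOTE(review): with the domain restriction below left unset, access
      # presumably depends entirely on who can authenticate at the issuer.
      # Confirm that is the intended population.
      # - OIDC_ALLOWED_EMAIL_DOMAIN  # (optional; blocks others)
      # Database (Postgres) Configuration:
      - DD_UI_DB_HOST=dd-ui-postgres
      - DD_UI_DB_PORT=5432
      - DD_UI_DB_NAME=dd-ui
      - DD_UI_DB_USER=prplanit
      - DD_UI_DB_PASS_FILE=/run/secrets/postgres_pass
      # TLS to the database is off. The app's connection stays on the compose
      # network here; revisit this if the database moves to another host.
      - DD_UI_DB_SSLMODE=disable
      - DD_UI_DB_MIGRATE=false
      # or provide a single DSN:
      # - DD_UI_DB_DSN=postgres://dd-ui:...@db:5432/dd-ui?sslmode=disable
      # Docker Connection Config
      - DOCKER_CONNECTION_METHOD=local
      # Encryption / SOPS Config
      # The age private key is mounted as a secret and decryption is enabled,
      # so this container can read any SOPS-encrypted material under /data
      # that is encrypted to that key.
      - DD_UI_ALLOW_SOPS_DECRYPT=true
      - SOPS_AGE_KEY_FILE=/run/secrets/sops_age_key
      - DD_UI_SESSION_SECRET_FILE=/run/secrets/session_secret
      # SSH Config
      - SSH_USER=kai  # or a limited user in docker group
      - SSH_PORT=22
      - SSH_KEY_FILE=/run/secrets/ssh_key
      - SSH_USE_SUDO=false  # true if your user needs sudo
      # NOTE(review): host-key checking is disabled, so the app's outbound SSH
      # connections cannot tell a managed host from an impostor. Set this to
      # true once the hosts' keys are provisioned for the container.
      - SSH_STRICT_HOST_KEY=false
      # Auto DevOps Config
      - DD_UI_DEVOPS_APPLY=false
      # Scanning Config - Docker Host(s) States
      - DD_UI_SCAN_DOCKER_AUTO=true
      - DD_UI_SCAN_DOCKER_INTERVAL=1m
      - DD_UI_SCAN_DOCKER_HOST_TIMEOUT=45s
      - DD_UI_SCAN_DOCKER_CONCURRENCY=3
      - DD_UI_SCAN_DOCKER_ON_START=true
      # NOTE(review): debug output is enabled; confirm what it writes to the
      # container logs before leaving it on in a long-running deployment.
      - DD_UI_SCAN_DOCKER_DEBUG=true
      # Scanning Config - IAC
      - DD_UI_IAC_ROOT=/data
      - DD_UI_IAC_DIRNAME=docker-compose
      - DD_UI_SCAN_IAC_AUTO=true
      - DD_UI_SCAN_IAC_INTERVAL=90s
    secrets:
      - oidc_client_id
      - oidc_client_secret
      - postgres_pass
      - session_secret
      - sops_age_key
      - ssh_key
    volumes:
      - /opt/docker/dd-ui/data:/data
      # The Docker socket gives this container full control of the host's
      # Docker daemon, which is equivalent to root on the host. Anyone who
      # can drive dd-ui inherits that reach, so keep the UI behind the OIDC
      # login and restrict who can reach the published port.
      - /var/run/docker.sock:/var/run/docker.sock

# File-backed secrets, mounted read-only at /run/secrets/<name> in each
# service that lists them. Keep the source files out of version control and
# readable only by the account that runs Compose.
secrets:
  oidc_client_id:
    file: /opt/docker/dd-ui/secrets/oidc_client_id
  oidc_client_secret:
    file: /opt/docker/dd-ui/secrets/oidc_client_secret
  postgres_pass:
    file: /opt/docker/dd-ui/secrets/postgres_password
  session_secret:
    file: /opt/docker/dd-ui/secrets/session_secret
  sops_age_key:
    file: /opt/docker/dd-ui/secrets/sops_age_key
  ssh_key:
    file: /opt/docker/dd-ui/secrets/id_ed25519  # your private key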