josedario87
be1a1e971b
All checks were successful
build-and-deploy / build-and-deploy (push) Successful in 16s
- Cambiar de dominio público a nombre de contenedor: ak-outpost-exterior-lvl2:9000 - Consistente con patrón usado en otros servicios (ak-outpost-lvl0)
96 lines
4.2 KiB
YAML
96 lines
4.2 KiB
YAML
version: '3.8'
|
|
|
|
services:
|
|
postgres:
|
|
image: postgres:16-alpine
|
|
container_name: ${APP_NAME}_postgres
|
|
restart: unless-stopped
|
|
environment:
|
|
- POSTGRES_DB=${POSTGRES_DB:-riocata}
|
|
- POSTGRES_USER=${POSTGRES_USER:-riocata_user}
|
|
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
|
|
- PGDATA=/var/lib/postgresql/data/pgdata
|
|
volumes:
|
|
- postgres_data:/var/lib/postgresql/data
|
|
- ./postgres/init:/docker-entrypoint-initdb.d:ro
|
|
networks:
|
|
- principal
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-riocata_user} -d ${POSTGRES_DB:-riocata}"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 5
|
|
|
|
app:
|
|
image: ${REG}/${REPO_OWNER}/${APP_NAME}:latest
|
|
container_name: ${APP_NAME}
|
|
restart: unless-stopped
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
environment:
|
|
# Node Environment
|
|
- NODE_ENV=production
|
|
- NUXT_HOST=0.0.0.0
|
|
- NUXT_PORT=3000
|
|
# Public URL
|
|
- NUXT_PUBLIC_APP_URL=${NUXT_PUBLIC_APP_URL}
|
|
# Database Connection
|
|
- DATABASE_URL=postgresql://${POSTGRES_USER:-riocata_user}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB:-riocata}
|
|
- POSTGRES_HOST=postgres
|
|
- POSTGRES_PORT=5432
|
|
- POSTGRES_DB=${POSTGRES_DB:-riocata}
|
|
- POSTGRES_USER=${POSTGRES_USER:-riocata_user}
|
|
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
|
|
networks:
|
|
- principal
|
|
- traefik-network
|
|
labels:
|
|
# Traefik labels
|
|
- "traefik.enable=true"
|
|
- "traefik.docker.network=traefik-network"
|
|
|
|
# Service (shared by both routers)
|
|
- "traefik.http.services.${APP_NAME}.loadbalancer.server.port=3000"
|
|
|
|
# Router 1: Public PWA resources (no auth) - Higher priority
|
|
- "traefik.http.routers.${APP_NAME}-public.rule=Host(`${APP_DOMAIN}`) && (PathPrefix(`/manifest.webmanifest`) || PathPrefix(`/sw.js`) || PathPrefix(`/workbox-`) || PathPrefix(`/icon-`) || PathPrefix(`/apple-touch-icon`) || PathPrefix(`/favicon.ico`) || PathPrefix(`/robots.txt`) || PathPrefix(`/offline.html`) || PathPrefix(`/api/_nuxt_icon/`))"
|
|
- "traefik.http.routers.${APP_NAME}-public.entrypoints=websecure"
|
|
- "traefik.http.routers.${APP_NAME}-public.tls.certresolver=letsencrypt"
|
|
- "traefik.http.routers.${APP_NAME}-public.priority=100"
|
|
- "traefik.http.routers.${APP_NAME}-public.service=${APP_NAME}"
|
|
- "traefik.http.routers.${APP_NAME}-public.middlewares=${APP_NAME}-headers,${APP_NAME}-cors"
|
|
|
|
# Router 2: Protected application (with auth) - Normal priority
|
|
- "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`)"
|
|
- "traefik.http.routers.${APP_NAME}.entrypoints=websecure"
|
|
- "traefik.http.routers.${APP_NAME}.tls.certresolver=letsencrypt"
|
|
- "traefik.http.routers.${APP_NAME}.priority=10"
|
|
- "traefik.http.routers.${APP_NAME}.service=${APP_NAME}"
|
|
- "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-authentik,${APP_NAME}-headers"
|
|
|
|
# Middleware de autenticación usando outpost exteriorlvl2
|
|
- "traefik.http.middlewares.${APP_NAME}-authentik.forwardauth.address=http://ak-outpost-exterior-lvl2:9000/outpost.goauthentik.io/auth/traefik"
|
|
- "traefik.http.middlewares.${APP_NAME}-authentik.forwardauth.trustForwardHeader=true"
|
|
- "traefik.http.middlewares.${APP_NAME}-authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-groups,X-authentik-entitlements,Set-Cookie"
|
|
|
|
# Custom headers middleware
|
|
- "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Proto=https"
|
|
- "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Scheme=https"
|
|
|
|
# CORS middleware for public resources
|
|
- "traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolallowmethods=GET,OPTIONS"
|
|
- "traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolalloworiginlist=https://${APP_DOMAIN}"
|
|
- "traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolmaxage=100"
|
|
- "traefik.http.middlewares.${APP_NAME}-cors.headers.addvaryheader=true"
|
|
|
|
volumes:
|
|
postgres_data:
|
|
name: ${APP_NAME}_postgres_data
|
|
|
|
networks:
|
|
principal:
|
|
external: true
|
|
traefik-network:
|
|
external: true
|