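# Single user-defined bridge network shared by db, server, client and traefik.
networks:
  appnet:
    driver: bridge
    # The Traefik labels on server and client reference the network as
    # "full-stack_appnet". Without an explicit name Compose derives the network
    # name from the project name, so the labels only match when the project is
    # called "full-stack". Pinning the name keeps routing stable regardless of
    # the checkout directory or -p/COMPOSE_PROJECT_NAME.
    name: full-stack_appnet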
# Named volumes, both using the default driver and default options.
volumes:
  # Mounted by the db service for the PostgreSQL data directory.
  db_data: {}
  # Mounted by traefik at /letsencrypt; holds acme.json (ACME account and
  # certificate material), so treat backups of this volume as sensitive.
  traefik_letsencrypt: {}
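services:
  # PostgreSQL database. Other services reach it as db:5432 over appnet.
  db:
    image: postgres:18-alpine
    container_name: db
    restart: unless-stopped
    environment:
      POSTGRES_DB: "${POSTGRES_DB:-appdb}"
      POSTGRES_USER: "${POSTGRES_USER:-appuser}"
      # No fallback value: a well-known default password combined with a
      # published port is an open database. Compose aborts with this message
      # when the variable is unset or empty. The image only applies it when
      # initialising an empty data directory; changing it later does not rotate
      # the password of an existing cluster.
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
    ports:
      # Published on loopback only. The server connects over appnet and does
      # not need this mapping; it exists for admin tooling on the host. Docker
      # port publishing typically bypasses host firewall rules, so binding to
      # all interfaces would expose PostgreSQL to the network.
      - "127.0.0.1:5432:5432"
    volumes:
      # NOTE(review): recent postgres images reportedly moved the default data
      # directory under /var/lib/postgresql/<major>; confirm this mount point
      # still captures the data for the 18 tag, otherwise db_data stays empty.
      - db_data:/var/lib/postgresql/data
      # Init scripts, mounted read-only.
      - ./containers/postgres/init:/docker-entrypoint-initdb.d:ro
    networks:
      - appnet

  # API server, routed by Traefik under /api on APP_DOMAIN.
  server:
    build:
      context: .
      dockerfile: apps/server/Dockerfile
    image: server:prod
    container_name: server
    depends_on:
      - db
    restart: unless-stopped
    env_file:
      - ./apps/server/.env
    environment:
      # Entries here take precedence over the same keys in env_file.
      NODE_ENV: production
      PORT: "${SERVER_PORT:-4000}"
      # No fallback value: the previous default embedded the database user and
      # password in this file. Must match the credentials the db service was
      # initialised with, e.g. postgres://<user>:<password>@db:5432/<database>.
      DATABASE_URL: "${DATABASE_URL:?DATABASE_URL must be set}"
    networks:
      - appnet
    labels:
      - "traefik.enable=true"
      # Must equal the real Docker network name of appnet.
      - "traefik.docker.network=full-stack_appnet"
      # API router: same host, path /api -> server on its configured PORT
      - "traefik.http.routers.api.rule=Host(`${APP_DOMAIN}`) && PathPrefix(`/api`)"
      - "traefik.http.routers.api.entrypoints=web,websecure"
      - "traefik.http.routers.api.tls=true"
      - "traefik.http.routers.api.tls.certresolver=le"
      # Follows SERVER_PORT so the proxy target cannot drift from PORT above.
      - "traefik.http.services.api.loadbalancer.server.port=${SERVER_PORT:-4000}"
      # Attach security, rate-limit, and basic auth (preprod) middlewares.
      # The @file middlewares come from the file provider (/dynamic.yml in the
      # traefik container); if one is missing Traefik will not serve the router.
      - "traefik.http.routers.api.middlewares=basic-auth@file,security-headers@file,rate-limit@file"

  # Web client, routed by Traefik at the root of APP_DOMAIN.
  client:
    build:
      context: .
      dockerfile: apps/client/Dockerfile
    image: client:prod
    container_name: client
    depends_on:
      - server
    restart: unless-stopped
    env_file:
      - ./apps/client/.env
    environment:
      # Entries here take precedence over the same keys in env_file.
      NODE_ENV: production
      PORT: "${CLIENT_PORT:-3000}"
      # client calls go to /api on same host
      NEXT_PUBLIC_API_URL: "${NEXT_PUBLIC_API_URL:-/api}"
    networks:
      - appnet
    labels:
      - "traefik.enable=true"
      # Must equal the real Docker network name of appnet.
      - "traefik.docker.network=full-stack_appnet"
      # Client router: same host root served by the client on its PORT
      - "traefik.http.routers.client.rule=Host(`${APP_DOMAIN}`) && PathPrefix(`/`)"
      - "traefik.http.routers.client.entrypoints=web,websecure"
      - "traefik.http.routers.client.tls=true"
      - "traefik.http.routers.client.tls.certresolver=le"
      # Follows CLIENT_PORT so the proxy target cannot drift from PORT above.
      - "traefik.http.services.client.loadbalancer.server.port=${CLIENT_PORT:-3000}"
      # Attach security headers and rate limit for client.
      # NOTE(review): unlike the api router, basic-auth is not attached here;
      # confirm the client is meant to be reachable without it in preprod.
      - "traefik.http.routers.client.middlewares=security-headers@file,rate-limit@file"

  # Edge proxy: terminates TLS and routes to server and client via labels.
  traefik:
    image: traefik:v3.1
    container_name: traefik
    # Same policy as the other services; without it the only public entry
    # point stays down after a crash or a Docker daemon restart.
    restart: unless-stopped
    security_opt:
      # Blocks privilege escalation through setuid/setgid binaries.
      - no-new-privileges:true
    command:
      - --providers.docker=true
      # Only containers labelled traefik.enable=true are routed.
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Not published under ports below, but reachable from any container
      # attached to appnet.
      - --entrypoints.metrics.address=:8082
      # Redirect HTTP -> HTTPS
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      # ACME (Let's Encrypt)
      - --certificatesresolvers.le.acme.email=${TRAEFIK_ACME_EMAIL}
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.le.acme.httpchallenge=true
      - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web
      # File provider for dynamic middlewares
      - --providers.file.filename=/dynamic.yml
      # Access logs
      - --accesslog=true
      - --accesslog.format=json
      # Metrics
      - --metrics.prometheus=true
      - --metrics.prometheus.entryPoint=metrics
      # Tracing (OTLP/HTTP). Point to your collector endpoint via env.
      # The default target is plain HTTP to a host named otel-collector, which
      # this file does not define.
      - --tracing=true
      - --tracing.otlp=true
      - --tracing.otlp.http.endpoint=${TRACING_OTLP_HTTP_ENDPOINT:-http://otel-collector:4318}
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # The :ro flag only makes the socket file's mount read-only; the Docker
      # API behind it stays fully usable, so a compromise of this
      # internet-facing container amounts to control of the Docker daemon.
      # Consider placing a filtering socket proxy between Traefik and the
      # daemon and exposing only the read endpoints Traefik needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # ACME account and certificate storage (acme.json).
      - traefik_letsencrypt:/letsencrypt
      # Middleware definitions referenced as <name>@file, mounted read-only.
      - ./containers/traefik/dynamic.yml:/dynamic.yml:ro
    networks:
      - appnet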