mirror of
https://github.com/Crosstalk-Solutions/project-nomad.git
synced 2026-03-31 05:59:26 +02:00
b0d7709a6c
MySQL (3306) and Redis (6379) were published to all host interfaces despite only being accessed by the admin container via Docker's internal network. Redis has no authentication, so anyone on the LAN could connect. Removes the port mappings — containers still communicate internally via Docker service names. Closes #279 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
97 lines
3.0 KiB
YAML
97 lines
3.0 KiB
YAML
name: project-nomad
|
|
services:
|
|
admin:
|
|
image: ghcr.io/crosstalk-solutions/project-nomad:latest
|
|
pull_policy: always
|
|
container_name: nomad_admin
|
|
restart: unless-stopped
|
|
extra_hosts:
|
|
- "host.docker.internal:host-gateway" # Enables host.docker.internal on Linux
|
|
ports:
|
|
- "8080:8080"
|
|
volumes:
|
|
- /opt/project-nomad/storage:/app/storage
|
|
- /tmp/nomad-disk-info.json:/app/storage/nomad-disk-info.json
|
|
- /var/run/docker.sock:/var/run/docker.sock # Allows the admin service to communicate with the Host's Docker daemon
|
|
- ./entrypoint.sh:/usr/local/bin/entrypoint.sh
|
|
- ./wait-for-it.sh:/usr/local/bin/wait-for-it.sh
|
|
- nomad-update-shared:/app/update-shared # Shared volume for update communication
|
|
environment:
|
|
- NODE_ENV=production
|
|
- PORT=8080
|
|
- LOG_LEVEL=debug
|
|
- APP_KEY=replaceme
|
|
- HOST=0.0.0.0
|
|
- URL=replaceme
|
|
- DB_HOST=mysql
|
|
- DB_PORT=3306
|
|
- DB_DATABASE=nomad
|
|
- DB_USER=nomad_user
|
|
- DB_PASSWORD=replaceme
|
|
- DB_NAME=nomad
|
|
- DB_SSL=false
|
|
- REDIS_HOST=redis
|
|
- REDIS_PORT=6379
|
|
depends_on:
|
|
mysql:
|
|
condition: service_healthy
|
|
redis:
|
|
condition: service_healthy
|
|
entrypoint: ["/usr/local/bin/entrypoint.sh"]
|
|
healthcheck:
|
|
test: ["CMD", "curl", "-f", "http://localhost:8080/api/health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
dozzle:
|
|
image: amir20/dozzle:v10.0
|
|
container_name: nomad_dozzle
|
|
restart: unless-stopped
|
|
ports:
|
|
- "9999:8080"
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock # Allows Dozzle to read logs from the Host's Docker daemon
|
|
environment:
|
|
- DOZZLE_ENABLE_ACTIONS=true # Enables the action buttons (restart, stop, etc.)
|
|
- DOZZLE_ENABLE_SHELL=true # Enables web-based shell access
|
|
mysql:
|
|
image: mysql:8.0
|
|
container_name: nomad_mysql
|
|
restart: unless-stopped
|
|
environment:
|
|
- MYSQL_ROOT_PASSWORD=replaceme
|
|
- MYSQL_DATABASE=nomad
|
|
- MYSQL_USER=nomad_user
|
|
- MYSQL_PASSWORD=replaceme
|
|
volumes:
|
|
- /opt/project-nomad/mysql:/var/lib/mysql
|
|
healthcheck:
|
|
test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
redis:
|
|
image: redis:7-alpine
|
|
container_name: nomad_redis
|
|
restart: unless-stopped
|
|
volumes:
|
|
- /opt/project-nomad/redis:/data
|
|
healthcheck:
|
|
test: ["CMD", "redis-cli", "ping"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
updater:
|
|
build:
|
|
context: ./sidecar-updater
|
|
dockerfile: Dockerfile
|
|
container_name: nomad_updater
|
|
restart: unless-stopped
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock # Allows communication with the Host's Docker daemon
|
|
- /opt/project-nomad:/opt/project-nomad # Writable access required so the updater can set the correct image tag in compose.yml
|
|
- nomad-update-shared:/shared # Shared volume for communication with admin container
|
|
|
|
volumes:
|
|
nomad-update-shared:
|
|
driver: local |