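# OntoKit Production Infrastructure Stack
# Run with: docker compose -f compose.prod.yaml up -d
#
# This configuration runs ONLY infrastructure services in Docker.
# Application services (API, frontend) run directly on the host machine.
#
# Use this for:
# - Production deployments where you want more control
# - Development when you want to run the API outside Docker
# - Debugging with hot reload and IDE integration
#
# Required environment (no insecure fallback is provided; `docker compose`
# refuses to start until each one is set, e.g. via a .env file kept out of VCS):
#   POSTGRES_PASSWORD        superuser password of the shared PostgreSQL
#   ZITADEL_DB_PASSWORD      password of the `zitadel` database role
#   MINIO_ROOT_PASSWORD      MinIO root credential
#   ZITADEL_MASTERKEY        Zitadel master key, exactly 32 characters
#   ZITADEL_ADMIN_PASSWORD   initial human admin password
#
# Optional:
#   BIND_ADDRESS    host interface the published ports bind to. Defaults to
#                   127.0.0.1 so the datastores and the plaintext-HTTP Zitadel
#                   endpoints are reachable only from this host, where the API
#                   runs. Set 0.0.0.0 only if a remote client must connect
#                   directly, and then front Zitadel with a TLS proxy.
#   REDIS_PASSWORD  enables Redis AUTH when set; unauthenticated otherwise.
#   *_PORT, *_TAG   port and image-tag overrides. The *_TAG values default to
#                   `latest`; pin them (ideally by digest) for production.
services:
  # ============================================================================
  # PostgreSQL Database (shared by Zitadel and OntoKit API)
  # ============================================================================
  postgres:
    image: postgres:17-alpine
    container_name: ontokit-postgres
    restart: unless-stopped
    environment:
      POSTGRES_USER: postgres
      # No default: a guessable superuser password on a published port is the
      # easiest way for a "prod" stack to be taken over.
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
      POSTGRES_DB: postgres
      # Role used by pg_isready in the healthcheck below.
      PGUSER: postgres
    ports:
      # Loopback by default; see BIND_ADDRESS in the header.
      - "${BIND_ADDRESS:-127.0.0.1}:${POSTGRES_PORT:-5432}:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
      # Executed only when the data directory is first initialised; the
      # healthcheck assumes it creates the `zitadel` and `ontokit` databases.
      - ./scripts/init-db.sh:/docker-entrypoint-initdb.d/init-db.sh:ro
    healthcheck:
      # pg_isready only verifies the server accepts connections for the named
      # database; it does not authenticate the role it is given.
      test: ["CMD-SHELL", "pg_isready -d zitadel -U postgres && pg_isready -d ontokit -U ontokit"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - ontokit

  # ============================================================================
  # Redis for caching and pub/sub
  # ============================================================================
  redis:
    image: redis:7-alpine
    container_name: ontokit-redis
    restart: unless-stopped
    # AOF persistence; AUTH is enforced only when REDIS_PASSWORD is set. The
    # password is then part of the process command line (docker inspect / ps).
    command: redis-server --appendonly yes ${REDIS_PASSWORD:+--requirepass $REDIS_PASSWORD}
    ports:
      - "${BIND_ADDRESS:-127.0.0.1}:${REDIS_PORT:-6379}:6379"
    volumes:
      - redis_data:/data
    healthcheck:
      # Once --requirepass is active an unauthenticated PING is answered with
      # NOAUTH instead of PONG, so the probe authenticates when a password is
      # configured (same interpolation form as `command`) and greps for the
      # success reply instead of trusting redis-cli's exit status.
      test: ["CMD-SHELL", "redis-cli ${REDIS_PASSWORD:+-a $REDIS_PASSWORD} ping | grep -q PONG"]
      interval: 5s
      timeout: 5s
      retries: 5
    networks:
      - ontokit

  # ============================================================================
  # MinIO for object storage
  # ============================================================================
  minio:
    # `latest` is a moving target; set MINIO_TAG to a release for production.
    image: minio/minio:${MINIO_TAG:-latest}
    container_name: ontokit-minio
    restart: unless-stopped
    command: server /data --console-address ":9001"
    environment:
      MINIO_ROOT_USER: ${MINIO_ROOT_USER:-minio}
      # No default: the root credential grants full control of every bucket.
      MINIO_ROOT_PASSWORD: "${MINIO_ROOT_PASSWORD:?MINIO_ROOT_PASSWORD must be set}"
    ports:
      - "${BIND_ADDRESS:-127.0.0.1}:${MINIO_API_PORT:-9000}:9000"
      - "${BIND_ADDRESS:-127.0.0.1}:${MINIO_CONSOLE_PORT:-9001}:9001"
    volumes:
      - minio_data:/data
    healthcheck:
      test: ["CMD", "mc", "ready", "local"]
      interval: 5s
      timeout: 5s
      retries: 5
    networks:
      - ontokit

  # ============================================================================
  # Zitadel Identity Provider
  # ============================================================================
  zitadel:
    # Pin ZITADEL_TAG for production; identity-provider upgrades should be
    # deliberate, not whatever `latest` resolved to at restart time.
    image: ghcr.io/zitadel/zitadel:${ZITADEL_TAG:-latest}
    container_name: ontokit-zitadel
    restart: unless-stopped
    # The master key must be exactly 32 characters and must stay the same for
    # the lifetime of the instance. Passed as an argument, it is visible in
    # `docker inspect`; Zitadel also accepts the key from a file or the
    # environment if that is a concern for your host.
    command: 'start-from-init --masterkey "${ZITADEL_MASTERKEY:?ZITADEL_MASTERKEY must be set (32 characters)}"'
    environment:
      # External identity. Behind a TLS-terminating proxy set ZITADEL_DOMAIN to
      # the public host name and ZITADEL_SECURE=true so Zitadel treats its
      # external endpoint as HTTPS; ZITADEL_TLS stays false in that setup
      # because the proxy, not Zitadel, holds the certificate.
      ZITADEL_EXTERNALDOMAIN: ${ZITADEL_DOMAIN:-localhost}
      ZITADEL_EXTERNALSECURE: "${ZITADEL_SECURE:-false}"
      ZITADEL_TLS_ENABLED: "${ZITADEL_TLS:-false}"
      # Database configuration. sslmode=disable is tolerable only because the
      # connection never leaves the `ontokit` bridge network on this host;
      # revisit it if PostgreSQL is ever moved elsewhere.
      ZITADEL_DATABASE_POSTGRES_HOST: postgres
      ZITADEL_DATABASE_POSTGRES_PORT: "5432"
      ZITADEL_DATABASE_POSTGRES_DATABASE: zitadel
      ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME: postgres
      ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
      ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE: disable
      ZITADEL_DATABASE_POSTGRES_USER_USERNAME: zitadel
      ZITADEL_DATABASE_POSTGRES_USER_PASSWORD: "${ZITADEL_DB_PASSWORD:?ZITADEL_DB_PASSWORD must be set}"
      ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE: disable
      # Login V2 configuration. The PAT written here is a long-lived bearer
      # credential (expires 2030) stored on the zitadel_data volume and read
      # by the `login` service; treat the volume as secret material.
      ZITADEL_FIRSTINSTANCE_LOGINCLIENTPATPATH: /zitadel-data/login-client.pat
      ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORDCHANGEREQUIRED: "${ZITADEL_REQUIRE_PASSWORD_CHANGE:-true}"
      ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_MACHINE_USERNAME: login-client
      ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_MACHINE_NAME: Login V2 Client
      ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_PAT_EXPIRATIONDATE: '2030-01-01T00:00:00Z'
      # Enable Login V2
      ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_REQUIRED: "true"
      ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_BASEURI: ${ZITADEL_LOGIN_URL:-http://localhost:8081}/ui/v2/login
      ZITADEL_OIDC_DEFAULTLOGINURLV2: ${ZITADEL_LOGIN_URL:-http://localhost:8081}/ui/v2/login/login?authRequest=
      ZITADEL_OIDC_DEFAULTLOGOUTURLV2: ${ZITADEL_LOGIN_URL:-http://localhost:8081}/ui/v2/login/logout?post_logout_redirect=
      ZITADEL_SAML_DEFAULTLOGINURLV2: ${ZITADEL_LOGIN_URL:-http://localhost:8081}/ui/v2/login/login?samlRequest=
      # Admin machine user. Same caveat as above: admin.pat on the volume is an
      # administrative bearer token valid until 2030.
      ZITADEL_FIRSTINSTANCE_PATPATH: /zitadel-data/admin.pat
      ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME: api-admin
      ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME: API Admin Machine User
      ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_EXPIRATIONDATE: '2030-01-01T00:00:00Z'
      # Human admin user. No default password; PASSWORDCHANGEREQUIRED above
      # still forces a rotation on first login.
      ZITADEL_FIRSTINSTANCE_ORG_NAME: ${ZITADEL_ORG_NAME:-OntoKit}
      ZITADEL_FIRSTINSTANCE_ORG_HUMAN_USERNAME: ${ZITADEL_ADMIN_USER:-admin}
      ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORD: "${ZITADEL_ADMIN_PASSWORD:?ZITADEL_ADMIN_PASSWORD must be set}"
      # Logging (reduce in production)
      ZITADEL_LOG_LEVEL: ${ZITADEL_LOG_LEVEL:-info}
      ZITADEL_LOGSTORE_ACCESS_STDOUT_ENABLED: "${ZITADEL_ACCESS_LOG:-false}"
    healthcheck:
      test: ["CMD", "/app/zitadel", "ready"]
      interval: 10s
      timeout: 60s
      retries: 5
      start_period: 10s
    # Runs as root, presumably so the PAT files can be written into the named
    # volume whatever its ownership. Dropping this needs the volume owned by
    # the image's unprivileged uid — TODO(review) confirm and do so.
    user: "0"
    volumes:
      - zitadel_data:/zitadel-data
    ports:
      # Plaintext HTTP unless ZITADEL_TLS is enabled: loopback by default so a
      # TLS-terminating proxy on this host is the only public entry point.
      - "${BIND_ADDRESS:-127.0.0.1}:${ZITADEL_PORT:-8080}:8080"
      # Container port 3000 belongs to the `login` service, which shares this
      # network namespace (network_mode: service:zitadel).
      - "${BIND_ADDRESS:-127.0.0.1}:${ZITADEL_LOGIN_PORT:-8081}:3000"
    networks:
      - ontokit
    depends_on:
      postgres:
        condition: service_healthy

  # Login V2 - Next.js based login UI
  login:
    image: ghcr.io/zitadel/zitadel-login:${ZITADEL_LOGIN_TAG:-latest}
    container_name: ontokit-zitadel-login
    restart: unless-stopped
    environment:
      # localhost resolves to the zitadel container because of the shared
      # network namespace below.
      ZITADEL_API_URL: ${ZITADEL_URL:-http://localhost:8080}
      NEXT_PUBLIC_BASE_PATH: /ui/v2/login
      # Authenticates to Zitadel with the login-client PAT written at init.
      ZITADEL_SERVICE_USER_TOKEN_FILE: /zitadel-data/login-client.pat
      EMAIL_VERIFICATION: "true"
    healthcheck:
      test:
        - CMD
        - node
        - -e
        - "const http = require('http'); const req = http.get('http://localhost:3000/ui/v2/login', (res) => { process.exit(res.statusCode === 200 ? 0 : 1); }); req.on('error', () => process.exit(1)); req.setTimeout(5000, () => { req.destroy(); process.exit(1); });"
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    # Shares zitadel's network namespace; its port is published on the
    # zitadel service, and it must not declare `networks` of its own.
    network_mode: service:zitadel
    # Root only to read the PAT on the root-owned volume; same TODO as zitadel.
    user: "0"
    volumes:
      - zitadel_data:/zitadel-data:ro
    depends_on:
      zitadel:
        condition: service_healthy
        restart: false

networks:
  ontokit:
    driver: bridge

volumes:
  postgres_data:
  redis_data:
  minio_data:
  zitadel_data: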