-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcompose.base.yaml
173 lines (156 loc) · 5.48 KB
/
compose.base.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
# TODO: Fix logging; it's too messy; some services write
# their logs to stdout/stderr, some to file and some to
# both. Make it cleaner smh :/
#
# TODO: Make the configs as concise as possible (a job for
# later). This includes the compose yaml files as well as
# the global config modules (config_dev.py and config_prod.py).
# They are the messiest things on this project.
services:
web:
build:
# The web and the result processor share most of their codes,
# so we have them both in the same Dockerfile with different
# target build stages to stop at for each one.
context: .
target: web
environment:
POSTGRES_HOST: db
DJANGO_SECRET_KEY: ${DJANGO_SECRET_KEY}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
EMAIL_HOST_PASSWORD: ${EMAIL_HOST_PASSWORD}
healthcheck:
test: ["CMD", "nc", "-z", "localhost", "8000"]
interval: 1m30s
timeout: 30s
retries: 5
start_period: 5s # just to be sure
start_interval: 1s
expose:
- 8000
volumes:
# Used for 'collectstatic'.
- ./static/:/main/static/
- ./staticfiles/:/main/staticfiles/
depends_on:
redis:
condition: service_healthy
db:
condition: service_healthy
# Currently only for production.
nginx:
build:
context: nginx/
volumes:
- ./staticfiles/:/srv/staticfiles/
environment:
APP_HOSTNAME: web
ports:
- 80:80
- 443:443
depends_on:
web:
condition: service_healthy
# For WebSockets. Later ...
# async_web:
# ...
redis:
build:
context: redis/
healthcheck:
test: ["CMD-SHELL", "redis-cli", "ping"]
interval: 1m30s
timeout: 30s
retries: 5
start_period: 5s # just to be sure
start_interval: 1s
db:
image: postgres:16
# See:
# - https://github.com/docker-library/docs/blob/master/postgres/content.md#docker-secrets
# - https://github.com/docker-library/postgres/issues/175
#
# The following env vars are NOT going to be used for production; they
# are merely there to set the initial superuser for the database. For
# production, a proper user with strict permissions must be created
# after postgres is set up. Finally note that none of these affect the
# "system" user "postgers", which will be the owner of the volumes and
# database files, which we rather not change.
#
# Regardless of what user we use for production, I think it's better
# to use some other username than the default 'postgres' for the initial
# superuser; this way, it would be safer against a brute-force trial of
# passwords for the infamous username 'postgres'.
environment:
POSTGRES_PASSWORD: ${PG_SUPERUSER_PASSWORD}
POSTGRES_USER: ${PG_SUPERUSER_USER}
# Both for development and production. This user must be the owner of
# the volumes and database files, no matter what the username of the
# superuser "database" user will be. Yes: the default name for the
# initial database superuser is "postgres", which we can change using
# the provided environment variables (see above), and that's separate
# from the system user that will own the files and run the DB server.
# This username *can* be changed, but there is not much point to it
# to my current knowledge (and it's just a labour).
user: postgres
healthcheck:
# The "-U ..." isn't really necessary; if we don't do it
# and the default username 'postgres' is not a user, then
# it would complain in the logs that "role 'postgres' does
# not exist". So we keep it here. Also, I don't know why,
# but using CMD-SHELL instead of CMD still causes this
# issue (search later why that is).
test: ["CMD", "/usr/bin/pg_isready", "-U", "${PG_SUPERUSER_USER}"]
interval: 1m30s
timeout: 30s
retries: 5
start_period: 5s # just to be sure
start_interval: 1s
simulator:
build:
context: simulator/
additional_contexts:
project_root: .
volumes:
# Docker unix socket
- /var/run/docker.sock:/var/run/docker.sock
depends_on:
redis:
condition: service_healthy
# This services is rather special; it needs high levels of
# permission, as if it's a daemon in the host machine running
# as root. It has to share the same PID namespace with the
# host, so that the PID namespace of the coderunner containers
# that are created in the host are children of the PID namespace
# of this container (which is host's). Docker also applies a
# default apparmor profile to all the containers, so we have to
# disable the apparmor here to allow ptrace(). We also need the
# certain capabilities, as specified below.
pid: host
user: root
cap_add:
- CAP_SYS_PTRACE # for ptrace()
- CAP_SYS_RESOURCE # for setrlimit()
security_opt:
- apparmor=unconfined
result_processor:
build:
# The web and the result processor share most of their codes,
# so we have them both in the same Dockerfile with different
# target build stages to stop at for each one.
context: .
target: result_processor
environment:
POSTGRES_HOST: db
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
depends_on:
redis:
condition: service_healthy
db:
condition: service_healthy
volumes:
redis_sock_dir:
postgres_data:
external: true
uploaded_files:
external: true