# Example compose file for production deployment on Linux.
#
# Note: This file is meant to serve as a template. Please modify it
# according to your needs. Read more about Docker Compose:
#
# https://docs.docker.com/compose/compose-file/
#
#
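# Shared `deploy:` stanza, merged into every service below via `<<: *default-deploy`.
# The merge is shallow: a service that sets its own `update_config` replaces
# this whole sub-mapping rather than overriding a single key.
x-deploy: &default-deploy
  restart_policy:
    # NOTE(review): `unless-stopped` is the engine `restart:` value, not one of the
    # Compose-spec conditions (`none` / `on-failure` / `any`). Compose v2 passes it
    # through to the engine; a swarm `docker stack deploy` would reject it — confirm
    # against the deployer actually used.
    condition: unless-stopped
    # `delay` / `window` and `update_config` are swarm-only settings; a plain
    # `docker compose up` ignores them.
    delay: 5s
    window: 120s
  update_config:
    order: start-first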
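# Compose v2 (Compose Specification) ignores `version` and warns that it is
# obsolete; it is kept here for the legacy docker-compose v1 CLI, which expects it.
version: '3.7'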
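services:
  # TLS-terminating reverse proxy in front of the Firezone web UI.
  caddy:
    image: caddy:2
    volumes:
      # Persists Caddy's certificate store across container restarts.
      - "${FZ_INSTALL_DIR:-.}/caddy:/data/caddy"
    # See Caddy's documentation for customizing this line
    # https://caddyserver.com/docs/quick-starts/reverse-proxy
    #
    # The Caddyfile is written via a shell heredoc at container start; the
    # `${...}` placeholders are expanded by Compose (from .env / the shell
    # environment) before the script reaches /bin/sh.
    command:
      - /bin/sh
      - -c
      - |
        cat <<EOF > /etc/caddy/Caddyfile && caddy run --config /etc/caddy/Caddyfile
        https:// {
          log
          reverse_proxy * 172.25.0.100:${PHOENIX_PORT:-13000}
          ${TLS_OPTS:-}
        }
        EOF
    # Host networking puts Caddy's listeners directly on the host's interfaces
    # (no `ports:` mapping) and lets it reach firezone at its static bridge
    # address 172.25.0.100 without joining firezone-network itself.
    network_mode: "host"
    deploy:
      <<: *default-deploy

  # The Firezone server: WireGuard endpoint, firewall management and web UI.
  firezone:
    # NOTE(review): defaulting VERSION to `latest` makes deployments
    # non-reproducible — each pull may yield a different image. Pin a specific
    # release (ideally by digest) in .env for production.
    image: "firezone/firezone:${VERSION:-latest}"
    ports:
      # Only the WireGuard UDP port is published; the web UI stays behind Caddy.
      - "${WIREGUARD_PORT:-51820}:${WIREGUARD_PORT:-51820}/udp"
    env_file:
      # This should contain a list of env vars for configuring Firezone.
      # See https://www.firezone.dev/docs/reference/env-vars for more info.
      # It also supplies DATABASE_PASSWORD and other secrets, so keep it out
      # of version control and readable only by the deploying user.
      - "${FZ_INSTALL_DIR:-.}/.env"
    volumes:
      # IMPORTANT: Persists WireGuard private key and other data. If
      # /var/firezone/private_key exists when Firezone starts, it is
      # used as the WireGuard private key. Otherwise, one is generated.
      - "${FZ_INSTALL_DIR:-.}/firezone:/var/firezone"
    cap_add:
      # Needed for WireGuard and firewall support.
      - NET_ADMIN
      # NOTE(review): SYS_MODULE lets the container load kernel modules, which
      # is effectively host-root. It is only required where the wireguard
      # module is not already built in (kernels older than 5.6); confirm on the
      # target host and drop it if it is not needed.
      - SYS_MODULE
    sysctls:
      # Needed for masquerading and NAT.
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
    depends_on:
      # NOTE(review): short-form depends_on only orders container *start*; it
      # does not wait for Postgres to accept connections. If startup races are
      # observed, add a `healthcheck` to postgres and use the long form with
      # `condition: service_healthy`.
      - postgres
    networks:
      firezone-network:
        # Must match the `reverse_proxy` target in the Caddyfile above.
        ipv4_address: 172.25.0.100
        ipv6_address: "2001:3990:3990::99"
    deploy:
      <<: *default-deploy

  # Backing database. It publishes no `ports:`, so it is reachable only from
  # containers on firezone-network.
  postgres:
    image: postgres:15
    volumes:
      - postgres-data:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: "${DATABASE_NAME:-firezone}"
      POSTGRES_USER: "${DATABASE_USER:-postgres}"
      # `:?err` makes Compose refuse to start if DATABASE_PASSWORD is unset,
      # so the database can never come up with an empty password.
      POSTGRES_PASSWORD: "${DATABASE_PASSWORD:?err}"
    networks:
      - firezone-network
    deploy:
      <<: *default-deploy
      # Overrides the whole `update_config` mapping from the anchor (shallow merge).
      update_config:
        order: stop-first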
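# Postgres needs a named volume to prevent permission issues on non-Linux platforms.
volumes:
  # Empty mapping: default local driver, no options.
  postgres-data: {}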
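networks:
  # Dual-stack bridge shared by firezone and postgres; firezone's static
  # addresses below are drawn from these subnets.
  firezone-network:
    enable_ipv6: true
    driver: bridge
    ipam:
      config:
        - subnet: 172.25.0.0/16
        # NOTE(review): 2001:3990:3990::/64 lies in globally-routable 2001::/16
        # space rather than a ULA prefix (fc00::/7). It is only used on the
        # bridge, but a ULA prefix would avoid colliding with real upstream
        # routes — confirm this is intentional for the deployment.
        - subnet: "2001:3990:3990::/64"
          gateway: "2001:3990:3990::1"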