version: '3.9' x-mayan-container: &mayan-container env_file: .env environment: MAYAN_CELERY_BROKER_URL: amqp://${MAYAN_RABBITMQ_USER:-mayan}:${MAYAN_RABBITMQ_PASSWORD:-mayanrabbitpass}@rabbitmq:5672/${MAYAN_RABBITMQ_VHOST:-mayan} MAYAN_CELERY_RESULT_BACKEND: redis://:${MAYAN_REDIS_PASSWORD:-mayanredispassword}@redis:6379/1 MAYAN_DATABASES: "{'default':{'ENGINE':'django.db.backends.postgresql','NAME':'${MAYAN_DATABASE_NAME:-mayan}','PASSWORD':'${MAYAN_DATABASE_PASSWORD:-mayandbpass}','USER':'${MAYAN_DATABASE_USER:-mayan}','HOST':'${MAYAN_DATABASE_HOST:-postgresql}'} }" MAYAN_LOCK_MANAGER_BACKEND: mayan.apps.lock_manager.backends.redis_lock.RedisLock MAYAN_LOCK_MANAGER_BACKEND_ARGUMENTS: "{'redis_url':'redis://:${MAYAN_REDIS_PASSWORD:-mayanredispassword}@redis:6379/2'}" image: ${MAYAN_DOCKER_IMAGE_NAME:-mayanedms/mayanedms}:${MAYAN_DOCKER_IMAGE_TAG:-s4.4} networks: - mayan restart: unless-stopped volumes: - ${MAYAN_APP_VOLUME:-app}:/var/lib/mayan # Optional volumes to access external data like staging or watch folders # - /opt/staging_folder:/staging_folder # - /opt/watch_folder:/watch_folder x-mayan-traefik-labels: &mayan-traefik-labels labels: - "traefik.enable=${MAYAN_TRAEFIK_FRONTEND_ENABLE:-false}" - "traefik.http.middlewares.mayan_frontend_http_redirect.redirectscheme.scheme=https" - "traefik.http.middlewares.mayan_frontend_http_redirect.redirectscheme.permanent=false" - "traefik.http.routers.mayan_frontend_http.entrypoints=http" - "traefik.http.routers.mayan_frontend_http.middlewares=mayan_frontend_http_redirect" - "traefik.http.routers.mayan_frontend_http.rule=Host(`${MAYAN_TRAEFIK_EXTERNAL_DOMAIN}`)" - "traefik.http.routers.mayan_frontend_https.entrypoints=https" - "traefik.http.routers.mayan_frontend_https.rule=Host(`${MAYAN_TRAEFIK_EXTERNAL_DOMAIN}`)" - "traefik.http.routers.mayan_frontend_https.service=mayan_frontend_http" - "traefik.http.routers.mayan_frontend_https.tls=true" - "traefik.http.routers.mayan_frontend_https.tls.certresolver=letsencrypt" - "traefik.http.services.mayan_frontend_http.loadbalancer.server.port=8000" x-mayan-frontend-ports: &mayan-frontend-ports # Disable ports if using Traefik. Set to an empty list `[]`. ports: - "${MAYAN_FRONTEND_HTTP_PORT:-80}:8000" # [] networks: keycloak: driver: bridge # Change to true when using Traefik for increased security. internal: false mayan: driver: bridge # Change to true when using Traefik for increased security. internal: false traefik: {} services: app: <<: [*mayan-container,*mayan-traefik-labels,*mayan-frontend-ports] profiles: - all_in_one elasticsearch: environment: - bootstrap.memory_lock=true - discovery.type=single-node - http.max_content_length=400mb - xpack.security.enabled=true - "ES_JAVA_OPTS=-Xms512m -Xmx512m" - ELASTIC_PASSWORD=${MAYAN_ELASTICSEARCH_PASSWORD:-mayanespassword} image: ${MAYAN_DOCKER_ELASTICSEARCH_IMAGE:-elasticsearch}:${MAYAN_DOCKER_ELASTICSEARCH_TAG:-7.17.9} networks: - mayan # Enable to allow external access to the database. # ports: # - "9200:9200" profiles: - elasticsearch restart: unless-stopped ulimits: memlock: soft: -1 hard: -1 volumes: - ${MAYAN_ELASTICSEARCH_VOLUME:-elasticsearch}:/usr/share/elasticsearch/data keycloak: command: - start environment: KEYCLOAK_ADMIN: ${MAYAN_KEYCLOAK_ADMIN:-admin} KEYCLOAK_ADMIN_PASSWORD: ${MAYAN_KEYCLOAK_ADMIN_PASSWORD:-admin} KC_DB: postgres KC_DB_PASSWORD: ${MAYAN_KEYCLOAK_DATABASE_PASSWORD:-keycloakdbpass} KC_DB_URL_DATABASE: ${MAYAN_KEYCLOAK_DATABASE_NAME:-keycloak} KC_DB_URL_HOST: keycloak-postgres KC_DB_USERNAME: ${MAYAN_DATABASE_KEYCLOAK_USER:-keycloak} KC_HOSTNAME_URL: http://127.0.0.1:8081/ KC_HOSTNAME_STRICT: false KC_HTTP_ENABLED: true image: ${MAYAN_DOCKER_KEYCLOAK_IMAGE:-keycloak/keycloak}:${MAYAN_DOCKER_KEYCLOAK_TAG:-20.0.1} labels: - "traefik.enable=${MAYAN_TRAEFIK_KEYCLOAK_ENABLE:-false}" - "traefik.http.middlewares.keycloak_http_redirect.redirectscheme.scheme=https" - "traefik.http.middlewares.keycloak_http_redirect.redirectscheme.permanent=false" - "traefik.http.routers.keycloak_http.entrypoints=http" - "traefik.http.routers.keycloak_http.middlewares=keycloak_http_redirect" - "traefik.http.routers.keycloak_http.rule=Host(`${MAYAN_TRAEFIK_EXTERNAL_DOMAIN}`)" - "traefik.http.routers.keycloak_https.entrypoints=https" - "traefik.http.routers.keycloak_https.rule=Host(`${MAYAN_TRAEFIK_EXTERNAL_DOMAIN}`)" - "traefik.http.routers.keycloak_https.service=keycloak_http" - "traefik.http.routers.keycloak_https.tls=true" - "traefik.http.routers.keycloak_https.tls.certresolver=letsencrypt" - "traefik.http.services.keycloak_http.loadbalancer.server.port=${MAYAN_TRAEFIK_KEYCLOAK_HTTP_PORT:-8081}" networks: - keycloak - mayan # Disable ports if using Traefik. ports: - "${MAYAN_TRAEFIK_KEYCLOAK_HTTP_PORT:-8081}:${MAYAN_TRAEFIK_KEYCLOAK_HTTP_PORT:-8081}" profiles: - keycloak restart: unless-stopped keycloak-postgres: environment: POSTGRES_DB: ${MAYAN_KEYCLOAK_DATABASE_NAME:-keycloak} POSTGRES_PASSWORD: ${MAYAN_KEYCLOAK_DATABASE_PASSWORD:-keycloakdbpass} POSTGRES_USER: ${MAYAN_DATABASE_KEYCLOAK_USER:-keycloak} image: postgres:${MAYAN_DOCKER_KEYCLOAK_POSTGRES_TAG:-13.8-alpine} networks: - keycloak profiles: - keycloak_postgresql restart: unless-stopped volumes: - ${MAYAN_KEYCLOAK_POSTGRES_VOLUME:-keycloak-postgres}:/var/lib/postgresql/data postgresql: command: - "postgres" - "-c" - "checkpoint_completion_target=0.6" - "-c" - "default_statistics_target=200" - "-c" - "maintenance_work_mem=128MB" - "-c" - "max_connections=150" - "-c" - "shared_buffers=256MB" - "-c" - "work_mem=8MB" environment: POSTGRES_DB: ${MAYAN_DATABASE_NAME:-mayan} POSTGRES_PASSWORD: ${MAYAN_DATABASE_PASSWORD:-mayandbpass} POSTGRES_USER: ${MAYAN_DATABASE_USER:-mayan} image: ${MAYAN_DOCKER_POSTGRES_IMAGE:-postgres}:${MAYAN_DOCKER_POSTGRES_TAG:-13.10-alpine} networks: - mayan # Enable to allow external access to the database. # ports: # - "5432:5432" profiles: - postgresql restart: unless-stopped volumes: - ${MAYAN_POSTGRES_VOLUME:-postgres}:/var/lib/postgresql/data redis: command: - redis-server - --appendonly - "no" - --databases - "3" - --maxmemory - "100mb" - --maxclients - "500" - --maxmemory-policy - "allkeys-lru" - --save - "" - --tcp-backlog - "256" - --requirepass - "${MAYAN_REDIS_PASSWORD:-mayanredispassword}" image: ${MAYAN_DOCKER_REDIS_IMAGE:-redis}:${MAYAN_DOCKER_REDIS_TAG:-7.0.10-alpine} networks: - mayan profiles: - redis restart: unless-stopped volumes: - ${MAYAN_REDIS_VOLUME:-redis}:/data # Run a frontend gunicorn container frontend: <<: [*mayan-container,*mayan-traefik-labels,*mayan-frontend-ports] command: - run_frontend profiles: - extra_frontend # Enable to run standalone workers mountindex: <<: *mayan-container cap_add: - SYS_ADMIN devices: - "/dev/fuse:/dev/fuse" entrypoint: - /bin/sh - -c - 'mkdir --parents /mnt/index && chown mayan:mayan /mnt/index && /usr/local/bin/entrypoint.sh run_command "mirroring_mount_index --allow-other creation_date /mnt/index"' # Replace "creation_date" with the index of your choice. profiles: - mountindex security_opt: - apparmor:unconfined volumes: - type: bind source: /mnt/mayan_indexes/creation_date # Host location where the index will show up. target: /mnt/index # Location inside the container where the index will be mounted. Must the same is in the "entrypoint" section. bind: propagation: shared # Run a separate class A worker worker_a: <<: *mayan-container command: - run_worker - worker_a - "--prefetch-multiplier=1" profiles: - extra_worker_a # Run a separate class B worker worker_b: <<: *mayan-container command: - run_worker - worker_b - "--prefetch-multiplier=1" profiles: - extra_worker_b # Run a separate class C worker worker_c: <<: *mayan-container command: - run_worker - worker_c - "--prefetch-multiplier=1" profiles: - extra_worker_c # Run a separate class D worker worker_d: <<: *mayan-container command: - run_worker - worker_d - "--concurrency=1 --prefetch-multiplier=1" profiles: - extra_worker_d worker_custom_queue: <<: *mayan-container command: - /bin/sh - -c - 'MAYAN_QUEUE_LIST=${MAYAN_WORKER_CUSTOM_QUEUE_LIST} /usr/local/bin/run_worker.sh --prefetch-multiplier=1' profiles: - extra_worker_custom # Run a separate Celery beat container celery_beat: <<: *mayan-container command: - run_celery - "beat --pidfile= --loglevel=ERROR" profiles: - extra_celery_beat setup_or_upgrade: <<: *mayan-container command: - run_initial_setup_or_perform_upgrade profiles: - extra_setup_or_upgrade restart: "no" rabbitmq: image: ${MAYAN_DOCKER_RABBITMQ_IMAGE:-rabbitmq}:${MAYAN_DOCKER_RABBITMQ_TAG:-3.11.13-management-alpine} environment: RABBITMQ_DEFAULT_USER: ${MAYAN_RABBITMQ_USER:-mayan} RABBITMQ_DEFAULT_PASS: ${MAYAN_RABBITMQ_PASSWORD:-mayanrabbitpass} RABBITMQ_DEFAULT_VHOST: ${MAYAN_RABBITMQ_VHOST:-mayan} labels: - "traefik.enable=${MAYAN_TRAEFIK_RABBITMQ_ENABLE:-false}" - "traefik.http.routers.rabbitmq_admin_http.entrypoints=rabbitmq_admin_http" - "traefik.http.routers.rabbitmq_admin_http.rule=Host(`${MAYAN_TRAEFIK_EXTERNAL_DOMAIN}`)" - "traefik.http.routers.rabbitmq_admin_http.service=rabbitmq_admin_http" - "traefik.http.routers.rabbitmq_admin_http.tls=true" - "traefik.http.routers.rabbitmq_admin_http.tls.certresolver=letsencrypt" - "traefik.http.services.rabbitmq_admin_http.loadbalancer.server.port=15672" networks: - mayan # Enable to allow access to the administration interface. # ports: # - "${MAYAN_RABBITMQ_ADMIN_PORT:-15672}:15672" profiles: - rabbitmq restart: unless-stopped volumes: - ${MAYAN_RABBITMQ_VOLUME:-rabbitmq}:/var/lib/rabbitmq traefik: container_name: "traefik" command: # - "--log.level=DEBUG" - "--api.dashboard=true" - "--api.insecure=${MAYAN_TRAEFIK_API_INSECURE:-false}" - "--certificatesresolvers.letsencrypt.acme.caserver=${MAYAN_TRAEFIK_LETS_ENCRYPT_SERVER:-https://acme-staging-v02.api.letsencrypt.org/directory}" - "--certificatesresolvers.letsencrypt.acme.dnschallenge=${MAYAN_TRAEFIK_LETS_ENCRYPT_DNS_CHALLENGE:-false}" - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=${MAYAN_TRAEFIK_LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER}" - "--certificatesresolvers.letsencrypt.acme.email=${MAYAN_TRAEFIK_LETS_ENCRYPT_EMAIL}" - "--certificatesresolvers.letsencrypt.acme.storage=/traefik-certificates-letsencrypt/acme.json" - "--certificatesresolvers.letsencrypt.acme.tlschallenge=${MAYAN_TRAEFIK_LETS_ENCRYPT_TLS_CHALLENGE:-false}" - "--entrypoints.http.address=:80" - "--entrypoints.https.address=:443" - "--entrypoints.keycloak_http.address=:${MAYAN_TRAEFIK_KEYCLOAK_HTTP_PORT:-8081}" - "--entrypoints.rabbitmq_admin_http.address=:15672" - "--entrypoints.traefik_dashboard_http.address=:8080" - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" # - Add DNS provider variables (https://doc.traefik.io/traefik/https/acme/#providers) # environment: image: ${MAYAN_DOCKER_TRAEFIK_IMAGE:-traefik}:${MAYAN_DOCKER_TRAEFIK_TAG:-v2.5} labels: - "traefik.enable=${MAYAN_TRAEFIK_DASHBOARD_ENABLE:-false}" - "traefik.http.middlewares.basic-auth-global.basicauth.users=${MAYAN_TRAEFIK_DASHBOARD_AUTHENTICATION}" - "traefik.http.routers.traefik_https.entrypoints=traefik_dashboard_http" - "traefik.http.routers.traefik_https.middlewares=basic-auth-global" - "traefik.http.routers.traefik_https.rule=Host(`${MAYAN_TRAEFIK_EXTERNAL_DOMAIN}`)" - "traefik.http.routers.traefik_https.service=api@internal" - "traefik.http.routers.traefik_https.tls=true" - "traefik.http.routers.traefik_https.tls.certresolver=letsencrypt" networks: - mayan - traefik ports: - "${MAYAN_RABBITMQ_ADMIN_HTTP_PORT:-15672}:15672" - "${MAYAN_TRAEFIK_DASHBOARD_HTTP_PORT:-8080}:8080" - "${MAYAN_TRAEFIK_KEYCLOAK_HTTP_PORT:-8081}:8081" - "${MAYAN_TRAEFIK_HTTP_PORT:-80}:80" - "${MAYAN_TRAEFIK_HTTPS_PORT:-443}:443" profiles: - traefik restart: unless-stopped volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - ${MAYAN_TRAEFIK_LETSENCRYPT_VOLUME:-traefik-certificates-letsencrypt}:/traefik-certificates-letsencrypt volumes: app: elasticsearch: keycloak-postgres: postgres: mountindex: rabbitmq: redis: traefik-certificates-letsencrypt: