# Informational only under the Compose Specification.
version: '3.9'

# Settings shared by every Mayan EDMS container; services pull them in with
# the `<<: *mayan-container` merge key.
#
# Every `${VAR:-default}` below falls back to the literal after `:-` when VAR
# is unset. The password fallbacks are therefore fixed, publicly known values:
# override each of them in `.env` before the stack is reachable by anyone else.
x-mayan-container: &mayan-container
  env_file: .env
  environment:
    # RabbitMQ credentials are embedded in the broker URL.
    # NOTE(review): a password containing URL-reserved characters such as
    # '@' or '/' presumably needs percent-encoding here; confirm.
    MAYAN_CELERY_BROKER_URL: amqp://${MAYAN_RABBITMQ_USER:-mayan}:${MAYAN_RABBITMQ_PASSWORD:-mayanrabbitpass}@rabbitmq:5672/${MAYAN_RABBITMQ_VHOST:-mayan}
    # Redis database 1 holds Celery results, database 2 (below) holds locks.
    MAYAN_CELERY_RESULT_BACKEND: redis://:${MAYAN_REDIS_PASSWORD:-mayanredispassword}@redis:6379/1
    # The value is a dictionary literal with the database password substituted
    # into it as text.
    # NOTE(review): a password containing a single quote would break the
    # literal; confirm how the consumer parses it.
    MAYAN_DATABASES: "{'default':{'ENGINE':'django.db.backends.postgresql','NAME':'${MAYAN_DATABASE_NAME:-mayan}','PASSWORD':'${MAYAN_DATABASE_PASSWORD:-mayandbpass}','USER':'${MAYAN_DATABASE_USER:-mayan}','HOST':'${MAYAN_DATABASE_HOST:-postgresql}'} }"
    MAYAN_LOCK_MANAGER_BACKEND: mayan.apps.lock_manager.backends.redis_lock.RedisLock
    MAYAN_LOCK_MANAGER_BACKEND_ARGUMENTS: "{'redis_url':'redis://:${MAYAN_REDIS_PASSWORD:-mayanredispassword}@redis:6379/2'}"
  # Image tags are mutable references. Pinning by digest
  # (name@sha256:<digest placeholder>) makes the deployed image verifiable.
  image: ${MAYAN_DOCKER_IMAGE_NAME:-mayanedms/mayanedms}:${MAYAN_DOCKER_IMAGE_TAG:-s4.4}
  networks:
    - mayan
  restart: unless-stopped
  volumes:
    - ${MAYAN_APP_VOLUME:-app}:/var/lib/mayan
    # Optional volumes to access external data like staging or watch folders.
    # These are host bind mounts: the container gets direct access to the
    # host directory.
    # - /opt/staging_folder:/staging_folder
    # - /opt/watch_folder:/watch_folder

# Traefik routing labels for the Mayan web frontend; merged into a service
# with `<<: *mayan-traefik-labels`.
#
# Two routers are declared for the same Host rule:
#   - mayan_frontend_http on the `http` entrypoint, which only applies the
#     redirect-to-https middleware (non-permanent redirect).
#   - mayan_frontend_https on the `https` entrypoint, with TLS enabled and a
#     certificate from the `letsencrypt` resolver, forwarding to port 8000.
#
# Nothing is routed unless MAYAN_TRAEFIK_FRONTEND_ENABLE is set to true.
# MAYAN_TRAEFIK_EXTERNAL_DOMAIN has no fallback: if it is unset, Compose
# substitutes an empty string and the rule becomes Host(``).
x-mayan-traefik-labels: &mayan-traefik-labels
  labels:
    - "traefik.enable=${MAYAN_TRAEFIK_FRONTEND_ENABLE:-false}"
    - "traefik.http.middlewares.mayan_frontend_http_redirect.redirectscheme.scheme=https"
    - "traefik.http.middlewares.mayan_frontend_http_redirect.redirectscheme.permanent=false"
    - "traefik.http.routers.mayan_frontend_http.entrypoints=http"
    - "traefik.http.routers.mayan_frontend_http.middlewares=mayan_frontend_http_redirect"
    - "traefik.http.routers.mayan_frontend_http.rule=Host(`${MAYAN_TRAEFIK_EXTERNAL_DOMAIN}`)"
    - "traefik.http.routers.mayan_frontend_https.entrypoints=https"
    - "traefik.http.routers.mayan_frontend_https.rule=Host(`${MAYAN_TRAEFIK_EXTERNAL_DOMAIN}`)"
    - "traefik.http.routers.mayan_frontend_https.service=mayan_frontend_http"
    - "traefik.http.routers.mayan_frontend_https.tls=true"
    - "traefik.http.routers.mayan_frontend_https.tls.certresolver=letsencrypt"
    - "traefik.http.services.mayan_frontend_http.loadbalancer.server.port=8000"

# Direct publication of the Mayan frontend; merged into a service with
# `<<: *mayan-frontend-ports`.
#
# The mapping has no host address, so Docker binds it on all host interfaces,
# and the traffic on it is plain HTTP to container port 8000.
x-mayan-frontend-ports: &mayan-frontend-ports
  # Disable ports if using Traefik. Set to an empty list `[]`.
  # Leaving this enabled next to Traefik keeps an unencrypted path to the
  # application that bypasses the HTTPS router.
  ports:
    - "${MAYAN_FRONTEND_HTTP_PORT:-80}:8000"
    # []

# Networks used by the stack.
#
# `internal: true` creates a network without external connectivity. Both
# application networks ship with it disabled so that directly published
# ports keep working.
networks:
  # Joined by the keycloak and keycloak-postgres services.
  keycloak:
    driver: bridge
    # Change to true when using Traefik for increased security.
    internal: false
  # Joined by the Mayan containers and their backing services.
  mayan:
    driver: bridge
    # Change to true when using Traefik for increased security.
    internal: false
  # Default settings; joined by the traefik service.
  traefik: {}

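# Every service is gated by a Compose profile, so nothing starts unless its
# profile is selected.
#
# Password fallbacks written as `${VAR:-default}` are fixed, publicly known
# values. Override each one in `.env` before the stack is reachable by others.
# Image tags are mutable references; pin by digest
# (name@sha256:<digest placeholder>) where a verifiable image is required.
services:
  # All-in-one Mayan container: shared settings, Traefik labels and the
  # directly published HTTP port.
  app:
    <<: [*mayan-container, *mayan-traefik-labels, *mayan-frontend-ports]
    profiles:
      - all_in_one

  elasticsearch:
    environment:
      - bootstrap.memory_lock=true
      - discovery.type=single-node
      - http.max_content_length=400mb
      # Authentication is on; ELASTIC_PASSWORD below supplies the password.
      - xpack.security.enabled=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - ELASTIC_PASSWORD=${MAYAN_ELASTICSEARCH_PASSWORD:-mayanespassword}
    image: ${MAYAN_DOCKER_ELASTICSEARCH_IMAGE:-elasticsearch}:${MAYAN_DOCKER_ELASTICSEARCH_TAG:-7.17.9}
    networks:
      - mayan
    # Enable to allow external access to the database.
    # Publishing binds on all host interfaces; with the fallback password
    # still in place the index is then open to anyone who can reach the host.
    # ports:
    #   - "9200:9200"
    profiles:
      - elasticsearch
    restart: unless-stopped
    ulimits:
      # Unlimited locked memory, needed by bootstrap.memory_lock above.
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ${MAYAN_ELASTICSEARCH_VOLUME:-elasticsearch}:/usr/share/elasticsearch/data

  keycloak:
    command:
      - start
    environment:
      # Fallback administrator account is admin/admin, and the port below is
      # published by default: set both variables before first start.
      KEYCLOAK_ADMIN: ${MAYAN_KEYCLOAK_ADMIN:-admin}
      KEYCLOAK_ADMIN_PASSWORD: ${MAYAN_KEYCLOAK_ADMIN_PASSWORD:-admin}
      KC_DB: postgres
      KC_DB_PASSWORD: ${MAYAN_KEYCLOAK_DATABASE_PASSWORD:-keycloakdbpass}
      KC_DB_URL_DATABASE: ${MAYAN_KEYCLOAK_DATABASE_NAME:-keycloak}
      KC_DB_URL_HOST: keycloak-postgres
      KC_DB_USERNAME: ${MAYAN_DATABASE_KEYCLOAK_USER:-keycloak}
      KC_HOSTNAME_URL: http://127.0.0.1:8081/
      # Quoted so the YAML parser yields strings rather than booleans;
      # environment values must be strings.
      # Strict hostname checking is off and plain HTTP is on, so logins and
      # tokens travel unencrypted unless TLS is terminated in front.
      KC_HOSTNAME_STRICT: "false"
      KC_HTTP_ENABLED: "true"
    image: ${MAYAN_DOCKER_KEYCLOAK_IMAGE:-keycloak/keycloak}:${MAYAN_DOCKER_KEYCLOAK_TAG:-20.0.1}
    # NOTE(review): these routers use the same entrypoints and Host rule as
    # the mayan_frontend routers; confirm how the two are meant to coexist on
    # one domain.
    labels:
      - "traefik.enable=${MAYAN_TRAEFIK_KEYCLOAK_ENABLE:-false}"
      - "traefik.http.middlewares.keycloak_http_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.keycloak_http_redirect.redirectscheme.permanent=false"
      - "traefik.http.routers.keycloak_http.entrypoints=http"
      - "traefik.http.routers.keycloak_http.middlewares=keycloak_http_redirect"
      - "traefik.http.routers.keycloak_http.rule=Host(`${MAYAN_TRAEFIK_EXTERNAL_DOMAIN}`)"
      - "traefik.http.routers.keycloak_https.entrypoints=https"
      - "traefik.http.routers.keycloak_https.rule=Host(`${MAYAN_TRAEFIK_EXTERNAL_DOMAIN}`)"
      - "traefik.http.routers.keycloak_https.service=keycloak_http"
      - "traefik.http.routers.keycloak_https.tls=true"
      - "traefik.http.routers.keycloak_https.tls.certresolver=letsencrypt"
      - "traefik.http.services.keycloak_http.loadbalancer.server.port=${MAYAN_TRAEFIK_KEYCLOAK_HTTP_PORT:-8081}"
    networks:
      - keycloak
      - mayan
    # Disable ports if using Traefik.
    # The mapping binds on all host interfaces.
    # NOTE(review): no KC_HTTP_PORT is set in this file; confirm the
    # container listens on the port published here.
    ports:
      - "${MAYAN_TRAEFIK_KEYCLOAK_HTTP_PORT:-8081}:${MAYAN_TRAEFIK_KEYCLOAK_HTTP_PORT:-8081}"
    profiles:
      - keycloak
    restart: unless-stopped

  # Database for Keycloak; attached only to the keycloak network.
  keycloak-postgres:
    environment:
      POSTGRES_DB: ${MAYAN_KEYCLOAK_DATABASE_NAME:-keycloak}
      POSTGRES_PASSWORD: ${MAYAN_KEYCLOAK_DATABASE_PASSWORD:-keycloakdbpass}
      POSTGRES_USER: ${MAYAN_DATABASE_KEYCLOAK_USER:-keycloak}
    image: postgres:${MAYAN_DOCKER_KEYCLOAK_POSTGRES_TAG:-13.8-alpine}
    networks:
      - keycloak
    profiles:
      - keycloak_postgresql
    restart: unless-stopped
    volumes:
      - ${MAYAN_KEYCLOAK_POSTGRES_VOLUME:-keycloak-postgres}:/var/lib/postgresql/data

  # Database for Mayan EDMS.
  postgresql:
    command:
      - "postgres"
      - "-c"
      - "checkpoint_completion_target=0.6"
      - "-c"
      - "default_statistics_target=200"
      - "-c"
      - "maintenance_work_mem=128MB"
      - "-c"
      - "max_connections=150"
      - "-c"
      - "shared_buffers=256MB"
      - "-c"
      - "work_mem=8MB"
    environment:
      POSTGRES_DB: ${MAYAN_DATABASE_NAME:-mayan}
      POSTGRES_PASSWORD: ${MAYAN_DATABASE_PASSWORD:-mayandbpass}
      POSTGRES_USER: ${MAYAN_DATABASE_USER:-mayan}
    image: ${MAYAN_DOCKER_POSTGRES_IMAGE:-postgres}:${MAYAN_DOCKER_POSTGRES_TAG:-13.10-alpine}
    networks:
      - mayan
    # Enable to allow external access to the database.
    # Publishing binds on all host interfaces; change the fallback password
    # first.
    # ports:
    #   - "5432:5432"
    profiles:
      - postgresql
    restart: unless-stopped
    volumes:
      - ${MAYAN_POSTGRES_VOLUME:-postgres}:/var/lib/postgresql/data

  # Celery result backend and lock manager store. Persistence is disabled
  # (`--appendonly no`, `--save ""`).
  redis:
    command:
      - redis-server
      - "--appendonly"
      - "no"
      - "--databases"
      - "3"
      - "--maxmemory"
      - "100mb"
      - "--maxclients"
      - "500"
      - "--maxmemory-policy"
      - "allkeys-lru"
      - "--save"
      - ""
      - "--tcp-backlog"
      - "256"
      # The password is a command-line argument, so it is visible in
      # `docker inspect` output and in the container's process list.
      - "--requirepass"
      - "${MAYAN_REDIS_PASSWORD:-mayanredispassword}"
    image: ${MAYAN_DOCKER_REDIS_IMAGE:-redis}:${MAYAN_DOCKER_REDIS_TAG:-7.0.10-alpine}
    networks:
      - mayan
    profiles:
      - redis
    restart: unless-stopped
    volumes:
      - ${MAYAN_REDIS_VOLUME:-redis}:/data

  # Run a frontend gunicorn container
  frontend:
    <<: [*mayan-container, *mayan-traefik-labels, *mayan-frontend-ports]
    command:
      - run_frontend
    profiles:
      - extra_frontend

  # Enable to run standalone workers
  #
  # mountindex exposes a Mayan index as a FUSE filesystem. It is the most
  # privileged container in this file: it adds CAP_SYS_ADMIN, is handed
  # /dev/fuse and runs without an AppArmor profile. Select its profile only
  # when the mounted index is actually needed.
  mountindex:
    <<: *mayan-container
    cap_add:
      - SYS_ADMIN
    devices:
      - "/dev/fuse:/dev/fuse"
    entrypoint:
      - /bin/sh
      - -c
      # Replace "creation_date" with the index of your choice.
      - 'mkdir --parents /mnt/index && chown mayan:mayan /mnt/index && /usr/local/bin/entrypoint.sh run_command "mirroring_mount_index --allow-other creation_date /mnt/index"'
    profiles:
      - mountindex
    security_opt:
      - apparmor:unconfined
    # This list replaces the shared `volumes` from the merge key, because
    # merge keys do not combine nested lists.
    volumes:
      - type: bind
        # Host location where the index will show up.
        source: /mnt/mayan_indexes/creation_date
        # Location inside the container where the index will be mounted.
        # Must be the same as in the "entrypoint" section.
        target: /mnt/index
        bind:
          # Shared propagation makes the mount created inside the container
          # appear under the host path as well.
          propagation: shared

  # Run a separate class A worker
  worker_a:
    <<: *mayan-container
    command:
      - run_worker
      - worker_a
      - "--prefetch-multiplier=1"
    profiles:
      - extra_worker_a

  # Run a separate class B worker
  worker_b:
    <<: *mayan-container
    command:
      - run_worker
      - worker_b
      - "--prefetch-multiplier=1"
    profiles:
      - extra_worker_b

  # Run a separate class C worker
  worker_c:
    <<: *mayan-container
    command:
      - run_worker
      - worker_c
      - "--prefetch-multiplier=1"
    profiles:
      - extra_worker_c

  # Run a separate class D worker
  worker_d:
    <<: *mayan-container
    command:
      - run_worker
      - worker_d
      - "--concurrency=1 --prefetch-multiplier=1"
    profiles:
      - extra_worker_d

  # Worker for an operator-defined queue list.
  worker_custom_queue:
    <<: *mayan-container
    command:
      - /bin/sh
      - -c
      # Compose substitutes MAYAN_WORKER_CUSTOM_QUEUE_LIST into this string
      # before /bin/sh parses it, so spaces or shell metacharacters in the
      # value are interpreted by the shell. Keep the value a plain queue list.
      - 'MAYAN_QUEUE_LIST=${MAYAN_WORKER_CUSTOM_QUEUE_LIST} /usr/local/bin/run_worker.sh --prefetch-multiplier=1'
    profiles:
      - extra_worker_custom

  # Run a separate Celery beat container
  celery_beat:
    <<: *mayan-container
    command:
      - run_celery
      - "beat --pidfile= --loglevel=ERROR"
    profiles:
      - extra_celery_beat

  # One-shot setup/upgrade job; `restart: "no"` overrides the shared
  # unless-stopped policy so it does not run again after exiting.
  setup_or_upgrade:
    <<: *mayan-container
    command:
      - run_initial_setup_or_perform_upgrade
    profiles:
      - extra_setup_or_upgrade
    restart: "no"

  # Celery broker. The image tag is a management variant; the labels below
  # route port 15672 for the administration interface.
  rabbitmq:
    image: ${MAYAN_DOCKER_RABBITMQ_IMAGE:-rabbitmq}:${MAYAN_DOCKER_RABBITMQ_TAG:-3.11.13-management-alpine}
    environment:
      RABBITMQ_DEFAULT_USER: ${MAYAN_RABBITMQ_USER:-mayan}
      RABBITMQ_DEFAULT_PASS: ${MAYAN_RABBITMQ_PASSWORD:-mayanrabbitpass}
      RABBITMQ_DEFAULT_VHOST: ${MAYAN_RABBITMQ_VHOST:-mayan}
    labels:
      - "traefik.enable=${MAYAN_TRAEFIK_RABBITMQ_ENABLE:-false}"
      - "traefik.http.routers.rabbitmq_admin_http.entrypoints=rabbitmq_admin_http"
      - "traefik.http.routers.rabbitmq_admin_http.rule=Host(`${MAYAN_TRAEFIK_EXTERNAL_DOMAIN}`)"
      - "traefik.http.routers.rabbitmq_admin_http.service=rabbitmq_admin_http"
      - "traefik.http.routers.rabbitmq_admin_http.tls=true"
      - "traefik.http.routers.rabbitmq_admin_http.tls.certresolver=letsencrypt"
      - "traefik.http.services.rabbitmq_admin_http.loadbalancer.server.port=15672"
    networks:
      - mayan
    # Enable to allow access to the administration interface.
    # The interface accepts the broker credentials above; change the
    # fallback password before publishing it.
    # ports:
    #   - "${MAYAN_RABBITMQ_ADMIN_PORT:-15672}:15672"
    profiles:
      - rabbitmq
    restart: unless-stopped
    volumes:
      - ${MAYAN_RABBITMQ_VOLUME:-rabbitmq}:/var/lib/rabbitmq

  # Reverse proxy and TLS termination for the stack.
  traefik:
    container_name: "traefik"
    command:
      # - "--log.level=DEBUG"
      - "--api.dashboard=true"
      # Keep false: insecure mode serves the API and dashboard without
      # authentication.
      - "--api.insecure=${MAYAN_TRAEFIK_API_INSECURE:-false}"
      # The fallback is the Let's Encrypt staging directory, whose
      # certificates are not trusted by browsers. Set the variable to the
      # production directory for real deployments.
      - "--certificatesresolvers.letsencrypt.acme.caserver=${MAYAN_TRAEFIK_LETS_ENCRYPT_SERVER:-https://acme-staging-v02.api.letsencrypt.org/directory}"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge=${MAYAN_TRAEFIK_LETS_ENCRYPT_DNS_CHALLENGE:-false}"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=${MAYAN_TRAEFIK_LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER}"
      - "--certificatesresolvers.letsencrypt.acme.email=${MAYAN_TRAEFIK_LETS_ENCRYPT_EMAIL}"
      # acme.json holds the ACME account key and the issued private keys; it
      # lives on the certificate volume mounted below.
      - "--certificatesresolvers.letsencrypt.acme.storage=/traefik-certificates-letsencrypt/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.tlschallenge=${MAYAN_TRAEFIK_LETS_ENCRYPT_TLS_CHALLENGE:-false}"
      - "--entrypoints.http.address=:80"
      - "--entrypoints.https.address=:443"
      - "--entrypoints.keycloak_http.address=:${MAYAN_TRAEFIK_KEYCLOAK_HTTP_PORT:-8081}"
      - "--entrypoints.rabbitmq_admin_http.address=:15672"
      - "--entrypoints.traefik_dashboard_http.address=:8080"
      - "--providers.docker=true"
      # Containers are routed only when they carry `traefik.enable=true`.
      - "--providers.docker.exposedbydefault=false"
    # - Add DNS provider variables (https://doc.traefik.io/traefik/https/acme/#providers)
    # environment:
    image: ${MAYAN_DOCKER_TRAEFIK_IMAGE:-traefik}:${MAYAN_DOCKER_TRAEFIK_TAG:-v2.5}
    labels:
      - "traefik.enable=${MAYAN_TRAEFIK_DASHBOARD_ENABLE:-false}"
      # The dashboard router is protected by this basic-auth middleware.
      # MAYAN_TRAEFIK_DASHBOARD_AUTHENTICATION has no fallback; set it before
      # enabling the dashboard.
      - "traefik.http.middlewares.basic-auth-global.basicauth.users=${MAYAN_TRAEFIK_DASHBOARD_AUTHENTICATION}"
      - "traefik.http.routers.traefik_https.entrypoints=traefik_dashboard_http"
      - "traefik.http.routers.traefik_https.middlewares=basic-auth-global"
      - "traefik.http.routers.traefik_https.rule=Host(`${MAYAN_TRAEFIK_EXTERNAL_DOMAIN}`)"
      - "traefik.http.routers.traefik_https.service=api@internal"
      - "traefik.http.routers.traefik_https.tls=true"
      - "traefik.http.routers.traefik_https.tls.certresolver=letsencrypt"
    networks:
      - mayan
      - traefik
    # All five ports are published on every host interface whenever this
    # profile is active, whether or not the matching router is enabled.
    ports:
      - "${MAYAN_RABBITMQ_ADMIN_HTTP_PORT:-15672}:15672"
      - "${MAYAN_TRAEFIK_DASHBOARD_HTTP_PORT:-8080}:8080"
      # The container side follows the keycloak_http entrypoint address,
      # which is built from the same variable; a fixed 8081 here would stop
      # matching as soon as the variable is overridden.
      - "${MAYAN_TRAEFIK_KEYCLOAK_HTTP_PORT:-8081}:${MAYAN_TRAEFIK_KEYCLOAK_HTTP_PORT:-8081}"
      - "${MAYAN_TRAEFIK_HTTP_PORT:-80}:80"
      - "${MAYAN_TRAEFIK_HTTPS_PORT:-443}:443"
    profiles:
      - traefik
    restart: unless-stopped
    volumes:
      # `:ro` makes only the socket file's mount read-only. It does not limit
      # the Docker API calls made through the socket, so this container holds
      # full control of the Docker daemon. A filtering socket proxy that
      # exposes only the read endpoints Traefik needs narrows that.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${MAYAN_TRAEFIK_LETSENCRYPT_VOLUME:-traefik-certificates-letsencrypt}:/traefik-certificates-letsencrypt
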
# Named volumes, all with default driver settings. They hold the stack's
# persistent state: application files, database data and the Traefik ACME
# store (account key and certificate private keys). Treat backups of them as
# sensitive.
volumes:
  app: {}
  elasticsearch: {}
  keycloak-postgres: {}
  postgres: {}
  # NOTE(review): no service in this file references this volume by default;
  # the mountindex service uses a host bind mount instead.
  mountindex: {}
  rabbitmq: {}
  redis: {}
  traefik-certificates-letsencrypt: {}