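---
# Compose stack: Traefik reverse proxy, backend API, Postgres, Redis and an
# RQ worker. Variables written as ${NAME?} abort `docker compose` when NAME is
# unset, so a missing setting fails at start-up instead of expanding to "".
version: "3.8"

services:
  reverse-proxy:
    image: traefik:v2.10
    container_name: vaultexe-reverse-proxy
    restart: always
    networks:
      - ${VAULTEXE_PROXY_NETWORK?}
    ports:
      - "80:80"
      - "443:443"
    labels:
      # Enable Traefik
      - traefik.enable=true
      # Attach to the traefik-public network
      - traefik.docker.network=${VAULTEXE_PROXY_NETWORK?}
      # HTTP middlewares: defines the permanent http -> https redirect.
      # Defining it here does not apply it; a router has to reference it.
      - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
    command:
      # Enable Docker as a provider
      - --providers.docker
      # Disable automatic exposure of Docker services
      - --providers.docker.exposedbydefault=false
      # Entrypoints ports
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      # TLS certificates resolver
      - --certificatesresolvers.letsencrypt.acme.email=${LETSENCRYPT_ACME_EMAIL?}
      - --certificatesresolvers.letsencrypt.acme.storage=/certificates/acme.json
      - --certificatesresolvers.letsencrypt.acme.tlschallenge=true
    volumes:
      # Add Docker as mounted volume so that Traefik can listen to Docker
      # services labels.
      # NOTE(review): ":ro" only makes the socket file itself read-only. It
      # does not limit the Docker API calls that can be sent through it, so
      # this internet-facing container still holds full control of the Docker
      # daemon. A filtering socket proxy in front of docker.sock is the usual
      # way to narrow that.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Mount the volume to store TLS certificates
      - le-tls-certificates:/certificates
    depends_on:
      - backend

  backend:
    image: ${BACKEND_IMAGE?}
    container_name: vaultexe-backend
    restart: always
    depends_on:
      - db
      - redis
    env_file:
      - env/.env
      - server/env/.env
    build:
      context: ./server
      dockerfile: docker/Dockerfile
    networks:
      - ${VAULTEXE_PROXY_NETWORK?}
    ports:
      # NOTE(review): publishing the backend port on the host lets clients
      # reach the API directly, bypassing Traefik and its TLS termination.
      # Traefik reaches the container over the shared network, so confirm
      # whether this mapping is still needed outside local development.
      - "${BACKEND_PORT?}:${BACKEND_PORT?}"
    labels:
      # Enable Traefik
      - traefik.enable=true
      # Attach to the traefik-public network
      - traefik.docker.network=${VAULTEXE_PROXY_NETWORK?}
      # HTTP router
      # NOTE(review): with the middleware line below commented out, requests
      # on the "http" entrypoint are routed to the backend in clear text
      # rather than redirected to https.
      - traefik.http.routers.backend-http.entrypoints=http
      - traefik.http.routers.backend-http.rule=Host(`${BACKEND_DOMAIN?}`)
      # - traefik.http.routers.backend-http.middlewares=https-redirect
      # HTTPS router
      - traefik.http.routers.backend-https.entrypoints=https
      - traefik.http.routers.backend-https.rule=Host(`${BACKEND_DOMAIN?}`)
      - traefik.http.routers.backend-https.tls=true
      - traefik.http.routers.backend-https.tls.certresolver=letsencrypt
    healthcheck:
      # Runs inside the backend container. DOMAIN is not marked required
      # here, so an unset value expands to an empty host name.
      test: curl -f http://${DOMAIN}:${BACKEND_PORT}/health
      interval: 1m
      timeout: 10s
      retries: 3
      start_period: 30s

  db:
    image: postgres:alpine3.18
    container_name: vaultexe-db
    restart: always
    env_file:
      - env/.env
    volumes:
      - postgres-db:/var/lib/postgresql/data
    networks:
      - ${VAULTEXE_PROXY_NETWORK?}
    ports:
      # NOTE(review): this publishes Postgres on every host interface. The
      # backend and worker share the compose network with this service, so
      # the mapping is presumably only for host-side access; confirm, and
      # bind it to a loopback address or drop it where it is not needed.
      - "${POSTGRES_PORT?}:${POSTGRES_PORT?}"

  redis:
    # NOTE(review): this tag is a release candidate, not a stable release.
    image: redis:7.2-rc2-alpine
    container_name: vaultexe-redis
    restart: always
    volumes:
      - redis-data:/data
    networks:
      - ${VAULTEXE_PROXY_NETWORK?}
    ports:
      # NOTE(review): same exposure as the Postgres mapping: Redis is
      # reachable from outside the compose network, protected only by the
      # password below.
      - "${REDIS_PORT?}:${REDIS_PORT?}"
    command:
      - redis-server
      # ":?" makes compose refuse to start when REDIS_PASSWORD is unset or
      # empty, instead of silently expanding it to nothing.
      # The password is passed as a command-line argument, so it is visible
      # in `docker inspect` output and in the container's process list.
      - --requirepass ${REDIS_PASSWORD:?}

  rq-worker:
    image: ${RQ_WORKER_DOCKER_IMAGE?}
    container_name: vaultexe-rq-worker
    restart: always
    depends_on:
      - redis
      - db
    env_file:
      - env/.env
      - server/env/.env
    build:
      context: ./server
      dockerfile: docker/Dockerfile.worker
    networks:
      - ${VAULTEXE_PROXY_NETWORK?}

volumes:
  # Volume to store the TLS certificates
  # *Constraint* : Traefik is always deployed on the same Docker node
  # with the same volume containing the TLS certificates
  le-tls-certificates:
  # Volume to store the postgres database data
  postgres-db:
  # Volume to store the redis data
  redis-data:

networks:
  # Single network shared by the proxy, backend, worker, database and cache;
  # there is no separation between the public-facing and data tiers.
  # NOTE(review): services refer to a network by its key in this mapping, so
  # the ${VAULTEXE_PROXY_NETWORK?} entries above presumably only resolve when
  # the variable is set to "vaultexe_proxy_network"; verify.
  vaultexe_proxy_network:
    external: false
    name: ${VAULTEXE_PROXY_NETWORK?}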