---
version: "3.8"

# Extension fields (x-*) are ignored by Compose itself; they exist only to
# define anchors that the service definitions below pull in with `<<:` merge
# keys. Merge keys are shallow and an explicit key in a service always wins
# over a merged-in one.

# Common to all services
x-common: &common
  restart: "no"
  tty: true # Required for non-root users with selinux enabled.
  security_opt:
    # NOTE(review): container_runtime_t is the container runtime's own SELinux
    # domain, so labelling every service with it largely removes SELinux
    # confinement for the whole stack — confirm this is still required on the
    # target hosts rather than only for the services that touch the socket /
    # bind mounts.
    - label=type:container_runtime_t # Required for selinux to access the docker socket and bind mount files.

# Merged into every `-dev` service: the dev profile plus the locally generated
# TLS material and UID file declared under `secrets:` further down.
x-dev: &dev
  profiles: [dev]
  secrets:
    - source: CERT_PUBLIC_KEY
    - source: CERT_PRIVATE_KEY
    - source: CERT_AUTHORITY
    - source: UID

# Will override what is in x-dev, x-common.
# `-prod` services merge `[*prod, *<service>]`; with a list merge the earlier
# entry wins, so these values replace the dev profile/secrets carried by the
# service anchor. A service that needs production secrets lists them itself.
x-prod: &prod
  profiles: [prod]
  secrets: [] # Development certificates are only needed for development environments.

x-traefik-enable: &traefik-enable
  traefik.enable: true

# Used to override dev configuration.
# Merged first (e.g. `<<: [*traefik-disable, *activemq-labels]`) so its
# `false` takes precedence and the service is not routed by Traefik in prod.
x-traefik-disable: &traefik-disable
  traefik.enable: false

# Shared middleware definition: permanent redirect of the `http` entrypoint to
# https. Every *_http router below references it via *traefik-https-redirect.
x-traefik-https-redirect-middleware: &traefik-https-redirect-middleware
  traefik.http.middlewares.https-redirect.redirectscheme.permanent: true
  traefik.http.middlewares.https-redirect.redirectscheme.scheme: https

x-traefik-https-redirect: &traefik-https-redirect https-redirect
# Name of the ACME certificate resolver configured on traefik-prod's command line.
x-traefik-certresolver: &traefik-certresolver resolver

# Router/service labels for Drupal. In dev they are applied to the `ide`
# service (which fronts Drupal), in prod to `drupal-prod` directly; the Host()
# rule is added by each of those services.
x-traefik-drupal-labels: &traefik-drupal-labels
  traefik.http.routers.drupal_http.entrypoints: http
  traefik.http.routers.drupal_http.middlewares: *traefik-https-redirect
  traefik.http.routers.drupal_http.service: drupal
  traefik.http.routers.drupal_https.entrypoints: https
  traefik.http.routers.drupal_https.service: drupal
  traefik.http.routers.drupal_https.tls: true
  traefik.http.services.drupal.loadbalancer.server.port: 80

# Secrets for services that only need to verify JWTs (public key + admin
# token); the private key is mounted into drupal-prod alone.
x-secrets-jwt-public: &secrets-jwt-public
  - source: JWT_ADMIN_TOKEN
  - source: JWT_PUBLIC_KEY
# A single network with default settings; every service attaches to it and
# adds an unsuffixed alias, so all services can reach each other by short name.
networks:
  default:

# Named volumes with driver defaults (`{}`); services reference them by name.
# These hold the persistent state of the stack (brokers, databases, indexes,
# Drupal files and the IDE's own data/caches).
volumes:
  activemq-data: {}
  blazegraph-data: {}
  cantaloupe-data: {}
  code-server-data: {}
  drupal-private-files: {}
  drupal-public-files: {}
  drupal-root: {}
  drupal-solr-config: {}
  fcrepo-data: {}
  jetbrains-cache: {}
  jetbrains-config: {}
  mariadb-data: {}
  matomo-data: {}
  solr-data: {}
# File-based secrets: each is read from the project directory on the host when
# the stack is brought up. Keep ./certs and ./secrets out of version control
# and restrict their permissions on the host; the files themselves are the
# credentials.
secrets:
  # Certificates are only used for development environments.
  # In production the expectation is to use lets encrypt, etc.
  # See README.md for how to generate them.
  CERT_PUBLIC_KEY:
    file: ./certs/cert.pem
  CERT_PRIVATE_KEY:
    file: ./certs/privkey.pem
  CERT_AUTHORITY:
    file: ./certs/rootCA.pem
  # UID is used to map the nginx user id number to that of the host to prevent
  # problems when bind mounting files from this repository into the container
  # for development purposes.
  UID:
    file: ./certs/UID
  # Production secrets:
  #
  # Unless otherwise specified the following command can be used to generate
  # passwords, wherein:
  # The range passed to grep is the valid characters:
  #   - '[!-~]' to include special characters, or
  #   - '[A-Za-z0-9]'
  # The number passed to head is the length of the password.
  #
  # grep -ao '[A-Za-z0-9]' </dev/urandom | head -32 | tr -d '\n' > ./secrets/PASSWORD
  ACTIVEMQ_PASSWORD:
    file: "./secrets/ACTIVEMQ_PASSWORD"
  ACTIVEMQ_WEB_ADMIN_PASSWORD:
    file: "./secrets/ACTIVEMQ_WEB_ADMIN_PASSWORD"
  # Deliberately the same file as ACTIVEMQ_PASSWORD: alpaca-prod is the only
  # consumer of this secret and depends on the broker (presumably it is the
  # broker credential seen from the client side — confirm against the images).
  ALPACA_JMS_PASSWORD:
    file: "./secrets/ACTIVEMQ_PASSWORD"
  DB_ROOT_PASSWORD:
    file: "./secrets/DB_ROOT_PASSWORD"
  DRUPAL_DEFAULT_ACCOUNT_PASSWORD:
    file: "./secrets/DRUPAL_DEFAULT_ACCOUNT_PASSWORD"
  DRUPAL_DEFAULT_DB_PASSWORD:
    file: "./secrets/DRUPAL_DEFAULT_DB_PASSWORD"
  # The salt should use the following character range: 'A-Za-z0-9-_'.
  # And be 74 characters long.
  DRUPAL_DEFAULT_SALT:
    file: "./secrets/DRUPAL_DEFAULT_SALT"
  FCREPO_DB_PASSWORD:
    file: "./secrets/FCREPO_DB_PASSWORD"
  JWT_ADMIN_TOKEN:
    file: "./secrets/JWT_ADMIN_TOKEN"
  # First generate the private key below.
  # Then generate with openssl
  # openssl rsa -pubout -in ./secrets/JWT_PRIVATE_KEY -out ./secrets/JWT_PUBLIC_KEY &>/dev/null
  JWT_PUBLIC_KEY:
    file: "./secrets/JWT_PUBLIC_KEY"
  # Generate with openssl:
  # openssl genrsa -out ./secrets/JWT_PRIVATE_KEY 2048 &>/dev/null
  # Only drupal-prod mounts this one; every other JWT consumer gets the public key.
  JWT_PRIVATE_KEY:
    file: "./secrets/JWT_PRIVATE_KEY"
  MATOMO_DB_PASSWORD:
    file: "./secrets/MATOMO_DB_PASSWORD"
  MATOMO_USER_PASS:
    file: "./secrets/MATOMO_USER_PASS"
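# Service layout: `<name>-dev` carries the full definition and an anchor;
# `<name>-prod` merges `[*prod, *<name>]` (earlier entry wins, so the prod
# profile and empty secret list replace the dev ones) and then overrides
# labels / environment / secrets as needed. crayfits and fits carry no
# profile and therefore start under both.
#
# Changes from the previous revision (behaviour-neutral unless noted):
#   - dev Host() anchors for solr and traefik now carry the `-dev` suffix used
#     by every other dev anchor (they are only referenced inside this file);
#   - matomo-prod uses the list form of the merge key like the other services;
#   - traefik-prod overrides `ports` so the dev-only ssh port 2222 is no longer
#     published in production, where no ssh entrypoint is configured.
services:
  alpaca-dev: &alpaca
    <<: [*dev, *common]
    image: ${ISLANDORA_REPOSITORY}/alpaca:${ISLANDORA_TAG}
    networks:
      default:
        aliases: # Allow access without using the `-dev` or `-prod` suffix.
          - alpaca
    depends_on:
      activemq-dev:
        condition: service_started

  alpaca-prod:
    <<: [*prod, *alpaca]
    # Reads the same file as ACTIVEMQ_PASSWORD (see the secrets section).
    secrets:
      - source: ALPACA_JMS_PASSWORD
    depends_on:
      activemq-prod:
        condition: service_started

  crayfits:
    <<: [*common]
    image: ${ISLANDORA_REPOSITORY}/crayfits:${ISLANDORA_TAG}

  fits:
    <<: [*common]
    image: ${ISLANDORA_REPOSITORY}/fits:${ISLANDORA_TAG}

  homarus-dev: &homarus
    <<: [*dev, *common]
    image: ${ISLANDORA_REPOSITORY}/homarus:${ISLANDORA_TAG}
    networks:
      default:
        aliases: # Allow access without using the `-dev` or `-prod` suffix.
          - homarus

  homarus-prod:
    <<: [*prod, *homarus]
    secrets: *secrets-jwt-public

  houdini-dev: &houdini
    <<: [*dev, *common]
    image: ${ISLANDORA_REPOSITORY}/houdini:${ISLANDORA_TAG}
    networks:
      default:
        aliases: # Allow access without using the `-dev` or `-prod` suffix.
          - houdini

  houdini-prod:
    <<: [*prod, *houdini]
    secrets: *secrets-jwt-public

  hypercube-dev: &hypercube
    <<: [*dev, *common]
    image: ${ISLANDORA_REPOSITORY}/hypercube:${ISLANDORA_TAG}
    networks:
      default:
        aliases: # Allow access without using the `-dev` or `-prod` suffix.
          - hypercube

  hypercube-prod:
    <<: [*prod, *hypercube]
    secrets: *secrets-jwt-public

  mariadb-dev: &mariadb
    <<: [*dev, *common]
    image: ${ISLANDORA_REPOSITORY}/mariadb:${ISLANDORA_TAG}
    volumes:
      - mariadb-data:/var/lib/mysql:Z,rw
    networks:
      default:
        aliases: # Allow access without using the `-dev` or `-prod` suffix.
          - mariadb

  mariadb-prod:
    <<: [*prod, *mariadb]
    secrets:
      - source: DB_ROOT_PASSWORD

  milliner-dev: &milliner
    <<: [*dev, *common]
    image: ${ISLANDORA_REPOSITORY}/milliner:${ISLANDORA_TAG}
    networks:
      default:
        aliases: # Allow access without using the `-dev` or `-prod` suffix.
          - milliner

  milliner-prod:
    <<: [*prod, *milliner]
    secrets: *secrets-jwt-public

  activemq-dev: &activemq
    <<: [*dev, *common]
    image: ${ISLANDORA_REPOSITORY}/activemq:${ISLANDORA_TAG}
    # Dev only: the broker's web console is routed at activemq.islandora.dev.
    labels: &activemq-labels
      <<: [*traefik-enable, *traefik-https-redirect-middleware]
      traefik.http.routers.activemq_http.entrypoints: http
      traefik.http.routers.activemq_http.middlewares: *traefik-https-redirect
      traefik.http.routers.activemq_http.rule: &traefik-host-activemq-dev Host(`activemq.islandora.dev`)
      traefik.http.routers.activemq_http.service: activemq
      traefik.http.routers.activemq_https.entrypoints: https
      traefik.http.routers.activemq_https.rule: *traefik-host-activemq-dev
      traefik.http.routers.activemq_https.tls: true
      traefik.http.services.activemq.loadbalancer.server.port: 8161
      traefik.subdomain: activemq
    volumes:
      - activemq-data:/opt/activemq/data:Z,rw
    networks:
      default:
        aliases: # Allow access without using the `-dev` or `-prod` suffix.
          - activemq

  activemq-prod:
    <<: [*prod, *activemq]
    # *traefik-disable comes first so `traefik.enable: false` wins: the console
    # is not exposed through Traefik in production even though the router
    # labels are kept.
    labels:
      <<: [*traefik-disable, *activemq-labels]
      traefik.http.routers.activemq_http.rule: &traefik-host-activemq-prod Host(`activemq.${DOMAIN}`)
      traefik.http.routers.activemq_https.rule: *traefik-host-activemq-prod
      traefik.http.routers.activemq_https.tls.certresolver: *traefik-certresolver
    secrets:
      - source: ACTIVEMQ_PASSWORD
      - source: ACTIVEMQ_WEB_ADMIN_PASSWORD

  blazegraph-dev: &blazegraph
    <<: [*dev, *common]
    image: ${ISLANDORA_REPOSITORY}/blazegraph:${ISLANDORA_TAG}
    labels: &blazegraph-labels
      <<: [*traefik-enable, *traefik-https-redirect-middleware]
      traefik.http.routers.blazegraph_http.entrypoints: http
      traefik.http.routers.blazegraph_http.middlewares: *traefik-https-redirect
      traefik.http.routers.blazegraph_http.rule: &traefik-host-blazegraph-dev Host(`blazegraph.islandora.dev`)
      traefik.http.routers.blazegraph_http.service: blazegraph
      traefik.http.routers.blazegraph_https.entrypoints: https
      traefik.http.routers.blazegraph_https.rule: *traefik-host-blazegraph-dev
      traefik.http.routers.blazegraph_https.tls: true
      traefik.http.services.blazegraph.loadbalancer.server.port: 8080
    volumes:
      - blazegraph-data:/data:Z,rw
    networks:
      default:
        aliases: # Allow access without using the `-dev` or `-prod` suffix.
          - blazegraph

  blazegraph-prod:
    <<: [*prod, *blazegraph]
    # Not routed in production (see activemq-prod for the merge-order reasoning).
    labels:
      <<: [*traefik-disable, *blazegraph-labels]
      traefik.http.routers.blazegraph_http.rule: &traefik-host-blazegraph-prod Host(`blazegraph.${DOMAIN}`)
      traefik.http.routers.blazegraph_https.rule: *traefik-host-blazegraph-prod
      traefik.http.routers.blazegraph_https.tls.certresolver: *traefik-certresolver

  cantaloupe-dev: &cantaloupe
    <<: [*dev, *common]
    image: ${ISLANDORA_REPOSITORY}/cantaloupe:${ISLANDORA_TAG}
    # Served under /cantaloupe on the root domain: the prefix is stripped and
    # forwarded to the backend as X-Forwarded-Path.
    labels: &cantaloupe-labels
      <<: [*traefik-enable, *traefik-https-redirect-middleware]
      traefik.http.middlewares.cantaloupe-custom-request-headers.headers.customrequestheaders.X-Forwarded-Path: /cantaloupe
      traefik.http.middlewares.cantaloupe-strip-prefix.stripprefix.prefixes: /cantaloupe
      traefik.http.middlewares.cantaloupe.chain.middlewares: cantaloupe-strip-prefix,cantaloupe-custom-request-headers
      traefik.http.routers.cantaloupe_http.entrypoints: http
      traefik.http.routers.cantaloupe_http.middlewares: *traefik-https-redirect
      traefik.http.routers.cantaloupe_http.rule: &traefik-host-cantaloupe-dev Host(`islandora.dev`) && PathPrefix(`/cantaloupe`)
      traefik.http.routers.cantaloupe_http.service: cantaloupe
      traefik.http.routers.cantaloupe_https.middlewares: cantaloupe
      traefik.http.routers.cantaloupe_https.entrypoints: https
      traefik.http.routers.cantaloupe_https.rule: *traefik-host-cantaloupe-dev
      traefik.http.routers.cantaloupe_https.tls: true
      traefik.http.services.cantaloupe.loadbalancer.server.port: 8182
    volumes:
      - cantaloupe-data:/data:Z,rw
    networks:
      default:
        aliases: # Allow access without using the `-dev` or `-prod` suffix.
          - cantaloupe

  cantaloupe-prod:
    <<: [*prod, *cantaloupe]
    # Stays publicly routed in production (no *traefik-disable here).
    labels:
      <<: [*cantaloupe-labels]
      traefik.http.routers.cantaloupe_http.rule: &traefik-host-cantaloupe-prod Host(`${DOMAIN}`) && PathPrefix(`/cantaloupe`)
      traefik.http.routers.cantaloupe_https.rule: *traefik-host-cantaloupe-prod
      traefik.http.routers.cantaloupe_https.tls.certresolver: *traefik-certresolver

  drupal-dev: &drupal
    <<: [*dev, *common]
    image: ${REPOSITORY}/${COMPOSE_PROJECT_NAME}:${TAG}
    build:
      context: ./drupal
      args:
        REPOSITORY: ${ISLANDORA_REPOSITORY}
        TAG: ${ISLANDORA_TAG}
      # Read by `docker buildx bake`, not by Compose itself.
      x-bake:
        platforms: [linux/amd64, linux/arm64]
        cache-from:
          - type=registry,ref=${REPOSITORY}/${COMPOSE_PROJECT_NAME}:${TAG}
          - type=registry,ref=${REPOSITORY}/${COMPOSE_PROJECT_NAME}:latest
        cache-to:
          - type=inline
    # Shared with `ide` (dev) and overridden per URL in drupal-prod.
    environment: &drupal-environment
      DEVELOPMENT_ENVIRONMENT: true
      DRUPAL_DEFAULT_BROKER_URL: "tcp://activemq:61613"
      DRUPAL_DEFAULT_CANTALOUPE_URL: "https://islandora.dev/cantaloupe/iiif/2"
      DRUPAL_DEFAULT_CONFIGDIR: "/var/www/drupal/config/sync"
      DRUPAL_DEFAULT_FCREPO_HOST: "fcrepo"
      DRUPAL_DEFAULT_FCREPO_PORT: 8080
      DRUPAL_DEFAULT_FCREPO_URL: "https://fcrepo.islandora.dev/fcrepo/rest/"
      DRUPAL_DEFAULT_INSTALL_EXISTING_CONFIG: "true"
      DRUPAL_DEFAULT_MATOMO_URL: "https://islandora.dev/matomo/"
      DRUPAL_DEFAULT_NAME: "Islandora Digital Collections"
      DRUPAL_DEFAULT_PROFILE: "minimal"
      DRUPAL_DEFAULT_SITE_URL: "islandora.dev"
      DRUPAL_DEFAULT_SOLR_CORE: "default"
      DRUPAL_DRUSH_URI: "https://islandora.dev" # Used by docker/drupal/rootfs/usr/local/share/custom/install.sh
    # No traefik labels here: in dev all Drupal traffic enters via `ide`.
    volumes:
      # Allow code-server to serve Drupal / override it.
      - &drupal-root
        type: volume
        source: drupal-root
        target: /var/www/drupal
        read_only: false
      - &drupal-public-files
        type: volume
        source: drupal-public-files
        target: /var/www/drupal/web/sites/default/files
        read_only: false
      - &drupal-private-files
        type: volume
        source: drupal-private-files
        target: /var/www/drupal/private
        read_only: false
      # Bind mounts of the site customizations kept in this repository.
      # ${CONSISTENCY} is expected to supply the trailing mount option.
      - &drupal-assets ./drupal/rootfs/var/www/drupal/assets:/var/www/drupal/assets:z,rw,${CONSISTENCY}
      - &drupal-composer-json ./drupal/rootfs/var/www/drupal/composer.json:/var/www/drupal/composer.json:z,rw,${CONSISTENCY}
      - &drupal-composer-lock ./drupal/rootfs/var/www/drupal/composer.lock:/var/www/drupal/composer.lock:z,rw,${CONSISTENCY}
      - &drupal-config ./drupal/rootfs/var/www/drupal/config:/var/www/drupal/config:z,rw,${CONSISTENCY}
      - &drupal-custom-modules ./drupal/rootfs/var/www/drupal/web/modules/custom:/var/www/drupal/web/modules/custom:z,rw,${CONSISTENCY}
      - &drupal-custom-themes ./drupal/rootfs/var/www/drupal/web/themes/custom:/var/www/drupal/web/themes/custom:z,rw,${CONSISTENCY}
      - &drupal-solr-config drupal-solr-config:/opt/solr/server/solr/default:z,rw
    networks:
      default:
        aliases: # Allow access without using the `-dev` or `-prod` suffix.
          - drupal

  drupal-prod:
    <<: [*prod, *drupal]
    environment:
      <<: [*drupal-environment]
      DEVELOPMENT_ENVIRONMENT: false
      DRUPAL_DEFAULT_CANTALOUPE_URL: "https://${DOMAIN}/cantaloupe/iiif/2"
      DRUPAL_DEFAULT_FCREPO_URL: "https://fcrepo.${DOMAIN}/fcrepo/rest/"
      DRUPAL_DEFAULT_MATOMO_URL: "https://${DOMAIN}/matomo/"
      DRUPAL_DEFAULT_SITE_URL: "${DOMAIN}"
      DRUPAL_DRUSH_URI: "https://${DOMAIN}"
    # In production Drupal is routed directly at the root domain.
    labels:
      <<: [*traefik-enable, *traefik-https-redirect-middleware, *traefik-drupal-labels]
      traefik.http.routers.drupal_http.rule: &traefik-host-drupal-prod Host(`${DOMAIN}`)
      traefik.http.routers.drupal_https.rule: *traefik-host-drupal-prod
      traefik.http.routers.drupal_https.tls.certresolver: *traefik-certresolver
    volumes:
      # No bind mounts in production.
      # Changes to anything other than data is not persisted.
      - *drupal-public-files
      - *drupal-private-files
      - *drupal-solr-config
    # The only service that receives JWT_PRIVATE_KEY.
    secrets:
      - source: DB_ROOT_PASSWORD
      - source: DRUPAL_DEFAULT_ACCOUNT_PASSWORD
      - source: DRUPAL_DEFAULT_DB_PASSWORD
      - source: DRUPAL_DEFAULT_SALT
      - source: JWT_PRIVATE_KEY
      - source: JWT_PUBLIC_KEY

  ide:
    <<: [*dev, *common] # No production IDE (no dev'ing on prod)
    image: ${ISLANDORA_REPOSITORY}/code-server:${ISLANDORA_TAG}
    # NOTE(review): this service is reachable at ide.islandora.dev with
    # CODE_SERVER_AUTHENTICATION=none and has the host Docker socket mounted
    # read-write, i.e. anyone who can reach it controls the Docker host. The
    # published ports on traefik-dev bind all host interfaces by default, so
    # the dev profile should only run where those ports are not reachable from
    # untrusted networks — confirm how islandora.dev is resolved on dev hosts.
    labels:
      # All Drupal traefik is routed through the IDE so that XDebug can be
      # easily used.
      <<: [*traefik-enable, *traefik-https-redirect-middleware, *traefik-drupal-labels]
      traefik.http.routers.drupal_http.rule: &traefik-host-drupal-dev Host(`islandora.dev`)
      traefik.http.routers.drupal_https.rule: *traefik-host-drupal-dev
      traefik.http.routers.ide_http.entrypoints: http
      traefik.http.routers.ide_http.middlewares: *traefik-https-redirect
      traefik.http.routers.ide_http.rule: &traefik-host-ide-dev Host(`ide.islandora.dev`)
      traefik.http.routers.ide_http.service: ide
      traefik.http.routers.ide_https.entrypoints: https
      traefik.http.routers.ide_https.rule: *traefik-host-ide-dev
      traefik.http.routers.ide_https.service: ide
      traefik.http.routers.ide_https.tls: true
      traefik.http.services.ide.loadbalancer.server.port: 8443
      # TCP passthrough of the IDE's sshd on traefik-dev's `ssh` entrypoint
      # (host port 2222); HostSNI(`*`) accepts any client.
      traefik.tcp.routers.ssh.entrypoints: ssh
      traefik.tcp.routers.ssh.rule: HostSNI(`*`)
      traefik.tcp.routers.ssh.service: ssh
      traefik.tcp.services.ssh.loadbalancer.server.port: 22
    environment:
      <<: [*drupal-environment]
      # Allow XDebug to be used with Drush as well.
      # Use the following command in the IDE shell to enable it:
      # export XDEBUG_SESSION=1
      DRUSH_ALLOW_XDEBUG: 1
      XDEBUG_MODE: debug
      # Do not request a password for accessing the IDE.
      CODE_SERVER_AUTHENTICATION: none
      # Bump up time outs to allow for debugging.
      NGINX_CLIENT_BODY_TIMEOUT: 600s
      NGINX_FASTCGI_CONNECT_TIMEOUT: 600s
      NGINX_FASTCGI_READ_TIMEOUT: 1200s
      NGINX_FASTCGI_SEND_TIMEOUT: 600s
      NGINX_KEEPALIVE_TIMEOUT: 750s
      NGINX_LINGERING_TIMEOUT: 50s
      NGINX_PROXY_CONNECT_TIMEOUT: 600s
      NGINX_PROXY_READ_TIMEOUT: 600s
      NGINX_PROXY_SEND_TIMEOUT: 600s
      NGINX_SEND_TIMEOUT: 600s
      PHP_DEFAULT_SOCKET_TIMEOUT: 600
      PHP_MAX_EXECUTION_TIME: 300
      PHP_MAX_INPUT_TIME: 600
      PHP_PROCESS_CONTROL_TIMEOUT: 600
      PHP_REQUEST_TERMINATE_TIMEOUT: 600
    volumes:
      # Cache for when using jetbrains ssh connection feature.
      - type: volume
        source: jetbrains-cache
        target: /var/lib/nginx/.cache/JetBrains
      - type: volume
        source: jetbrains-config
        target: /var/lib/nginx/.config/JetBrains
      # Allow access to Docker cli via IDE.
      # This grants the IDE full control of the host's Docker daemon.
      - /var/run/docker.sock:/var/run/docker.sock:z,rw
      # Mount and serve contents of Drupal site.
      # nocopy: the volume content comes from drupal-dev, not from this image.
      - <<: [*drupal-root]
        volume:
          nocopy: true
      # Mount and serve Drupal public files.
      - <<: [*drupal-public-files]
        volume:
          nocopy: true
      # Mount and serve Drupal private files.
      - <<: [*drupal-private-files]
        volume:
          nocopy: true
      # Volumes for code-server cache.
      - type: volume
        source: code-server-data
        target: /opt/code-server/data
        read_only: false
      # Site specific customizations.
      # These are all bind mounts to the host.
      - *drupal-assets
      - *drupal-composer-json
      - *drupal-composer-lock
      - *drupal-config
      - *drupal-custom-modules
      - *drupal-custom-themes
    # Ensure drupal mounts the shared volumes first.
    depends_on:
      - drupal-dev

  fcrepo-dev: &fcrepo
    <<: [*dev, *common]
    image: ${ISLANDORA_REPOSITORY}/fcrepo6:${ISLANDORA_TAG}
    # Origins fcrepo accepts external content from; the Drupal one is
    # overridden per domain in fcrepo-prod.
    environment: &fcrepo-environment
      FCREPO_ALLOW_EXTERNAL_DEFAULT: "http://default/"
      FCREPO_ALLOW_EXTERNAL_DRUPAL: "https://islandora.dev/"
    labels: &fcrepo-labels
      <<: [*traefik-enable, *traefik-https-redirect-middleware]
      # Due to weird logic in `fcrepo/static/js/common.js`, do not use https
      # as it assumes it always needs to append /fcr:metadata to every request
      # breaking the links. Though for files we do want that page to be accessed
      # so check for a file extension.
      # `$$` is Compose's escape for a literal `$` in the regex/replacement.
      traefik.http.middlewares.fcrepo-strip-suffix.replacepathregex.regex: "^(.*/fcrepo/rest/[^.]*)/fcr:metadata$$"
      traefik.http.middlewares.fcrepo-strip-suffix.replacepathregex.replacement: "$$1"
      traefik.http.routers.fcrepo_http.entrypoints: http
      traefik.http.routers.fcrepo_http.middlewares: *traefik-https-redirect
      traefik.http.routers.fcrepo_http.rule: &traefik-host-fcrepo-dev Host(`fcrepo.islandora.dev`)
      traefik.http.routers.fcrepo_http.service: fcrepo
      traefik.http.routers.fcrepo_https.entrypoints: https
      traefik.http.routers.fcrepo_https.middlewares: fcrepo-strip-suffix
      traefik.http.routers.fcrepo_https.rule: *traefik-host-fcrepo-dev
      traefik.http.routers.fcrepo_https.tls: true
      traefik.http.services.fcrepo.loadbalancer.server.port: 8080
    volumes:
      - fcrepo-data:/data:Z,rw
    networks:
      default:
        aliases: # Allow access without using the `-dev` or `-prod` suffix.
          - fcrepo
    depends_on:
      activemq-dev:
        condition: service_started

  fcrepo-prod:
    <<: [*prod, *fcrepo]
    environment:
      <<: [*fcrepo-environment]
      FCREPO_ALLOW_EXTERNAL_DRUPAL: "https://${DOMAIN}/"
    # Stays publicly routed in production at fcrepo.${DOMAIN}.
    labels:
      <<: [*fcrepo-labels]
      traefik.http.routers.fcrepo_http.rule: &traefik-host-fcrepo-prod Host(`fcrepo.${DOMAIN}`)
      traefik.http.routers.fcrepo_https.rule: *traefik-host-fcrepo-prod
      traefik.http.routers.fcrepo_https.tls.certresolver: *traefik-certresolver
    secrets:
      - source: DB_ROOT_PASSWORD
      - source: FCREPO_DB_PASSWORD
      - source: JWT_ADMIN_TOKEN
      - source: JWT_PUBLIC_KEY
    depends_on:
      activemq-prod:
        condition: service_started

  matomo-dev: &matomo
    <<: [*dev, *common]
    image: ${ISLANDORA_REPOSITORY}/matomo:${ISLANDORA_TAG}
    # Served under /matomo on the root domain: `/matomo` is redirected to
    # `/matomo/`, the prefix stripped and forwarded as X-Forwarded-Uri.
    labels: &matomo-labels
      <<: [*traefik-enable, *traefik-https-redirect-middleware]
      traefik.http.middlewares.matomo-custom-request-headers.headers.customrequestheaders.X-Forwarded-Uri: /matomo
      traefik.http.middlewares.matomo-append-slash.redirectregex.regex: ^(https?://[^/]+/matomo)$$
      traefik.http.middlewares.matomo-append-slash.redirectregex.replacement: $${1}/
      traefik.http.middlewares.matomo-strip-prefix.stripprefix.prefixes: /matomo
      traefik.http.middlewares.matomo.chain.middlewares: matomo-append-slash,matomo-strip-prefix,matomo-custom-request-headers
      traefik.http.routers.matomo_http.entrypoints: http
      traefik.http.routers.matomo_http.middlewares: *traefik-https-redirect
      traefik.http.routers.matomo_http.rule: &traefik-host-matomo-dev Host(`islandora.dev`) && PathPrefix(`/matomo`)
      traefik.http.routers.matomo_http.service: matomo
      traefik.http.routers.matomo_https.entrypoints: https
      traefik.http.routers.matomo_https.middlewares: matomo
      traefik.http.routers.matomo_https.rule: *traefik-host-matomo-dev
      traefik.http.routers.matomo_https.tls: true
      traefik.http.services.matomo.loadbalancer.server.port: 80
    environment: &matomo-environment
      MATOMO_DEFAULT_HOST: "https://islandora.dev"
    volumes:
      - matomo-data:/var/www/matomo:Z,rw
    networks:
      default:
        aliases: # Allow access without using the `-dev` or `-prod` suffix.
          - matomo

  matomo-prod:
    <<: [*prod, *matomo]
    labels:
      <<: [*matomo-labels]
      traefik.http.routers.matomo_http.rule: &traefik-host-matomo-prod Host(`${DOMAIN}`) && PathPrefix(`/matomo`)
      traefik.http.routers.matomo_https.rule: *traefik-host-matomo-prod
      traefik.http.routers.matomo_https.tls.certresolver: *traefik-certresolver
    environment:
      <<: [*matomo-environment]
      MATOMO_DEFAULT_HOST: "https://${DOMAIN}"
    secrets:
      - source: DB_ROOT_PASSWORD
      - source: MATOMO_DB_PASSWORD
      - source: MATOMO_USER_PASS

  solr-dev: &solr
    <<: [*dev, *common]
    image: ${ISLANDORA_REPOSITORY}/solr:${ISLANDORA_TAG}
    labels: &solr-labels
      <<: [*traefik-enable, *traefik-https-redirect-middleware]
      traefik.http.routers.solr_http.entrypoints: http
      traefik.http.routers.solr_http.middlewares: *traefik-https-redirect
      traefik.http.routers.solr_http.rule: &traefik-host-solr-dev Host(`solr.islandora.dev`)
      traefik.http.routers.solr_http.service: solr
      traefik.http.routers.solr_https.entrypoints: https
      traefik.http.routers.solr_https.rule: *traefik-host-solr-dev
      traefik.http.routers.solr_https.tls: true
      traefik.http.services.solr.loadbalancer.server.port: 8983
    volumes:
      - solr-data:/data:Z,rw
      # The core config is written by Drupal into the shared volume.
      - type: volume
        source: drupal-solr-config
        target: /opt/solr/server/solr/default
        read_only: false
        volume:
          nocopy: true
    networks:
      default:
        aliases: # Allow access without using the `-dev` or `-prod` suffix.
          - solr
    # Ensure drupal mounts the shared volumes first.
    depends_on:
      - drupal-dev

  solr-prod:
    <<: [*prod, *solr]
    # Not routed in production (see activemq-prod for the merge-order reasoning).
    labels:
      <<: [*traefik-disable, *solr-labels]
      traefik.http.routers.solr_http.rule: &traefik-host-solr-prod Host(`solr.${DOMAIN}`)
      traefik.http.routers.solr_https.rule: *traefik-host-solr-prod
      traefik.http.routers.solr_https.tls.certresolver: *traefik-certresolver
    # Ensure drupal mounts the shared volumes first.
    depends_on:
      - drupal-prod

  traefik-dev: &traefik
    <<: [*dev, *common]
    image: traefik:v2.8.3
    # Dev only: the API/dashboard is enabled without authentication
    # (api.insecure=true) and routed at traefik.islandora.dev; TLS comes from
    # the file provider (tls.yml + ./certs).
    command: >-
      --api.insecure=true
      --api.dashboard=true
      --api.debug=true
      --entryPoints.http.address=:80
      --entryPoints.https.address=:443
      --entryPoints.ssh.address=:22
      --providers.file.filename=/etc/traefik/tls.yml
      --providers.docker=true
      --providers.docker.network=default
      --providers.docker.exposedByDefault=false
    labels:
      <<: [*traefik-enable, *traefik-https-redirect-middleware]
      traefik.http.routers.traefik_http.entrypoints: http
      traefik.http.routers.traefik_http.middlewares: *traefik-https-redirect
      traefik.http.routers.traefik_http.rule: &traefik-host-traefik-dev Host(`traefik.islandora.dev`)
      traefik.http.routers.traefik_http.service: traefik
      traefik.http.routers.traefik_https.entrypoints: https
      traefik.http.routers.traefik_https.rule: *traefik-host-traefik-dev
      traefik.http.routers.traefik_https.tls: true
      traefik.http.services.traefik.loadbalancer.server.port: 8080
    # No host address given, so these bind every host interface.
    ports:
      - "80:80"
      - "443:443"
      - "2222:22"
    security_opt:
      - label=type:container_runtime_t # Required for selinux to access the docker socket.
    volumes:
      - ./certs:/etc/ssl/traefik:Z,ro
      - ./tls.yml:/etc/traefik/tls.yml:Z,ro
      # Docker provider. Mounting the socket read-only would not limit API
      # access; a socket proxy is the usual mitigation if that is wanted.
      - /var/run/docker.sock:/var/run/docker.sock:z
    networks:
      default:
        aliases:
          # Allow services to connect on the same name/port as the outside.
          - activemq.islandora.dev
          - blazegraph.islandora.dev
          - fcrepo.islandora.dev
          - ide.islandora.dev
          - islandora.dev # Drupal is at the root domain.
          - solr.islandora.dev
    depends_on:
      # Sometimes traefik doesn't pick up on new containers so make sure
      # they are started before traefik.
      - activemq-dev
      - blazegraph-dev
      - drupal-dev
      - fcrepo-dev
      - solr-dev
      - ide

  traefik-prod:
    <<: [*prod, *traefik]
    # Change caServer to use the staging server when testing changes to the Traefik.
    #
    # Staging: https://acme-staging-v02.api.letsencrypt.org/directory
    # Production: https://acme-v02.api.letsencrypt.org/directory
    #
    # @See https://letsencrypt.org/docs/staging-environment/
    # @See https://doc.traefik.io/traefik/https/acme/
    command: >-
      --api.insecure=false
      --api.dashboard=false
      --api.debug=false
      --entryPoints.http.address=:80
      --entryPoints.https.address=:443
      --entrypoints.https.http.tls.certResolver=resolver
      --providers.docker
      --providers.docker.network=default
      --providers.docker.exposedByDefault=false
      --certificatesresolvers.resolver.acme.httpchallenge=true
      --certificatesresolvers.resolver.acme.httpchallenge.entrypoint=http
      --certificatesresolvers.resolver.acme.email=${EMAIL}
      --certificatesresolvers.resolver.acme.storage=/acme/acme.json
      --certificatesResolvers.resolver.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
    labels:
      <<: [*traefik-disable] # Do no route to dashboard as it is disabled in production.
    # Override the ports merged from *traefik: no ssh entrypoint is defined in
    # the production command, so 2222 must not be published here.
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:z,rw
      # acme.json holds the issued private keys; Traefik expects it to be
      # mode 0600 — confirm the permissions of ./certs on the production host.
      - ./certs:/acme:Z
    networks:
      default:
        aliases:
          # Allow services to connect on the same name/port as the outside.
          - "${DOMAIN}" # Drupal is at the root domain.
          - "activemq.${DOMAIN}"
          - "blazegraph.${DOMAIN}"
          - "fcrepo.${DOMAIN}"
          - "solr.${DOMAIN}"
    depends_on:
      # Sometimes traefik doesn't pick up on new containers so make sure
      # they are started before traefik.
      - activemq-prod
      - blazegraph-prod
      - drupal-prod
      - fcrepo-prod
      - solr-prod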