-
Notifications
You must be signed in to change notification settings - Fork 19
/
Copy pathproduction.yml
181 lines (168 loc) · 7.27 KB
/
production.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
version: '3'
volumes:
production_postgres_data: {}
production_postgres_data_backups: {}
production_traefik: {}
services:
# The main webserver for katago website
django: &django
build:
context: .
dockerfile: ./compose/production/django/Dockerfile
image: katago_server_production_django
depends_on:
- postgres
- redis
env_file:
- ./envs/production/django
- ./envs/production/postgres
volumes:
- ${UPLOADED_DATA_DIRECTORY:-./data}:/data
command: /start
labels:
traefik.enable: "true"
# Incoming http to our domain name via websecure entrypoint gets routed to django, modulo priority
traefik.http.routers.djangoroute.rule: "Host(`${TRAEFIK_ROUTER_DOMAIN_NAME:?traefik_router_domain_name_missing}`)"
traefik.http.routers.djangoroute.entrypoints: "websecure"
traefik.http.routers.djangoroute.tls.certresolver: "letsencrypt"
traefik.http.routers.djangoroute.priority: 10
# Django internally listens on port 5000 by default - presumably we could configure django to listen on port 80 or 443,
# but we can also just tell traefik to listen here.
traefik.http.services.djangoroute.loadbalancer.server.port: 5000
# Define the "csrf" middleware and make djangoroute use it
traefik.http.middlewares.csrf.headers.hostsProxyHeaders: "X-CSRFToken"
traefik.http.routers.djangoroute.middlewares: "csrf"
# The database server for the website
postgres:
build:
context: .
dockerfile: ./compose/production/postgres/Dockerfile
image: katago_server_production_postgres
volumes:
- ./compose/production/postgres/postgres.conf:/etc/postgresql/postgresql.conf
- production_postgres_data:/var/lib/postgresql/data
- production_postgres_data_backups:/backups
env_file:
- ./envs/production/postgres
command: ["-c", "config_file=/etc/postgresql/postgresql.conf"]
# Performs incoming request URL routing for the website
traefik:
build:
context: .
dockerfile: ./compose/production/traefik/Dockerfile
image: katago_server_production_traefik
depends_on:
- django
- nginx
volumes:
- production_traefik:/etc/traefik/acme
# Map the docker socket on the real machine read-only to the inside of the container
# so that traefik can query the real docker for all the containers that exist
- /var/run/docker.sock:/var/run/docker.sock:ro
ports:
# Listen to these ports from the outside world and map them to these ports inside the container
- "0.0.0.0:80:80"
- "0.0.0.0:443:443"
- "0.0.0.0:5555:5555"
# Map this port if using the API for debugging
# - "0.0.0.0:8080:8080"
command:
- "--log=true"
- "--log.level=DEBUG"
# Define "web" entrypoint as anything that comes in on port 80, and redirect it to websecure
- "--entrypoints.web.address=:80"
- "--entrypoints.web.http.redirections.entryPoint.to=websecure"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
- "--entrypoints.web.http.redirections.entrypoint.permanent=true"
# TLS certificates must be specified in a file, boooooooo
- "--providers.file.filename=/etc/traefik/traefik_dynamic.toml"
# Define "websecure" entrypoint as anything that comes in on port 443
- "--entrypoints.websecure.address=:443"
# Define "flower" entrypoint as anything that comes in on port 5555
- "--entrypoints.flower.address=:5555"
- "--certificatesresolvers.letsencrypt=true"
- "--certificatesresolvers.letsencrypt.acme.email=${TRAEFIK_LETSENCRYPT_EMAIL:?traefik_letsencrypt_email_env_missing}"
- "--certificatesresolvers.letsencrypt.acme.storage=/etc/traefik/acme/acme.json"
- "--certificatesresolvers.letsencrypt.acme.httpchallenge=true"
- "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
# Tell traefik to look at the docker socket and set up routing automatically based on all the labels
# of the various containers
- "--providers.docker=true"
# Containers must explicitly opt in to being mapped by traefik by specifying label traefik.enable: "true"
- "--providers.docker.exposedbydefault=false"
# Uncomment these to enable the API for debugging. This is insecure though and could allow anyone to do stuff on
# to the site routing however!
# - "--api=true"
# - "--api.insecure=true"
# - "--api.dashboard=true"
# Serves uploaded sgfs and npz files
nginx:
build:
context: .
dockerfile: ./compose/production/nginx/Dockerfile
image: katago_server_production_nginx
depends_on:
- django
env_file:
- ./envs/production/nginx
command: [ "/make_nginx_conf.sh", "nginx", "-g", "daemon off;"]
volumes:
- ${UPLOADED_DATA_DIRECTORY:-./data}/:/data
labels:
traefik.enable: "true"
# Incoming http to our domain name via websecure entrypoint asking for stuff under /media gets routed to nginx.
# Higher priority to djangoroute, so takes precedence.
# In our server setup, nginx directly serves files under /media (namely, SGFs and NPZs), without going through django.
traefik.http.routers.nginxroute.rule: "Host(`${TRAEFIK_ROUTER_DOMAIN_NAME:?traefik_router_domain_name_missing}`) && PathPrefix(`/media`)"
traefik.http.routers.nginxroute.entrypoints: "websecure"
traefik.http.routers.nginxroute.tls.certresolver: "letsencrypt"
traefik.http.routers.nginxroute.priority: 20
traefik.http.services.nginxroute.loadbalancer.server.port: 18080
# Define the "csrf" middleware and make nginxroute use it
traefik.http.middlewares.csrf.headers.hostsProxyHeaders: "X-CSRFToken"
traefik.http.routers.nginxroute.middlewares: "csrf"
redis:
image: redis:5.0
ulimits:
nproc: 65535
nofile:
soft: 26677
hard: 46677
sysctls:
net.core.somaxconn: '511'
celeryworker:
<<: *django
image: katago_server_production_celeryworker
command: /start-celeryworker
labels:
# Make sure to override traefik.enable: "true" from django
traefik.enable: "false"
celerybeat:
<<: *django
image: katago_server_production_celerybeat
command: /start-celerybeat
# Celery beat does not need access to django storage volume
volumes: []
labels:
# Make sure to override traefik.enable: "true" from django
traefik.enable: "false"
flower:
<<: *django
image: katago_server_production_flower
# Flower does not need access to postgres so override that from django
depends_on:
- redis
# Flower does not need access to postgres so override that from django
env_file:
- ./envs/production/django
# Flower does not need access to django storage volume
volumes: []
command: /start-flower
labels:
traefik.enable: "true"
# Incoming stuff to our domain name via flower entrypoint gets routed to flower.
traefik.http.routers.flowerroute.rule: "Host(`${TRAEFIK_ROUTER_DOMAIN_NAME:?traefik_router_domain_name_missing}`)"
traefik.http.routers.flowerroute.entrypoints: "flower"
traefik.http.routers.flowerroute.tls.certresolver: "letsencrypt"
traefik.http.routers.flowerroute.priority: 10
traefik.http.services.flowerroute.loadbalancer.server.port: 5555