2026-05-13 14:08:11 +00:00
|
|
|
name: tx-os
|
|
|
|
|
|
|
|
|
|
services:
|
2026-05-13 19:47:05 +00:00
|
|
|
postgres:
|
2026-05-13 14:08:11 +00:00
|
|
|
image: postgres:16-alpine
|
|
|
|
|
restart: unless-stopped
|
|
|
|
|
environment:
|
2026-05-13 19:47:05 +00:00
|
|
|
POSTGRES_USER: ${POSTGRES_USER:-tx}
|
|
|
|
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-tx_dev_password}
|
|
|
|
|
POSTGRES_DB: ${POSTGRES_DB:-tx}
|
2026-05-13 14:08:11 +00:00
|
|
|
volumes:
|
2026-05-13 19:47:05 +00:00
|
|
|
- postgres_data:/var/lib/postgresql/data
|
2026-05-13 14:08:11 +00:00
|
|
|
healthcheck:
|
2026-05-13 19:47:05 +00:00
|
|
|
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-tx} -d ${POSTGRES_DB:-tx}"]
|
|
|
|
|
interval: 5s
|
2026-05-13 14:08:11 +00:00
|
|
|
timeout: 5s
|
2026-05-13 19:47:05 +00:00
|
|
|
retries: 20
|
2026-05-13 14:08:11 +00:00
|
|
|
|
2026-05-13 19:47:05 +00:00
|
|
|
migrate:
|
|
|
|
|
build:
|
|
|
|
|
context: .
|
|
|
|
|
dockerfile: docker/api-server.Dockerfile
|
|
|
|
|
image: tx-os/api-server:latest
|
2026-05-13 14:08:11 +00:00
|
|
|
depends_on:
|
2026-05-13 19:47:05 +00:00
|
|
|
postgres:
|
2026-05-13 14:08:11 +00:00
|
|
|
condition: service_healthy
|
|
|
|
|
environment:
|
2026-05-13 19:47:05 +00:00
|
|
|
NODE_ENV: production
|
|
|
|
|
DATABASE_URL: postgres://${POSTGRES_USER:-tx}:${POSTGRES_PASSWORD:-tx_dev_password}@postgres:5432/${POSTGRES_DB:-tx}
|
2026-05-14 07:32:58 +00:00
|
|
|
# Seed passwords are now optional. When unset, the seed script
|
|
|
|
|
# creates roles/permissions only and leaves admin creation to
|
|
|
|
|
# the first-run Setup Wizard (/api/setup/complete).
|
|
|
|
|
SEED_ADMIN_PASSWORD: ${SEED_ADMIN_PASSWORD:-}
|
|
|
|
|
SEED_USER_PASSWORD: ${SEED_USER_PASSWORD:-}
|
2026-05-15 10:38:44 +00:00
|
|
|
SEED_DEMO_MEETINGS: ${SEED_DEMO_MEETINGS:-false}
|
2026-05-14 07:32:58 +00:00
|
|
|
PUBLIC_BASE_URL: ${PUBLIC_BASE_URL:-http://localhost:${APP_PORT:-3000}}
|
2026-05-13 19:47:05 +00:00
|
|
|
user: root
|
|
|
|
|
entrypoint: ["/usr/bin/tini", "--"]
|
|
|
|
|
command: ["/bin/bash", "/usr/local/bin/migrate.sh"]
|
2026-05-13 14:08:11 +00:00
|
|
|
restart: "no"
|
|
|
|
|
|
|
|
|
|
api:
|
|
|
|
|
build:
|
|
|
|
|
context: .
|
2026-05-13 19:47:05 +00:00
|
|
|
dockerfile: docker/api-server.Dockerfile
|
|
|
|
|
image: tx-os/api-server:latest
|
2026-05-13 14:08:11 +00:00
|
|
|
restart: unless-stopped
|
|
|
|
|
depends_on:
|
2026-05-13 19:47:05 +00:00
|
|
|
postgres:
|
2026-05-13 14:08:11 +00:00
|
|
|
condition: service_healthy
|
2026-05-13 19:47:05 +00:00
|
|
|
migrate:
|
|
|
|
|
condition: service_completed_successfully
|
2026-05-13 14:08:11 +00:00
|
|
|
environment:
|
|
|
|
|
NODE_ENV: production
|
2026-05-13 19:47:05 +00:00
|
|
|
PORT: 8080
|
|
|
|
|
DATABASE_URL: postgres://${POSTGRES_USER:-tx}:${POSTGRES_PASSWORD:-tx_dev_password}@postgres:5432/${POSTGRES_DB:-tx}
|
|
|
|
|
SESSION_SECRET: ${SESSION_SECRET:?SESSION_SECRET is required — copy .env.docker.example to .env and edit it}
|
|
|
|
|
LOCAL_STORAGE_SIGNING_SECRET: ${LOCAL_STORAGE_SIGNING_SECRET:-${SESSION_SECRET}}
|
|
|
|
|
LOCAL_STORAGE_ROOT: /app/storage
|
|
|
|
|
STORAGE_DRIVER: ${STORAGE_DRIVER:-local}
|
|
|
|
|
PRIVATE_OBJECT_DIR: ${PRIVATE_OBJECT_DIR:-/app/storage/private}
|
|
|
|
|
PUBLIC_OBJECT_SEARCH_PATHS: ${PUBLIC_OBJECT_SEARCH_PATHS:-/app/storage/public}
|
|
|
|
|
DEFAULT_OBJECT_STORAGE_BUCKET_ID: ${DEFAULT_OBJECT_STORAGE_BUCKET_ID:-tx-local}
|
|
|
|
|
ALLOWED_ORIGINS: ${ALLOWED_ORIGINS:-http://localhost:${APP_PORT:-3000}}
|
|
|
|
|
PUBLIC_BASE_URL: ${PUBLIC_BASE_URL:-http://localhost:${APP_PORT:-3000}}
|
2026-05-15 10:38:44 +00:00
|
|
|
TRUST_PROXY_HTTPS: ${TRUST_PROXY_HTTPS:-false}
|
2026-05-13 14:08:11 +00:00
|
|
|
LOG_LEVEL: ${LOG_LEVEL:-info}
|
2026-05-14 07:32:58 +00:00
|
|
|
HTTPS_MODE: ${HTTPS_MODE:-local}
|
|
|
|
|
LOCAL_DOMAIN: ${LOCAL_DOMAIN:-}
|
|
|
|
|
LOCAL_IP: ${LOCAL_IP:-}
|
2026-05-13 14:08:11 +00:00
|
|
|
SMTP_HOST: ${SMTP_HOST:-}
|
|
|
|
|
SMTP_PORT: ${SMTP_PORT:-}
|
|
|
|
|
SMTP_USER: ${SMTP_USER:-}
|
|
|
|
|
SMTP_PASS: ${SMTP_PASS:-}
|
|
|
|
|
SMTP_FROM: ${SMTP_FROM:-}
|
2026-05-13 19:47:05 +00:00
|
|
|
SMTP_SECURE: ${SMTP_SECURE:-}
|
2026-05-16 15:26:18 +00:00
|
|
|
VAPID_PUBLIC_KEY: ${VAPID_PUBLIC_KEY:-}
|
|
|
|
|
VAPID_PRIVATE_KEY: ${VAPID_PRIVATE_KEY:-}
|
|
|
|
|
VAPID_SUBJECT: ${VAPID_SUBJECT:-}
|
2026-05-13 19:47:05 +00:00
|
|
|
volumes:
|
|
|
|
|
- app_storage:/app/storage
|
2026-05-13 14:08:11 +00:00
|
|
|
|
|
|
|
|
web:
|
|
|
|
|
build:
|
|
|
|
|
context: .
|
2026-05-13 19:47:05 +00:00
|
|
|
dockerfile: docker/tx-os.Dockerfile
|
2026-05-13 14:08:11 +00:00
|
|
|
image: tx-os/web:latest
|
|
|
|
|
restart: unless-stopped
|
|
|
|
|
depends_on:
|
2026-05-13 19:47:05 +00:00
|
|
|
- api
|
2026-05-14 07:32:58 +00:00
|
|
|
# No host port binding — Caddy is the single public edge.
|
|
|
|
|
expose:
|
|
|
|
|
- "80"
|
|
|
|
|
|
|
|
|
|
caddy:
|
|
|
|
|
image: caddy:2.8-alpine
|
|
|
|
|
restart: unless-stopped
|
|
|
|
|
depends_on:
|
|
|
|
|
- api
|
|
|
|
|
- web
|
|
|
|
|
environment:
|
|
|
|
|
LOCAL_DOMAIN: ${LOCAL_DOMAIN:-tx.local}
|
|
|
|
|
LOCAL_IP: ${LOCAL_IP:-127.0.0.1}
|
|
|
|
|
HTTPS_MODE: ${HTTPS_MODE:-local}
|
2026-05-16 16:28:42 +00:00
|
|
|
PUBLIC_DOMAIN: ${PUBLIC_DOMAIN:-}
|
|
|
|
|
ACME_EMAIL: ${ACME_EMAIL:-}
|
|
|
|
|
# Pick the Caddyfile at boot:
|
|
|
|
|
# * HTTPS_MODE=auto → Caddyfile.auto (Let's Encrypt for PUBLIC_DOMAIN)
|
|
|
|
|
# * HTTPS_MODE=skip → Caddyfile.skip (plain HTTP, dev only)
|
|
|
|
|
# * /certs missing → Caddyfile.skip (graceful fall-back)
|
|
|
|
|
# * otherwise → Caddyfile (BYO cert under /certs)
|
2026-05-14 07:36:52 +00:00
|
|
|
entrypoint:
|
|
|
|
|
- /bin/sh
|
|
|
|
|
- -c
|
|
|
|
|
- |
|
2026-05-16 16:28:42 +00:00
|
|
|
if [ "$${HTTPS_MODE}" = "auto" ]; then
|
|
|
|
|
if [ -z "$${PUBLIC_DOMAIN}" ]; then
|
|
|
|
|
echo "HTTPS_MODE=auto requires PUBLIC_DOMAIN to be set (e.g. tx.example.com)" >&2
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
if [ -n "$${ACME_EMAIL}" ]; then
|
|
|
|
|
export ACME_EMAIL_DIRECTIVE="email $${ACME_EMAIL}"
|
|
|
|
|
else
|
|
|
|
|
export ACME_EMAIL_DIRECTIVE=""
|
|
|
|
|
fi
|
|
|
|
|
exec caddy run --config /etc/caddy/Caddyfile.auto --adapter caddyfile
|
|
|
|
|
elif [ "$${HTTPS_MODE}" = "skip" ] || [ ! -f /certs/local-cert.pem ] || [ ! -f /certs/local-key.pem ]; then
|
2026-05-14 07:36:52 +00:00
|
|
|
exec caddy run --config /etc/caddy/Caddyfile.skip --adapter caddyfile
|
|
|
|
|
else
|
|
|
|
|
exec caddy run --config /etc/caddy/Caddyfile --adapter caddyfile
|
|
|
|
|
fi
|
2026-05-13 14:12:40 +00:00
|
|
|
ports:
|
2026-05-14 07:59:50 +00:00
|
|
|
# HTTP edge: defaults to APP_PORT so the legacy http://localhost:${APP_PORT}
|
|
|
|
|
# URL keeps working without modifying start.sh.
|
|
|
|
|
- "${HTTP_PORT:-${APP_PORT:-3000}}:80"
|
2026-05-14 08:02:29 +00:00
|
|
|
# HTTPS edge: HTTPS_PORT is the operator-facing variable used by
|
|
|
|
|
# both .env.example (default 443, for local-setup.sh users) and
|
|
|
|
|
# .env.docker.example (default 8443, for start.sh users on hosts
|
|
|
|
|
# without privileged-port access). When HTTPS_MODE=skip the
|
|
|
|
|
# entrypoint loads Caddyfile.skip which doesn't listen on :443,
|
|
|
|
|
# so a high default keeps the bind harmless either way.
|
|
|
|
|
- "${HTTPS_PORT:-443}:443"
|
2026-05-14 07:32:58 +00:00
|
|
|
volumes:
|
|
|
|
|
- ./docker/Caddyfile:/etc/caddy/Caddyfile:ro
|
2026-05-14 07:36:52 +00:00
|
|
|
- ./docker/Caddyfile.skip:/etc/caddy/Caddyfile.skip:ro
|
2026-05-16 16:28:42 +00:00
|
|
|
- ./docker/Caddyfile.auto:/etc/caddy/Caddyfile.auto:ro
|
2026-05-14 07:32:58 +00:00
|
|
|
- ./certs:/certs:ro
|
|
|
|
|
- caddy_data:/data
|
|
|
|
|
- caddy_config:/config
|
2026-05-13 14:08:11 +00:00
|
|
|
|
|
|
|
|
volumes:
|
2026-05-13 19:47:05 +00:00
|
|
|
postgres_data:
|
|
|
|
|
app_storage:
|
2026-05-14 07:32:58 +00:00
|
|
|
caddy_data:
|
|
|
|
|
caddy_config:
|