github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 18:18:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
3e380cdfc863fb22fb2c19a07cbd9a9966e1fe2c
firezone/docker-compose.yml
Andrew Dryga 28fe571543 Small improvements to make setup process easier for OS contributors (#1171) 
* Remove _build folders for umbrella apps

For umbrella apps everything goes into /_build directory so there no need to ignore directories that should never be created

* Change mix aliases to be more aligned with what OS community would expect

1. We want ecto.create and ecto.migrate to be run on each tests, this will simplify setup steps (no need to run migrations manually)

2. ecto.remigrate is not needed because now you can just run ecto.drop and on tests migrations would be executed anyways.

* Rename docker-compose step name in CONTRIBUTING.md

The step was renamed here: dd67baf629 (diff-67a4805fdcc6145d7b3ada2a6099a9b2e91c9d0fd108c22f95d2f01d219793d1R10)

* Remove .devcontainer

This an is opinionated change. Right now devcontainer doesn't work but should be easy to fix (with renaming step name), but at the same time it forces developers that use VS code to have unified development environment (including plugins for the editor itself).

I feel like it's not a good path to go for OS and for small team - everyone should be allowed to use setup they like. Especially for people like me that tend to recompile ls-elixir for Elixir plugin from master branch.

Plus it's yet another thing to maintain while nobody on the team is using it, which means it will be always causing issues.

* Make fz_http mix.exs aliases aligned with umbrella app ones

* Redirect stderr to stdout in a command called from dev.exs

Otherwise I'm getting this on my MacOS (that has a `route` implementation that doesn't show interfaces) when `mix phx.server` is executed:
```
usage: route [-dnqtv] command [[modifiers] args]
```

* Fix race condition due to static device field values

Both public_key and name are unique and we should not use static values for field covered by unique index, otherwise deadlocks and slow tests are expected.

* Remove unwanted transaction block

The changeset code doesn't have any code that accesses the database and individual Ecto.SQL commands are already wrapped in transactions by default, so there is no need to start it manually and hold for longer than expected (while irrelevant Elixir code is running).

* Use netstat to identify egress interface on MacOS

* Rename uninstall.sh to omnibus-uninstall.sh

* Fix uninstall path in omnibus_build.yml
2022-12-06 15:07:45 -08:00

235 lines
6.2 KiB
YAML
Raw Blame History

version: '3.7'
services:
keycloak:
image: quay.io/keycloak/keycloak:20.0
environment:
- KEYCLOAK_ADMIN=admin
- KEYCLOAK_ADMIN_PASSWORD=admin
volumes:
# Persist dev data
- ./tmp/keycloak:/opt/keycloak/data
command: start-dev
ports:
- 8080:8080
networks:
- app
caddy:
image: caddy:2
volumes:
- ./priv/Caddyfile:/etc/caddy/Caddyfile
- ./priv/pki:/data/caddy/pki
ports:
- 80:80
- 443:443
networks:
app:
ipv4_address: 172.28.0.99
ipv6_address: 2001:3990:3990::99
firezone:
build:
context: .
dockerfile: Dockerfile.dev
args:
DATABASE_URL: postgresql://postgres:postgres@postgres:5432/firezone_dev
image: firezone_dev
volumes:
- ./priv:/var/app/priv
- ./apps:/var/app/apps
- ./config:/var/app/config
- ./mix.exs:/var/app/mix.exs
- ./mix.lock:/var/app/mix.lock
# Mask the following build directories to keep compiled binaries isolated
# from the local project. This is needed when the Docker Host platform
# doesn't match the platform under which Docker Engine is running. e.g.
# WSL, Docker for Mac, etc.
- /var/app/apps/fz_http/assets/node_modules
ports:
- 51820:51820/udp
environment:
LOCAL_AUTH_ENABLED: 'true'
FZ_WALL_CLI_MODULE: FzWall.CLI.Live
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv6.conf.all.disable_ipv6=0
- net.ipv4.ip_forward=1
- net.ipv6.conf.all.forwarding=1
depends_on:
postgres:
condition: 'service_healthy'
networks:
- app
- isolation
postgres:
image: postgres:15
volumes:
- postgres-data:/var/lib/postgresql/data
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
POSTGRES_DB: firezone_dev
healthcheck:
test: ["CMD-SHELL", "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"]
start_period: 20s
interval: 30s
retries: 5
timeout: 5s
ports:
- 5432:5432
networks:
- app
# Vault can act as an OIDC IdP as well
vault:
image: vault
environment:
- VAULT_ADDR=0.0.0.0:8200
ports:
- 8200:8200/tcp
cap_add:
- IPC_LOCK
networks:
- app
# Only available for amd64 architectures
# zitadel:
# networks:
# - app
# image: ghcr.io/zitadel/zitadel:stable
# command: start-from-init --masterkey "MasterkeyNeedsToHave32Characters" --tlsMode disabled
# environment:
# - ZITADEL_DATABASE_COCKROACH_HOST=crdb
# - ZITADEL_EXTERNALSECURE=false
# depends_on:
# crdb:
# condition: 'service_healthy'
# ports:
# - 8081:8080
# crdb:
# image: cockroachdb/cockroach:v22.1.3
# command: start-single-node --insecure
# healthcheck:
# test: ["CMD", "curl", "-f", "http://localhost:8080/health?ready=1"]
# interval: '10s'
# timeout: '30s'
# retries: 5
# start_period: '20s'
# ports:
# - 9090:8080
# - 26257:26257
# networks:
# - app
# The following services represent more self-hosted IdPs.
# These are much lesser-known and not as trivial to get working
# as KeyCloak, so leaving them here for someone to possibly play
# with later.
# authentik:
# image: ghcr.io/goauthentik/server:2022.10.1
# command: server
# depends_on:
# redis:
# condition: 'service_healthy'
# environment:
# AUTHENTIK_SECRET_KEY: NQgSe9lPF+rYlQY+aOpR6Wbi2PMPXxsunw5CX1wuqv9vB+nW
# AUTHENTIK_REDIS__HOST: redis
# AUTHENTIK_POSTGRESQL__HOST: postgres
# AUTHENTIK_POSTGRESQL__USER: postgres
# AUTHENTIK_POSTGRESQL__NAME: authentik
# AUTHENTIK_POSTGRESQL__PASSWORD: postgres
# AUTHENTIK_ERROR_REPORTING__ENABLED: true
# volumes:
# - ./tmp/authentik/media:/media
# - ./tmp/authentik/custom-templates:/templates
# ports:
# - 9000:9000
# - 9443:9443
#
# authentik-worker:
# depends_on:
# redis:
# condition: 'service_healthy'
# image: ghcr.io/goauthentik/server:2022.10.1
# command: worker
# environment:
# AUTHENTIK_SECRET_KEY: NQgSe9lPF+rYlQY+aOpR6Wbi2PMPXxsunw5CX1wuqv9vB+nW
# AUTHENTIK_REDIS__HOST: redis
# AUTHENTIK_POSTGRESQL__HOST: postgres
# AUTHENTIK_POSTGRESQL__USER: postgres
# AUTHENTIK_POSTGRESQL__NAME: authentik
# AUTHENTIK_POSTGRESQL__PASSWORD: postgres
# AUTHENTIK_ERROR_REPORTING__ENABLED: true
# volumes:
# - ./tmp/authentik/media:/media
# - ./tmp/authentik/certs:/certs
# - ./tmp/authentik/custom-templates:/templates
#
# redis:
# image: docker.io/library/redis:alpine
# command: --save 60 1 --loglevel warning
# restart: unless-stopped
# healthcheck:
# test: ["CMD-SHELL", "redis-cli ping | grep PONG"]
# start_period: 20s
# interval: 30s
# retries: 5
# timeout: 3s
# volumes:
# - redis-data:/data
#
#
# Unfortunately the Linux VM kernel for Docker Desktop is not compiled with
# Dynamic Debug enabled, so we're unable to enable WireGuard debug logging.
# Since WireGuard is designed to be silent by default, this basically does
# nothing.
# wireguard-log:
# image: ubuntu:jammy
# # cap SYSLOG was enough for reading but privilege is required for tailing
# privileged: true
# command: >
# bash -c '
# mount -t debugfs none /sys/kernel/debug
# && echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control
# && dmesg -wT | grep wireguard:'
client:
depends_on:
- firezone
image: linuxserver/wireguard:latest
environment:
- PUID=1000
- PGID=1000
- TZ=UTC
- ALLOWEDIPS="0.0.0.0/0,::/0"
volumes:
- ./priv/wg0.client.conf:/config/wg0.conf
cap_add:
- NET_ADMIN
- SYS_MODULE
sysctls:
- net.ipv6.conf.all.disable_ipv6=0
- net.ipv4.conf.all.src_valid_mark=1
networks:
- isolation
volumes:
postgres-data:
# Disabled due to Authentik being disabled
# redis-data:
networks:
app:
enable_ipv6: true
ipam:
config:
- subnet: 172.28.0.0/16
- subnet: 2001:3990:3990::/64
isolation:
Reference in New Issue View Git Blame Copy Permalink