firezone/docker-compose.prod.yml

# Example compose deployment

x-deploy: &default-deploy
  restart_policy:
    condition: on-failure
    delay: 5s
    max_attempts: 3
    window: 120s
  update_config:
    order: start-first

version: '3.7'

services:
  caddy:
    image: caddy:2
    volumes:
      - /data/firezone/caddy:/data/caddy
    ports:
      - 80:80
      - 443:443
    command: caddy reverse-proxy --to firezone:13000 --from ${EXTERNAL_URL?err}
    deploy:
      <<: *default-deploy

  firezone:
    image: firezone/firezone
    ports:
      - 51820:51820/udp
    env_file:
      # This should contain a list of env vars for configuring Firezone.
      # See https://docs.firezone.dev/reference/env-vars for more info.
      - .env
    volumes:
      # IMPORTANT: Persists WireGuard private key and other data. If
      # /var/firezone/private_key exists when Firezone starts, it is
      # used as the WireGuard private. Otherwise, one is generated.
      - /data/firezone/firezone:/var/firezone
    cap_add:
      # Needed for WireGuard and firewall support.
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      # Needed for masquerading and NAT.
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
    depends_on:
      - postgres
    deploy:
      <<: *default-deploy

  postgres:
    image: postgres:15
    volumes:
      - /data/firezone/postgres:/var/lib/postgresql/data
    environment:
      POSTGRES_DB: ${DATABASE_NAME:-firezone}
      POSTGRES_USER: ${DATABASE_USER:-postgres}
      POSTGRES_PASSWORD: ${DATABASE_PASSWORD:?err}
    deploy:
      <<: *default-deploy
      update_config:
        order: stop-first