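# Springtale — Docker Compose for local development and production
#
# Usage:
#   docker compose up      # start springtaled
#   docker compose down    # stop and remove
#
# Before first run:
#   1. Create secrets: mkdir -p secrets && echo -n "your-passphrase" > secrets/passphrase.txt
#   2. Create a vault: docker compose run --rm springtaled springtale init
#
# Data persisted in ./data/ directory (vault.bin, springtale.db)
# Passphrase loaded from file (not env var) per security audit requirements.
#
# NOTE(review): step 1 as written leaves the passphrase in shell history and
# creates the file with the default umask. Consider writing the file from an
# editor or a prompt, and restricting its mode as far as the container user's
# read access allows (a file-based Compose secret is mounted from the host
# file, so host ownership and mode carry into the container).
# NOTE(review): `build: .` uses this directory as the build context, which
# also contains ./secrets and ./data. Confirm that .dockerignore and
# .gitignore exclude both — neither file is visible from here.

secrets:
  springtale_passphrase:
    file: ./secrets/passphrase.txt

services:
  springtaled:
    # NOTE(review): no `user:` is set, so the process runs as whatever USER
    # the Dockerfile declares — confirm it is non-root.
    build: .
    container_name: springtaled
    ports:
      # Short syntax without a host IP publishes on every host interface.
      # For local development, "127.0.0.1:8080:8080" keeps the API on
      # loopback. Whether the API enforces authentication or TLS itself is
      # not visible from this file — confirm before exposing it.
      - "8080:8080"
    volumes:
      # Only writable path in the container besides /tmp; holds vault.bin,
      # springtale.db and springtale.sock (see the environment entries
      # below). Anyone with access to ./data on the host can reach them.
      - ./data:/data
      - ./springtale.toml:/etc/springtale/springtale.toml:ro
    secrets:
      - springtale_passphrase
    environment:
      # Passphrase loaded from Docker secret file (not env var).
      # boot.rs reads SPRINGTALE_PASSPHRASE_FILE first, falls back to SPRINGTALE_PASSPHRASE.
      # Leave SPRINGTALE_PASSPHRASE unset here so the secret never appears
      # in `docker inspect` output or the process environment.
      - SPRINGTALE_PASSPHRASE_FILE=/run/secrets/springtale_passphrase
      # Double underscore (__) separates config nesting levels.
      - SPRINGTALE_STORE__PATH=/data/springtale.db
      - SPRINGTALE_CRYPTO__VAULT_PATH=/data/vault.bin
      - SPRINGTALE_TRANSPORT__SOCKET_PATH=/data/springtale.sock
      # Must listen on all container interfaces for the published port to
      # work; host-side exposure is decided by the `ports` entry above.
      - SPRINGTALE_API__BIND=0.0.0.0:8080
      - RUST_LOG=info
    # Root filesystem is immutable; /tmp (tmpfs) and /data are the only
    # writable locations.
    read_only: true
    tmpfs:
      - /tmp
    # Drop every Linux capability and block privilege gain through
    # setuid/setgid binaries.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    healthcheck:
      # Requires wget to be present in the image — not verifiable from here.
      test: ["CMD", "wget", "-q", "--spider", "http://localhost:8080/health"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    restart: unless-stopped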