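# Docker Compose configuration for Cryptic Server
# Two services: the Erlang server (cryptic-server) and an interactive TUI
# client (cryptic-tui). The client does not depend on the server and may be
# pointed at a remote host instead.
#
# `version` is ignored (with a warning) by Compose v2 but kept for older
# docker-compose releases.
version: "3.8"

services:
  cryptic-server:
    build:
      context: .
      dockerfile: Dockerfile
    image: cryptic-server:latest
    container_name: cryptic-server
    # Port mapping. This publishes 8443 on every host interface; use
    # "127.0.0.1:8443:8443" if the server should only be reachable locally.
    ports:
      - "8443:8443"
    # Environment variables (override Dockerfile defaults if needed)
    environment:
      # 0.0.0.0 binds all interfaces inside the container; exposure to the
      # outside is controlled by the `ports` mapping above.
      - CRYPTIC_SERVER_HOST=0.0.0.0
      - CRYPTIC_SERVER_PORT=8443
      # Set server directory - all server data stored here
      # Paths in sys.config (e.g., "priv/ssl/ca.crt") are relative to this directory
      - CRYPTIC_SERVER_DIR=/opt/cryptic/server_data
      - CRYPTIC_EVENT_HANDLERS=cryptic_file_logger
      # Optional: Enable debug logging (set to "true" for verbose output).
      # Enabled here; verbose logs may include connection details, so set to
      # "false" for anything other than local development.
      - CRYPTIC_DEBUG=true
    # Volume mounts for certificates and persistent data
    volumes:
      # Single mount point for all server data (priv/, logs/, data/)
      # Note: /opt/cryptic contains Erlang release, so mount to subdirectory
      - ./server_data:/opt/cryptic/server_data:rw
      # Shared GPG keyring - allows GPG key generation inside container
      # Keys generated in container are available on host and vice versa
      # NOTE(review): this gives the server process read-write access to the
      # host user's entire keyring (secret keys, trustdb). A dedicated keyring
      # directory for the server would limit what a compromised container can
      # read or alter — confirm the full keyring is really needed here.
      - ${HOME}/.gnupg:/home/cryptic/.gnupg:rw
    # Restart policy
    restart: unless-stopped
    # Network configuration
    networks:
      - cryptic-network
    # Health check: TCP connect to the listening port from inside the container
    # (requires `nc` in the server image).
    healthcheck:
      test: ["CMD", "nc", "-z", "localhost", "8443"]
      interval: 30s
      timeout: 3s
      retries: 3
      start_period: 10s

  # Cryptic TUI Client (interactive terminal UI)
  # NOTE: Requires cryptic-tui repository as sibling directory during build
  # See docs/DOCKER.md for setup instructions
  cryptic-tui:
    build:
      context: ..  # Parent directory to access both cryptic/ and cryptic-tui/
      dockerfile: cryptic/Dockerfile.tui
    image: cryptic-tui:latest
    container_name: cryptic-tui
    # Interactive mode with TTY
    stdin_open: true
    tty: true
    # Environment variables (map to bin/cryptic script options)
    environment:
      # Username for authentication (required)
      # Set via CRYPTIC_USERNAME environment variable when running:
      #   CRYPTIC_USERNAME=kalle docker compose run --rm cryptic-tui
      - CRYPTIC_USERNAME=${CRYPTIC_USERNAME:-alice}
      # Server connection details (can be overridden)
      # Default to host.docker.internal, which is mapped to the host machine via
      # extra_hosts below (Docker Desktop provides the name on its own; the
      # explicit entry makes it resolve on Linux Docker Engine as well).
      # Override with CRYPTIC_SERVER_HOST=cryptic-server for Docker server
      # or CRYPTIC_SERVER_HOST=relay.example.com for remote server
      - CRYPTIC_SERVER_HOST=${CRYPTIC_SERVER_HOST:-host.docker.internal}
      - CRYPTIC_SERVER_PORT=${CRYPTIC_SERVER_PORT:-8443}
      # Erlang node configuration
      - CRYPTIC_NODE_NAME=${CRYPTIC_NODE_NAME:-localhost}
      # Enable encrypted message storage (optional)
      - CRYPTIC_ENABLE_DB=${CRYPTIC_ENABLE_DB:-false}
      # Debug logging (optional)
      - CRYPTIC_DEBUG=${CRYPTIC_DEBUG:-false}
      # Terminal configuration
      - TERM=xterm-256color
    # Volume mounts for cryptographic keys, database, and logs
    volumes:
      # CRITICAL: Mount entire .cryptic directory for persistent storage
      # This directory contains ALL user data:
      #   - certificates/       mTLS client certificates
      #   - keys.encrypted      Encrypted X3DH identity keys
      #   - sessions/*.session  Double Ratchet session states (encrypted)
      #   - cryptic_chat.db     SQLite message history (if --enable-db)
      #   - logs/               Application logs
      #
      # MUST be read-write because:
      #   - cryptic_lib saves/loads encrypted identity keys
      #   - cryptic_engine updates session states after each message
      #   - cryptic_chat_storage writes to SQLite database
      #   - Application writes log files
      - ${HOME}/.cryptic:/home/cryptic/.cryptic
      # Shared GPG keyring - required for certificate auto-renewal
      # The GPG secret key is needed to sign CSRs when renewing certificates
      # Keys are shared between host and container
      - ${HOME}/.gnupg:/home/cryptic/.gnupg:rw
    # NOTE: No depends_on - client can connect to any server (local or remote)
    # If connecting to local cryptic-server, start it separately first
    # Network configuration (only needed if connecting to local server)
    networks:
      - cryptic-network
    # Map host names in the container to the host machine.
    # This allows the container to connect to a server running on the host.
    # Note: Don't use "localhost" as it conflicts with container's own 127.0.0.1
    # NOTE(review): the "cryptic-server" entry lands in /etc/hosts and is
    # consulted before Docker's service-name DNS, so CRYPTIC_SERVER_HOST=
    # cryptic-server reaches the server through the published host port rather
    # than over cryptic-network — confirm that is the intended path.
    extra_hosts:
      - "cryptic-server:host-gateway"
      # Needed so the default CRYPTIC_SERVER_HOST above resolves on Linux
      # Docker Engine, where host.docker.internal is not defined automatically.
      - "host.docker.internal:host-gateway"
    # Don't auto-restart (this is an interactive client)
    restart: "no"

# Named volumes for persistent data.
# None of these are referenced by the two services in this file; they are kept
# for external consumers / compatibility.
volumes:
  cryptic-logs:
    driver: local
  cryptic-ca-data:
    driver: local
  cryptic-data:
    driver: local
  # Note: cryptic-tui-logs removed - using host ~/.cryptic mount instead

# Network configuration
networks:
  cryptic-network:
    driver: bridge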