Stefan Mogeritsch
d6a484c347
All checks were successful
Build and Publish Docker Images / build-and-push (., backend/infrastructure/gateway/Dockerfile, api-gateway, api-gateway) (push) Successful in 6m48s
Build and Publish Docker Images / build-and-push (., backend/services/ping/Dockerfile, ping-service, ping-service) (push) Successful in 6m40s
Build and Publish Docker Images / build-and-push (., config/docker/caddy/web-app/Dockerfile, web-app, web-app) (push) Successful in 1m44s
Build and Publish Docker Images / build-and-push (., config/docker/keycloak/Dockerfile, keycloak, keycloak) (push) Successful in 1m31s
- Enabled `directAccessGrants` for `frontend-client` in `meldestelle-realm.json` to support ROPC login flow. - Strengthened admin credentials in realm configuration to meet password policy requirements. - Upgraded Keycloak to `26.5.5` with updated Docker healthcheck logic: - Replaced `curl` with bash `/dev/tcp` for compatibility with `ubi9-micro` image. - Switched health endpoint from `/ready` to `/live` for single-node use. - Adjusted healthcheck timings (`start_period`, `timeout`, `interval`) for smoother startup. - Removed deprecated v1 hostname parameter `KC_HOSTNAME_STRICT_HTTPS`. Signed-off-by: Stefan Mogeritsch <stefan.mo.co@gmail.com>
171 lines
6.2 KiB
YAML
171 lines
6.2 KiB
YAML
name: "${PROJECT_NAME:-meldestelle}"
|
|
|
|
services:
|
|
# ==========================================
|
|
# 1. INFRASTRUCTURE (Stateful & Core)
|
|
# ==========================================
|
|
|
|
# --- DATABASE: PostgreSQL ---
|
|
postgres:
|
|
image: "${POSTGRES_IMAGE:-postgres:16-alpine}"
|
|
container_name: "${PROJECT_NAME:-meldestelle}-postgres"
|
|
restart: unless-stopped
|
|
profiles: [ "infra", "all" ]
|
|
ports:
|
|
- "${POSTGRES_PORT:-5432:5432}"
|
|
environment:
|
|
POSTGRES_USER: "${POSTGRES_USER:-pg-user}"
|
|
POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-pg-password}"
|
|
POSTGRES_DB: "${POSTGRES_DB:-pg-meldestelle-db}"
|
|
volumes:
|
|
- "postgres-data:/var/lib/postgresql/data"
|
|
- "./config/docker/postgres:/docker-entrypoint-initdb.d:Z"
|
|
- "./config/docker/postgres/postgresql.conf:/etc/postgresql/postgresql.conf:Z"
|
|
command:
|
|
- "postgres"
|
|
- "-c"
|
|
- "config_file=/etc/postgresql/postgresql.conf"
|
|
- "-c"
|
|
- "shared_buffers=${POSTGRES_SHARED_BUFFERS:-256MB}"
|
|
- "-c"
|
|
- "effective_cache_size=${POSTGRES_EFFECTIVE_CACHE_SIZE:-768MB}"
|
|
healthcheck:
|
|
test: [ "CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}" ]
|
|
interval: "10s"
|
|
timeout: "5s"
|
|
retries: "5"
|
|
start_period: "10s"
|
|
networks:
|
|
meldestelle-network:
|
|
aliases:
|
|
- "postgres"
|
|
|
|
# --- CACHE: Valkey ---
|
|
valkey:
|
|
image: "${VALKEY_IMAGE:-valkey/valkey:9-alpine}"
|
|
container_name: "${PROJECT_NAME:-meldestelle}-valkey"
|
|
restart: unless-stopped
|
|
profiles: [ "infra", "all" ]
|
|
ports:
|
|
- "${VALKEY_PORT:-6379:6379}"
|
|
volumes:
|
|
- "valkey-data:/data"
|
|
- "./config/docker/valkey/valkey.conf:/etc/valkey/valkey.conf:Z"
|
|
command:
|
|
- "sh"
|
|
- "-lc"
|
|
- |
|
|
exec valkey-server /etc/valkey/valkey.conf \
|
|
--protected-mode no \
|
|
--maxmemory ${VALKEY_MAX_MEMORY:-256MB} \
|
|
--maxmemory-policy ${VALKEY_POLICY:-allkeys-lru} \
|
|
${VALKEY_PASSWORD:+--requirepass $VALKEY_PASSWORD}
|
|
healthcheck:
|
|
test: [ "CMD-SHELL", "[ -z \"$VALKEY_PASSWORD\" ] && valkey-cli ping | grep PONG || valkey-cli -a \"$VALKEY_PASSWORD\" ping | grep PONG" ]
|
|
interval: "10s"
|
|
timeout: "5s"
|
|
retries: "3"
|
|
networks:
|
|
meldestelle-network:
|
|
aliases:
|
|
- "valkey"
|
|
|
|
# --- IAM: Keycloak (Zora-Optimiert) ---
|
|
keycloak:
|
|
build:
|
|
context: .
|
|
dockerfile: config/docker/keycloak/Dockerfile
|
|
args:
|
|
KEYCLOAK_IMAGE_TAG: "${KEYCLOAK_IMAGE_TAG:-26.5.5}"
|
|
image: "${DOCKER_REGISTRY:-git.mo-code.at/mocode-software}/keycloak:${KEYCLOAK_IMAGE_TAG:-26.5.5}"
|
|
container_name: "${PROJECT_NAME:-meldestelle}-keycloak"
|
|
restart: unless-stopped
|
|
profiles: [ "infra", "all" ]
|
|
environment:
|
|
KC_BOOTSTRAP_ADMIN_USERNAME: "${KC_ADMIN_USERNAME:-kc-admin}"
|
|
KC_BOOTSTRAP_ADMIN_PASSWORD: "${KC_ADMIN_PASSWORD:-kc-password}"
|
|
KC_DB: "${KC_DB:-postgres}"
|
|
KC_DB_SCHEMA: "${KC_DB_SCHEMA:-keycloak}"
|
|
KC_DB_URL: "jdbc:postgresql://postgres:5432/${POSTGRES_DB:-pg-meldestelle-db}"
|
|
KC_DB_USERNAME: "${POSTGRES_USER:-pg-user}"
|
|
KC_DB_PASSWORD: "${POSTGRES_PASSWORD:-pg-password}"
|
|
# Hostname-Konfiguration: Für lokale Entwicklung "localhost", auf dem Server die echte IP/Domain setzen
|
|
KC_HOSTNAME: "${KC_HOSTNAME:-localhost}"
|
|
# WICHTIG: false erlaubt Zugriff über beliebige Hostnamen (nötig für Server-Betrieb ohne TLS)
|
|
KC_HOSTNAME_STRICT: "${KC_HOSTNAME_STRICT:-false}"
|
|
# KC_HOSTNAME_STRICT_HTTPS wurde entfernt — deprecated v1-Option in Keycloak 26.x (hostname v2).
|
|
# HTTP-Zugriff wird ausschließlich über KC_HTTP_ENABLED gesteuert.
|
|
KC_HTTP_ENABLED: "true"
|
|
# Admin-Interface explizit auf allen Interfaces binden (0.0.0.0)
|
|
KC_HTTP_MANAGEMENT_PORT: "9000"
|
|
KC_HEALTH_ENABLED: "true"
|
|
KC_METRICS_ENABLED: "true"
|
|
# Integration der Power-Flags
|
|
JAVA_OPTS_APPEND: "-Xms${KC_HEAP_MIN:-512M} -Xmx${KC_HEAP_MAX:-1024M} ${JVM_OPTS_ARM64}"
|
|
ports:
|
|
- "${KC_PORT:-8180:8080}"
|
|
- "${KC_MANAGEMENT_PORT:-9000:9000}"
|
|
depends_on:
|
|
postgres:
|
|
condition: "service_healthy"
|
|
healthcheck:
|
|
# Keycloak basiert auf ubi9-micro — curl/wget sind NICHT im Image enthalten!
|
|
# Lösung: Bash /dev/tcp — kein externes Tool nötig, funktioniert auf jedem bash-Image.
|
|
# Management-Port 9000: Health-Endpoints (/health/live, /health/ready) laufen hier.
|
|
# /health/live: prüft nur Prozess-Liveness — kein Warten auf JGroups-Cluster-Formation.
|
|
test: [ "CMD-SHELL", "exec 3<>/dev/tcp/localhost/9000 && printf 'GET /health/live HTTP/1.0\\r\\nHost: localhost\\r\\n\\r\\n' >&3 && cat <&3 | grep -q '\"UP\"'" ]
|
|
interval: "15s"
|
|
timeout: "10s"
|
|
retries: 5
|
|
start_period: "90s"
|
|
volumes:
|
|
- "./config/docker/keycloak:/opt/keycloak/data/import:Z"
|
|
# start --optimized nutzt das pre-built Image (kc.sh build im Dockerfile)
|
|
# start-dev würde den Pre-Build ignorieren und im Dev-Modus starten (Konflikt mit Registry-Images!)
|
|
command: "${KC_COMMAND:-start --optimized --import-realm}"
|
|
networks:
|
|
meldestelle-network:
|
|
aliases:
|
|
- "keycloak"
|
|
- "auth.mo-code.at"
|
|
|
|
# --- SERVICE DISCOVERY: Consul ---
|
|
consul:
|
|
image: "${CONSUL_IMAGE:-hashicorp/consul:1.22.1}"
|
|
container_name: "${PROJECT_NAME:-meldestelle}-consul"
|
|
restart: unless-stopped
|
|
profiles: [ "infra", "all" ]
|
|
ports:
|
|
- "${CONSUL_PORT:-8500:8500}"
|
|
- "${CONSUL_UDP_PORT:-8600:8600/udp}"
|
|
command: "agent -server -bootstrap-expect=1 -ui -client=0.0.0.0"
|
|
healthcheck:
|
|
test: [ "CMD", "curl", "-f", "http://localhost:8500/v1/status/leader" ]
|
|
interval: "30s"
|
|
networks:
|
|
meldestelle-network:
|
|
aliases:
|
|
- "consul"
|
|
|
|
# --- TRACING: Zipkin ---
|
|
zipkin:
|
|
image: "${ZIPKIN_IMAGE:-openzipkin/zipkin:3}"
|
|
container_name: "${PROJECT_NAME:-meldestelle}-zipkin"
|
|
restart: unless-stopped
|
|
profiles: [ "infra", "all" ]
|
|
environment:
|
|
JAVA_OPTS: "-Xms${ZIPKIN_MIN_HEAP:-256M} -Xmx${ZIPKIN_MAX_HEAP:-512M} ${JVM_OPTS_ARM64}"
|
|
ports:
|
|
- "${ZIPKIN_PORT:-9411:9411}"
|
|
networks:
|
|
meldestelle-network:
|
|
|
|
volumes:
|
|
postgres-data:
|
|
valkey-data:
|
|
mailpit-data:
|
|
|
|
networks:
|
|
meldestelle-network:
|
|
driver: bridge
|