# docker-compose.prod.yml -- Production environment override # # Pre-built images (recommended): # docker compose -f docker-compose.yml -f docker-compose.prod.yml --env-file .env.prod up -d # # Build from source: # docker compose -f docker-compose.yml -f docker-compose.prod.yml -f docker-compose.build.yml --env-file .env.prod up -d services: postgres: volumes: - ./docker-data/postgres:/var/lib/postgresql/data - ./scripts/init-postgres-prod.sql:/docker-entrypoint-initdb.d/init.sql:ro healthcheck: test: ["CMD-SHELL", "pg_isready -U postgres -d ${POSTGRES_DB:-tod}"] interval: 5s timeout: 5s retries: 5 api: image: ghcr.io/staack/the-other-dude/api:${TOD_VERSION:-latest} container_name: tod_api env_file: .env.prod environment: ENVIRONMENT: production LOG_LEVEL: info GUNICORN_WORKERS: "2" WIREGUARD_CONFIG_PATH: /data/wireguard WIREGUARD_GATEWAY: wireguard cap_add: - NET_ADMIN user: root command: > sh -c " if [ -n \"$$WIREGUARD_GATEWAY\" ]; then apt-get update -qq && apt-get install -y -qq iproute2 >/dev/null 2>&1 || true; GW_IP=$$(getent hosts $$WIREGUARD_GATEWAY 2>/dev/null | awk '{print $$1}'); [ -z \"$$GW_IP\" ] && GW_IP=$$WIREGUARD_GATEWAY; ip route add 10.10.0.0/16 via $$GW_IP 2>/dev/null || true; echo VPN route: 10.10.0.0/16 via $$GW_IP; fi; exec su -s /bin/sh appuser -c 'gunicorn app.main:app --config gunicorn.conf.py' " ports: - "8001:8000" volumes: - ./docker-data/git-store:/data/git-store - ./docker-data/wireguard:/data/wireguard depends_on: postgres: condition: service_healthy redis: condition: service_healthy nats: condition: service_healthy openbao: condition: service_healthy deploy: resources: limits: memory: 512M restart: unless-stopped logging: driver: json-file options: max-size: "10m" max-file: "3" networks: - tod - tod_remote_worker poller: image: ghcr.io/staack/the-other-dude/poller:${TOD_VERSION:-latest} container_name: tod_poller env_file: .env.prod cap_add: - NET_ADMIN environment: ENVIRONMENT: production LOG_LEVEL: info DATABASE_URL: ${POLLER_DATABASE_URL:-postgres://poller_user:poller_password@postgres:5432/tod} TUNNEL_PORT_MIN: 49000 TUNNEL_PORT_MAX: 49100 TUNNEL_IDLE_TIMEOUT: 300 SSH_RELAY_PORT: 8080 SSH_IDLE_TIMEOUT: 900 SSH_MAX_SESSIONS: 200 SSH_MAX_PER_USER: 10 SSH_MAX_PER_DEVICE: 20 ports: - "127.0.0.1:49000-49100:49000-49100" ulimits: nofile: soft: 8192 hard: 8192 depends_on: postgres: condition: service_healthy redis: condition: service_healthy nats: condition: service_healthy openbao: condition: service_healthy healthcheck: test: ["CMD-SHELL", "wget --spider -q http://localhost:8080/healthz || exit 1"] interval: 30s timeout: 3s retries: 3 deploy: resources: limits: memory: 512M # increased from 256M for tunnel/SSH overhead restart: unless-stopped logging: driver: json-file options: max-size: "10m" max-file: "3" networks: - tod - tod_remote_worker openbao: env_file: .env.prod environment: BAO_ADDR: "http://127.0.0.1:8200" BAO_UNSEAL_KEY: "${BAO_UNSEAL_KEY}" BAO_TOKEN: "${OPENBAO_TOKEN}" ports: [] restart: unless-stopped logging: driver: json-file options: max-size: "10m" max-file: "3" winbox-worker: image: ghcr.io/staack/the-other-dude/winbox-worker:${TOD_VERSION:-latest} environment: LOG_LEVEL: info MAX_CONCURRENT_SESSIONS: 10 logging: driver: json-file options: max-size: "10m" max-file: "3" restart: unless-stopped frontend: image: ghcr.io/staack/the-other-dude/frontend:${TOD_VERSION:-latest} container_name: tod_frontend ports: - "3000:80" depends_on: - api deploy: resources: limits: memory: 64M restart: unless-stopped networks: - tod