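# Compose stack: nginx (public TLS edge) -> portal-frontend / portal-api -> portal (relay).
#
# Operator security notes:
#   * Every `image:` tag here (`nginx:stable-alpine`, `ghcr.io/gosuda/*:2`) is a floating
#     tag. For a reproducible, auditable deployment pin each image to a digest
#     (`image: <name>@sha256:<digest>`) and move the pin deliberately.
#   * `./.portal-certs` holds the TLS private key and the relay identity. Keep it out of
#     version control and restrict its permissions on the host.
#   * DNS-provider credentials are injected as plain environment variables, which
#     `docker inspect` and every process in the container can read. Source them from an
#     untracked .env file, and prefer Compose `secrets:` / file-based credentials where
#     the image supports them.
services:
  nginx:
    image: nginx:stable-alpine
    depends_on:
      - portal
      - portal-frontend
      - portal-api
    ports:
      # Binds on all host interfaces: this is the intended public entry point.
      - "${HTTP_PORT:-80}:80"
      - "${HTTPS_PORT:-443}:443"
    environment:
      PORTAL_URL: ${PORTAL_URL:-https://localhost}
      NGINX_CERT_FILE: ${NGINX_CERT_FILE:-/etc/nginx/certs/fullchain.pem}
      NGINX_CERT_KEY: ${NGINX_CERT_KEY:-/etc/nginx/certs/privatekey.pem}
    volumes:
      - ./nginx.conf.template:/etc/nginx/templates/nginx.conf.template:ro
      # Same directory the `portal` service mounts read-write; nginx only reads it.
      - ./.portal-certs:/etc/nginx/certs:ro
    # Render nginx.conf from the template, then block until the certificate and key
    # files exist and are non-empty, so nginx never starts without TLS material.
    # `$$` is the Compose escape for a literal `$`; expansion happens in the container shell.
    command:
      - /bin/sh
      - -c
      - |
        # Derive the bare host name from PORTAL_URL: drop the scheme, then any path, then any port.
        # NOTE(review): the port strip also truncates a bracketed IPv6 literal such as
        # https://[::1]:443 -- use a DNS name, or confirm the template tolerates this.
        portal_host="$${PORTAL_URL#*://}"
        portal_host="$${portal_host%%/*}"
        portal_host="$${portal_host%%:*}"
        export PORTAL_HOST="$${portal_host:-localhost}"
        export NGINX_CERT_FILE="$${NGINX_CERT_FILE:-/etc/nginx/certs/fullchain.pem}"
        export NGINX_CERT_KEY="$${NGINX_CERT_KEY:-/etc/nginx/certs/privatekey.pem}"
        # Only the three listed variables are substituted; other dollar-prefixed text
        # in the template (nginx's own variables) is left untouched.
        envsubst '$$PORTAL_HOST $$NGINX_CERT_FILE $$NGINX_CERT_KEY' \
          < /etc/nginx/templates/nginx.conf.template \
          > /etc/nginx/nginx.conf
        until [ -s "$$NGINX_CERT_FILE" ] && [ -s "$$NGINX_CERT_KEY" ]; do
          echo "waiting for TLS certificate files: $$NGINX_CERT_FILE and $$NGINX_CERT_KEY"
          sleep 1
        done
        exec nginx -g 'daemon off;'
    restart: unless-stopped

  # Optional: uncomment to enable auto-generated thumbnails for tunnel apps.
  # See docs/src/routes/deployment/+page.md for details.
  # The ws://headless-shell:9222 endpoint referenced below is a Chrome DevTools port,
  # which carries no authentication of its own: give this service no `ports:` entry so
  # only peers on the Compose network can reach it.
  # headless-shell:
  #   image: chromedp/headless-shell:stable
  #   restart: unless-stopped

  portal-api:
    image: ghcr.io/gosuda/portal-api:2
    build:
      context: ./frontend
      dockerfile: Dockerfile
      target: api
    depends_on:
      - portal
      # Uncomment with the headless-shell service above to enable generated screenshots.
      # - headless-shell
    environment:
      # Env values are strings; quoting the port avoids YAML integer typing.
      PORT: "8081"
      # Internal hop to the relay API over TLS; `portal` is the Compose service name.
      # NOTE(review): whether the relay's certificate is verified on this hop is decided
      # by the portal-api image -- confirm rather than assume.
      PORTAL_API_BASE_URL: https://portal:4017
      LANDING_PAGE_ENABLED: ${LANDING_PAGE_ENABLED:-false}
      PORTAL_FRONTEND_STATE_PATH: /frontend-state/state.json
      # Leave empty to disable generated screenshots without removing the service.
      HEADLESS_SHELL_URL: ${HEADLESS_SHELL_URL:-}
      # HEADLESS_SHELL_URL: ${HEADLESS_SHELL_URL:-ws://headless-shell:9222}
    volumes:
      # Only this subdirectory is mounted, so the certificate and identity material in
      # the parent `./.portal-certs` directory is not exposed to this container.
      - ./.portal-certs/frontend-state:/frontend-state
    restart: unless-stopped

  portal-frontend:
    image: ghcr.io/gosuda/portal-frontend:2
    build:
      context: ./frontend
      dockerfile: Dockerfile
    depends_on:
      - portal
      - portal-api
    restart: unless-stopped

  portal:
    image: ghcr.io/gosuda/portal:2
    build:
      context: .
      dockerfile: Dockerfile
    # Allow the relay time to shut down cleanly before Compose sends SIGKILL.
    stop_grace_period: 30s
    ports:
      - "${WIREGUARD_PORT:-51820}:${WIREGUARD_PORT:-51820}/udp"
      # Uncomment for UDP backhaul, public UDP lease ports, and raw TCP lease ports as needed.
      # - "443:443/udp"
      # - "${MIN_PORT:-40000}-${MAX_PORT:-40009}:${MIN_PORT:-40000}-${MAX_PORT:-40009}/udp"
      # - "${MIN_PORT:-40000}-${MAX_PORT:-40009}:${MIN_PORT:-40000}-${MAX_PORT:-40009}"
      # Uncomment with PPROF_ENABLED=true and PPROF_ADDR=:6060 to inspect pprof from the host.
      # The host side is pinned to loopback: pprof is unauthenticated and serves heap and
      # goroutine dumps, so it must never be reachable from other machines.
      # - "127.0.0.1:${PPROF_PORT:-6060}:${PPROF_PORT:-6060}"
    environment:
      # Public routing, discovery, and relay identity persistence
      PORTAL_URL: ${PORTAL_URL:-https://localhost}
      BOOTSTRAPS: ${BOOTSTRAPS:-}
      DISCOVERY: ${DISCOVERY:-true}
      IDENTITY_PATH: ${IDENTITY_PATH:-/portal-certs}
      # Internal listeners; neither is published by this file (nginx owns host 443).
      API_PORT: "4017"
      SNI_PORT: "443"
      WIREGUARD_PORT: ${WIREGUARD_PORT:-51820}
      # Shared lease port range.
      MIN_PORT: ${MIN_PORT:-40000}
      MAX_PORT: ${MAX_PORT:-40009}
      UDP_ENABLED: ${UDP_ENABLED:-false}
      TCP_ENABLED: ${TCP_ENABLED:-false}
      # Admin/auth configuration
      ADMIN_WALLETS: ${ADMIN_WALLETS:-}
      # Forwarded headers are trusted by default while the CIDR allow-list is empty. That
      # is only safe as long as nginx is the sole path to the relay API; anything able to
      # reach port 4017 or 443 on `portal` directly could otherwise present a forged
      # client address. Set TRUSTED_PROXY_CIDRS to the proxy's network before publishing
      # any additional ports on this service.
      # NOTE(review): how an empty allow-list is interpreted is decided by the portal
      # image -- confirm it does not mean "trust every peer".
      TRUST_PROXY_HEADERS: ${TRUST_PROXY_HEADERS:-true}
      TRUSTED_PROXY_CIDRS: ${TRUSTED_PROXY_CIDRS:-}
      # Optional: relay-local x402 facilitator exposed under /api/x402
      X402_FACILITATOR_ENABLED: ${X402_FACILITATOR_ENABLED:-false}
      # Defaults target Base Sepolia (a testnet) through a public third-party RPC endpoint;
      # point X402_RPC_URL at an endpoint you operate or trust before handling real funds.
      X402_NETWORK: ${X402_NETWORK:-eip155:84532}
      X402_RPC_URL: ${X402_RPC_URL:-https://base-sepolia-rpc.publicnode.com}
      # Optional diagnostics; keep loopback unless the pprof port is protected.
      PPROF_ENABLED: ${PPROF_ENABLED:-false}
      PPROF_ADDR: ${PPROF_ADDR:-127.0.0.1:6060}
      # TLS/ACME materials and DNS automation.
      # Presumably only the provider selected by ACME_DNS_PROVIDER reads its variables;
      # the unused ones resolve to empty strings. All of these are credentials.
      ACME_DNS_PROVIDER: ${ACME_DNS_PROVIDER:-}
      ENS_GASLESS_ENABLED: ${ENS_GASLESS_ENABLED:-false}
      CLOUDFLARE_TOKEN: ${CLOUDFLARE_TOKEN:-}
      GCP_PROJECT_ID: ${GCP_PROJECT_ID:-}
      GCP_MANAGED_ZONE: ${GCP_MANAGED_ZONE:-}
      # Path inside the container; with the gcp-dns.json mount below, set it to
      # /run/secrets/gcp-dns.json.
      GOOGLE_APPLICATION_CREDENTIALS: ${GOOGLE_APPLICATION_CREDENTIALS:-}
      HETZNER_API_TOKEN: ${HETZNER_API_TOKEN:-}
      # Prefer short-lived credentials (AWS_SESSION_TOKEN) scoped to the one hosted zone
      # over long-lived access keys.
      AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID:-}
      AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY:-}
      AWS_SESSION_TOKEN: ${AWS_SESSION_TOKEN:-}
      AWS_REGION: ${AWS_REGION:-}
      AWS_DEFAULT_REGION: ${AWS_DEFAULT_REGION:-}
      AWS_HOSTED_ZONE_ID: ${AWS_HOSTED_ZONE_ID:-}
      AWS_DNSSEC_KMS_KEY_ARN: ${AWS_DNSSEC_KMS_KEY_ARN:-}
      VULTR_API_KEY: ${VULTR_API_KEY:-}
      NJALLA_TOKEN: ${NJALLA_TOKEN:-}
    volumes:
      # Read-write: IDENTITY_PATH points here, and nginx reads its certificate and key
      # from the same host directory (mounted read-only there).
      - ./.portal-certs:${IDENTITY_PATH:-/portal-certs}
      # Uncomment when using a Google Cloud service account file for gcloud automation.
      # - ./gcp-dns.json:/run/secrets/gcp-dns.json:ro
    restart: unless-stopped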