Marc Mintel
289e41a040
Some checks failed
Build & Deploy / 🔍 Prepare (push) Successful in 6s
Build & Deploy / 🧪 QA (push) Failing after 1m10s
Build & Deploy / 🏗️ Build (push) Has been skipped
Build & Deploy / 🚀 Deploy (push) Has been skipped
Build & Deploy / 🧪 Post-Deploy Verification (push) Has been skipped
Build & Deploy / 🔔 Notify (push) Successful in 2s
149 lines
6.9 KiB
YAML
149 lines
6.9 KiB
YAML
services:
|
||
klz-app:
|
||
image: registry.infra.mintel.me/mintel/klz-2026:${IMAGE_TAG:-latest}
|
||
restart: unless-stopped
|
||
networks:
|
||
default:
|
||
infra:
|
||
aliases:
|
||
- klz.localhost
|
||
env_file:
|
||
- ${ENV_FILE:-.env}
|
||
environment:
|
||
POSTGRES_URI: postgres://${PAYLOAD_DB_USER:-payload}:${PAYLOAD_DB_PASSWORD:-payload}@klz-db:5432/${PAYLOAD_DB_NAME:-payload}
|
||
PAYLOAD_SECRET: ${PAYLOAD_SECRET:-fallback-secret-for-production-needs-change}
|
||
volumes:
|
||
- klz_media_data:/app/public/media
|
||
labels:
|
||
- "traefik.enable=true"
|
||
# HTTP ⇒ HTTPS redirect
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-web.rule=${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-klz-cables.com}`)}"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-web.entrypoints=web"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-web.middlewares=redirect-https"
|
||
# HTTPS router (Standard)
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}.rule=${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-klz-cables.com}`)}"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}.entrypoints=${TRAEFIK_ENTRYPOINT:-web}"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-}"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}.tls=${TRAEFIK_TLS:-false}"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}.service=${PROJECT_NAME:-klz}-app-svc"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}.middlewares=${AUTH_MIDDLEWARE:-klz-ratelimit,klz-forward,klz-compress}"
|
||
|
||
# Public Router – paths that bypass Gatekeeper auth (health, SEO, static assets, OG images)
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-public.rule=(${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-klz-cables.com}`)}) && PathRegexp(`^/([a-z]{2}/)?(health|login|gatekeeper|uploads|media|robots\\.txt|manifest\\.webmanifest|sitemap(-[0-9]+)?\\.xml|(.*/)?api/og(/.*)?|(.*/)?opengraph-image.*)`)"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-public.entrypoints=${TRAEFIK_ENTRYPOINT:-web}"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-public.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-}"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-public.tls=${TRAEFIK_TLS:-false}"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-public.service=${PROJECT_NAME:-klz}-app-svc"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-public.priority=2000"
|
||
|
||
- "traefik.http.services.${PROJECT_NAME:-klz}-app-svc.loadbalancer.server.port=3000"
|
||
- "traefik.docker.network=infra"
|
||
|
||
# Middlewares
|
||
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-compress.compress=true"
|
||
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-ratelimit.ratelimit.average=100"
|
||
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-ratelimit.ratelimit.burst=50"
|
||
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-forward.headers.customrequestheaders.X-Forwarded-Proto=https"
|
||
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-forward.headers.customrequestheaders.X-Forwarded-Ssl=on"
|
||
|
||
# Login redirect – the app's middleware sends users to /login but login lives at /gatekeeper/login
|
||
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-loginredirect.redirectregex.regex=^https?://[^/]+/([a-z]{2}/)?login(.*)"
|
||
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-loginredirect.redirectregex.replacement=https://${TRAEFIK_HOST:-klz-cables.com}/gatekeeper/login$${2}"
|
||
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-loginredirect.redirectregex.permanent=false"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-loginredir.rule=(${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-klz-cables.com}`)}) && PathRegexp(`^/([a-z]{2}/)?login`)"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-loginredir.entrypoints=${TRAEFIK_ENTRYPOINT:-web}"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-loginredir.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-}"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-loginredir.tls=${TRAEFIK_TLS:-false}"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-loginredir.middlewares=${PROJECT_NAME:-klz}-loginredirect"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-loginredir.service=${PROJECT_NAME:-klz}-app-svc"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-loginredir.priority=2002"
|
||
|
||
klz-gatekeeper:
|
||
profiles: [ "gatekeeper" ]
|
||
image: registry.infra.mintel.me/mintel/gatekeeper:testing
|
||
restart: unless-stopped
|
||
networks:
|
||
infra:
|
||
aliases:
|
||
- ${PROJECT_NAME:-klz}-gatekeeper
|
||
env_file:
|
||
- ${ENV_FILE:-.env}
|
||
environment:
|
||
PORT: 3000
|
||
labels:
|
||
- "traefik.enable=true"
|
||
- "traefik.http.services.${PROJECT_NAME:-klz}-gatekeeper-svc.loadbalancer.server.port=3000"
|
||
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-auth.forwardauth.address=http://${PROJECT_NAME:-klz}-gatekeeper:3000/gatekeeper/api/verify"
|
||
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-auth.forwardauth.trustForwardHeader=true"
|
||
- "traefik.http.middlewares.${PROJECT_NAME:-klz}-auth.forwardauth.authResponseHeaders=X-Auth-User"
|
||
- "traefik.docker.network=infra"
|
||
|
||
# Gatekeeper Public Router (Login/Auth UI) — basePath mode on main domain
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.rule=(${TRAEFIK_HOST_RULE:-Host(`${TRAEFIK_HOST:-klz-cables.com}`)}) && PathPrefix(`/gatekeeper`)"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.entrypoints=${TRAEFIK_ENTRYPOINT:-web}"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.tls.certresolver=${TRAEFIK_CERT_RESOLVER:-}"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.tls=${TRAEFIK_TLS:-false}"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.service=${PROJECT_NAME:-klz}-gatekeeper-svc"
|
||
- "traefik.http.routers.${PROJECT_NAME:-klz}-gatekeeper.priority=2001"
|
||
|
||
klz-db:
|
||
image: postgres:15-alpine
|
||
restart: unless-stopped
|
||
env_file:
|
||
- ${ENV_FILE:-.env}
|
||
environment:
|
||
POSTGRES_DB: ${PAYLOAD_DB_NAME:-payload}
|
||
POSTGRES_USER: ${PAYLOAD_DB_USER:-payload}
|
||
POSTGRES_PASSWORD: ${PAYLOAD_DB_PASSWORD:-payload}
|
||
volumes:
|
||
- klz_db_data:/var/lib/postgresql/data
|
||
networks:
|
||
- default
|
||
|
||
klz-redis:
|
||
image: redis:7-alpine
|
||
restart: unless-stopped
|
||
networks:
|
||
- default
|
||
|
||
klz-qdrant:
|
||
image: qdrant/qdrant:v1.13.2
|
||
restart: unless-stopped
|
||
ports:
|
||
- "6333:6333"
|
||
environment:
|
||
QDRANT__SERVICE__HTTP_PORT: 6333
|
||
QDRANT__SERVICE__GRPC_PORT: 6334
|
||
volumes:
|
||
- klz_qdrant_data:/qdrant/storage
|
||
networks:
|
||
- default
|
||
|
||
klz-kabelfachmann:
|
||
image: registry.infra.mintel.me/mintel/kabelfachmann-mcp:${IMAGE_TAG:-latest}
|
||
restart: unless-stopped
|
||
networks:
|
||
- default
|
||
env_file:
|
||
- ${ENV_FILE:-.env}
|
||
environment:
|
||
QDRANT_URL: http://klz-qdrant:6333
|
||
ports:
|
||
- "3007:3007"
|
||
depends_on:
|
||
- klz-qdrant
|
||
|
||
networks:
|
||
default:
|
||
name: ${PROJECT_NAME:-klz-cables}-internal
|
||
infra:
|
||
external: true
|
||
|
||
volumes:
|
||
klz_db_data:
|
||
external: false
|
||
klz_media_data:
|
||
external: false
|
||
klz_qdrant_data:
|
||
external: false
|