Barazo Docker Compose templates for self-hosting barazo.forum

feat(prod): add production Docker Compose with Caddy SSL (#4)

Single-community production deployment with 6 services:
- PostgreSQL 16 (pgvector), Valkey 8, Tap (firehose), barazo-api,
barazo-web, and Caddy reverse proxy with automatic Let's Encrypt SSL.

Two-network segmentation (frontend/backend), health check dependencies
for startup ordering, restart policies, and commented resource limits.
Caddyfile routes /api/* to API, /docs to API, everything else to Web.

authored by Guido X Jansen and committed by GitHub
7fe67899 c1e15d57

+249
+41
Caddyfile
··· 1 + # Barazo Caddyfile -- Reverse Proxy with Automatic SSL 2 + # 3 + # Caddy handles: 4 + # - Automatic HTTPS via Let's Encrypt (auto-renews) 5 + # - HTTP -> HTTPS redirect (automatic) 6 + # - HTTP/3 (QUIC) support 7 + # - Reverse proxy routing to API and Web services 8 + # 9 + # Set COMMUNITY_DOMAIN in your .env file (e.g., "forum.example.com"). 10 + 11 + { 12 + admin off 13 + } 14 + 15 + {$COMMUNITY_DOMAIN} { 16 + # Block /api/health/ready from external access (internal monitoring only) 17 + @healthReady path /api/health/ready 18 + handle @healthReady { 19 + respond "Forbidden" 403 { 20 + close 21 + } 22 + } 23 + 24 + # API routes -> barazo-api:3000 25 + handle /api/* { 26 + reverse_proxy barazo-api:3000 27 + } 28 + 29 + # API documentation -> barazo-api:3000 30 + handle /docs { 31 + reverse_proxy barazo-api:3000 32 + } 33 + handle /docs/* { 34 + reverse_proxy barazo-api:3000 35 + } 36 + 37 + # Everything else -> barazo-web:3001 38 + handle { 39 + reverse_proxy barazo-web:3001 40 + } 41 + }
+208
docker-compose.yml
··· 1 + # Barazo Production Docker Compose -- Single Community 2 + # 3 + # Deploys a complete Barazo forum with automatic SSL via Caddy. 4 + # Only ports 80 and 443 are exposed externally. 5 + # 6 + # Usage: 7 + # cp .env.example .env 8 + # # Edit .env with your domain, passwords, and community settings 9 + # docker compose up -d 10 + # 11 + # Startup order: postgres -> valkey -> tap -> barazo-api -> barazo-web -> caddy 12 + 13 + services: 14 + # --------------------------------------------------------------------------- 15 + # PostgreSQL 16 with pgvector (full-text + optional semantic search) 16 + # --------------------------------------------------------------------------- 17 + postgres: 18 + image: pgvector/pgvector:pg16 19 + restart: unless-stopped 20 + environment: 21 + POSTGRES_USER: ${POSTGRES_USER} 22 + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} 23 + POSTGRES_DB: ${POSTGRES_DB} 24 + volumes: 25 + - pgdata:/var/lib/postgresql/data 26 + networks: 27 + - backend 28 + healthcheck: 29 + test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER}"] 30 + interval: 10s 31 + timeout: 5s 32 + retries: 5 33 + # Uncomment to set resource limits: 34 + # mem_limit: 1g 35 + # cpus: 1.0 36 + 37 + # --------------------------------------------------------------------------- 38 + # Valkey 8 (Redis-compatible cache for sessions, rate limiting, queues) 39 + # --------------------------------------------------------------------------- 40 + valkey: 41 + image: valkey/valkey:8-alpine 42 + restart: unless-stopped 43 + command: > 44 + valkey-server 45 + --requirepass ${VALKEY_PASSWORD} 46 + --rename-command FLUSHALL "" 47 + --rename-command FLUSHDB "" 48 + --rename-command CONFIG "" 49 + --rename-command DEBUG "" 50 + --rename-command KEYS "" 51 + volumes: 52 + - valkeydata:/data 53 + networks: 54 + - backend 55 + healthcheck: 56 + test: ["CMD", "valkey-cli", "-a", "${VALKEY_PASSWORD}", "ping"] 57 + interval: 10s 58 + timeout: 5s 59 + retries: 3 60 + # Uncomment to set resource limits: 61 + # 
mem_limit: 512m 62 + # cpus: 0.5 63 + 64 + # --------------------------------------------------------------------------- 65 + # Tap (AT Protocol firehose consumer -- filters forum.barazo.* records) 66 + # --------------------------------------------------------------------------- 67 + tap: 68 + image: ghcr.io/bluesky-social/indigo/tap:latest 69 + platform: linux/amd64 70 + restart: unless-stopped 71 + environment: 72 + TAP_RELAY_URL: ${RELAY_URL:-wss://bsky.network} 73 + TAP_SIGNAL_COLLECTION: forum.barazo.topic.post 74 + TAP_COLLECTION_FILTERS: forum.barazo.topic.post,forum.barazo.topic.reply,forum.barazo.interaction.reaction 75 + TAP_DATABASE_URL: sqlite:///data/tap.db 76 + TAP_ADMIN_PASSWORD: ${TAP_ADMIN_PASSWORD} 77 + volumes: 78 + - tapdata:/data 79 + networks: 80 + - backend 81 + # Uncomment to set resource limits: 82 + # mem_limit: 512m 83 + # cpus: 0.5 84 + 85 + # --------------------------------------------------------------------------- 86 + # Barazo API (AppView backend -- Fastify, REST API, firehose indexing) 87 + # --------------------------------------------------------------------------- 88 + barazo-api: 89 + image: ghcr.io/barazo-forum/barazo-api:${BARAZO_API_VERSION:-latest} 90 + restart: unless-stopped 91 + environment: 92 + NODE_ENV: production 93 + DATABASE_URL: ${DATABASE_URL} 94 + VALKEY_URL: redis://:${VALKEY_PASSWORD}@valkey:6379 95 + RELAY_URL: ${RELAY_URL:-wss://bsky.network} 96 + COMMUNITY_DID: ${COMMUNITY_DID} 97 + COMMUNITY_NAME: ${COMMUNITY_NAME} 98 + COMMUNITY_MODE: ${COMMUNITY_MODE:-single} 99 + OAUTH_CLIENT_ID: ${OAUTH_CLIENT_ID} 100 + OAUTH_REDIRECT_URI: ${OAUTH_REDIRECT_URI} 101 + PLUGINS_ENABLED: ${PLUGINS_ENABLED:-true} 102 + PLUGIN_REGISTRY_URL: ${PLUGIN_REGISTRY_URL:-https://registry.npmjs.org} 103 + EMBEDDING_URL: ${EMBEDDING_URL:-} 104 + AI_EMBEDDING_DIMENSIONS: ${AI_EMBEDDING_DIMENSIONS:-768} 105 + AI_ENCRYPTION_KEY: ${AI_ENCRYPTION_KEY:-} 106 + FEATURE_CROSSPOST_FRONTPAGE: ${FEATURE_CROSSPOST_FRONTPAGE:-false} 107 + 
GLITCHTIP_DSN: ${GLITCHTIP_DSN:-} 108 + LOG_LEVEL: ${LOG_LEVEL:-info} 109 + volumes: 110 + - plugins:/app/plugins 111 + networks: 112 + - frontend 113 + - backend 114 + depends_on: 115 + postgres: 116 + condition: service_healthy 117 + valkey: 118 + condition: service_healthy 119 + healthcheck: 120 + test: ["CMD-SHELL", "wget -qO- http://localhost:3000/api/health/ready || exit 1"] 121 + interval: 30s 122 + timeout: 10s 123 + retries: 3 124 + start_period: 30s 125 + # Uncomment to set resource limits: 126 + # mem_limit: 1g 127 + # cpus: 1.0 128 + 129 + # --------------------------------------------------------------------------- 130 + # Barazo Web (Next.js frontend) 131 + # --------------------------------------------------------------------------- 132 + barazo-web: 133 + image: ghcr.io/barazo-forum/barazo-web:${BARAZO_WEB_VERSION:-latest} 134 + restart: unless-stopped 135 + environment: 136 + NODE_ENV: production 137 + NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL} 138 + NEXT_PUBLIC_SITE_URL: ${NEXT_PUBLIC_SITE_URL} 139 + networks: 140 + - frontend 141 + depends_on: 142 + barazo-api: 143 + condition: service_healthy 144 + healthcheck: 145 + test: ["CMD-SHELL", "wget -qO- http://localhost:3001/api/health || exit 1"] 146 + interval: 30s 147 + timeout: 10s 148 + retries: 3 149 + start_period: 20s 150 + # Uncomment to set resource limits: 151 + # mem_limit: 512m 152 + # cpus: 0.5 153 + 154 + # --------------------------------------------------------------------------- 155 + # Caddy (reverse proxy with automatic SSL via Let's Encrypt) 156 + # --------------------------------------------------------------------------- 157 + caddy: 158 + image: caddy:2-alpine 159 + restart: unless-stopped 160 + ports: 161 + - "80:80" 162 + - "443:443" 163 + - "443:443/udp" # HTTP/3 (QUIC) 164 + volumes: 165 + - ./Caddyfile:/etc/caddy/Caddyfile:ro 166 + - caddydata:/data 167 + - caddyconfig:/config 168 + networks: 169 + - frontend 170 + depends_on: 171 + barazo-api: 172 + condition: 
service_healthy 173 + barazo-web: 174 + condition: service_healthy 175 + healthcheck: 176 + test: ["CMD", "caddy", "version"] 177 + interval: 30s 178 + timeout: 5s 179 + retries: 3 180 + # Uncomment to set resource limits: 181 + # mem_limit: 256m 182 + # cpus: 0.25 183 + 184 + # ============================================================================= 185 + # Networks -- two-network segmentation 186 + # ============================================================================= 187 + # 188 + # frontend: Caddy, barazo-web, barazo-api (external-facing services) 189 + # backend: barazo-api, PostgreSQL, Valkey, Tap (database-connected services) 190 + # 191 + # barazo-api bridges both networks. PostgreSQL and Valkey are NOT reachable 192 + # from Caddy or barazo-web. Only Caddy is exposed externally (ports 80, 443). 193 + 194 + networks: 195 + frontend: 196 + backend: 197 + 198 + # ============================================================================= 199 + # Volumes -- persistent data 200 + # ============================================================================= 201 + 202 + volumes: 203 + pgdata: # PostgreSQL data (critical -- back up regularly) 204 + valkeydata: # Valkey cache (low priority -- regenerated on restart) 205 + tapdata: # Tap firehose cursor + SQLite DB 206 + caddydata: # SSL certificates (medium priority) 207 + caddyconfig: # Caddy configuration cache 208 + plugins: # Installed plugin npm packages
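Review bot: In the Caddyfile, `@healthReady path /api/health/ready` is an exact-path matcher, so only that literal path receives the 403. A request for `/api/health/ready/` (trailing slash) does not match it and falls through to `handle /api/*`, which proxies to `barazo-api:3000`. If the API router treats the trailing-slash form as the same route, the readiness endpoint is reachable externally despite the "internal monitoring only" comment. Suggest matching both forms, for example `@healthReady path /api/health/ready /api/health/ready/*`. Separately, `/docs` and `/docs/*` are proxied without any restriction; please confirm that publishing the API documentation on the production domain is intended.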
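Review bot: In docker-compose.yml, the `tap` service uses `ghcr.io/bluesky-social/indigo/tap:latest`, and `barazo-api` and `barazo-web` fall back to `latest` through `${BARAZO_API_VERSION:-latest}` and `${BARAZO_WEB_VERSION:-latest}`, so a `docker compose pull` or a deploy on a fresh host runs whatever was pushed most recently. For a production template, pin each image to a version tag or digest and drop the `latest` default so that an unset variable fails instead of floating. Two smaller points in the same file: the `valkey` service puts `${VALKEY_PASSWORD}` on the command line in both `--requirepass` and the healthcheck's `valkey-cli -a`, where it is visible in the process list and in `docker inspect`, so a mounted config file or secret would be preferable; and the header comment gives the startup order as `postgres -> valkey -> tap -> barazo-api`, but `tap` has no healthcheck and `barazo-api`'s `depends_on` lists only `postgres` and `valkey`, so either add the dependency or correct the comment.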