2025SELab2-project-Dwengo/compose.production.yml

#
# Use this configuration to deploy the project on a server.
#
# This configuration builds the frontend and backend services as Docker images,
# and uses the paths for the services, instead of ports, and enables SSL.
#
services:
    web:
        build:
            context: .
            dockerfile: frontend/Dockerfile
        restart: unless-stopped
        networks:
            - dwengo-1
        labels:
            - 'traefik.enable=true'
            - 'traefik.http.routers.web.rule=PathPrefix(`/`)'
            - 'traefik.http.services.web.loadbalancer.server.port=8080'

    api:
        build:
            context: .
            dockerfile: backend/Dockerfile
        restart: unless-stopped
        volumes:
            # TODO Replace with environment keys
            - ./backend/.env:/app/dwengo/backend/.env
        depends_on:
            - db
            - logging
        networks:
            - dwengo-1
        labels:
            - 'traefik.enable=true'
            - 'traefik.http.routers.api.rule=PathPrefix(`/api`)'
            - 'traefik.http.services.api.loadbalancer.server.port=3000'

    db:
        extends:
            file: ./compose.yml
            service: db
        networks:
            - dwengo-1

    keycloak-db:
        image: postgres:latest
        ports:
            - '5442:5432' # Port number 10 higher than normal postgres ports
        restart: unless-stopped
        volumes:
            - dwengo_postgres_keycloak:/var/lib/postgresql/keycloak
        environment:
            POSTGRES_USER: keycloak
            POSTGRES_PASSWORD: ChangeMe
            POSTGRES_DB: keycloak
        networks:
            - dwengo-1

    idp:
        extends:
            file: ./compose.yml
            service: idp
        command: ['start', '--http-port', '7080', '--https-port', '7443']
        networks:
            - dwengo-1
        labels:
            - 'traefik.enable=true'
            - 'traefik.http.routers.idp.rule=PathPrefix(`/idp`)'
            - 'traefik.http.services.idp.loadbalancer.server.port=7080'
        depends_on:
            - keycloak-db
        volumes:
            - /etc/keycloak:/keycloak
        env_file:
            - ./config/idp/.env
        environment:
            KC_HOSTNAME: 'sel2-1.ugent.be'
            PROXY_ADDRESS_FORWARDING: 'true'
            KC_PROXY_HEADERS: 'xforwarded'
            KC_HTTP_ENABLED: 'true'
            KC_HTTP_RELATIVE_PATH: '/idp'
            KC_HTTPS_CERTIFICATE_FILE: '/keycloak/cert.pem'
            KC_HTTPS_CERTIFICATE_KEY_FILE: '/keycloak/key.pem'
            KC_HTTP_MAX_QUEUED_REQUESTS: 30 # Prevent overload situations by limiting number of requests
            KC_DB: 'postgres'
            KC_DB_USERNAME: 'keycloak'
            KC_DB_PASSWORD: 'ChangeMe'
            KC_DB_URL: 'jdbc:postgresql://keycloak-db:5432/keycloak'

    reverse-proxy:
        image: traefik:v3.3
        ports:
            - '80:80/tcp'
            - '443:443/tcp'
        command:
            # Enable web UI
            - '--api=true'

            # Add Docker provider
            - '--providers.docker=true'
            - '--providers.docker.exposedbydefault=false'

            # Add web entrypoint
            - '--entrypoints.web.address=:80/tcp'
            - '--entrypoints.web.http.redirections.entryPoint.to=websecure'
            - '--entrypoints.web.http.redirections.entryPoint.scheme=https'

            # Add websecure entrypoint
            - '--entrypoints.websecure.address=:443/tcp'
            - '--entrypoints.websecure.http.tls=true'
            - '--entrypoints.websecure.http.tls.certResolver=letsencrypt'
            - '--entrypoints.websecure.http.tls.domains[0].main=sel2-1.ugent.be'

            # Certificates
            - '--certificatesresolvers.letsencrypt.acme.httpchallenge=true'
            - '--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web'
            - '--certificatesresolvers.letsencrypt.acme.email=timo.demeyst@ugent.be'
            - '--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json'
        labels:
            # BasicAuth middleware
            # To create a user:password pair, the following command can be used:
            # echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g
            - 'traefik.http.middlewares.protected-sub-path.basicauth.users=dwengo.org:$$apr1$$FdALqAjI$$7ZhPq0I/qEQ6k3OYqxJKZ1'
            # Proxying
            - 'traefik.enable=true'
            - 'traefik.http.routers.proxy.middlewares=protected-sub-path'
            - 'traefik.http.routers.proxy.service=api@internal'
            - 'traefik.http.routers.proxy.rule=PathPrefix(`/proxy`)'
            - 'traefik.http.services.proxy.loadbalancer.server.port=8080'
        restart: unless-stopped
        volumes:
            - /var/run/docker.sock:/var/run/docker.sock:ro
            - dwengo_letsencrypt:/letsencrypt
        networks:
            - dwengo-1

    logging:
        image: grafana/loki:latest
        ports:
            - '9001:3102'
            - '9095:9095'
        command: -config.file=/etc/loki/config.yaml
        restart: unless-stopped
        volumes:
            - ./config/loki/config.yml:/etc/loki/config.yaml
            - dwengo_loki_data:/loki
        networks:
            - dwengo-1

    dashboards:
        image: grafana/grafana:latest
        labels:
            - 'traefik.enable=true'
            - 'traefik.http.routers.graphs.rule=PathPrefix(`/graphs`)'
            - 'traefik.http.services.graphs.loadbalancer.server.port=3000'
        restart: unless-stopped
        volumes:
            - dwengo_grafana_data:/var/lib/grafana

    caching:
        image: memcached
        restart: always
        ports:
            - '11211:11211'
        command:
            - --conn-limit=1024
            - --memory-limit=2048
            - -I 128m
            - --threads=4

volumes:
    dwengo_grafana_data:
    dwengo_letsencrypt:
    dwengo_loki_data:
    dwengo_postgres_keycloak:

networks:
    dwengo-1: