09a760e025
All checks were successful
Build & Publish Docker Image / build-and-push (push) Successful in 44s
155 lines
6.0 KiB
YAML
155 lines
6.0 KiB
YAML
networks:
|
|
traefik_public:
|
|
driver: bridge
|
|
internal:
|
|
driver: bridge
|
|
internal: true
|
|
|
|
volumes:
|
|
mysql_data:
|
|
traefik_certs:
|
|
logs:
|
|
|
|
# ── Anchor: variabili d'ambiente comuni a tutte le repliche ─────────────────
|
|
x-api-env: &api-env
|
|
PORT: "8080"
|
|
DB_DSN: "root:${MYSQL_ROOT_PASSWORD}@tcp(mysql:3306)/${DATABASE_NAME}?parseTime=true&loc=UTC"
|
|
DATABASE_NAME: ${DATABASE_NAME}
|
|
API_KEY: ${API_KEY}
|
|
ADMIN_KEY: ${ADMIN_KEY}
|
|
DB_MAX_OPEN_CONNS: ${DB_MAX_OPEN_CONNS:-25}
|
|
DB_MAX_IDLE_CONNS: ${DB_MAX_IDLE_CONNS:-5}
|
|
DB_CONN_MAX_LIFETIME: ${DB_CONN_MAX_LIFETIME:-5}
|
|
RL_UNAUTH_MAX_REQS: ${RL_UNAUTH_MAX_REQS:-10}
|
|
RL_UNAUTH_WINDOW: ${RL_UNAUTH_WINDOW:-5m}
|
|
RL_UNAUTH_MAX_FAILS: ${RL_UNAUTH_MAX_FAILS:-5}
|
|
RL_UNAUTH_BAN_DUR: ${RL_UNAUTH_BAN_DUR:-15m}
|
|
RL_AUTH_MAX_REQS: ${RL_AUTH_MAX_REQS:-100}
|
|
RL_AUTH_WINDOW: ${RL_AUTH_WINDOW:-1m}
|
|
RL_AUTH_MAX_FAILS: ${RL_AUTH_MAX_FAILS:-20}
|
|
RL_AUTH_BAN_DUR: ${RL_AUTH_BAN_DUR:-5m}
|
|
|
|
# ── Anchor: configurazione base del servizio API ────────────────────────────
|
|
x-api-base: &api-base
|
|
build: .
|
|
restart: unless-stopped
|
|
networks:
|
|
- traefik_public
|
|
- internal
|
|
volumes:
|
|
- logs:/logs
|
|
logging:
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "10m"
|
|
max-file: "5"
|
|
depends_on:
|
|
mysql:
|
|
condition: service_healthy
|
|
labels:
|
|
# Traefik: abilita il container e definisce il router HTTPS
|
|
- "traefik.enable=true"
|
|
- "traefik.http.routers.emly-api.rule=Host(`${API_DOMAIN}`)"
|
|
- "traefik.http.routers.emly-api.entrypoints=websecure"
|
|
- "traefik.http.routers.emly-api.tls.certresolver=letsencrypt"
|
|
- "traefik.http.routers.emly-api.middlewares=rl,hsts"
|
|
# Load balancer: tutte le repliche condividono lo stesso service name
|
|
- "traefik.http.services.emly-api.loadbalancer.server.port=8080"
|
|
- "traefik.http.services.emly-api.loadbalancer.healthcheck.path=/v1/health"
|
|
- "traefik.http.services.emly-api.loadbalancer.healthcheck.interval=10s"
|
|
- "traefik.http.services.emly-api.loadbalancer.healthcheck.timeout=3s"
|
|
# Rate limiting edge (condiviso tra repliche, applicato prima del LB)
|
|
- "traefik.http.middlewares.rl.ratelimit.average=${TRAEFIK_RL_AVERAGE:-30}"
|
|
- "traefik.http.middlewares.rl.ratelimit.burst=${TRAEFIK_RL_BURST:-10}"
|
|
- "traefik.http.middlewares.rl.ratelimit.period=${TRAEFIK_RL_PERIOD:-1m}"
|
|
# HSTS
|
|
- "traefik.http.middlewares.hsts.headers.stsSeconds=31536000"
|
|
- "traefik.http.middlewares.hsts.headers.stsIncludeSubdomains=true"
|
|
- "traefik.http.middlewares.hsts.headers.forceSTSHeader=true"
|
|
# Watchtower: aggiorna automaticamente questa immagine
|
|
- "com.centurylinklabs.watchtower.enable=true"
|
|
|
|
# ── Servizi ─────────────────────────────────────────────────────────────────
|
|
services:
|
|
|
|
# ── Traefik ──────────────────────────────────────────────────────────────
|
|
traefik:
|
|
image: traefik:v3
|
|
restart: unless-stopped
|
|
command:
|
|
- "--api=false"
|
|
# Entry points
|
|
- "--entrypoints.web.address=:80"
|
|
- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
|
|
- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
|
|
- "--entrypoints.websecure.address=:443"
|
|
# Docker provider
|
|
- "--providers.docker=true"
|
|
- "--providers.docker.exposedbydefault=false"
|
|
- "--providers.docker.network=traefik_public"
|
|
# ACME / Let's Encrypt (TLS challenge)
|
|
- "--certificatesresolvers.letsencrypt.acme.email=${ACME_EMAIL}"
|
|
- "--certificatesresolvers.letsencrypt.acme.storage=/certificates/acme.json"
|
|
- "--certificatesresolvers.letsencrypt.acme.tlschallenge=true"
|
|
- "--log.level=INFO"
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
- traefik_certs:/certificates
|
|
networks:
|
|
- traefik_public
|
|
|
|
# ── MySQL ────────────────────────────────────────────────────────────────
|
|
mysql:
|
|
image: mysql:8
|
|
restart: unless-stopped
|
|
environment:
|
|
MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
|
|
MYSQL_DATABASE: ${DATABASE_NAME}
|
|
volumes:
|
|
- mysql_data:/var/lib/mysql
|
|
networks:
|
|
- internal
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "mysqladmin ping -h localhost -p${MYSQL_ROOT_PASSWORD} --silent"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 5
|
|
start_period: 30s
|
|
|
|
# ── API replica 1 ────────────────────────────────────────────────────────
|
|
api-1:
|
|
<<: *api-base
|
|
environment:
|
|
<<: *api-env
|
|
INSTANCE_NAME: api-1
|
|
|
|
# ── API replica 2 ────────────────────────────────────────────────────────
|
|
api-2:
|
|
<<: *api-base
|
|
environment:
|
|
<<: *api-env
|
|
INSTANCE_NAME: api-2
|
|
|
|
# ── API replica 3 ────────────────────────────────────────────────────────
|
|
api-3:
|
|
<<: *api-base
|
|
environment:
|
|
<<: *api-env
|
|
INSTANCE_NAME: api-3
|
|
|
|
# ── Watchtower ───────────────────────────────────────────────────────────
|
|
watchtower:
|
|
image: containrrr/watchtower
|
|
restart: unless-stopped
|
|
command:
|
|
- "--cleanup"
|
|
- "--schedule"
|
|
- "0 0 * * * *"
|
|
environment:
|
|
WATCHTOWER_LABEL_ENABLE: "true"
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|