-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathdocker-compose.yaml
More file actions
328 lines (318 loc) · 10.7 KB
/
Copy pathdocker-compose.yaml
File metadata and controls
328 lines (318 loc) · 10.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
services:
postgres:
image: postgres:latest
restart: always
volumes:
- pg_data:/var/lib/postgresql/data
environment:
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
POSTGRES_USER: ${POSTGRES_USER}
POSTGRES_DB: ${POSTGRES_DB}
ports:
- 5432:5432
healthcheck:
test: ["CMD-SHELL", "pg_isready", "-d", "db_prod"]
interval: 30s
timeout: 60s
retries: 5
start_period: 80s
# One-shot migration runner: applies the Prisma migrations (baselining a
# database created by the old Hasura migrations on first contact) and exits.
# The api only starts after it succeeds, so every `up` on an updated image
# migrates the schema before serving traffic.
api-migrate:
build:
context: .
dockerfile: apps/api/Dockerfile
restart: "no"
depends_on:
postgres:
condition: service_healthy
environment:
DATABASE_URL: ${DATABASE_URL}
command: ["npx", "tsx", "src/migrate.ts"]
# GraphQL backend (Node + Prisma), serving the same endpoint and dialect the
# Hasura engine did: /v1/graphql behind the proxy's /api route, roles
# public / zxplay-user (JWT) / admin (X-Hasura-Admin-Secret header, used by
# the auth service), the four compile actions, and the project-list
# subscription over websocket.
api:
build:
context: .
dockerfile: apps/api/Dockerfile
restart: always
depends_on:
postgres:
condition: service_healthy
api-migrate:
condition: service_completed_successfully
ports:
- 4000:8080
environment:
DATABASE_URL: ${DATABASE_URL}
ADMIN_SECRET: ${ADMIN_SECRET}
JWT_SECRET: ${JWT_SECRET}
JWT_AUDIENCE: ${JWT_AUDIENCE}
JWT_ISSUER: ${JWT_ISSUER}
healthcheck:
test:
[
"CMD",
"node",
"-e",
"fetch('http://localhost:8080/healthz').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))",
]
interval: 30s
timeout: 5s
retries: 3
start_period: 20s
# Untrusted-input compilers. Defence in depth against a hostile source
# exhausting the host: the root FS is read-only with only a size-capped
# tmpfs for scratch (so compiler output/intermediates are RAM-backed,
# bounded, and cleared on restart — they cannot fill host disk or touch the
# image layer), privileges are dropped, and CPU/mem/pids are capped. Each
# compile also runs under per-process RLIMITs (CPU/file-size/address-space)
# set in the app, and uvicorn --limit-concurrency sheds load as 503 rather
# than letting a flood OOM the box. NET_BIND_SERVICE is the one capability
# kept, so the non-root uvicorn can bind port 80.
z88dk:
build:
context: ./apps/z88dk
dockerfile: Dockerfile
restart: always
mem_limit: 2g
cpus: 2.0
pids_limit: 512
read_only: true
tmpfs:
- /tmp:size=256m,mode=1777
cap_drop: [ALL]
cap_add:
- NET_BIND_SERVICE
security_opt:
- no-new-privileges:true
healthcheck:
test:
[
"CMD",
"python",
"-c",
"import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://127.0.0.1:80/health',timeout=3).status==200 else 1)",
]
interval: 30s
timeout: 5s
retries: 3
start_period: 20s
sjasmplus:
build:
context: ./apps/sjasmplus
dockerfile: Dockerfile
restart: always
mem_limit: 2g
cpus: 2.0
pids_limit: 512
read_only: true
tmpfs:
- /tmp:size=256m,mode=1777
cap_drop: [ALL]
cap_add:
- NET_BIND_SERVICE
security_opt:
- no-new-privileges:true
healthcheck:
test:
[
"CMD",
"python",
"-c",
"import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://127.0.0.1:80/health',timeout=3).status==200 else 1)",
]
interval: 30s
timeout: 5s
retries: 3
start_period: 20s
pasta80:
build:
context: ./apps/pasta80
dockerfile: Dockerfile
restart: always
mem_limit: 2g
cpus: 2.0
pids_limit: 512
read_only: true
tmpfs:
- /tmp:size=256m,mode=1777
cap_drop: [ALL]
cap_add:
- NET_BIND_SERVICE
security_opt:
- no-new-privileges:true
healthcheck:
test:
[
"CMD",
"python",
"-c",
"import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://127.0.0.1:80/health',timeout=3).status==200 else 1)",
]
interval: 30s
timeout: 5s
retries: 3
start_period: 20s
zxbasic:
build:
context: ./apps/zxbasic
dockerfile: Dockerfile
restart: always
mem_limit: 2g
cpus: 2.0
pids_limit: 512
read_only: true
tmpfs:
- /tmp:size=256m,mode=1777
cap_drop: [ALL]
cap_add:
- NET_BIND_SERVICE
security_opt:
- no-new-privileges:true
healthcheck:
test:
[
"CMD",
"python",
"-c",
"import urllib.request,sys; sys.exit(0 if urllib.request.urlopen('http://127.0.0.1:80/health',timeout=3).status==200 else 1)",
]
interval: 30s
timeout: 5s
retries: 3
start_period: 20s
# Headless emulator: compiles a program to .tap and renders it running to
# GIF/MP4. Renders inline BASIC, or a public project looked up from the api
# (compiling asm/bas2tap in-process; zxbasic/c/sjasmplus/pascal via the
# api's compile mutations).
# Talks to the api as the unauthenticated `public` role, so it holds no
# secrets. Does untrusted execution; not exposed publicly.
gif-service:
build:
context: .
dockerfile: apps/gif-service/Dockerfile
restart: always
depends_on:
- api
# Local dev: publish on host :5001 so the host Caddy's `/screenshots/*`
# reverse_proxy (localhost:5001) can reach it. Prod fronts this differently
# and should not expose the port.
ports:
- "5001:5001"
environment:
GRAPHQL_URL: http://api:8080/v1/graphql
# The zx_go core is ONE global machine per process: every render drives
# the same wasm emulator. Classic renders only serialize by accident
# (their frame loop never yields); the Next path awaits during its boot
# poll, so a concurrent render would reboot the machine under it and
# corrupt both captures. Keep renders strictly sequential.
MAX_CONCURRENT_RENDERS: "1"
# Licensed NextZXOS assets (ROMs + SD image) for the Next render path;
# never committed, so bind-mounted from the repo below rather than baked
# into the image. Without them a Next-machine screenshot 500s at boot and
# the card falls back to the cartridge. Prod bakes next-assets/ into the
# image at build instead.
NEXT_ASSETS_DIR: /next-assets
# Untrusted execution: cap CPU/mem/processes and drop privileges. Root FS is
# read-only with a writable tmpfs for the temp mp4/f32le files it creates.
# NOTE: verify `user: node` + `read_only` on first deploy — the image must
# let the node user read /app and tsx must cache under /tmp.
# A Next MP4 render peaks at ~1 GiB (64MB SD image + NextZXOS/Layer 2 wasm
# heap + ~1500 buffered frames for a 30s clip); 1g OOM-kills it mid-render.
# 2g gives headroom, and MAX_CONCURRENT_RENDERS=1 caps it to one at a time.
mem_limit: 2g
cpus: 2.0
pids_limit: 512
user: node
read_only: true
tmpfs:
- /tmp
volumes:
- screenshot_cache:/cache
# Read-only: the SD image is read into memory at boot, never written back.
- ./apps/play/public/next:/next-assets:ro
cap_drop: [ALL]
security_opt:
- no-new-privileges:true
healthcheck:
test:
[
"CMD",
"node",
"-e",
"fetch('http://localhost:5001/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))",
]
interval: 30s
timeout: 5s
retries: 3
start_period: 20s
# NETWORK ISOLATION (prod): gif-service + zxbasic + z88dk + sjasmplus need no inbound
# internet, only intra-stack traffic (gif-service -> api; api ->
# zxbasic/z88dk/sjasmplus). In the prod compose put them on an `internal: true`
# network that also carries the api. The gif-service network must ALSO carry
# the proxy (prod.Caddyfile serves /screenshots/* and the OG-crawler routes
# from gif-service:5001) and mastodon-bot — omitting the proxy leg 502s
# every screenshot. Not wired here to avoid breaking dev connectivity that
# can't be validated in this repo.
#
# AUTO-RESTART ON HANG: plain `restart: always` restarts on exit, NOT on an
# unhealthy healthcheck. To recover a wedged event loop automatically, run
# an autoheal sidecar (or Swarm). With compile now isolated in a killable
# child and the render wall-clock guard, the remaining wedge risk is small.
# GoToSocial: the bot's federated identity, served at social.zxplay.org but
# presenting handles as @user@zxplay.org via the account-domain webfinger trick.
# TLS is terminated by the Caddy proxy, so Let's Encrypt is disabled here.
gotosocial:
image: superseriousbusiness/gotosocial:latest
restart: always
# Social stack: only started with `docker compose --profile social up`.
# Plain `docker compose up` brings up the core dev stack without it.
profiles: ["social"]
environment:
GTS_HOST: social.zxplay.org
GTS_ACCOUNT_DOMAIN: zxplay.org
GTS_PROTOCOL: https
GTS_BIND_ADDRESS: 0.0.0.0
GTS_PORT: "8080"
GTS_DB_TYPE: sqlite
GTS_DB_ADDRESS: /gotosocial/storage/sqlite.db
GTS_STORAGE_LOCAL_BASE_PATH: /gotosocial/storage
GTS_LETSENCRYPT_ENABLED: "false"
GTS_ACCOUNTS_REGISTRATION_OPEN: "false"
# Trust X-Forwarded-* from the proxy on the Docker network. Tighten to the
# proxy's actual subnet in production.
GTS_TRUSTED_PROXIES: "172.16.0.0/12"
volumes:
- gotosocial_data:/gotosocial/storage
# The Mastodon adapter: holds the access token, watches mentions, calls
# gif-service, posts replies. Runs no untrusted code.
mastodon-bot:
build:
context: .
dockerfile: apps/mastodon-bot/Dockerfile
restart: always
# Social stack: only started with `docker compose --profile social up`.
profiles: ["social"]
depends_on:
- gif-service
- gotosocial
environment:
# Use the public host so the Host header matches GTS_HOST (GoToSocial
# rejects API requests whose Host is not its configured host).
MASTODON_INSTANCE_URL: https://social.zxplay.org
MASTODON_ACCESS_TOKEN: ${MASTODON_ACCESS_TOKEN}
GIF_SERVICE_URL: http://gif-service:5001
STATE_FILE: /data/state.json
volumes:
- bot_data:/data
volumes:
pg_data:
gotosocial_data:
bot_data:
screenshot_cache: