docker-compose.prod.yml
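version: "3.9"
# Production docker-compose for Aliyun ECS deployment
# Usage: docker compose -f docker-compose.prod.yml up -d
#
# Credentials have no fallback value in this file. POSTGRES_PASSWORD,
# REDIS_PASSWORD and ADMIN_BOOT_PASSWORD must be set in the environment or in
# the .env file next to this file; `docker compose` aborts with the message
# after `:?` when one is missing or empty. A placeholder default in a
# production file means every install that skips the .env step runs with a
# publicly known password.
# If an existing deployment was initialised with the earlier placeholder
# values, set those same values explicitly first, then rotate them.
services:
  # PostgreSQL. Attached to `internal` only and publishes no ports.
  db:
    image: postgres:15-alpine
    restart: unless-stopped
    environment:
      POSTGRES_DB: ${POSTGRES_DB:-aiguardrails}
      POSTGRES_USER: ${POSTGRES_USER:-app}
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
    volumes:
      - db_data:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-app}"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - internal

  # Redis with append-only persistence. Attached to `internal` only.
  # The password is passed as a command-line argument to both redis-server and
  # the redis-cli healthcheck, so it is readable from the container's process
  # list and from `docker inspect`; treat access to the Docker host accordingly.
  redis:
    image: redis:7-alpine
    restart: unless-stopped
    command:
      - "redis-server"
      - "--appendonly"
      - "yes"
      - "--requirepass"
      - "${REDIS_PASSWORD:?REDIS_PASSWORD must be set}"
    volumes:
      - redis_data:/data
    healthcheck:
      test:
        - "CMD"
        - "redis-cli"
        - "-a"
        - "${REDIS_PASSWORD:?REDIS_PASSWORD must be set}"
        - "ping"
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - internal

  # Backend API, built from ./backend. Starts only after db and redis report
  # healthy.
  api:
    build:
      context: ./backend
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_healthy
    environment:
      # Database
      # The password is interpolated verbatim into the URL, so it must be
      # URL-safe (or percent-encoded). sslmode=disable means the connection to
      # `db` is unencrypted on the compose network.
      DATABASE_URL: "postgres://${POSTGRES_USER:-app}:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}@db:5432/${POSTGRES_DB:-aiguardrails}?sslmode=disable"
      # Redis
      REDIS_URL: "redis://:${REDIS_PASSWORD:?REDIS_PASSWORD must be set}@redis:6379"
      REDIS_NAMESPACE: ${REDIS_NAMESPACE:-aiguardrails}
      # Security
      # ADMIN_TOKEN and ADMIN_JWT_SECRET have no default: when unset, compose
      # substitutes an empty string and only prints a warning.
      # NOTE(review): confirm the backend refuses to start with an empty
      # token or signing secret; if it does not, make these `:?` as well.
      ADMIN_TOKEN: ${ADMIN_TOKEN}
      ADMIN_JWT_SECRET: ${ADMIN_JWT_SECRET}
      ADMIN_BOOT_USER: ${ADMIN_BOOT_USER:-admin@example.com}
      ADMIN_BOOT_PASSWORD: "${ADMIN_BOOT_PASSWORD:?ADMIN_BOOT_PASSWORD must be set}"
      # OIDC
      OIDC_ISSUER: ${OIDC_ISSUER:-}
      OIDC_AUDIENCE: ${OIDC_AUDIENCE:-aiguardrails}
      OIDC_JWKS_URL: ${OIDC_JWKS_URL:-}
      OIDC_ADMIN_ROLE: ${OIDC_ADMIN_ROLE:-tenant_admin}
      OIDC_USER_ROLE: ${OIDC_USER_ROLE:-tenant_user}
      # QWEN (AI Content Moderation)
      QWEN_API_BASE: ${QWEN_API_BASE:-https://dashscope.aliyuncs.com/api/v1/services/aigc/text-moderation}
      QWEN_API_TOKEN: ${QWEN_API_TOKEN:-}
      QWEN_MODEL: ${QWEN_MODEL:-qwen-moderation}
      QWEN_TIMEOUT_SEC: ${QWEN_TIMEOUT_SEC:-8}
      OUTPUT_MODE: ${OUTPUT_MODE:-mark}
      # OPA
      OPA_ENABLED: ${OPA_ENABLED:-true}
      OPA_REGO_PATH: ${OPA_REGO_PATH:-opa/policies}
      # Social Auth
      SOCIAL_AUTH_CALLBACK_URL: ${SOCIAL_AUTH_CALLBACK_URL:-}
      WECHAT_APP_ID: ${WECHAT_APP_ID:-}
      WECHAT_APP_SECRET: ${WECHAT_APP_SECRET:-}
      ALIPAY_APP_ID: ${ALIPAY_APP_ID:-}
      ALIPAY_PRIVATE_KEY: ${ALIPAY_PRIVATE_KEY:-}
      ALIPAY_PUBLIC_KEY: ${ALIPAY_PUBLIC_KEY:-}
      # SMS
      SMS_PROVIDER: ${SMS_PROVIDER:-}
      SMS_ACCESS_KEY: ${SMS_ACCESS_KEY:-}
      SMS_SECRET_KEY: ${SMS_SECRET_KEY:-}
      SMS_SIGN_NAME: ${SMS_SIGN_NAME:-}
      SMS_TEMPLATE_CODE: ${SMS_TEMPLATE_CODE:-}
      # Misc
      # NOTE(review): the default is the wildcard `*`. Presumably this feeds
      # the API's CORS allow-list; set it to the real site origin(s) in
      # production instead of relying on the default.
      ALLOWED_ORIGINS: ${ALLOWED_ORIGINS:-*}
    networks:
      - internal
      - external
    # NOTE(review): these are Traefik labels, but this file defines no Traefik
    # service and nginx is the one publishing ports; they look like leftovers.
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=PathPrefix(`/v1`)"

  # Frontend, built from ./frontend.
  frontend:
    build:
      context: ./frontend
      args:
        VITE_API_BASE: ${VITE_API_BASE:-/api}
        # NOTE(review): this hands the API's ADMIN_TOKEN to the frontend
        # build. Vite exposes `VITE_`-prefixed variables to client code, so if
        # the build passes this through, the admin token ends up in the
        # JavaScript served to every visitor; build args are also recorded in
        # image history. Confirm against the frontend Dockerfile and replace
        # with a per-user login flow rather than a shared static token.
        VITE_ADMIN_TOKEN: ${ADMIN_TOKEN}
    restart: unless-stopped
    depends_on:
      - api
    networks:
      - internal
      - external

  # Reverse proxy: the only service that publishes host ports.
  nginx:
    image: nginx:1.25-alpine
    restart: unless-stopped
    depends_on:
      - api
      - frontend
    ports:
      - "${HTTP_PORT:-80}:80"
      - "${HTTPS_PORT:-443}:443"
    volumes:
      # Config and TLS material are mounted read-only; only the log
      # directory is writable from the container.
      - ./deploy/nginx/nginx.conf:/etc/nginx/nginx.conf:ro
      - ./deploy/nginx/ssl:/etc/nginx/ssl:ro
      - ./deploy/nginx/logs:/var/log/nginx
    networks:
      - internal
      - external

networks:
  # NOTE(review): despite its name this is an ordinary bridge network, so db
  # and redis keep outbound connectivity. Adding `internal: true` here would
  # cut that off; verify nothing on this network needs egress before doing so.
  internal:
    driver: bridge
  external:
    driver: bridge

volumes:
  db_data:
  redis_data: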