version: "2.0" volumes: certs: {} cert-provider: {} db: {} redis: {} s3: {} services: api: extends: file: ./common.yml service: component image: balena/open-balena-api:${OPENBALENA_API_VERSION_TAG} depends_on: - db - s3 - redis environment: API_VPN_SERVICE_API_KEY: ${OPENBALENA_API_VPN_SERVICE_API_KEY} ROOT_CA: ${OPENBALENA_ROOT_CA} COOKIE_SESSION_SECRET: ${OPENBALENA_COOKIE_SESSION_SECRET} DB_HOST: db DB_PASSWORD: docker DB_PORT: 5432 DB_USER: docker DELTA_HOST: delta.${OPENBALENA_HOST_NAME} DEVICE_CONFIG_OPENVPN_CA: ${OPENBALENA_VPN_CA_CHAIN} DEVICE_CONFIG_SSH_AUTHORIZED_KEYS: ${OPENBALENA_SSH_AUTHORIZED_KEYS} HOST: api.${OPENBALENA_HOST_NAME} IMAGE_MAKER_URL: img.${OPENBALENA_HOST_NAME} IMAGE_STORAGE_BUCKET: resin-production-img-cloudformation IMAGE_STORAGE_PREFIX: images IMAGE_STORAGE_ENDPOINT: s3.amazonaws.com JSON_WEB_TOKEN_EXPIRY_MINUTES: 10080 JSON_WEB_TOKEN_SECRET: ${OPENBALENA_JWT_SECRET} MIXPANEL_TOKEN: __unused__ PRODUCTION_MODE: "${OPENBALENA_PRODUCTION_MODE}" PUBNUB_PUBLISH_KEY: __unused__ PUBNUB_SUBSCRIBE_KEY: __unused__ REDIS_HOST: redis REDIS_PORT: 6379 REGISTRY2_HOST: registry.${OPENBALENA_HOST_NAME} REGISTRY_HOST: registry.${OPENBALENA_HOST_NAME} SENTRY_DSN: "" TOKEN_AUTH_BUILDER_TOKEN: ${OPENBALENA_TOKEN_AUTH_BUILDER_TOKEN} TOKEN_AUTH_CERT_ISSUER: api.${OPENBALENA_HOST_NAME} TOKEN_AUTH_CERT_KEY: ${OPENBALENA_TOKEN_AUTH_KEY} TOKEN_AUTH_CERT_KID: ${OPENBALENA_TOKEN_AUTH_KID} TOKEN_AUTH_CERT_PUB: ${OPENBALENA_TOKEN_AUTH_PUB} TOKEN_AUTH_JWT_ALGO: "ES256" VPN_HOST: vpn.${OPENBALENA_HOST_NAME} VPN_PORT: 443 VPN_SERVICE_API_KEY: ${OPENBALENA_VPN_SERVICE_API_KEY} SUPERUSER_EMAIL: ${OPENBALENA_SUPERUSER_EMAIL} SUPERUSER_PASSWORD: ${OPENBALENA_SUPERUSER_PASSWORD} registry: extends: file: ./common.yml service: component image: balena/open-balena-registry:${OPENBALENA_REGISTRY_VERSION_TAG} depends_on: - s3 - redis environment: API_TOKENAUTH_CRT: ${OPENBALENA_TOKEN_AUTH_PUB} REGISTRY2_HOST: registry.${OPENBALENA_HOST_NAME} ROOT_CA: ${OPENBALENA_ROOT_CA} REGISTRY2_TOKEN_AUTH_ISSUER: api.${OPENBALENA_HOST_NAME} REGISTRY2_TOKEN_AUTH_REALM: https://api.${OPENBALENA_HOST_NAME}/auth/v1/token COMMON_REGION: ${OPENBALENA_S3_REGION} REGISTRY2_CACHE_ENABLED: "false" REGISTRY2_CACHE_ADDR: 127.0.0.1:6379 REGISTRY2_CACHE_DB: 0 REGISTRY2_CACHE_MAXMEMORY_MB: 1024 # megabytes REGISTRY2_CACHE_MAXMEMORY_POLICY: allkeys-lru REGISTRY2_S3_REGION_ENDPOINT: ${OPENBALENA_S3_ENDPOINT} REGISTRY2_S3_BUCKET: ${OPENBALENA_REGISTRY2_S3_BUCKET} REGISTRY2_S3_KEY: ${OPENBALENA_S3_ACCESS_KEY} REGISTRY2_S3_SECRET: ${OPENBALENA_S3_SECRET_KEY} REGISTRY2_SECRETKEY: ${OPENBALENA_REGISTRY_SECRET_KEY} REGISTRY2_STORAGEPATH: /data REGISTRY2_DISABLE_REDIRECT: "false" vpn: extends: file: ./common.yml service: component image: balena/open-balena-vpn:${OPENBALENA_VPN_VERSION_TAG} depends_on: - api cap_add: - NET_ADMIN environment: API_SERVICE_API_KEY: ${OPENBALENA_API_VPN_SERVICE_API_KEY} API_HOST: api.${OPENBALENA_HOST_NAME} ROOT_CA: ${OPENBALENA_ROOT_CA} VPN_PORT: 443 PRODUCTION_MODE: "${OPENBALENA_PRODUCTION_MODE}" VPN_GATEWAY: 10.2.0.1 SENTRY_DSN: "" VPN_HAPROXY_USEPROXYPROTOCOL: "true" VPN_OPENVPN_CA_CRT: ${OPENBALENA_VPN_CA} VPN_OPENVPN_SERVER_CRT: ${OPENBALENA_VPN_SERVER_CRT} VPN_OPENVPN_SERVER_DH: ${OPENBALENA_VPN_SERVER_DH} VPN_OPENVPN_SERVER_KEY: ${OPENBALENA_VPN_SERVER_KEY} VPN_SERVICE_API_KEY: ${OPENBALENA_VPN_SERVICE_API_KEY} db: extends: file: ./common.yml service: system image: balena/open-balena-db:${OPENBALENA_DB_VERSION_TAG} volumes: - db:/var/lib/postgresql/data s3: extends: file: ./common.yml service: component image: balena/open-balena-s3:${OPENBALENA_S3_VERSION_TAG} volumes: - s3:/export environment: S3_MINIO_ACCESS_KEY: ${OPENBALENA_S3_ACCESS_KEY} S3_MINIO_SECRET_KEY: ${OPENBALENA_S3_SECRET_KEY} BUCKETS: ${OPENBALENA_S3_BUCKETS} redis: extends: file: ./common.yml service: system image: redis:alpine volumes: - redis:/data haproxy: extends: file: ./common.yml service: system build: ../src/haproxy depends_on: - api - cert-provider - db - s3 - redis - registry - vpn ports: - "80:80" - "443:443" expose: - "222" - "3128" - "5432" - "6379" networks: default: aliases: - api.${OPENBALENA_HOST_NAME} - registry.${OPENBALENA_HOST_NAME} - vpn.${OPENBALENA_HOST_NAME} - db.${OPENBALENA_HOST_NAME} - s3.${OPENBALENA_HOST_NAME} - redis.${OPENBALENA_HOST_NAME} - tunnel.${OPENBALENA_HOST_NAME} environment: BALENA_HAPROXY_CRT: ${OPENBALENA_ROOT_CRT} BALENA_HAPROXY_KEY: ${OPENBALENA_ROOT_KEY} BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA} HAPROXY_HOSTNAME: ${OPENBALENA_HOST_NAME} volumes: - certs:/certs:ro cert-provider: build: ../src/cert-provider volumes: - certs:/certs - cert-provider:/usr/src/app/certs environment: ACTIVE: ${OPENBALENA_ACME_CERT_ENABLED} DOMAINS: "api.${OPENBALENA_HOST_NAME},registry.${OPENBALENA_HOST_NAME},s3.${OPENBALENA_HOST_NAME},vpn.${OPENBALENA_HOST_NAME},tunnel.${OPENBALENA_HOST_NAME}" OUTPUT_PEM: /certs/open-balena.pem