mirror of
https://github.com/balena-io/open-balena.git
synced 2025-01-19 03:06:25 +00:00
99dd615e55
Add a service which will acquire certificates from an ACME cert provider, such as LetsEncrypt (), to allow an openBalena instance to use a publicly trusted certificate instead of the self-signed one it wil generate on setup. Change-type: patch Signed-off-by: Rich Bayliss <rich@balena.io>
180 lines
5.3 KiB
YAML
180 lines
5.3 KiB
YAML
version: "2.1"
|
|
|
|
volumes:
|
|
certs: {}
|
|
cert-provider: {}
|
|
db: {}
|
|
redis: {}
|
|
registry: {}
|
|
s3: {}
|
|
|
|
services:
|
|
api:
|
|
extends:
|
|
file: ./common.yml
|
|
service: component
|
|
image: balena/open-balena-api:${OPENBALENA_API_VERSION_TAG:-master}
|
|
depends_on:
|
|
- db
|
|
- s3
|
|
- redis
|
|
environment:
|
|
API_VPN_SERVICE_API_KEY: ${OPENBALENA_API_VPN_SERVICE_API_KEY}
|
|
BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
|
|
COOKIE_SESSION_SECRET: ${OPENBALENA_COOKIE_SESSION_SECRET}
|
|
DB_HOST: db
|
|
DB_PASSWORD: docker
|
|
DB_PORT: 5432
|
|
DB_USER: docker
|
|
DELTA_HOST: delta.${OPENBALENA_HOST_NAME}
|
|
DEVICE_CONFIG_OPENVPN_CONFIG: ${OPENBALENA_VPN_CONFIG}
|
|
DEVICE_CONFIG_OPENVPN_CA: ${OPENBALENA_VPN_CA_CHAIN}
|
|
DEVICE_CONFIG_SSH_AUTHORIZED_KEYS: ${OPENBALENA_SSH_AUTHORIZED_KEYS}
|
|
HOST: api.${OPENBALENA_HOST_NAME}
|
|
IMAGE_MAKER_URL: img.${OPENBALENA_HOST_NAME}
|
|
IMAGE_STORAGE_BUCKET: resin-production-img-cloudformation
|
|
IMAGE_STORAGE_PREFIX: resinos
|
|
IMAGE_STORAGE_ENDPOINT: s3.amazonaws.com
|
|
JSON_WEB_TOKEN_EXPIRY_MINUTES: 10080
|
|
JSON_WEB_TOKEN_SECRET: ${OPENBALENA_JWT_SECRET}
|
|
MIXPANEL_TOKEN: __unused__
|
|
PRODUCTION_MODE: "${OPENBALENA_PRODUCTION_MODE}"
|
|
PUBNUB_PUBLISH_KEY: __unused__
|
|
PUBNUB_SUBSCRIBE_KEY: __unused__
|
|
REDIS_HOST: redis
|
|
REDIS_PORT: 6379
|
|
REGISTRY2_HOST: registry.${OPENBALENA_HOST_NAME}
|
|
REGISTRY_HOST: registry.${OPENBALENA_HOST_NAME}
|
|
SENTRY_DSN:
|
|
TOKEN_AUTH_BUILDER_TOKEN: ${OPENBALENA_TOKEN_AUTH_BUILDER_TOKEN}
|
|
TOKEN_AUTH_CERT_ISSUER: api.${OPENBALENA_HOST_NAME}
|
|
TOKEN_AUTH_CERT_KEY: ${OPENBALENA_TOKEN_AUTH_KEY}
|
|
TOKEN_AUTH_CERT_KID: ${OPENBALENA_TOKEN_AUTH_KID}
|
|
TOKEN_AUTH_CERT_PUB: ${OPENBALENA_TOKEN_AUTH_PUB}
|
|
TOKEN_AUTH_JWT_ALGO: "ES256"
|
|
VPN_HOST: vpn.${OPENBALENA_HOST_NAME}
|
|
VPN_PORT: 443
|
|
VPN_SERVICE_API_KEY: ${OPENBALENA_VPN_SERVICE_API_KEY}
|
|
SUPERUSER_EMAIL: ${OPENBALENA_SUPERUSER_EMAIL}
|
|
SUPERUSER_PASSWORD: ${OPENBALENA_SUPERUSER_PASSWORD}
|
|
|
|
registry:
|
|
extends:
|
|
file: ./common.yml
|
|
service: component
|
|
image: balena/open-balena-registry:${OPENBALENA_REGISTRY_VERSION_TAG:-master}
|
|
depends_on:
|
|
- api
|
|
- s3
|
|
- redis
|
|
volumes:
|
|
- registry:/data
|
|
environment:
|
|
API_TOKENAUTH_CRT: ${OPENBALENA_TOKEN_AUTH_PUB}
|
|
BALENA_REGISTRY2_HOST: registry.${OPENBALENA_HOST_NAME}
|
|
BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
|
|
BALENA_TOKEN_AUTH_ISSUER: api.${OPENBALENA_HOST_NAME}
|
|
BALENA_TOKEN_AUTH_REALM: https://api.${OPENBALENA_HOST_NAME}/auth/v1/token
|
|
COMMON_REGION:
|
|
REGISTRY2_S3_BUCKET:
|
|
REGISTRY2_S3_KEY:
|
|
REGISTRY2_S3_SECRET:
|
|
REGISTRY2_SECRETKEY: ${OPENBALENA_REGISTRY_SECRET_KEY}
|
|
REGISTRY2_STORAGEPATH: /data
|
|
|
|
vpn:
|
|
extends:
|
|
file: ./common.yml
|
|
service: component
|
|
image: balena/open-balena-vpn:${OPENBALENA_VPN_VERSION_TAG:-master}
|
|
depends_on:
|
|
- api
|
|
cap_add:
|
|
- NET_ADMIN
|
|
environment:
|
|
API_SERVICE_API_KEY: ${OPENBALENA_API_VPN_SERVICE_API_KEY}
|
|
BALENA_API_HOST: api.${OPENBALENA_HOST_NAME}
|
|
BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
|
|
BALENA_VPN_PORT: 443
|
|
PRODUCTION_MODE: "${OPENBALENA_PRODUCTION_MODE}"
|
|
RESIN_VPN_GATEWAY: 10.2.0.1
|
|
SENTRY_DSN:
|
|
VPN_HAPROXY_USEPROXYPROTOCOL: "true"
|
|
VPN_OPENVPN_CA_CRT: ${OPENBALENA_VPN_CA}
|
|
VPN_OPENVPN_SERVER_CRT: ${OPENBALENA_VPN_SERVER_CRT}
|
|
VPN_OPENVPN_SERVER_DH: ${OPENBALENA_VPN_SERVER_DH}
|
|
VPN_OPENVPN_SERVER_KEY: ${OPENBALENA_VPN_SERVER_KEY}
|
|
VPN_SERVICE_API_KEY: ${OPENBALENA_VPN_SERVICE_API_KEY}
|
|
|
|
db:
|
|
extends:
|
|
file: ./common.yml
|
|
service: system
|
|
image: balena/open-balena-db:${OPENBALENA_DB_VERSION_TAG:-master}
|
|
volumes:
|
|
- db:/var/lib/postgresql/data
|
|
|
|
s3:
|
|
extends:
|
|
file: ./common.yml
|
|
service: system
|
|
image: balena/open-balena-s3:${OPENBALENA_S3_VERSION_TAG:-master}
|
|
volumes:
|
|
- s3:/export
|
|
|
|
redis:
|
|
extends:
|
|
file: ./common.yml
|
|
service: system
|
|
image: redis:alpine
|
|
volumes:
|
|
- redis:/data
|
|
|
|
haproxy:
|
|
extends:
|
|
file: ./common.yml
|
|
service: system
|
|
build: ../haproxy
|
|
depends_on:
|
|
- api
|
|
- cert-provider
|
|
- db
|
|
- s3
|
|
- redis
|
|
- registry
|
|
- vpn
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
- "3128:3128"
|
|
expose:
|
|
- "222"
|
|
- "5432"
|
|
- "6379"
|
|
networks:
|
|
default:
|
|
aliases:
|
|
- api.${OPENBALENA_HOST_NAME}
|
|
- registry.${OPENBALENA_HOST_NAME}
|
|
- vpn.${OPENBALENA_HOST_NAME}
|
|
- db.${OPENBALENA_HOST_NAME}
|
|
- s3.${OPENBALENA_HOST_NAME}
|
|
- redis.${OPENBALENA_HOST_NAME}
|
|
environment:
|
|
BALENA_HAPROXY_CRT: ${OPENBALENA_ROOT_CRT}
|
|
BALENA_HAPROXY_KEY: ${OPENBALENA_ROOT_KEY}
|
|
BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
|
|
HAPROXY_HOSTNAME: ${OPENBALENA_HOST_NAME}
|
|
volumes:
|
|
- certs:/certs:ro
|
|
|
|
cert-provider:
|
|
build: ../cert-provider
|
|
volumes:
|
|
- certs:/certs
|
|
- cert-provider:/usr/src/app/certs
|
|
environment:
|
|
ACTIVE: ${OPENBALENA_ACME_CERT_ENABLED}
|
|
DOMAINS: "api.${OPENBALENA_HOST_NAME},registry.${OPENBALENA_HOST_NAME},s3.${OPENBALENA_HOST_NAME},vpn.${OPENBALENA_HOST_NAME}"
|
|
OUTPUT_PEM: /certs/open-balena.pem
|