mirror of
https://github.com/balena-io/open-balena.git
synced 2025-01-18 02:40:09 +00:00
da4c1678ec
Port 3128, which was used for tunneling into devices, was plain TCP and has now been closed. Tunnelling is now via `tunnel.mydomain.com:443` (see #101). balena-cli versions before v12.38.5 are now incompatible and using the tunnel command will throw an error. Refs: #101 Change-type: patch
189 lines
5.8 KiB
YAML
189 lines
5.8 KiB
YAML
version: "2.0"
|
|
|
|
volumes:
|
|
certs: {}
|
|
cert-provider: {}
|
|
db: {}
|
|
redis: {}
|
|
registry: {}
|
|
s3: {}
|
|
|
|
services:
|
|
api:
|
|
extends:
|
|
file: ./common.yml
|
|
service: component
|
|
image: balena/open-balena-api:${OPENBALENA_API_VERSION_TAG}
|
|
depends_on:
|
|
- db
|
|
- s3
|
|
- redis
|
|
environment:
|
|
API_VPN_SERVICE_API_KEY: ${OPENBALENA_API_VPN_SERVICE_API_KEY}
|
|
BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
|
|
COOKIE_SESSION_SECRET: ${OPENBALENA_COOKIE_SESSION_SECRET}
|
|
DB_HOST: db
|
|
DB_PASSWORD: docker
|
|
DB_PORT: 5432
|
|
DB_USER: docker
|
|
DELTA_HOST: delta.${OPENBALENA_HOST_NAME}
|
|
DEVICE_CONFIG_OPENVPN_CA: ${OPENBALENA_VPN_CA_CHAIN}
|
|
DEVICE_CONFIG_SSH_AUTHORIZED_KEYS: ${OPENBALENA_SSH_AUTHORIZED_KEYS}
|
|
HOST: api.${OPENBALENA_HOST_NAME}
|
|
IMAGE_MAKER_URL: img.${OPENBALENA_HOST_NAME}
|
|
IMAGE_STORAGE_BUCKET: resin-production-img-cloudformation
|
|
IMAGE_STORAGE_PREFIX: images
|
|
IMAGE_STORAGE_ENDPOINT: s3.amazonaws.com
|
|
JSON_WEB_TOKEN_EXPIRY_MINUTES: 10080
|
|
JSON_WEB_TOKEN_SECRET: ${OPENBALENA_JWT_SECRET}
|
|
MIXPANEL_TOKEN: __unused__
|
|
PRODUCTION_MODE: "${OPENBALENA_PRODUCTION_MODE}"
|
|
PUBNUB_PUBLISH_KEY: __unused__
|
|
PUBNUB_SUBSCRIBE_KEY: __unused__
|
|
REDIS_HOST: redis
|
|
REDIS_PORT: 6379
|
|
REGISTRY2_HOST: registry.${OPENBALENA_HOST_NAME}
|
|
REGISTRY_HOST: registry.${OPENBALENA_HOST_NAME}
|
|
SENTRY_DSN: ""
|
|
TOKEN_AUTH_BUILDER_TOKEN: ${OPENBALENA_TOKEN_AUTH_BUILDER_TOKEN}
|
|
TOKEN_AUTH_CERT_ISSUER: api.${OPENBALENA_HOST_NAME}
|
|
TOKEN_AUTH_CERT_KEY: ${OPENBALENA_TOKEN_AUTH_KEY}
|
|
TOKEN_AUTH_CERT_KID: ${OPENBALENA_TOKEN_AUTH_KID}
|
|
TOKEN_AUTH_CERT_PUB: ${OPENBALENA_TOKEN_AUTH_PUB}
|
|
TOKEN_AUTH_JWT_ALGO: "ES256"
|
|
VPN_HOST: vpn.${OPENBALENA_HOST_NAME}
|
|
VPN_PORT: 443
|
|
VPN_SERVICE_API_KEY: ${OPENBALENA_VPN_SERVICE_API_KEY}
|
|
SUPERUSER_EMAIL: ${OPENBALENA_SUPERUSER_EMAIL}
|
|
SUPERUSER_PASSWORD: ${OPENBALENA_SUPERUSER_PASSWORD}
|
|
|
|
registry:
|
|
extends:
|
|
file: ./common.yml
|
|
service: component
|
|
image: balena/open-balena-registry:${OPENBALENA_REGISTRY_VERSION_TAG}
|
|
depends_on:
|
|
- s3
|
|
- redis
|
|
volumes:
|
|
- registry:/data
|
|
environment:
|
|
API_TOKENAUTH_CRT: ${OPENBALENA_TOKEN_AUTH_PUB}
|
|
BALENA_REGISTRY2_HOST: registry.${OPENBALENA_HOST_NAME}
|
|
BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
|
|
BALENA_TOKEN_AUTH_ISSUER: api.${OPENBALENA_HOST_NAME}
|
|
BALENA_TOKEN_AUTH_REALM: https://api.${OPENBALENA_HOST_NAME}/auth/v1/token
|
|
COMMON_REGION: ${OPENBALENA_S3_REGION}
|
|
REGISTRY2_CACHE_ENABLED: "false"
|
|
REGISTRY2_CACHE_ADDR: 127.0.0.1:6379
|
|
REGISTRY2_CACHE_DB: 0
|
|
REGISTRY2_CACHE_MAXMEMORY_MB: 1024 # megabytes
|
|
REGISTRY2_CACHE_MAXMEMORY_POLICY: allkeys-lru
|
|
REGISTRY2_S3_REGION_ENDPOINT: ${OPENBALENA_S3_ENDPOINT}
|
|
REGISTRY2_S3_BUCKET: ${OPENBALENA_REGISTRY2_S3_BUCKET}
|
|
REGISTRY2_S3_KEY: ${OPENBALENA_S3_ACCESS_KEY}
|
|
REGISTRY2_S3_SECRET: ${OPENBALENA_S3_SECRET_KEY}
|
|
REGISTRY2_SECRETKEY: ${OPENBALENA_REGISTRY_SECRET_KEY}
|
|
REGISTRY2_STORAGEPATH: /data
|
|
|
|
vpn:
|
|
extends:
|
|
file: ./common.yml
|
|
service: component
|
|
image: balena/open-balena-vpn:${OPENBALENA_VPN_VERSION_TAG}
|
|
depends_on:
|
|
- api
|
|
cap_add:
|
|
- NET_ADMIN
|
|
environment:
|
|
API_SERVICE_API_KEY: ${OPENBALENA_API_VPN_SERVICE_API_KEY}
|
|
BALENA_API_HOST: api.${OPENBALENA_HOST_NAME}
|
|
BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
|
|
BALENA_VPN_PORT: 443
|
|
PRODUCTION_MODE: "${OPENBALENA_PRODUCTION_MODE}"
|
|
RESIN_VPN_GATEWAY: 10.2.0.1
|
|
SENTRY_DSN: ""
|
|
VPN_HAPROXY_USEPROXYPROTOCOL: "true"
|
|
VPN_OPENVPN_CA_CRT: ${OPENBALENA_VPN_CA}
|
|
VPN_OPENVPN_SERVER_CRT: ${OPENBALENA_VPN_SERVER_CRT}
|
|
VPN_OPENVPN_SERVER_DH: ${OPENBALENA_VPN_SERVER_DH}
|
|
VPN_OPENVPN_SERVER_KEY: ${OPENBALENA_VPN_SERVER_KEY}
|
|
VPN_SERVICE_API_KEY: ${OPENBALENA_VPN_SERVICE_API_KEY}
|
|
|
|
db:
|
|
extends:
|
|
file: ./common.yml
|
|
service: system
|
|
image: balena/open-balena-db:${OPENBALENA_DB_VERSION_TAG}
|
|
volumes:
|
|
- db:/var/lib/postgresql/data
|
|
|
|
s3:
|
|
extends:
|
|
file: ./common.yml
|
|
service: component
|
|
image: balena/open-balena-s3:${OPENBALENA_S3_VERSION_TAG}
|
|
volumes:
|
|
- s3:/export
|
|
environment:
|
|
S3_MINIO_ACCESS_KEY: ${OPENBALENA_S3_ACCESS_KEY}
|
|
S3_MINIO_SECRET_KEY: ${OPENBALENA_S3_SECRET_KEY}
|
|
BUCKETS: ${OPENBALENA_S3_BUCKETS}
|
|
|
|
redis:
|
|
extends:
|
|
file: ./common.yml
|
|
service: system
|
|
image: redis:alpine
|
|
volumes:
|
|
- redis:/data
|
|
|
|
haproxy:
|
|
extends:
|
|
file: ./common.yml
|
|
service: system
|
|
build: ../src/haproxy
|
|
depends_on:
|
|
- api
|
|
- cert-provider
|
|
- db
|
|
- s3
|
|
- redis
|
|
- registry
|
|
- vpn
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
expose:
|
|
- "222"
|
|
- "3128"
|
|
- "5432"
|
|
- "6379"
|
|
networks:
|
|
default:
|
|
aliases:
|
|
- api.${OPENBALENA_HOST_NAME}
|
|
- registry.${OPENBALENA_HOST_NAME}
|
|
- vpn.${OPENBALENA_HOST_NAME}
|
|
- db.${OPENBALENA_HOST_NAME}
|
|
- s3.${OPENBALENA_HOST_NAME}
|
|
- redis.${OPENBALENA_HOST_NAME}
|
|
- tunnel.${OPENBALENA_HOST_NAME}
|
|
environment:
|
|
BALENA_HAPROXY_CRT: ${OPENBALENA_ROOT_CRT}
|
|
BALENA_HAPROXY_KEY: ${OPENBALENA_ROOT_KEY}
|
|
BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
|
|
HAPROXY_HOSTNAME: ${OPENBALENA_HOST_NAME}
|
|
volumes:
|
|
- certs:/certs:ro
|
|
|
|
cert-provider:
|
|
build: ../src/cert-provider
|
|
volumes:
|
|
- certs:/certs
|
|
- cert-provider:/usr/src/app/certs
|
|
environment:
|
|
ACTIVE: ${OPENBALENA_ACME_CERT_ENABLED}
|
|
DOMAINS: "api.${OPENBALENA_HOST_NAME},registry.${OPENBALENA_HOST_NAME},s3.${OPENBALENA_HOST_NAME},vpn.${OPENBALENA_HOST_NAME},tunnel.${OPENBALENA_HOST_NAME}"
|
|
OUTPUT_PEM: /certs/open-balena.pem
|