endurain/docker-compose.yml.secrets.example

# Docker Compose example with File-Based Secrets
# This file demonstrates how to use file-based Docker secrets for sensitive environment variables
# like DB_PASSWORD, SECRET_KEY, and FERNET_KEY.

services:
  endurain:
    container_name: endurain-app
    image: ghcr.io/endurain-project/endurain:latest
    environment:
      # Use _FILE variants to read secrets from files
      - DB_PASSWORD_FILE=/run/secrets/db_password
      - SECRET_KEY_FILE=/run/secrets/secret_key
      - FERNET_KEY_FILE=/run/secrets/fernet_key
      # Regular environment variables
      - TZ=Europe/Lisbon
      - DB_TYPE=postgres
      - DB_HOST=postgres
      - DB_PORT=5432
      - DB_USER=endurain
      - DB_DATABASE=endurain
      - ENDURAIN_HOST=https://endurain.example.com
      - BEHIND_PROXY=true
      - ALGORITHM=HS256
      - ACCESS_TOKEN_EXPIRE_MINUTES=15
      - REFRESH_TOKEN_EXPIRE_DAYS=7
    secrets:
      - db_password
      - secret_key
      - fernet_key
    volumes:
      - /opt/endurain/backend/data:/app/backend/data
      - /opt/endurain/backend/logs:/app/backend/logs
    ports:
      - "8080:8080"
    depends_on:
      postgres:
        condition: service_healthy
    restart: unless-stopped

  postgres:
    image: docker.io/postgres:17.5
    container_name: endurain-postgres
    environment:
      - POSTGRES_PASSWORD_FILE=/run/secrets/postgres_password
      - POSTGRES_DB=endurain
      - POSTGRES_USER=endurain
      - PGDATA=/var/lib/postgresql/data/pgdata
    secrets:
      - postgres_password
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U endurain"]
      interval: 5s
      timeout: 5s
      retries: 5
    volumes:
      - /opt/endurain/postgres:/var/lib/postgresql/data
    restart: unless-stopped

secrets:
  # File-based secrets - secrets are read from local files
  db_password:
    file: ./secrets/db_password.txt
  
  # Postgres uses the same password as the application
  postgres_password:
    file: ./secrets/db_password.txt
  
  # JWT secret key
  secret_key:
    file: ./secrets/secret_key.txt
  
  # Fernet encryption key
  fernet_key:
    file: ./secrets/fernet_key.txt