docker-compose.yml
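# Compose stack: Go application, PostgreSQL, single-node Elasticsearch,
# Prometheus and Grafana. Values written as ${VAR} are interpolated by Compose
# from the shell environment or an .env file.
# NOTE(review): an unset ${VAR} interpolates to an empty string with only a
# warning. For the secrets below (SESSION_SECRET, DB_PASSWORD,
# GF_ADMIN_PASSWORD) consider the ${VAR:?message} form so that a missing value
# stops the deployment instead of starting a service with an empty secret.
services:
  app:
    build:
      context: .
      dockerfile: Dockerfile
    # NOTE(review): ":latest" is a mutable tag, so the image that runs can
    # change between pulls. Pin a release tag or digest for reproducible,
    # auditable deployments.
    image: ghcr.io/mitanuriel/gosearch:latest
    container_name: go-app
    volumes:
      # SQLite database file and backup directory are bind-mounted from the
      # host, so host file permissions on these paths protect the data.
      - ./src/whoknows.db:/app/src/whoknows.db
      - ./backups:/app/src/backend/backups
    ports:
      - "8080:8080"
    environment:
      - CONN_STR=${CONN_STR}
      - APP_ENV=${APP_ENV}
      - LOG_LEVEL=${LOG_LEVEL}
      # Elasticsearch is addressed by service name over the Compose network.
      - ES_HOST=elasticsearch
      - ES_PORT=9200
      - TEMPLATE_PATH=/app/src/frontend/templates/
      - STATIC_PATH=/app/src/frontend/static/
      # Secret: must be set to a non-empty value outside this file.
      - SESSION_SECRET=${SESSION_SECRET}
      - SEARCH_LOG_PATH=/app/src/backend/search.log
      - SQLITE_DB_PATH=/app/src/whoknows.db
      - OPENWEATHER_API_KEY=${OPENWEATHER_API_KEY}
    depends_on:
      - postgres
      - elasticsearch
    restart: always
    command: /app/entrypoint.sh
    mem_limit: 256m

  postgres:
    image: postgres:13
    container_name: postgres-db
    restart: always
    # Reduced memory settings to fit the 200m container limit below.
    command:
      - "postgres"
      - "-c"
      - "shared_buffers=64MB"
      - "-c"
      - "work_mem=4MB"
    environment:
      POSTGRES_USER: ${DB_USER}
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_DB: ${DB_NAME}
    ports:
      # NOTE(review): this publishes PostgreSQL on every host interface. If
      # only the app container connects (CONN_STR is not visible here, so
      # confirm), drop the mapping or bind it as "127.0.0.1:5432:5432".
      - "5432:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
    mem_limit: 200m

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.5.0
    container_name: elasticsearch
    environment:
      discovery.type: single-node
      # Has no effect while xpack.security.enabled is "false" below; it only
      # becomes the elastic user's password once security is enabled.
      ELASTIC_PASSWORD: ${ES_PASSWORD}
      ES_JAVA_OPTS: "-Xms128m -Xmx128m"
      # Security configuration:
      # X-Pack security (authentication and TLS) is disabled. That is only
      # acceptable while Elasticsearch is unreachable from outside this host:
      # the Go application reaches it over the Compose network as
      # "elasticsearch:9200", and port 9200 is blocked by the Azure Network
      # Security Group (NSG).
      # With authentication off, network isolation is the only control in
      # front of the data, so the published ports below are bound to loopback
      # rather than relying on the NSG rule alone.
      # For multi-host or cloud-native deployments, enable X-Pack security with
      # xpack.security.enabled: "true" and configure ELASTIC_PASSWORD
      # authentication.
      xpack.security.enabled: "false"
      xpack.security.http.ssl.enabled: "false"
      # Performance tuning for resource-constrained environments
      indices.memory.index_buffer_size: "5%"
      indices.queries.cache.size: "3%"
      indices.fielddata.cache.size: "3%"
      indices.recovery.max_bytes_per_sec: "20mb"
      thread_pool.write.queue_size: "100"
      thread_pool.search.queue_size: "100"
      # Turns off the disk-usage watermark checks for shard allocation.
      cluster.routing.allocation.disk.threshold_enabled: "false"
    ports:
      # Bound to 127.0.0.1: an unauthenticated Elasticsearch must not listen on
      # external interfaces. Other containers do not use these mappings; they
      # connect over the Compose network. Host-local tools and SSH tunnels
      # still work through loopback.
      - "127.0.0.1:9200:9200"
      - "127.0.0.1:9300:9300"
    volumes:
      - esdata:/usr/share/elasticsearch/data
    mem_limit: 512m
    restart: always

  prometheus:
    # NOTE(review): mutable ":latest" tag; pin a version or digest.
    image: prom/prometheus:latest
    container_name: prometheus
    ports:
      # NOTE(review): no --web.config.file is passed below, so the UI and HTTP
      # API on 9090 are presumably served without authentication. Confirm the
      # port is not reachable externally, or bind it to 127.0.0.1.
      - "9090:9090"
    volumes:
      - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
      - prometheus_data:/prometheus
    command:
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--storage.tsdb.path=/prometheus'
      - '--web.console.libraries=/etc/prometheus/console.libraries'
      - '--web.console.templates=/etc/prometheus/consoles'
    restart: unless-stopped
    mem_limit: 128m

  grafana:
    # NOTE(review): mutable ":latest" tag; pin a version or digest.
    image: grafana/grafana:latest
    container_name: grafana
    ports:
      - "3000:3000"
    volumes:
      - grafana_data:/var/lib/grafana
      - ./grafana/provisioning:/etc/grafana/provisioning
    environment:
      # NOTE(review): if GF_ADMIN_PASSWORD is unset this is passed as an empty
      # string; confirm Grafana does not then fall back to its default admin
      # credentials, since port 3000 is published.
      - GF_SECURITY_ADMIN_PASSWORD=${GF_ADMIN_PASSWORD}
      # Self-registration is disabled; accounts are created by an admin.
      - GF_USERS_ALLOW_SIGN_UP=false
    depends_on:
      - prometheus
    restart: unless-stopped
    mem_limit: 128m

# Named volumes with default driver settings.
volumes:
  postgres_data: {}
  esdata: {}
  prometheus_data: {}
  grafana_data: {}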