diff --git a/rootless-compose.example.yml b/rootless-compose.example.yml
new file mode 100644
index 00000000..01631f70
--- /dev/null
+++ b/rootless-compose.example.yml
@@ -0,0 +1,75 @@
+---
+services:
+ socket-proxy:
+ container_name: socket-proxy
+ image: ghcr.io/yusing/socket-proxy:latest
+ environment:
+ - ALLOW_START=1
+ - ALLOW_STOP=1
+ - ALLOW_RESTARTS=1
+ - CONTAINERS=1
+ - EVENTS=1
+ - INFO=1
+ - PING=1
+ - POST=1
+ - VERSION=1
+ volumes:
+ - ${DOCKER_SOCKET:-/var/run/docker.sock}:/var/run/docker.sock
+ restart: unless-stopped
+ tmpfs:
+ - /run
+ networks:
+ - godoxy
+ frontend:
+ image: ghcr.io/yusing/godoxy-frontend:${TAG:-latest}
+ container_name: godoxy-frontend
+ restart: unless-stopped
+ env_file: .env
+ read_only: true
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - all
+ depends_on:
+ - app
+ environment:
+ HOSTNAME: 0.0.0.0
+ PORT: 3000
+ labels:
+ proxy.aliases: ${GODOXY_FRONTEND_ALIASES:-godoxy}
+ proxy.#1.port: 3000
+ networks:
+ - godoxy
+ app:
+ image: yusing/godoxy:test
+ container_name: godoxy-proxy
+ restart: always
+ env_file: .env
+ depends_on:
+ socket-proxy:
+ condition: service_started
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - all
+ cap_add:
+ - NET_BIND_SERVICE
+ environment:
+ - DOCKER_HOST=tcp://${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}
+ ports:
+ - 80:80
+ - 443:443/tcp
+ - 443:443/udp # http3
+ volumes:
+ - ./config:/app/config
+ - ./logs:/app/logs
+ - ./error_pages:/app/error_pages:ro
+ - ./data:/app/data
+ - ./certs:/app/certs
+ networks:
+ - proxy
+ - godoxy
+networks:
+ proxy: # bridge network for all services that needs proxying
+ external: true
+ godoxy:
diff --git a/rootless.env.example b/rootless.env.example
new file mode 100644
index 00000000..15956d10
--- /dev/null
+++ b/rootless.env.example
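Review bot: The socket-proxy service is granted Docker API write operations (`POST=1`, `ALLOW_START=1`, `ALLOW_STOP=1`, `ALLOW_RESTARTS=1`) over a mounted socket, yet unlike frontend and app it sets no `security_opt`, `cap_drop` or `read_only`; the `tmpfs: - /run` entry suggests `read_only: true` was intended, so I would harden it to match the other two services as below (add further tmpfs paths only if the image turns out to need them). The app fallback `DOCKER_HOST=tcp://${SOCKET_PROXY_LISTEN_ADDR:-127.0.0.1:2375}` points at the app container's own loopback and never reaches socket-proxy; the default should be the service name, `tcp://${SOCKET_PROXY_LISTEN_ADDR:-socket-proxy:2375}`, which is also what rootless.env.example sets. `image: yusing/godoxy:test` pins a test tag in an example file while frontend uses `${TAG:-latest}`; presumably `yusing/godoxy:${TAG:-latest}` was meant. The port entry `80:80` is an unquoted digit:digit scalar that YAML 1.1 parsers read as a sexagesimal integer, so write it as `- "80:80"` (quoting the two 443 entries too keeps the list uniform).
```yaml
  socket-proxy:
    # … unchanged: container_name, image, environment, volumes, restart …
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - all
    tmpfs:
      - /run
    # … unchanged: networks …
```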
@@ -0,0 +1,72 @@
+DOCKER_SOCKET=/var/run/user/1000/docker.sock
+SOCKET_PROXY_LISTEN_ADDR=socket-proxy:2375
+
+# docker image tag (latest, nightly)
+TAG=latest
+
+# set timezone to get correct log timestamp
+TZ=ETC/UTC
+
+# Set GODOXY_API_JWT_SECURE=false to allow http
+GODOXY_API_JWT_SECURE=true
+# API JWT Configuration (common)
+# generate secret with `openssl rand -base64 32`
+GODOXY_API_JWT_SECRET=
+# the JWT token time-to-live
+# leave empty to use default (24 hours)
+# format: https://pkg.go.dev/time#Duration
+GODOXY_API_JWT_TOKEN_TTL=
+
+# API/WebUI user password login credentials (optional)
+# These fields are not required for OIDC authentication
+GODOXY_API_USER=admin
+GODOXY_API_PASSWORD=password
+
+# OIDC Configuration (optional)
+# Uncomment and configure these values to enable OIDC authentication.
+#
+# GODOXY_OIDC_ISSUER_URL=https://accounts.google.com
+# GODOXY_OIDC_CLIENT_ID=your-client-id
+# GODOXY_OIDC_CLIENT_SECRET=your-client-secret
+# GODOXY_OIDC_SCOPES=openid, profile, email, groups # you may also include `offline_access` if your Idp supports it (e.g. Authentik, Pocket ID)
+#
+# User definitions: Uncomment and configure these values to restrict access to specific users or groups.
+# These two fields act as a logical AND operator. For example, given the following membership:
+# user1, group1
+# user2, group1
+# user3, group2
+# user1, group2
+# You can allow access to user3 AND all users of group1 by providing:
+# # GODOXY_OIDC_ALLOWED_USERS=user3
+# # GODOXY_OIDC_ALLOWED_GROUPS=group1
+#
+# Comma-separated list of allowed users.
+# GODOXY_OIDC_ALLOWED_USERS=user1,user2
+# Optional: Comma-separated list of allowed groups.
+# GODOXY_OIDC_ALLOWED_GROUPS=group1,group2
+
+# Proxy listening address
+GODOXY_HTTP_ADDR=:80
+GODOXY_HTTPS_ADDR=:443
+
+# Enable HTTP3
+GODOXY_HTTP3_ENABLED=true
+
+# API listening address
+GODOXY_API_ADDR=127.0.0.1:8888
+
+# Metrics
+GODOXY_METRICS_DISABLE_CPU=false
+GODOXY_METRICS_DISABLE_MEMORY=false
+GODOXY_METRICS_DISABLE_DISK=false
+GODOXY_METRICS_DISABLE_NETWORK=false
+GODOXY_METRICS_DISABLE_SENSORS=false
+
+# Frontend listening port
+GODOXY_FRONTEND_PORT=3000
+
+# Frontend aliases (subdomains / FQDNs, e.g. godoxy, godoxy.domain.com)
+GODOXY_FRONTEND_ALIASES=godoxy
+
+# Debug mode
+GODOXY_DEBUG=false
\ No newline at end of file
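Review bot: `TZ=ETC/UTC` uses the wrong case for the IANA zone name; tzdata installs it as `Etc/UTC`, and on a case-sensitive filesystem that lookup most likely fails, so the comment's promise of correct log timestamps would not hold — change it to `TZ=Etc/UTC`. The file also ships `GODOXY_API_USER=admin` / `GODOXY_API_PASSWORD=password` and an empty `GODOXY_API_JWT_SECRET`, which `env_file: .env` in the compose file hands straight to both containers once this example is copied; I would add `# CHANGE THESE before deployment: the defaults are placeholders` above the credential pair, and state in the secret's comment whether an empty value is rejected at startup (I cannot tell from here what the app does with it). Minor: `Idp` in the OIDC scopes comment should read `IdP`, and the file lacks a trailing newline.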