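# Compose file (format 2.4, needed for mem_limit) for the pub.solar Mastodon
# deployment. caddy terminates TLS and fronts the web and streaming containers,
# sidekiq runs background jobs and a single-node elasticsearch provides search.
# Postgres and redis run outside this file (see the commented-out services).
# All containers share the external network "mastodon-fabric".
version: "2.4"

services:
  # we're using matrix-postgres as DB
  #db:
  #  restart: always
  #  image: postgres:14-alpine
  #  shm_size: 256mb
  #  networks:
  #    - mastodon-fabric

  # Experimentally replaced by caddy
  #nginx:
  #  image: hub.greenbaum.cloud/nginx-dehydrated:1.19-alpine
  #  mem_limit: 256m
  #  restart: always
  #  environment:
  #    - LETSENCRYPT_DOMAIN=mastodon.pub.solar
  #    - UPSTREAM_NAME=mastodon
  #    - UPSTREAM_CNS_BASE_DOMAIN=svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.int.greenbaum.zone
  #    - UPSTREAM_PORT=3000
  #  network_mode: mastodon-fabric
  #  ports:
  #    - 80
  #    - 443
  #  labels:
  #    - triton.cns.services=mastodon-proxy

  # Public entry point: the only service that publishes ports. The Caddyfile is
  # generated inline from the environment below (see the command).
  caddy:
    image: caddy:2.6.4
    mem_limit: 256m
    restart: always
    environment:
      - SITE_DOMAIN=mastodon.pub.solar
      # upstreams are resolved through Triton CNS; the host names match the
      # triton.cns.services labels of the web and streaming services below
      - UPSTREAM_APP_DOMAIN=mastodon-web.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.int.greenbaum.zone
      - UPSTREAM_STREAMING_DOMAIN=mastodon-streaming.svc.e5756d08-36fd-424b-f8bc-acdb92ca7b82.cgn-1.int.greenbaum.zone
      - UPSTREAM_APP_PORT=3000
      - UPSTREAM_STREAMING_PORT=4000
    network_mode: mastodon-fabric
    # quoted so no YAML parser reinterprets the port numbers
    ports:
      - "80"
      - "443"
    labels:
      - triton.cns.services=mastodon-proxy
    entrypoint: /bin/sh
    # The Caddyfile is echoed into `caddy run --config -`. Compose turns `$$`
    # into a literal `$`, so $$SITE_DOMAIN etc. are expanded by /bin/sh inside
    # the container, not by compose on the host. A literal block (|-) is used
    # so every Caddyfile line, including the `#` comment lines, keeps its own
    # line break.
    # NOTE(review): the whole Caddyfile sits inside one double-quoted sh string,
    # so the inner double quotes around values such as "public, max-age=0" are
    # also parsed by the shell and removed before caddy sees them. If the
    # adapted config (`caddy adapt --adapter caddyfile --config -`) does not
    # show the intended header values, feed the file through a quoted heredoc
    # and use Caddy's own {$VAR} environment placeholders instead of shell
    # expansion — TODO confirm on the running instance.
    command:
      - -c
      - |-
        echo "
        {
          email admins@pub.solar
          servers {
            protocols h1 h2
          }
        }
        $$SITE_DOMAIN {
          @streaming {
            path /api/v1/streaming/*
          }
          @cache_control {
            path_regexp ^/(emoji|packs|/system/accounts/avatars|/system/media_attachments/files)
          }
          # Uncomment only for debugging, we don't log by default
          #log {
          #  output stderr
          #}
          handle /.well-known/keybase.txt {
            root * /srv
            file_server
          }
          # local sign-up and password flows are disabled; accounts are managed
          # in the pub.solar SSO (auth.pub.solar), so send users there
          redir /auth/sign_up /auth/sign_in temporary
          redir /auth/confirmation/new https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon temporary
          redir /auth/password/new https://auth.pub.solar/realms/pub.solar/login-actions/reset-credentials?client_id=mastodon temporary
          reverse_proxy @streaming {
            to http://$$UPSTREAM_STREAMING_DOMAIN:$$UPSTREAM_STREAMING_PORT
          }
          reverse_proxy {
            to http://$$UPSTREAM_APP_DOMAIN:$$UPSTREAM_APP_PORT
          }
          handle_errors {
            rewrite 500.html
          }
          encode zstd gzip
          header {
            # HSTS for this host only (no includeSubDomains / preload)
            Strict-Transport-Security "max-age=31536000"
            # clickjacking protection
            X-Frame-Options DENY
          }
          header /sw.js Cache-Control "public, max-age=0"
          header @cache_control Cache-Control "public, max-age=31536000, immutable"
        }
        # media host: rewrites every request onto the object-storage share and
        # proxies it, hiding the storage backend's own headers from clients
        files.pub.solar {
          handle {
            rewrite * /s/jw24ad6l4a6zxsnd32cmf5hp5nsq/pub-solar-mastodon{uri}?download
            reverse_proxy {
              # backends / upstreams
              to https://link.tardigradeshare.io
              # header manipulation
              # proxy to an HTTPS endpoint
              header_up Host {upstream_hostport}
              # copied from mastodon docs for nginx with s3 for files
              # never forward client connection or credential headers to the
              # storage backend
              header_up Connection ""
              header_up Authorization ""
              # remove these header from the backends response
              header_down -Set-Cookie
              header_down -Access-Control-Allow-Origin
              header_down -Access-Control-Allow-Methods
              header_down -Access-Control-Allow-Headers
              header_down -x-amz-id-2
              header_down -x-amz-request-id
              header_down -x-amz-meta-server-side-encryption
              header_down -x-amz-server-side-encryption
              header_down -x-amz-bucket-region
              header_down -x-amzn-requestid
              # add these header to the backends response
              # cache client side for 7 days
              header_down Cache-Control "public, max-age=604800"
              header_down Access-Control-Allow-Origin "*"
              header_down X-Content-Type-Options "nosniff"
            }
          }
          handle_errors {
            rewrite 500.html
          }
        }" | caddy run --adapter caddyfile --config -

  # using SmartOS native zone mastodon-redis, lx-brand redis crashes regularly,
  # upstream bug: https://github.com/redis/redis/issues/8861
  # redis:
  #   image: redis:6.2-alpine
  #   mem_limit: 512m
  #   restart: always
  #   network_mode: mastodon-fabric
  #   labels:
  #     - triton.cns.services=mastodon-redis

  # Rails application server, reached by caddy on port 3000. The stale pid file
  # is removed first so a restarted container does not refuse to start.
  # .env.production holds the application configuration (presumably including
  # secrets) — keep it out of version control.
  web:
    image: tootsuite/mastodon:v4.1.4
    mem_limit: 1g
    restart: always
    env_file: .env.production
    command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p 3000"
    network_mode: mastodon-fabric
    # see redis service comment
    #depends_on:
    #  - redis
    labels:
      - triton.cns.services=mastodon-web

  # WebSocket streaming API, reached by caddy on port 4000 for /api/v1/streaming/*
  streaming:
    image: tootsuite/mastodon:v4.1.4
    mem_limit: 1g
    restart: always
    env_file: .env.production
    command: node ./streaming
    network_mode: mastodon-fabric
    # see redis service comment
    #depends_on:
    #  - redis
    labels:
      - triton.cns.services=mastodon-streaming

  # background job worker; not exposed through caddy
  sidekiq:
    image: tootsuite/mastodon:v4.1.4
    mem_limit: 1g
    restart: always
    env_file: .env.production
    command: bundle exec sidekiq
    network_mode: mastodon-fabric
    labels:
      - triton.cns.services=mastodon-sidekiq

  # Single-node search index. xpack security is disabled, so this node has
  # neither authentication nor TLS: it is only reachable on mastodon-fabric
  # (no ports are published here) and must stay that way.
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.17.11
    mem_limit: 512m
    restart: always
    environment:
      # heap sized to the container's mem_limit
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - "xpack.license.self_generated.type=basic"
      - "xpack.security.enabled=false"
      - "xpack.watcher.enabled=false"
      - "xpack.graph.enabled=false"
      - "xpack.ml.enabled=false"
      # requires the unlimited memlock ulimit below
      - "bootstrap.memory_lock=true"
      - "cluster.name=es-mastodon"
      - "discovery.type=single-node"
      - "thread_pool.write.queue_size=1000"
    network_mode: mastodon-fabric
    labels:
      - triton.cns.services=mastodon-elasticsearch
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536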