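# Development / test stack. Every credential in this file is a fixed, well-known
# default (postgres `testing`, rustfs `rustfsadmin`) and Kafka runs PLAINTEXT with
# no authentication; nothing here is suitable for a host reachable from an
# untrusted network.
#
# Image tags: `postgres:18` is pinned to a major release; the rustfs, kafka and
# console images float on `:latest`, so the stack is not reproducible across
# pulls. Pin them to a specific tag (or digest) once the versions in use are known.
services:
  postgres:
    image: postgres:18
    environment:
      # Fixed dev password; DATABASE_URL in `server` below must match it.
      POSTGRES_PASSWORD: testing
    volumes:
      - postgres-data:/var/lib/postgresql/18/docker
    # Published on every host interface (Docker's default bind), so the dev
    # password above is usable by anyone who can reach the host. Prefix the
    # mapping with `127.0.0.1:` when the host is not otherwise isolated.
    ports:
      - "5432:5432"
    healthcheck:
      test:
        - CMD-SHELL
        - 'pg_isready -U postgres -d postgres || exit 1'
      interval: 5s
      timeout: 5s
      retries: 5
      start_period: 10s

  server:
    build:
      context: .
      dockerfile: services/server/Dockerfile
    ports:
      # Quoted so the `${VAR:-default}:port` form is left as a string for
      # compose to interpolate; same host-interface caveat as postgres.
      - "${POLYCENTRIC_SERVER_PORT:-3000}:3000"
    environment:
      - RUST_LOG=debug
      # Same dev credentials as the postgres service above.
      - DATABASE_URL=postgres://postgres:testing@postgres:5432
      - CONTENT_BLOB_OS_BUCKET=polycentric-blobs
      - CONTENT_BLOB_OS_ENDPOINT=http://rustfs:9000
      - CONTENT_BLOB_OS_FORCE_PATH_STYLE=true
      # rustfs default root credentials (kept usable by
      # RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS on the rustfs service).
      - CONTENT_BLOB_OS_ACCESS_KEY=rustfsadmin
      - CONTENT_BLOB_OS_SECRET_KEY=rustfsadmin
      # In-network listener: the default (localhost:9092) points at the server
      # container itself, making Kafka unreachable
      - POLYCENTRIC_KAFKA_BROKERS=kafka:19092
      # Reached over the isolated `scraper_link` network (see below).
      - POLYCENTRIC_SCRAPER_URL=http://scraper:8855
    # On both the shared app network and the isolated scraper link, so it can
    # talk to postgres/kafka/etc. AND to the scraper.
    networks:
      - default
      - scraper_link
    depends_on:
      postgres:
        condition: service_healthy
      rustfs-init:
        condition: service_completed_successfully
      kafka:
        condition: service_started
      # `service_started` only. The scraper does define a healthcheck, so
      # `service_healthy` is available if the server must not come up before
      # the scraper answers on /health (adds up to its `start_period` to startup).
      scraper:
        condition: service_started

  scraper:
    build:
      context: .
      dockerfile: services/scraper/Dockerfile
    # The entrypoint programs an nftables egress firewall inside the container's
    # network namespace before dropping privileges, so it needs NET_ADMIN.
    # `init` reaps the headless-Chromium child processes the scraper spawns.
    cap_add:
      - NET_ADMIN
    init: true
    # Isolation: attached ONLY to `scraper_link` (shared with the server), never
    # to `default`. So even if its in-container egress firewall is bypassed, it
    # has no route to postgres/kafka/rustfs/etc. — they sit on a network it
    # cannot see. Deliberately no `ports:` — it must not be published to the
    # host, as it fetches arbitrary user-supplied URLs.
    networks:
      - scraper_link
    healthcheck:
      # node:24 ships global fetch; avoids needing curl/wget in the image.
      # Double-quoted: the JS contains single quotes and `=>`/`?`, which are
      # easy to mis-parse as plain YAML.
      test:
        - CMD
        - node
        - "-e"
        - "fetch('http://localhost:8855/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"
      interval: 10s
      timeout: 5s
      retries: 5
      # Generous: the first check waits for the headless browser to come up.
      start_period: 20s

  rustfs:
    image: rustfs/rustfs:latest
    volumes:
      - rustfs-data:/data
    # API (9000) and console (9001), both published on all host interfaces
    # with the default root credentials re-enabled below.
    ports:
      - "9000:9000"
      - "9001:9001"
    environment:
      # rustfs:latest refuses the default root credentials on a non-loopback listener. This
      # re-enables them so that default credentials continue to work for all dependent services.
      - RUSTFS_ALLOW_INSECURE_DEFAULT_CREDENTIALS=true
    healthcheck:
      # Assumes curl is present in the rustfs image.
      test:
        - CMD
        - curl
        - "-sf"
        - http://localhost:9000/health
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s

  rustfs-init:
    image: rustfs/rc:latest
    depends_on:
      rustfs:
        condition: service_healthy
    # One-shot bucket bootstrap with the same default root credentials; `server`
    # waits for it via service_completed_successfully.
    entrypoint: >
      /bin/sh -c "
      until rc alias set rustfs http://rustfs:9000 rustfsadmin rustfsadmin >/dev/null 2>&1; do
      echo 'waiting for rustfs...'; sleep 1;
      done;
      rc mb -p rustfs/polycentric-blobs"

  kafka:
    image: apache/kafka:latest
    # Fixed container name: a second copy of this stack on the same host collides.
    container_name: broker
    environment:
      # Numeric values are quoted so no YAML loader retypes them; compose
      # hands them to the container as strings either way.
      KAFKA_NODE_ID: "1"
      KAFKA_PROCESS_ROLES: broker,controller
      # CONTROLLER for KRaft, INTERNAL for containers on the compose network,
      # EXTERNAL for clients on the host (published below).
      KAFKA_LISTENERS: CONTROLLER://0.0.0.0:9093,INTERNAL://0.0.0.0:19092,EXTERNAL://0.0.0.0:9092
      KAFKA_ADVERTISED_LISTENERS: INTERNAL://kafka:19092,EXTERNAL://localhost:9092
      # Every listener is PLAINTEXT: no TLS, no SASL. The EXTERNAL one is
      # reachable from the host via the port mapping below.
      KAFKA_LISTENER_SECURITY_PROTOCOL_MAP: CONTROLLER:PLAINTEXT,INTERNAL:PLAINTEXT,EXTERNAL:PLAINTEXT
      KAFKA_INTER_BROKER_LISTENER_NAME: INTERNAL
      KAFKA_CONTROLLER_LISTENER_NAMES: CONTROLLER
      KAFKA_CONTROLLER_QUORUM_VOTERS: 1@localhost:9093
      # Single-node KRaft: replication factors and min ISR of 1.
      KAFKA_OFFSETS_TOPIC_REPLICATION_FACTOR: "1"
      KAFKA_TRANSACTION_STATE_LOG_REPLICATION_FACTOR: "1"
      KAFKA_TRANSACTION_STATE_LOG_MIN_ISR: "1"
      KAFKA_GROUP_INITIAL_REBALANCE_DELAY_MS: "0"
      KAFKA_NUM_PARTITIONS: "3"
    ports:
      - "9092:9092"

  kafka-ui:
    image: docker.redpanda.com/redpandadata/console:latest
    environment:
      CONFIG_FILEPATH: /etc/console/config.yaml
      KAFKA_BROKERS: kafka:19092
    # Web UI published on all host interfaces; whether it requires a login is
    # decided by ./kafka-ui.yml, not here.
    ports:
      - "8080:8080"
    depends_on:
      kafka:
        condition: service_started
    volumes:
      # Mounted read-only: the container has no reason to write to either path.
      - ./kafka-ui.yml:/etc/console/config.yaml:ro
      - ./protos:/proto:ro

networks:
  # The implicit network all the app services share (postgres, kafka, …).
  default:
  # Isolated bridge shared ONLY by the server and the scraper. The scraper is
  # deliberately not attached to `default`, so a compromised scraper has no
  # network route to the other containers regardless of its in-container
  # firewall — they are not reachable on any network it is a member of.
  scraper_link:

volumes:
  postgres-data:
  rustfs-data: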