GoblinPay/deploy/docker-compose.yml
2ro 3fdf4a230c M11: reproducible deploy pipeline
Multi-stage non-root Dockerfile (builds -p gp-server against the nip44/nym siblings; excludes the goblin-tree dev crate), a full docker-compose (server + bundled nostr-rs-relay + auto-HTTPS Caddy), a hardened systemd unit (DynamicUser, ProtectSystem=strict, NoNewPrivileges, seed via LoadCredential), an install.sh bare-metal bootstrap, .env.example, and an fmt+clippy+test CI workflow for Gitea and GitHub.
2026-07-03 03:22:43 -04:00


# A full, self-contained GoblinPay till: the server, its BUNDLED relay, and an
# auto-HTTPS reverse proxy.
#
# cd deploy
# cp .env.example .env # then edit it (domain, tokens)
# mkdir -p secrets # drop the mounted-secret files in here
# docker compose up -d
#
# gives you:
# - gp-server : the GoblinPay payment server (this repo)
# - relay : a stock nostr-rs-relay, the bundled relay GP_RELAY_MODE=bundled
# points at (so no third-party relay is needed)
# - caddy : auto-TLS reverse proxy terminating HTTPS for both
#
# Set GP_DOMAIN in .env to your own domain BEFORE bringing it up: Caddy obtains
# a certificate for it, so DNS must already point at this host.
#
# NOTE on the build context: gp-server's Nostr/Nym path depends on the sibling
# crates nip44/ and nym/ (see deploy/Dockerfile), so the build context is the
# workspace parent (`../..`) that holds GoblinPay, nip44, and nym.
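services:
  gp-server:
    build:
      context: ../..
      dockerfile: GoblinPay/deploy/Dockerfile
    image: goblinpay:latest
    restart: unless-stopped
    # Same mitigation the hardened systemd unit applies (NoNewPrivileges): no
    # process in this container can gain privileges through setuid binaries or
    # file capabilities.
    security_opt:
      - no-new-privileges:true
    env_file: .env
    environment:
      # Bundled relay (default mode). GP_BUNDLED_RELAY_URL is BOTH dialed by the
      # server and advertised to payers in the nprofile, so it must be the
      # relay's PUBLIC url (payers connect here); the server reaches it back
      # through Caddy.
      GP_RELAY_MODE: bundled
      GP_BUNDLED_RELAY_URL: ${GP_BUNDLED_RELAY_URL:-wss://relay.${GP_DOMAIN}}
      GP_PUBLIC_URL: ${GP_PUBLIC_URL:-https://${GP_DOMAIN}}
      # Quoted so the host:port value is unambiguously a string.
      GP_BIND: "0.0.0.0:8080"
      GP_DB_PATH: /data/goblinpay.db
      GP_DATA_DIR: /data/gp-data
      # Money/identity secrets come from mounted files (never the image/env):
      GP_MNEMONIC_FILE: /run/secrets/gp_mnemonic
      GP_WALLET_PASSWORD_FILE: /run/secrets/gp_wallet_password
      GP_NCRYPTSEC_FILE: /run/secrets/gp_ncryptsec
    volumes:
      - gp-data:/data
      # Read-only bind mount of the operator-provided secret files; keep
      # ./secrets out of version control and owner-readable only.
      - ./secrets:/run/secrets:ro
    # Not published on the host: the till is reachable only on the compose
    # network, i.e. through Caddy.
    expose:
      - "8080"
    # Start ordering only; depends_on does not wait for the relay to accept
    # connections.
    depends_on:
      - relay

  relay:
    # NOTE(review): a floating tag is not reproducible; pin by digest
    # (scsibug/nostr-rs-relay@sha256:<digest-placeholder>) once one is chosen.
    image: scsibug/nostr-rs-relay:latest
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    volumes:
      - ./relay/nostr-rs-relay.toml:/usr/src/app/config.toml:ro
      - relay-data:/usr/src/app/db
    # Not published on the host; payers reach the relay via Caddy only.
    expose:
      - "7777"
    # Bound the relay's footprint so an unauthenticated flood cannot starve the
    # till or proxy on the same host.
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: "1.0"

  caddy:
    image: caddy:2
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    depends_on:
      - gp-server
      - relay
    environment:
      # Fail fast if GP_DOMAIN is unset: the whole file is interpolated before
      # any container starts, so this guard also protects the gp-server URLs
      # above, which would otherwise silently expand to "https://" and
      # "wss://relay." (the old "pay.example" fallback is a reserved name and
      # could never obtain a certificate anyway).
      GP_DOMAIN: ${GP_DOMAIN:?GP_DOMAIN is not set - put it in .env before docker compose up}
    # The only host-published ports in the stack.
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy-data:/data
      - caddy-config:/config

volumes:
  gp-data:
  relay-data:
  caddy-data:
  caddy-config: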