Multi-stage non-root Dockerfile (builds -p gp-server against the nip44/nym siblings; excludes the goblin-tree dev crate), a full docker-compose (server + bundled nostr-rs-relay + auto-HTTPS Caddy), a hardened systemd unit (DynamicUser, ProtectSystem=strict, NoNewPrivileges, seed via LoadCredential), an install.sh bare-metal bootstrap, .env.example, and an fmt+clippy+test CI workflow for Gitea and GitHub.
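# A full, self-contained GoblinPay till: the server, its BUNDLED relay, and an
# auto-HTTPS reverse proxy.
#
#   cd deploy
#   cp .env.example .env   # then edit it (domain, tokens)
#   mkdir -p secrets       # drop the mounted-secret files in here
#   docker compose up -d
#
# gives you:
#   - gp-server : the GoblinPay payment server (this repo)
#   - relay     : a stock nostr-rs-relay, the bundled relay GP_RELAY_MODE=bundled
#                 points at (so no third-party relay is needed)
#   - caddy     : auto-TLS reverse proxy terminating HTTPS for both
#
# GP_DOMAIN must be set in .env BEFORE bringing the stack up, and `docker
# compose` refuses to start without it (see the `${GP_DOMAIN:?...}` expansion
# in the caddy service): an unset or placeholder domain would otherwise be
# baked into the relay URL advertised to payers, and Caddy would try to obtain
# a certificate for a host it does not own. DNS for GP_DOMAIN and
# relay.GP_DOMAIN must already point at this host.
#
# Secrets: the mnemonic, wallet password and ncryptsec are read from files in
# ./secrets, bind-mounted read-only at /run/secrets. Every file in that
# directory is visible inside the container, so keep only those three there,
# make them readable by the uid the image runs as (see deploy/Dockerfile) and
# by nobody else on the host. Values from .env, by contrast, become container
# environment and are visible to anyone who can `docker inspect` — which is
# why the key material is NOT passed that way.
#
# NOTE on the build context: gp-server's Nostr/Nym path depends on the sibling
# crates nip44/ and nym/ (see deploy/Dockerfile), so the build context is the
# workspace parent (`../..`) that holds GoblinPay, nip44, and nym.

services:
  gp-server:
    build:
      context: ../..
      dockerfile: GoblinPay/deploy/Dockerfile
    image: goblinpay:latest
    restart: unless-stopped
    env_file: .env
    environment:
      # Relay mode defaults to bundled but honours GP_RELAY_MODE from .env.
      # A literal value here would silently override the env_file entry,
      # because `environment:` takes precedence over `env_file:`.
      GP_RELAY_MODE: ${GP_RELAY_MODE:-bundled}
      # GP_BUNDLED_RELAY_URL is BOTH dialed by the server and advertised to
      # payers in the nprofile, so it must be the relay's PUBLIC url (payers
      # connect here); the server reaches it back through Caddy. An empty
      # GP_DOMAIN never reaches this line: the caddy service below aborts the
      # whole `compose up` first.
      GP_BUNDLED_RELAY_URL: ${GP_BUNDLED_RELAY_URL:-wss://relay.${GP_DOMAIN}}
      GP_PUBLIC_URL: ${GP_PUBLIC_URL:-https://${GP_DOMAIN}}
      GP_BIND: "0.0.0.0:8080"
      GP_DB_PATH: /data/goblinpay.db
      GP_DATA_DIR: /data/gp-data
      # Money/identity secrets come from mounted files (never the image/env):
      GP_MNEMONIC_FILE: /run/secrets/gp_mnemonic
      GP_WALLET_PASSWORD_FILE: /run/secrets/gp_wallet_password
      GP_NCRYPTSEC_FILE: /run/secrets/gp_ncryptsec
    volumes:
      - gp-data:/data
      - ./secrets:/run/secrets:ro
    # Not published on the host: only Caddy (same compose network) reaches it.
    expose:
      - "8080"
    depends_on:
      - relay
    # The image runs as a non-root user and binds an unprivileged port, so it
    # needs no capabilities; also forbid regaining any through setuid
    # binaries. If an entrypoint that chowns /data or drops privileges itself
    # is ever added, re-grant CHOWN/SETUID/SETGID here.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true

  relay:
    # Pin this to a release tag (or an @sha256 digest) before a production
    # deploy: `latest` re-resolves on every pull, so a `docker compose pull`
    # can swap the relay underneath the till without anyone reviewing it.
    image: scsibug/nostr-rs-relay:latest
    restart: unless-stopped
    volumes:
      - ./relay/nostr-rs-relay.toml:/usr/src/app/config.toml:ro
      - relay-data:/usr/src/app/db
    # Internal only; payers reach it as wss://relay.GP_DOMAIN via Caddy.
    expose:
      - "7777"
    security_opt:
      - no-new-privileges:true
    # Bound the relay's footprint so an unauthenticated flood cannot starve the
    # till or proxy on the same host.
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: "1.0"

  caddy:
    image: caddy:2
    restart: unless-stopped
    depends_on:
      - gp-server
      - relay
    environment:
      # Required, no default: a placeholder here would make Caddy request a
      # certificate for a domain we do not control while the till advertises
      # a dead URL. `:?` aborts `docker compose up` with this message when the
      # variable is unset or empty.
      GP_DOMAIN: ${GP_DOMAIN:?set GP_DOMAIN in deploy/.env to the public hostname of this till}
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      # Certificates and ACME account keys live in /data; losing this volume
      # means re-issuing them.
      - caddy-data:/data
      - caddy-config:/config
    security_opt:
      - no-new-privileges:true

volumes:
  gp-data:
  relay-data:
  caddy-data:
  caddy-config: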