Goblin 16302ed309 floonet-strfry: hardened strfry relay for the Grin community
Stock strfry + a default-deny write-policy plugin (kinds 0,3,5,13,1059,
10002,10050,27235 only), NIP-42 auth, neutral NIP-11, a bundled name
authority (paid names/uses via GoblinPay), and a config-toggled co-located
mixnet exit. Docker Compose + Caddy + hardened systemd. strfry core stays
stock (plugin + config only). Validated end to end against real strfry.
2026-07-02 08:20:30 -04:00


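# A full, self-contained Floonet relay with automatic HTTPS.
#
#   cp .env.example .env   # edit FLOONET_DOMAIN etc.
#   docker compose up -d
#
# gives you:
#   - relay     : stock strfry (built from source at a pinned ref) + the
#                 Floonet write policy plugin (default-deny kind whitelist,
#                 optional NIP-42 and paid-write gates)
#   - authority : the bundled name authority (name@domain -> pubkey, with
#                 optional paid names / paid write access via GoblinPay)
#   - caddy     : auto-TLS reverse proxy terminating HTTPS for both
#   - mixexit   : OPTIONAL scoped mixnet exit (COMPOSE_PROFILES=exit), so
#                 wallets can reach this relay over the mixnet
#
# Set FLOONET_DOMAIN / FLOONET_BASE_URL / FLOONET_RELAYS in `.env` (copy
# .env.example) BEFORE bringing it up: Caddy obtains a certificate for
# FLOONET_DOMAIN, so DNS must already point at this host.
#
# Network layout: `internal` carries relay <-> authority <-> caddy traffic
# and is never joined by the mixnet exit; `edge` is shared only by caddy and
# mixexit, so the exit can reach this stack's TLS front and nothing else.
# Only caddy publishes host ports (80/443); relay and authority are reachable
# solely through it.
services:
  relay:
    build:
      context: .
      dockerfile: deploy/strfry/Dockerfile
    image: floonet-strfry:latest
    restart: unless-stopped
    networks:
      - internal
    environment:
      # Write policy plugin configuration (the plugin inherits strfry's
      # environment). See plugin/floonet_writepolicy.py and .env.example.
      FLOONET_ALLOWED_KINDS: "${FLOONET_ALLOWED_KINDS:-0,3,5,13,1059,10002,10050,27235}"
      FLOONET_REQUIRE_AUTH: "${FLOONET_REQUIRE_AUTH:-false}"
      FLOONET_PAY_MODE: "${FLOONET_PAY_MODE:-off}"
      # Plain HTTP is acceptable only because `internal` is not reachable
      # from outside the stack.
      FLOONET_AUTHORITY_URL: "http://authority:8191"
      FLOONET_PAID_CACHE_SECS: "${FLOONET_PAID_CACHE_SECS:-60}"
    volumes:
      - relay-data:/strfry-db
      - ./deploy/strfry/strfry.conf:/app/strfry.conf:ro
    expose:
      - "7777"
    # Bound the relay's footprint so an unauthenticated subscription/ingest
    # flood can't starve the authority or proxy on the same host.
    deploy:
      resources:
        limits:
          memory: 512M
          cpus: "1.0"

  authority:
    build: ./name-authority
    image: floonet-name-authority:latest
    restart: unless-stopped
    networks:
      - internal
    environment:
      # Identity. Override these in .env for your own deployment.
      FLOONET_DOMAIN: "${FLOONET_DOMAIN:-floonet.example}"
      FLOONET_BASE_URL: "${FLOONET_BASE_URL:-https://floonet.example}"
      FLOONET_RELAYS: "${FLOONET_RELAYS:-wss://floonet.example}"
      # In-container paths (persisted on the named volume). The bind is
      # wide open inside the container, but the port is only exposed to
      # the `internal` network, never published on the host.
      FLOONET_NAMES_BIND: "0.0.0.0:8191"
      FLOONET_NAMES_DB: /data/names.db
      # Paid mode (all optional; free by default). See .env.example.
      # GOBLINPAY_* are secrets: keep them in .env (not committed), never here.
      FLOONET_PAY_MODE: "${FLOONET_PAY_MODE:-off}"
      FLOONET_NAME_PRICE_GRIN: "${FLOONET_NAME_PRICE_GRIN:-0}"
      FLOONET_WRITE_PRICE_GRIN: "${FLOONET_WRITE_PRICE_GRIN:-0}"
      GOBLINPAY_URL: "${GOBLINPAY_URL:-}"
      GOBLINPAY_TOKEN: "${GOBLINPAY_TOKEN:-}"
      GOBLINPAY_WEBHOOK_SECRET: "${GOBLINPAY_WEBHOOK_SECRET:-}"
    volumes:
      - authority-data:/data
    expose:
      - "8191"

  caddy:
    image: caddy:2
    restart: unless-stopped
    depends_on:
      - authority
      - relay
    # Bridges both networks: it proxies to relay/authority on `internal`
    # and is the only thing mixexit can see on `edge`.
    networks:
      - internal
      - edge
    environment:
      FLOONET_DOMAIN: "${FLOONET_DOMAIN:-floonet.example}"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./deploy/Caddyfile:/etc/caddy/Caddyfile:ro
      - ./deploy/landing:/srv/landing:ro
      - caddy-data:/data
      - caddy-config:/config

  # The optional co-located mixnet exit. Off unless the `exit` profile is
  # active (set COMPOSE_PROFILES=exit in .env, the package's exit toggle).
  # It pipes every accepted mixnet stream to this stack's own TLS front, so
  # wallets reach the relay over the mixnet with end-to-end TLS; the exit
  # sees only ciphertext and, because it sits only on the `edge` network,
  # can reach nothing but caddy. Its stable mixnet address is printed at
  # startup and written to the volume's nym_address.txt; publish that
  # address (relay pool `exit` field) so wallets can find it.
  mixexit:
    build: ./mixexit
    image: floonet-mixexit:latest
    restart: unless-stopped
    profiles: ["exit"]
    depends_on:
      - caddy
    networks:
      - edge
    environment:
      FLOONET_MIXEXIT_DIR: /data
      # Must resolve on `edge`; the default is the caddy service name.
      FLOONET_EXIT_UPSTREAM: "${FLOONET_EXIT_UPSTREAM:-caddy:443}"
    volumes:
      - mixexit-data:/data

networks:
  # relay, authority and caddy; never the mixnet exit.
  internal: {}
  # caddy and mixexit only.
  edge: {}

volumes:
  relay-data: {}
  authority-data: {}
  caddy-data: {}
  caddy-config: {}
  mixexit-data: {}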