BurgerGames/NetBirdMSP-Appliance
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
831564762b111ba9b7fc9bda886f0c4b31b1eb8e
NetBirdMSP-Appliance/docker-compose.yml

84 lines
2.4 KiB
YAML
Raw Blame History

services:
# ---------------------------------------------------------------------------
# Docker Socket Proxy — limits Docker API access to only what is needed.
# The main app container no longer has direct access to /var/run/docker.sock.
# ---------------------------------------------------------------------------
docker-socket-proxy:
image: tecnativa/docker-socket-proxy:latest
container_name: docker-socket-proxy
restart: unless-stopped
environment:
# Read-only endpoints
CONTAINERS: 1
IMAGES: 1
NETWORKS: 1
INFO: 1
# Write endpoints (needed for compose up/down/start/stop)
POST: 1
DELETE: 1
# Volumes needed for docker compose (creates/removes volumes per customer)
VOLUMES: 1
# Explicitly deny dangerous endpoints
AUTH: 0
SECRETS: 0
SWARM: 0
NODES: 0
SERVICES: 0
TASKS: 0
CONFIGS: 0
PLUGINS: 0
BUILD: 0
COMMIT: 0
DISTRIBUTION: 0
EXEC: 1
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro,z
networks:
- npm-network
# Only accessible from within the Docker network — never expose port externally
netbird-msp-appliance:
build:
context: .
args:
GIT_COMMIT: ${GIT_COMMIT:-unknown}
GIT_BRANCH: ${GIT_BRANCH:-unknown}
GIT_COMMIT_DATE: ${GIT_COMMIT_DATE:-unknown}
GIT_TAG: ${GIT_TAG:-unknown}
container_name: netbird-msp-appliance
restart: unless-stopped
security_opt:
- label:disable
extra_hosts:
- "host.docker.internal:host-gateway"
depends_on:
- docker-socket-proxy
ports:
- "${WEB_UI_PORT:-8000}:8000"
volumes:
- ./data:/app/data:z
- ./logs:/app/logs:z
- ./backups:/app/backups:z
- /var/run/docker.sock:/var/run/docker.sock:z
- ${DATA_DIR:-/opt/netbird-instances}:${DATA_DIR:-/opt/netbird-instances}:z
- .:/app-source:z
environment:
- SECRET_KEY=${SECRET_KEY}
- DATABASE_PATH=/app/data/netbird_msp.db
- LOG_LEVEL=${LOG_LEVEL:-INFO}
- DATA_DIR=${DATA_DIR:-/opt/netbird-instances}
- DOCKER_NETWORK=${DOCKER_NETWORK:-npm-network}
- HOST_IP=${HOST_IP:-}
networks:
- npm-network
healthcheck:
test: [ "CMD", "curl", "-f", "http://localhost:8000/api/health" ]
interval: 30s
timeout: 10s
retries: 3
start_period: 15s
networks:
npm-network:
external: true
Reference in New Issue View Git Blame Copy Permalink