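# Docker Compose configuration for Survey Dashboard
# Orchestrates nginx reverse proxy and Panel application containers
version: '3.8'

services:
  # Panel application container
  dashboard:
    # Builds from Dockerfile in current directory
    # Uses multi-stage build to create optimized production image
    build: .
    # Port 5006 is reachable by other containers on the Compose network
    # (nginx-proxy); no host port is published for this service
    expose:
      - "5006"
    # Automatically restart if container crashes
    # Persists across system reboots unless manually stopped
    restart: unless-stopped
    environment:
      # Ensures Python output is sent directly to logs (not buffered)
      # Makes 'docker-compose logs' show real-time output
      - PYTHONUNBUFFERED=1
      # Tells nginx-proxy which domain should route to this container
      # nginx-proxy watches Docker and auto-configures when it sees this
      # variable. ':?' makes Compose stop with an error when HOST is unset or
      # empty, instead of starting a stack with no route and no certificate.
      - "VIRTUAL_HOST=${HOST:?HOST must be set}"
      # Path on the domain that nginx-proxy routes to this container
      # Example: VIRTUAL_PATH=/survey-dashboard means only /survey-dashboard/*
      # is accessible; all other paths on this domain return 404
      # NOTE(review): this is routing, not authentication - access control,
      # if required, has to come from the application or a vhost.d config
      - "VIRTUAL_PATH=${VIRTUAL_PATH}"
      # Protocol nginx-proxy uses to communicate with this container
      # TLS terminates at nginx-proxy; traffic between nginx-proxy and the
      # dashboard is plain HTTP on the Compose network
      - VIRTUAL_PROTO=http
      # Tells acme-companion to get SSL certificate for this domain
      # acme-companion watches Docker and auto-requests certificates when it
      # sees this
      - "LETSENCRYPT_HOST=${HOST:?HOST must be set}"
      # Email for Let's Encrypt certificate notifications
      # Used for expiry warnings and security notices about your certificates
      - "LETSENCRYPT_EMAIL=${LETSENCRYPT_EMAIL}"
    # Uncomment to mount local code for development
    # volumes:
    #   - ./survey_dashboard:/app/survey_dashboard

  # Nginx reverse proxy container with auto-configuration
  nginx-proxy:
    container_name: nginx-proxy
    # Auto-configuring reverse proxy that watches Docker containers
    # Automatically generates nginx config based on container environment
    # variables
    # NOTE(review): ':latest' is a floating tag, so every pull can change the
    # code running on the internet-facing ports; pin to a release tag or image
    # digest that has been tested
    image: nginxproxy/nginx-proxy:latest
    ports:
      # HTTP port - used for ACME challenges and auto-redirect to HTTPS
      - "80:80"
      # HTTPS port - secure encrypted connections
      - "443:443"
    volumes:
      # nginx-proxy auto-generates configuration based on container env vars
      # Custom per-domain configs can be placed in ./nginx/vhost.d/

      # SSL certificates storage (read-only for nginx-proxy)
      # acme-companion writes certificates here, nginx-proxy reads them
      # This host directory holds TLS private keys: keep it out of version
      # control and restrict its permissions on the host
      - ./nginx/certs:/etc/nginx/certs:ro
      # Per-domain custom nginx configurations
      # Files named after domains (e.g., survey.example.com) are included in
      # that domain's config, so write access to ./nginx/vhost.d is write
      # access to the proxy configuration
      - ./nginx/vhost.d:/etc/nginx/vhost.d
      # Web root for serving ACME challenge files during Let's Encrypt
      # verification
      # acme-companion creates challenge files here, nginx-proxy serves them
      - ./nginx/html:/usr/share/nginx/html
      # Docker socket for auto-discovery of containers
      # nginx-proxy watches for containers with VIRTUAL_HOST env var
      # SECURITY: ':ro' only makes the bind mount of the socket file
      # read-only; it does NOT limit the Docker API calls that can be sent
      # over the socket. A process in this container that can open the socket
      # can control the Docker daemon, which is equivalent to root on the
      # host, and this container is the one exposed on ports 80/443.
      # To reduce exposure, put a filtering socket proxy that allows only the
      # read endpoints in front of the socket, or use nginx-proxy's
      # separate-container layout so the socket is not mounted into the
      # container that serves traffic.
      - /var/run/docker.sock:/tmp/docker.sock:ro
    # Start ordering only: dashboard is started before nginx-proxy, but
    # Compose does not wait for the dashboard to be ready
    depends_on:
      - dashboard
    # Same restart policy as dashboard
    restart: unless-stopped
    labels:
      # Identifies this container as the nginx instance for acme-companion to
      # manage
      # acme-companion will reload this container when SSL certificates are
      # updated
      - "com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy=true"

  # Let's Encrypt certificate management container
  letsencrypt:
    container_name: acme-companion
    # ACME protocol client for automatic Let's Encrypt certificate management
    # Watches for containers with LETSENCRYPT_HOST environment variable
    # NOTE(review): no tag is given, so this resolves to ':latest'; pin to a
    # release tag or image digest that has been tested
    image: nginxproxy/acme-companion
    environment:
      # Tells acme-companion which nginx container to reload when
      # certificates update
      # Must match the container_name of nginx-proxy service
      - NGINX_PROXY_CONTAINER=nginx-proxy
      # Default email for Let's Encrypt certificate registration and
      # notifications
      # Individual containers can override with their own LETSENCRYPT_EMAIL
      # Used for certificate expiry warnings and security notices
      - "DEFAULT_EMAIL=${LETSENCRYPT_EMAIL}"
    volumes:
      # SSL certificates storage (read-write for acme-companion)
      # acme-companion writes new certificates here, nginx-proxy reads them
      # Note: :rw (not :ro like nginx-proxy) because acme-companion must
      # write certs
      - ./nginx/certs:/etc/nginx/certs:rw
      # Per-domain custom nginx configurations
      # acme-companion may add temporary configs for ACME challenge handling
      - ./nginx/vhost.d:/etc/nginx/vhost.d
      # Web root for ACME challenge files
      # acme-companion creates challenge files here, nginx-proxy serves them
      # to Let's Encrypt
      - ./nginx/html:/usr/share/nginx/html
      # Docker socket for container discovery and nginx reload
      # Watches for containers with LETSENCRYPT_HOST environment variable
      # Sends reload signal to nginx-proxy when certificates update
      # SECURITY: ':ro' applies to the socket file's bind mount only and does
      # not restrict Docker API calls (the reload signal above is itself sent
      # through this socket); treat this container as having full control of
      # the Docker daemon
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Named volume for Let's Encrypt account data (NOT a directory)
      # Stores account credentials, must persist across container restarts
      # Losing this data means re-registering with Let's Encrypt
      - acme-data:/etc/acme.sh
    # Start ordering only: nginx-proxy is started before acme-companion
    # acme-companion needs nginx-proxy to be running to reload it when
    # certificates update
    depends_on:
      - nginx-proxy
    # Automatically restart if container crashes
    # Persists across system reboots unless manually stopped
    # Critical for certificate renewal - Let's Encrypt certificates are valid
    # for 90 days, so this must stay running to renew them before they expire
    restart: unless-stopped

networks:
  # Docker Compose automatically creates a default network
  # All three services join this network and can communicate
  # Service names (dashboard, nginx-proxy, letsencrypt) work as DNS hostnames
  default: {}

volumes:
  # Named volume for Let's Encrypt account credentials
  # Docker manages this volume's lifecycle (persists across container
  # removals)
  # Only destroyed if explicitly deleted with:
  #   docker volume rm survey-dashboard_acme-data
  acme-data: {}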