4454744cba
- New HIY_ADMIN_USER / HIY_ADMIN_PASS env vars control access - Login page at /login with redirect-after-login support - Cookie-based sessions (HttpOnly, SameSite=Strict); cleared on restart - Auth middleware applied to all routes except /webhook/:app_id (HMAC) and /login - Auth is skipped when credentials are not configured (dev mode, warns at startup) - Logout link in both dashboard nav bars - Caddy admin port 2019 no longer published to the host in docker-compose https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH
80 lines
2.4 KiB
YAML
80 lines
2.4 KiB
YAML
# HIY — local development stack
|
|
# Run with: docker compose up --build
|
|
#
|
|
# On a real Pi you would run Caddy as a systemd service; here it runs in Compose
|
|
# so you can develop without changing the host.
|
|
|
|
services:
|
|
|
|
# ── Docker socket proxy (unix → TCP) ──────────────────────────────────────
|
|
docker-proxy:
|
|
image: alpine/socat
|
|
command: tcp-listen:2375,fork,reuseaddr unix-connect:/var/run/docker.sock
|
|
restart: unless-stopped
|
|
volumes:
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
networks:
|
|
- hiy-net
|
|
|
|
# ── Control plane ─────────────────────────────────────────────────────────
|
|
server:
|
|
build:
|
|
context: ..
|
|
dockerfile: infra/Dockerfile.server
|
|
restart: unless-stopped
|
|
ports:
|
|
- "3000:3000"
|
|
volumes:
|
|
- hiy-data:/data
|
|
# Mount the builder script so edits take effect without rebuilding.
|
|
- ../builder:/app/builder:ro
|
|
env_file:
|
|
- path: ../.env
|
|
required: false
|
|
environment:
|
|
HIY_DATA_DIR: /data
|
|
HIY_ADDR: 0.0.0.0:3000
|
|
HIY_BUILD_SCRIPT: /app/builder/build.sh
|
|
CADDY_API_URL: http://caddy:2019
|
|
DOCKER_HOST: tcp://docker-proxy:2375
|
|
RUST_LOG: hiy_server=debug,tower_http=info
|
|
depends_on:
|
|
caddy:
|
|
condition: service_started
|
|
docker-proxy:
|
|
condition: service_started
|
|
networks:
|
|
- hiy-net
|
|
- default
|
|
|
|
# ── Reverse proxy ─────────────────────────────────────────────────────────
|
|
caddy:
|
|
image: caddy:2-alpine
|
|
restart: unless-stopped
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
# Port 2019 (Caddy admin API) is intentionally NOT published to the host.
|
|
# It is only reachable within the hiy-net Docker network (http://caddy:2019).
|
|
env_file:
|
|
- path: ../.env
|
|
required: false
|
|
volumes:
|
|
- ../proxy/Caddyfile:/etc/caddy/Caddyfile:ro
|
|
- caddy-data:/data
|
|
- caddy-config:/config
|
|
command: caddy run --config /etc/caddy/Caddyfile --adapter caddyfile
|
|
networks:
|
|
- hiy-net
|
|
- default
|
|
|
|
networks:
|
|
hiy-net:
|
|
name: hiy-net
|
|
# External so deployed app containers can join it.
|
|
external: false
|
|
|
|
volumes:
|
|
hiy-data:
|
|
caddy-data:
|
|
caddy-config:
|