ControlR/docker-compose/docker-compose.yml at main · bitbound/ControlR · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
name: controlr

### Docker Secrets ###
# This config demonstrates using both Docker Secrets and environment variables for supplying
# secrets to services.  You need to choose which method to use for the values that are being
# supplied both ways (e.g. POSTGRES_USER).  You can "mix-and-match" if you want.  For example,
# you could choose to supply the Aspire Token via env vars and Postgres password via Secrets.
#
# If you decide to use Secrets:
#   - Remove all lines with the comment "Remove if using secrets".
#   - Uncomment the "_FILE" environment variables for the Postgres service.
#   - Ensure all the files in the top-level `secrets` section are created on the host system
#     and have the appropriate permissions set (e.g. 600).
#
# If you decide to use env vars:
#   - Remove all lines with the comment "Remove if using env".
#   - Make sure the top-level variables (e.g. ControlR_POSTGRES_USER) are supplied by the
#     host via environment variables or .env file.
#
# If using Secrets, any ControlR environment variable beginning with "ControlR_" can be replaced
# with a similarly-named secret file, minus the "ControlR_" prefix.  For example, if you create
# a secret file named "AppOptions__GitHubClientSecret", it will override the
# "ControlR_AppOptions__GitHubClientSecret" environment variable.
#
# See here for more info: https://docs.docker.com/compose/how-tos/use-secrets/


# These values are expected to be passed in by the host's environment or .env file.
x-postgres-user: &pgUser ${ControlR_POSTGRES_USER:?error} # Remove if using secrets
x-postgres-password: &pgPassword ${ControlR_POSTGRES_PASSWORD:?error} # Remove if using secrets
x-aspire-browser-token: &aspireToken ${ControlR_ASPIRE_BROWSER_TOKEN:?error} # Remove if using secrets

# The public URL where the Aspire Dashboard will be accessible via browser.
# For example, if your reverse proxy is set up to route https://metrics.example.com
# to Aspire, that is the URL you should use here.
x-aspire-public-url: &aspirePublicUrl "http://localhost:18888"

services:
  controlr:
    # It's recommended to change 'latest' to a specific version tag and update manually.
    image: bitbound/controlr:latest
    container_name: controlr
    restart: unless-stopped
    depends_on:
      - postgres
      - aspire
    ports:
      - "5120:8080"
    networks:
      - controlr-network
    secrets: # Remove if using env
      - POSTGRES_USER
      - POSTGRES_PASSWORD
      - POSTGRES_DB
      - KeyProtectionOptions__EncryptKeys
      - KeyProtectionOptions__CertificateContentsBase64
      - KeyProtectionOptions__CertificatePassword
      - AspireDashboard__Token
    environment:
      # ASPNETCORE variables should not be changed.
      ASPNETCORE_ENVIRONMENT: Production
      ASPNETCORE_HTTP_PORTS: 8080


      # Postgres connection details.
      ControlR_POSTGRES_PORT: 5432
      ControlR_POSTGRES_HOST: "postgres"
      ControlR_POSTGRES_USER: *pgUser # Remove if using secrets
      ControlR_POSTGRES_PASSWORD: *pgPassword # Remove if using secrets
      ControlR_POSTGRES_DB: "controlr" # Remove if using secrets

      # Whether to enable the configuration provider for Docker Secrets.
      ControlR_AppOptions__EnableDockerSecrets: false

      # The access token for the Aspire Dashboard, where server logs and telemetry can be viewed.
      #ControlR_AspireDashboard__Token: *aspireToken

      # The public URL for the Aspire Dashboard's web interface.
      ControlR_AspireDashboard__PublicWebUrl: *aspirePublicUrl

      # Whether to make self-registration publicly available.
      ControlR_AppOptions__EnablePublicRegistration: false

      # Allows devices to self-register without requiring an installer key.
      ControlR_AppOptions__AllowAgentsToSelfBootstrap: false

      # The name that appears in TOTP authenticator apps.
      ControlR_AppOptions__AuthenticatorIssuerName: "ControlR"

      # If enabled, signing in with a passkey will effectively add the "remember me" option.
      ControlR_AppOptions__PersistPasskeyLogin: false

      # Automatically obtain Cloudflare IPs from https://www.cloudflare.com/ips-v4
      # and add them to the KnownNetworks list for forwarded headers.
      ControlR_AppOptions__EnableCloudflareProxySupport: false

      # When enabled, bypasses KnownProxies/KnownIpNetworks checks and trusts all forwarded headers
      # from the reverse proxy.  Only enable this in secure environments where the reverse proxy
      # is guaranteed to be the only source of incoming traffic.
      ControlR_AppOptions__EnableNetworkTrust: false

      # Add an Azure Monitor connection string to enable exporting of OpenTelemetry data to Azure.
      #ControlR_AzureMonitor__ConnectionString:

      # Add an OTLP endpoint URL to enable exporting of OpenTelemetry data to an OTLP endpoint.
      ControlR_OTLP_ENDPOINT_URL: "http://aspire:18889"

      # Set the minimum level for logs sent to OTLP exporter and/or Azure Monitor.
      ControlR_Logging__LogLevel__Default: Information

      # The log level to use for HttpLogging middleware (when it's enabled).
      ControlR_Logging__LogLevel__Microsoft.AspNetCore.HttpLogging: Information

      # The log level for ForwardedHeadersMiddleware, among others. When set to debug,
      # this will log when a reverse proxy isn't trusted, which can help troubleshoot misconfigurations.
      ControlR_Logging__LogLevel__Microsoft.AspNetCore.HttpOverrides: Debug

      # For debugging.  When enabled, extra logs will be written for all HTTP requests and responses.
      # https://learn.microsoft.com/en-us/aspnet/core/fundamentals/http-logging
      ControlR_AppOptions__UseHttpLogging: false

      # Configure X.509 certificate-based encryption for Data Protection keys at rest.
      # If false, keys are not encrypted (not recommended for production).
      # When true, Data Protection keys will be encrypted using the certificate specified below.
      # An exception will be thrown at startup if the certificate is not configured or doesn't exist.
      ControlR_KeyProtectionOptions__EncryptKeys: false

      # The file path to a PFX (.pfx) certificate file for key encryption.
      # Mount the certificate file into the container and provide the container path here.
      #ControlR_KeyProtectionOptions__CertificatePath:

      # An alternative means of supplying the certificate.  It should be the
      # base64-encoded contents of the PFX file If this is set, it will
      # override CertificatePath.
      #ControlR_KeyProtectionOptions__CertificateContentsBase64:

      # The password for the PFX certificate file (if password-protected).
      # Leave empty if the PFX file has no password.
      #ControlR_KeyProtectionOptions__CertificatePassword:

      # The Gateway IP here must match the IP address used by the Docker gateway.
      ControlR_AppOptions__DockerGatewayIp: "::ffff:172.29.0.1"

      # The maximum allowed file size for transfers in the remote File System component.
      # Set to 0 or less for no limit.  Default is 100MB.
      ControlR_AppOptions__MaxFileTransferSize: 104857600

      # Whether users must confirm their email address before being allowed to log in.
      # If true, you must also configure SMTP settings below.
      ControlR_AppOptions__RequireUserEmailConfirmation: true

      # Disable all email sending from the application.
      ControlR_AppOptions__DisableEmailSending: false

      # SMTP settings are used for sending account-related emails, such as
      # account confirmation and password reset emails.  As of this writing,
      # emails are only used for Microsoft's Identity system.
      ControlR_AppOptions__SmtpDisplayName: ""
      ControlR_AppOptions__SmtpEmail: ""
      ControlR_AppOptions__SmtpHost: ""
      ControlR_AppOptions__SmtpLocalDomain: ""
      ControlR_AppOptions__SmtpCheckCertificateRevocation: true
      ControlR_AppOptions__SmtpPassword: ""
      ControlR_AppOptions__SmtpPort: 587
      ControlR_AppOptions__SmtpUserName: ""

      # Uncomment and add an entry for each proxy that will be forwarding traffic
      # to ControlR.  The app will not work correctly if this isn't done or if the
      # forwarded headers are not in the correct format.
      # See the docs for more details:
      # https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer
      #ControlR_AppOptions__KnownProxies__0:

      #ControlR_AppOptions__KnownNetworks__0:

      # To enable Microsoft account login, create an App Registration in Azure and
      # set the values below. Instructions can be found here:
      # https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/microsoft-logins
      #ControlR_AppOptions__MicrosoftClientId: ""
      #ControlR_AppOptions__MicrosoftClientSecret: ""

      # To enable GitHub login, create an OAuth app in GitHub set the values below.
      # Instructions can be found here:
      # https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps
      #ControlR_AppOptions__GitHubClientId: ""
      #ControlR_AppOptions__GitHubClientSecret: ""

  postgres:
    image: postgres:18
    container_name: postgres
    restart: unless-stopped
    ports:
      - "5432:5432"
    networks:
      - controlr-network
    volumes:
      - postgres-data:/var/lib/postgresql
    environment:
      POSTGRES_USER: *pgUser # Remove if using secrets
      POSTGRES_PASSWORD: *pgPassword # Remove if using secrets
      POSTGRES_DB: controlr # Remove if using secrets
      # Uncomment below if using secrets
      #POSTGRES_USER_FILE: /run/secrets/POSTGRES_USER # Remove if using env
      #POSTGRES_PASSWORD_FILE: /run/secrets/POSTGRES_PASSWORD # Remove if using env
      #POSTGRES_DB_FILE: /run/secrets/POSTGRES_DB # Remove if using env
    secrets: # Remove if using env
      - POSTGRES_PASSWORD
      - POSTGRES_DB
      - POSTGRES_USER

  aspire:
    image: mcr.microsoft.com/dotnet/aspire-dashboard:13.1
    container_name: aspire
    restart: unless-stopped
    ports:
      - "18888:18888"
    expose:
      - "18889"
    networks:
      - controlr-network
    environment:
      ASPIRE_DASHBOARD_FILE_CONFIG_DIRECTORY: /run/secrets # Remove if using env
      Dashboard__Frontend__BrowserToken: *aspireToken # Remove if using secrets
      Dashboard__Frontend__PublicUrl: *aspirePublicUrl
    secrets: # Remove if using env
      - Dashboard__Frontend__BrowserToken

volumes:
  postgres-data:
    name: "postgres-data"

networks:
  controlr-network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.29.0.0/16
          gateway: 172.29.0.1

secrets: # Remove if using env
  POSTGRES_USER:
    file: ./example-secrets/postgres_user
  POSTGRES_PASSWORD:
    file: ./example-secrets/postgres_password
  POSTGRES_DB:
    file: ./example-secrets/postgres_db
  KeyProtectionOptions__EncryptKeys:
    file: ./example-secrets/data-protection-encrypt-keys
  KeyProtectionOptions__CertificateContentsBase64:
    file: ./example-secrets/data-protection-cert-base64
  KeyProtectionOptions__CertificatePassword:
    file: ./example-secrets/data-protection-cert-password
  AspireDashboard__Token:
    file: ./example-secrets/aspire-dashboard-browser-token
  Dashboard__Frontend__BrowserToken:
    file: ./example-secrets/aspire-dashboard-browser-token