HangmanLab.Server.T1/docker-compose.yml
orion 4ca9e588b5 security: bind all ports to 127.0.0.1
Docker bypasses ufw and exposes 0.0.0.0-bound ports directly via
iptables DNAT rules, even when ufw default policy is deny. Bind
every service port to 127.0.0.1 so only nginx (and SSH tunnels for
wizard) can reach them from outside.
2026-04-16 08:54:19 +00:00


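# Compose stack: the HangmanLab backend/frontend, MySQL, the HarborForge
# backend/frontend with its setup wizard, and a host monitoring agent.
#
# Exposure model: every published port is bound to 127.0.0.1. Docker
# programs its own iptables DNAT rules, which a host firewall such as ufw
# does not filter, so a 0.0.0.0 binding would be reachable from outside
# regardless of the host's default-deny policy. Only a reverse proxy on
# the host (or an SSH tunnel) is meant to reach these ports.
#
# Secrets come from the host environment / .env. A value written as
# ${VAR:?msg} makes `docker compose up` fail with msg when VAR is unset,
# instead of silently running with a fallback.
services:
  backend:
    image: git.hangman-lab.top/hzhang/hangmanlab-backend:latest
    ports:
      - "127.0.0.1:${BACKEND_PORT}:${BACKEND_PORT}"
    # NOTE(review): env_file hands the entire .env to the container,
    # including MYSQL_ROOT_PASSWORD and the HarborForge secrets. An explicit
    # `environment:` list of only the keys the backend reads would narrow
    # that; left as-is because the required keys are not visible here.
    env_file:
      - .env
    depends_on:
      - mysql
    networks:
      - app-network
    volumes:
      - backend_dump:/app/dump

  frontend:
    image: git.hangman-lab.top/hzhang/hangmanlab-frontend:latest
    ports:
      - "127.0.0.1:${FRONTEND_PORT}:80"
    # NOTE(review): same .env over-sharing as `backend`; a frontend served
    # on port 80 is unlikely to need database credentials - confirm and trim.
    env_file:
      - .env
    depends_on:
      - backend
    networks:
      - app-network

  mysql:
    image: mysql:8.0
    container_name: mysql
    ports:
      # Loopback only (host-side admin tooling / SSH tunnel). Containers
      # reach MySQL over app-network regardless, so this mapping can be
      # dropped if nothing on the host needs direct database access.
      - "127.0.0.1:${DB_PORT}:${DB_PORT}"
    environment:
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      MYSQL_DATABASE: ${DB_NAME}
      MYSQL_USER: ${DB_USER}
      MYSQL_PASSWORD: ${DB_PASSWORD}
    volumes:
      - mysql_data:/var/lib/mysql
    networks:
      - app-network
    healthcheck:
      # The root password is interpolated into this command line, so it is
      # readable by anyone who can run `docker inspect` on the container;
      # keep Docker socket access limited to administrators.
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-p${MYSQL_ROOT_PASSWORD}"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 20s

  # One-shot job: runs ./mysql-init/10-harborforge.sh against mysql once it
  # is healthy (presumably database/user bootstrap for HarborForge - see
  # the script). Runs with root credentials, so it gets nothing else.
  hf_db_init:
    image: mysql:8.0
    restart: "no"
    environment:
      MYSQL_HOST: mysql
      MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
      DB_USER: ${DB_USER}
      HF_DB_NAME: ${HF_DB_NAME:-harborforge}
    volumes:
      - ./mysql-init/10-harborforge.sh:/init/10-harborforge.sh:ro
    entrypoint: ["/bin/sh", "/init/10-harborforge.sh"]
    depends_on:
      mysql:
        condition: service_healthy
    networks:
      - app-network

  hf_backend:
    image: git.hangman-lab.top/zhi/harborforge-backend:multi-stage
    restart: "no"
    ports:
      - "127.0.0.1:${HF_BACKEND_PORT}:8000"
    volumes:
      # Shared with `wizard`; mounted read-only here so only the wizard
      # (and wizard_init) can write the configuration.
      - wizard_config:/config:ro
    environment:
      CONFIG_DIR: /config
      CONFIG_FILE: harborforge.json
      # Required, no fallback: the previous default (`change_me_in_production`)
      # was a publicly known value, and anyone who knows the key can forge
      # whatever the application signs with it (sessions/tokens, presumably).
      # Compose aborts with the message below when HF_SECRET_KEY is unset.
      SECRET_KEY: "${HF_SECRET_KEY:?HF_SECRET_KEY is required}"
      LOG_LEVEL: ${HF_LOG_LEVEL:-INFO}
      # Credentials are embedded in the URL; they are only as protected as
      # the container environment (docker inspect, /proc/<pid>/environ).
      DATABASE_URL: mysql+pymysql://${DB_USER}:${DB_PASSWORD}@mysql:3306/${HF_DB_NAME:-harborforge}
    depends_on:
      hf_db_init:
        condition: service_completed_successfully
    networks:
      - app-network

  # One-shot root job that chowns the shared config volume to uid/gid 65532
  # (presumably the non-root user the wizard image runs as - verify against
  # that image) so the long-running wizard itself stays unprivileged.
  # Not attached to app-network, so it lands on the project default bridge;
  # it needs no network at all, and `network_mode: none` would make that
  # explicit.
  wizard_init:
    image: busybox:1.36
    restart: "no"
    user: "0:0"
    volumes:
      - wizard_config:/config
    command: ["sh", "-c", "chown -R 65532:65532 /config"]

  wizard:
    image: git.hangman-lab.top/nav/abstract-wizard:latest
    ports:
      - "127.0.0.1:${WIZARD_PORT}:8080"
    volumes:
      - wizard_config:/config
    environment:
      CONFIG_DIR: /config
      # 0.0.0.0 here is the container's own interface; host exposure is
      # still limited by the loopback port mapping above.
      LISTEN_ADDR: "0.0.0.0:8080"
      MAX_BACKUPS: "5"
      CORS_ORIGINS: ${HF_FRONTEND_HOST}
    depends_on:
      wizard_init:
        condition: service_completed_successfully
    networks:
      - app-network

  hf_frontend:
    image: git.hangman-lab.top/zhi/harborforge-frontend:latest
    ports:
      - "127.0.0.1:${HF_FRONTEND_PORT}:3000"
    environment:
      FRONTEND_DEV_MODE: ${HF_FRONTEND_DEV_MODE:-0}
      NODE_ENV: production
    depends_on:
      - wizard
      - hf_backend
    networks:
      - app-network

  # Host monitoring agent - the most privileged container in the stack.
  # network_mode: host means the loopback-binding policy above cannot apply
  # to it: anything it listens on is reachable exactly as if it ran on the
  # host. The bind of / is read-only but still exposes every host file,
  # secrets on disk included, to the monitor process. Only a trusted image
  # belongs here.
  harborforge-monitor:
    image: git.hangman-lab.top/zhi/harborforge-monitor:latest
    container_name: harborforge-monitor
    restart: unless-stopped
    environment:
      # Names are spelled MONITER deliberately: presumably that is what the
      # monitor image reads (the host-side variables are spelled MONITOR).
      HF_MONITER_BACKEND_URL: ${HF_MONITOR_BACKEND_URL:-https://hf-api.hangman-lab.top}
      HF_MONITER_IDENTIFIER: ${HF_MONITOR_IDENTIFIER}
      HF_MONITER_API_KEY: ${HF_MONITOR_API_KEY}
      HF_MONITER_REPORT_INTERVAL: "30"
      HF_MONITER_LOG_LEVEL: info
      HF_MONITER_ROOTFS: /host
    volumes:
      - /:/host:ro
    network_mode: host

networks:
  # Internal bridge shared by every service except the monitor and
  # wizard_init; published ports are the only way in from the host.
  app-network:
    driver: bridge

volumes:
  mysql_data:
  backend_dump:
  wizard_config: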