Files
teOS/docker/docker-compose.local.yml
Flexomatic81 0e8d5aef85 feat: add Docker deployment, web installer, and local test environment
- Multi-stage Dockerfiles for API (NestJS) and Web (Next.js standalone)
- docker-compose.prod.yml: full production stack (postgres, redis, keycloak,
  api, web) with optional Caddy/Let's Encrypt via --profile ssl
- docker-compose.local.yml: identical local test stack, all ports exposed
- docker/postgres/init.sql: auto-creates tos_app DB on first start
- Caddyfile: reverse proxy for app domain + auth subdomain
- install.sh: interactive installer (domain, SSL mode, secret generation)
- NestJS SetupModule: @Public() endpoints for /setup/status, /setup/admin,
  /setup/branding, /setup/complete with setup-token guard
- Web installer: 4-step flow (system check, admin creation, branding, complete)
  at /[locale]/setup/* with public middleware bypass
- i18n: installer namespace added to de.json and en.json
- CORS: x-setup-token header allowed in main.ts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-23 21:17:34 +01:00

201 lines
7.2 KiB
YAML

# =============================================================================
# tOS Local Docker Compose (Full-Stack)
# =============================================================================
# Lokaler Full-Stack zum Testen der containerisierten Anwendung.
# Alle Services laufen containerisiert mit exponierten Ports.
#
# Start: docker compose -f docker-compose.local.yml up -d --build
# Stop: docker compose -f docker-compose.local.yml down
# Reset: docker compose -f docker-compose.local.yml down -v
#
# Unterschied zum Dev-Stack (docker-compose.yml):
# - Dev-Stack: Nur Infra (Postgres, Redis, Keycloak), Apps laufen nativ
# - Local-Stack: Alle Services containerisiert (nahe an Produktion)
# =============================================================================
name: tos-local
services:
# ---------------------------------------------------------------------------
# PostgreSQL Database
# ---------------------------------------------------------------------------
postgres:
image: postgres:16-alpine
container_name: tos-postgres-local
restart: unless-stopped
environment:
POSTGRES_USER: ${POSTGRES_USER:-tos_user}
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-tos_local_password}
POSTGRES_DB: ${POSTGRES_DB:-tos_db}
POSTGRES_INITDB_ARGS: "--encoding=UTF8 --locale=C"
ports:
- "5432:5432"
volumes:
- postgres_local_data:/var/lib/postgresql/data
- ./postgres/init.sql:/docker-entrypoint-initdb.d/init.sql:ro
healthcheck:
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-tos_user} -d ${POSTGRES_DB:-tos_db}"]
interval: 10s
timeout: 5s
retries: 5
start_period: 10s
networks:
- tos-local-network
# ---------------------------------------------------------------------------
# Redis Cache & Queue
# ---------------------------------------------------------------------------
redis:
image: redis:7-alpine
container_name: tos-redis-local
restart: unless-stopped
command: redis-server --appendonly yes
ports:
- "6379:6379"
volumes:
- redis_local_data:/data
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 10s
timeout: 5s
retries: 5
networks:
- tos-local-network
# ---------------------------------------------------------------------------
# Keycloak Identity & Access Management (Dev Mode)
# ---------------------------------------------------------------------------
keycloak:
image: quay.io/keycloak/keycloak:24.0
container_name: tos-keycloak-local
restart: unless-stopped
command:
- start-dev
- --import-realm
environment:
KEYCLOAK_ADMIN: ${KEYCLOAK_ADMIN:-admin}
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin123}
KC_DB: postgres
KC_DB_URL: jdbc:postgresql://postgres:5432/${POSTGRES_DB:-tos_db}
KC_DB_USERNAME: ${POSTGRES_USER:-tos_user}
KC_DB_PASSWORD: ${POSTGRES_PASSWORD:-tos_local_password}
KC_HOSTNAME: localhost
KC_HOSTNAME_STRICT: "false"
KC_HOSTNAME_STRICT_HTTPS: "false"
KC_HTTP_ENABLED: "true"
KC_HEALTH_ENABLED: "true"
ports:
- "8080:8080"
volumes:
- ./keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:ro
healthcheck:
# Keycloak 24+ (UBI9) hat kein curl - nutze bash TCP redirect
test: >
bash -c 'exec 3<>/dev/tcp/localhost/8080 &&
echo -e "GET /health/ready HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n" >&3 &&
timeout 2 cat <&3 | grep -q "200 OK"'
interval: 30s
timeout: 15s
retries: 5
start_period: 90s
depends_on:
postgres:
condition: service_healthy
networks:
- tos-local-network
# ---------------------------------------------------------------------------
# tOS API (NestJS Backend)
# ---------------------------------------------------------------------------
api:
build:
context: ..
dockerfile: apps/api/Dockerfile
container_name: tos-api-local
restart: unless-stopped
environment:
NODE_ENV: production
PORT: "3001"
API_PREFIX: api
DATABASE_URL: postgresql://${POSTGRES_USER:-tos_user}:${POSTGRES_PASSWORD:-tos_local_password}@postgres:5432/tos_app
JWT_SECRET: ${JWT_SECRET:-local-jwt-secret-not-for-production-use}
ENCRYPTION_KEY: ${ENCRYPTION_KEY:-local-encryption-key-32-bytes-long!!}
KEYCLOAK_URL: http://keycloak:8080
KEYCLOAK_REALM: tOS
KEYCLOAK_CLIENT_ID: tos-backend
KEYCLOAK_CLIENT_SECRET: ${KEYCLOAK_CLIENT_SECRET:-}
KEYCLOAK_ADMIN_PASSWORD: ${KEYCLOAK_ADMIN_PASSWORD:-admin123}
REDIS_HOST: redis
REDIS_PORT: "6379"
SETUP_TOKEN: ${SETUP_TOKEN:-local-setup-token-for-testing}
ports:
- "3001:3001"
depends_on:
postgres:
condition: service_healthy
redis:
condition: service_healthy
keycloak:
condition: service_healthy
healthcheck:
test: ["CMD-SHELL", "wget -qO- http://localhost:3001/api/v1/health/liveness || exit 1"]
interval: 30s
timeout: 10s
retries: 3
start_period: 60s
networks:
- tos-local-network
# ---------------------------------------------------------------------------
# tOS Web Frontend (Next.js)
# ---------------------------------------------------------------------------
# HINWEIS zum Keycloak-Issuer-Problem in Docker:
# Next.js/NextAuth validiert Tokens server-seitig gegen den Issuer.
# Der Browser erreicht Keycloak ueber localhost:8080, aber der Container
# muss ueber den Docker-Netzwerknamen "keycloak:8080" zugreifen.
#
# Loesung: KEYCLOAK_ISSUER fuer Browser-Redirects (localhost),
# NEXTAUTH_KEYCLOAK_ISSUER fuer server-seitige Validierung (Docker-intern)
# ---------------------------------------------------------------------------
web:
build:
context: ..
dockerfile: apps/web/Dockerfile
container_name: tos-web-local
restart: unless-stopped
environment:
NEXT_PUBLIC_APP_URL: http://localhost:3000
NEXT_PUBLIC_API_URL: http://localhost:3001/api/v1
NEXTAUTH_URL: http://localhost:3000
NEXTAUTH_SECRET: ${NEXTAUTH_SECRET:-local-nextauth-secret}
KEYCLOAK_CLIENT_ID: tos-nextauth
KEYCLOAK_CLIENT_SECRET: ${NEXTAUTH_KEYCLOAK_CLIENT_SECRET:-tos-nextauth-secret-dev}
# Browser-seitige Redirects: localhost (erreichbar vom Host)
KEYCLOAK_ISSUER: http://localhost:8080/realms/tOS
# Server-seitige Token-Validierung: Docker-internes Netzwerk
NEXTAUTH_KEYCLOAK_ISSUER: http://keycloak:8080/realms/tOS
ports:
- "3000:3000"
depends_on:
api:
condition: service_healthy
networks:
- tos-local-network
# =============================================================================
# Volumes
# =============================================================================
volumes:
postgres_local_data:
name: tos-local-postgres-data
redis_local_data:
name: tos-local-redis-data
# =============================================================================
# Networks
# =============================================================================
networks:
tos-local-network:
name: tos-local-network
driver: bridge