# WarpShift-TUI private local Compose file.
# This exposes the TUI binary with config and secret mounts suitable for
# interactive local use. It is NOT designed for production server deployment.
#
# Usage:
# 1. Copy configs/warpshift.example.toml to configs/warpshift.local.toml
# and customize it for your environment.
# 2. Place your WARP identity JSON at configs/warpshift.identity.json
# (the path referenced by warpshift.local.toml).
# 3. Build and start:
# docker compose build
# docker compose up
#
# CLI subcommands (one-off containers):
# docker compose run --rm warpshift config validate
# docker compose run --rm warpshift identity import \
# --input /home/warpshift/configs/warpshift.identity.json
# docker compose run --rm warpshift wireguard export
#
# Mount-points:
#   ./configs/warpshift.local.toml    -> /home/warpshift/configs/warpshift.local.toml    (read-only)
#   ./configs/warpshift.identity.json -> /home/warpshift/configs/warpshift.identity.json (read-only)
#   ./state                           -> /home/warpshift/state                           (writable)
# The state directory receives the output of `identity import` and
# `wireguard export`, so it is likely to contain key material: keep it, and
# the identity JSON, out of version control and restrict their host permissions.
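services:
  warpshift:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        VERSION: "${VERSION:-dev}"
    image: warpshift-tui:local
    container_name: warpshift-tui
    # Interactive TUI: keep stdin attached and allocate a pseudo-terminal.
    stdin_open: true
    tty: true
    # Quoted on purpose: an unquoted `no` is parsed as the boolean false.
    restart: "no"
    working_dir: /home/warpshift
    # Launch the TUI by default. Override for CLI subcommands:
    #   docker compose run --rm warpshift <subcommand>
    command: ["tui"]
    # ---- Security hardening ----
    # Root filesystem is read-only. Use the state volume for write operations
    # (identity import, WireGuard export, profile writes).
    read_only: true
    # No `user:` is set, so the unprivileged account is expected to come from
    # the Dockerfile's USER (working_dir points at /home/warpshift).
    # NOTE(review): confirm the image does not run as root; if it does, add
    # `user:` here rather than relying on the capability drops alone.
    security_opt:
      - "no-new-privileges:true"
    cap_drop:
      - ALL
    # WireGuard interface management requires NET_ADMIN; all other
    # capabilities are dropped. NET_ADMIN still lets the process reconfigure
    # the container's network namespace (interfaces, routes, firewall rules).
    # If this container only writes a WireGuard config (`wireguard export`)
    # and never brings an interface up, this can be dropped too — TODO confirm
    # against the binary.
    cap_add:
      - NET_ADMIN
    tmpfs:
      - /tmp:noexec,nosuid,nodev,size=64M
    # Upper bound on processes in the container. A TUI plus one-off
    # subcommands needs far fewer; this mainly bounds a runaway fork.
    pids_limit: 256
    # ---- Healthcheck ----
    # Verifies the binary runs by executing 'warpshift version' inside the
    # container. Exec form (CMD) is used instead of CMD-SHELL so the probe does
    # not depend on /bin/sh existing in the image; Docker captures the probe's
    # output itself, so no redirection is needed. No HTTP endpoint or secrets
    # are exposed. start_period gives the TUI time to initialise before failed
    # probes count; after `retries` consecutive failures Docker marks the
    # container unhealthy.
    healthcheck:
      test: ["CMD", "warpshift", "version"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s
    # ---- Volumes ----
    # The two config files use long syntax with create_host_path: false so
    # Compose fails fast when a file is missing on the host. With the default
    # (true), a missing file is silently replaced by an empty host directory
    # mounted where the container expects a file.
    volumes:
      # Local TOML config (read-only). Create it from the example file first.
      - type: bind
        source: ./configs/warpshift.local.toml
        target: /home/warpshift/configs/warpshift.local.toml
        read_only: true
        bind:
          create_host_path: false
      # Local identity JSON (read-only, referenced by warpshift.local.toml).
      - type: bind
        source: ./configs/warpshift.identity.json
        target: /home/warpshift/configs/warpshift.identity.json
        read_only: true
        bind:
          create_host_path: false
      # Writable state directory for identity import, WireGuard export, and
      # profile writes. After those commands run it likely holds key material:
      # keep it out of version control and restrict its host permissions.
      - ./state:/home/warpshift/state
    # ---- Environment ----
    # Only the timezone is passed in; secrets come from the mounted files,
    # never from environment variables (which leak via `docker inspect`).
    environment:
      - TZ=${TZ:-UTC}
    # ---- Resource limits ----
    deploy:
      resources:
        limits:
          cpus: "1"
          memory: 256M
        reservations:
          cpus: "0.25"
          memory: 64M
    # ---- Logging ----
    # Cap local log growth to 3 rotated files of 10 MiB each.
    logging:
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"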