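# Single-host compose stack for the PDS (core), its auth service, the Caddy
# TLS front, and the demo OAuth clients.
#
# Exposure model: `caddy` is the only service intended to be reachable from
# off-host (80/443). `core`, `auth` and `demo` are reached through it via the
# public hostnames from .env. Their direct `ports:` below exist for the
# host-side e2e suite and speak plain HTTP, so they are bound to loopback by
# default; set BIND_ADDRESS=0.0.0.0 (in .env or the shell) only when the test
# runner is not on this host.
#
# NOTE(review): `env_file: .env` hands the *entire* root .env to core, auth
# and caddy, including values only one service needs (e.g.
# DEMO_UNTRUSTED_PRIVATE_JWK is consumed only by demo-untrusted). Splitting
# per-service secrets into per-service env files, or listing just the needed
# keys under `environment:`, would narrow what a compromised container can
# read.
services:
  core:
    build:
      context: .
      dockerfile: Dockerfile.pds
    ports:
      # Loopback-only by default (see header); host_port is configurable.
      - '${BIND_ADDRESS:-127.0.0.1}:${PDS_PORT:-3000}:3000'
    env_file: .env
    environment:
      - PDS_PORT=3000
      # Optional /_internal/test/* hooks used by the e2e suite (e.g.
      # backdating account_device.updatedAt past upstream's 7-day
      # authenticationMaxAge so checkLoginRequired returns true).
      # Defaults OFF so the local docker-compose stack matches a
      # production deployment by default; opt in for e2e runs by setting
      # EPDS_TEST_HOOKS=1 in your .env or shell. The router additionally
      # throws at startup if NODE_ENV=production, regardless of this var.
      - EPDS_TEST_HOOKS=${EPDS_TEST_HOOKS:-0}
    volumes:
      - pds-data:/data
    # Nothing in this stack relies on setuid/setcap escalation inside a
    # container, so forbid it outright.
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    healthcheck:
      test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:3000/health']
      interval: 10s
      timeout: 3s
      retries: 3
      start_period: 15s

  auth:
    build:
      context: .
      dockerfile: Dockerfile.auth
    ports:
      # Loopback-only by default (see header); host_port is configurable.
      - '${BIND_ADDRESS:-127.0.0.1}:${AUTH_PORT:-3001}:3001'
    env_file: .env
    environment:
      - AUTH_PORT=3001
      # Optional /_internal/test/* hooks used by the e2e suite (e.g. forcing
      # OTP expiry without a 10-minute wait). Defaults OFF — opt in for e2e
      # runs by setting EPDS_TEST_HOOKS=1 in your .env or shell. The router
      # additionally throws at startup if NODE_ENV=production, regardless
      # of this var.
      - EPDS_TEST_HOOKS=${EPDS_TEST_HOOKS:-0}
    volumes:
      - auth-data:/data
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    healthcheck:
      test: ['CMD', 'wget', '--spider', '-q', 'http://localhost:3001/health']
      interval: 10s
      timeout: 3s
      retries: 3
      start_period: 10s

  caddy:
    # Floating major tag. For a production host, pin by digest
    # (caddy:2-alpine@sha256:…) so the TLS terminator cannot drift on a re-pull.
    image: caddy:2-alpine
    ports:
      - '80:80'
      - '443:443'
    volumes:
      # Read-only: Caddy only reads the Caddyfile (runtime config goes to
      # /config), and a compromised container must not be able to rewrite
      # the routing / TLS policy on the host.
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy-data:/data
      - caddy-config:/config
    env_file: .env
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    networks:
      # Surface the public PDS / auth / demo hostnames inside the compose
      # network so sibling containers (demo, auth) can reach each other
      # via their real public URLs without NAT-hairpinning back out to
      # the public IP. Needed for OAuth flows where demo's PAR request
      # targets PDS_URL (public) but lives in the same docker network.
      default:
        aliases:
          - ${PDS_HOSTNAME:-pds.example}
          - auth.${PDS_HOSTNAME:-pds.example}
          - ${DEMO_HOSTNAME:-demo.pds.example}
          - ${DEMO_UNTRUSTED_HOSTNAME:-demo-untrusted.pds.example}
          - ${MAILPIT_HOSTNAME:-mailpit.pds.example}
    depends_on:
      core:
        condition: service_healthy
      auth:
        condition: service_healthy

  # Demo frontend (tutorial scaffold)
  demo:
    build:
      context: .
      dockerfile: Dockerfile.demo
    ports:
      # Loopback-only by default (see header); host_port is configurable.
      - '${BIND_ADDRESS:-127.0.0.1}:${DEMO_PORT:-3002}:3002'
    env_file: packages/demo/.env
    environment:
      - PDS_URL=https://${PDS_HOSTNAME:-pds.example}
      - PDS_INTERNAL_URL=http://core:3000
      - AUTH_ENDPOINT=https://auth.${PDS_HOSTNAME:-pds.example}/oauth/authorize
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    depends_on:
      core:
        condition: service_healthy

  # Second demo instance for e2e scenarios that need an untrusted OAuth
  # client (trusted-vs-untrusted branding tests, HYPER-268 cross-client
  # session reuse). Identical image, different PUBLIC_URL so the client_id
  # is distinct, and deliberately NOT listed in PDS_OAUTH_TRUSTED_CLIENTS.
  # Gated behind the `dev` compose profile — production deployments don't
  # spin it up. It publishes no host ports; it is reached only through the
  # caddy alias for DEMO_UNTRUSTED_HOSTNAME.
  demo-untrusted:
    build:
      context: .
      dockerfile: Dockerfile.demo
    env_file: packages/demo/.env
    environment:
      - PDS_URL=https://${PDS_HOSTNAME:-pds.example}
      - PDS_INTERNAL_URL=http://core:3000
      - AUTH_ENDPOINT=https://auth.${PDS_HOSTNAME:-pds.example}/oauth/authorize
      - PUBLIC_URL=https://${DEMO_UNTRUSTED_HOSTNAME:-demo-untrusted.pds.example}
      # Override the trusted-only skip-consent hint — an untrusted client
      # can advertise it but pds-core won't honour the flag.
      - EPDS_SKIP_CONSENT_ON_SIGNUP=
      # Blank theme so the untrusted client is visually distinct from the
      # trusted one when the latter opts into a demo theme (ocean, amber).
      - EPDS_CLIENT_THEME=
      # Distinct ES256 keypair so this confidential client cannot forge
      # client_assertion JWTs claiming to be the trusted demo. Sourced
      # from root .env (auto-loaded by compose for variable substitution)
      # so the trusted demo's keypair in packages/demo/.env stays scoped
      # to that container only. Without this override both demos would
      # share packages/demo/.env's EPDS_CLIENT_PRIVATE_JWK and either
      # could impersonate the other at the token endpoint.
      # If DEMO_UNTRUSTED_PRIVATE_JWK is unset, compose warns and this
      # expands to an empty value; because `environment` takes precedence
      # over `env_file`, that fails closed (empty key) rather than falling
      # back to the trusted demo's key. A `${…:?}` required-variable check is
      # deliberately not used here: interpolation runs for the whole file,
      # so it would also break production `up` runs that never enable the
      # `dev` profile.
      - EPDS_CLIENT_PRIVATE_JWK=${DEMO_UNTRUSTED_PRIVATE_JWK}
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    profiles:
      - dev
    depends_on:
      core:
        condition: service_healthy

  # Local email trap for development + e2e tests
  mailpit:
    # TODO(review): pin to a release tag or digest instead of `latest` so dev
    # and e2e runs are reproducible and an upstream tag change cannot land
    # in the stack unnoticed.
    image: axllent/mailpit:latest
    ports:
      # SMTP (1025) and HTTP UI/API (8025), loopback-only by default: SMTP
      # is unauthenticated and the UI is guarded only by the basic-auth pair
      # below, which defaults to admin:admin.
      - '${BIND_ADDRESS:-127.0.0.1}:1025:1025'
      - '${BIND_ADDRESS:-127.0.0.1}:8025:8025'
    environment:
      # Basic-auth creds for the HTTP UI + API. E2E suite reads these via
      # E2E_MAILPIT_USER / E2E_MAILPIT_PASS. Plaintext is fine for a
      # dev-only email trap — but if the Caddyfile publishes
      # MAILPIT_HOSTNAME on a routable IP, set non-default MAILPIT_USER /
      # MAILPIT_PASS, since captured mail includes OTPs and login links.
      - MP_UI_AUTH=${MAILPIT_USER:-admin}:${MAILPIT_PASS:-admin}
      - MP_MAX_MESSAGES=5000
    security_opt:
      - no-new-privileges:true
    profiles:
      - dev

volumes:
  pds-data:
  auth-data:
  caddy-data:
  caddy-config: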