rspace-online/docker-compose.encryptid.yml

# EncryptID Docker Compose
# Deploy with: docker compose -f docker-compose.encryptid.yml up -d

services:
  encryptid:
    build:
      context: ..
      dockerfile: rspace-online/Dockerfile.encryptid
    container_name: encryptid
    restart: unless-stopped
    depends_on:
      encryptid-db:
        condition: service_healthy
    environment:
      - NODE_ENV=production
      - PORT=3000
      - JWT_SECRET=${JWT_SECRET}
      - DATABASE_URL=postgres://encryptid:${ENCRYPTID_DB_PASSWORD}@encryptid-db:5432/encryptid
      - SMTP_HOST=${SMTP_HOST:-mx.jeffemmett.com}
      - SMTP_PORT=${SMTP_PORT:-587}
      - SMTP_USER=${SMTP_USER:-noreply@jeffemmett.com}
      - SMTP_PASS=${SMTP_PASS}
      - SMTP_FROM=${SMTP_FROM:-EncryptID <noreply@jeffemmett.com>}
      - RECOVERY_URL=${RECOVERY_URL:-https://encryptid.jeffemmett.com/recover}
    labels:
      # Traefik auto-discovery
      - "traefik.enable=true"
      - "traefik.http.routers.encryptid.rule=Host(`encryptid.jeffemmett.com`)"
      - "traefik.http.routers.encryptid.entrypoints=web"
      - "traefik.http.services.encryptid.loadbalancer.server.port=3000"
      # Also serve from root domain for .well-known
      - "traefik.http.routers.encryptid-wellknown.rule=Host(`jeffemmett.com`) && PathPrefix(`/.well-known/webauthn`)"
      - "traefik.http.routers.encryptid-wellknown.entrypoints=web"
    networks:
      - traefik-public
      - encryptid-internal
    healthcheck:
      test: ["CMD", "bun", "-e", "fetch('http://localhost:3000/health').then(r => r.json()).then(d => process.exit(d.database ? 0 : 1)).catch(() => process.exit(1))"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s

  encryptid-db:
    image: postgres:16-alpine
    container_name: encryptid-db
    restart: unless-stopped
    environment:
      - POSTGRES_DB=encryptid
      - POSTGRES_USER=encryptid
      - POSTGRES_PASSWORD=${ENCRYPTID_DB_PASSWORD}
    volumes:
      - encryptid-pgdata:/var/lib/postgresql/data
    networks:
      - encryptid-internal
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U encryptid -d encryptid"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s

volumes:
  encryptid-pgdata:

networks:
  traefik-public:
    external: true
  encryptid-internal:
    driver: bridge