From 47c442431b6bf44cd89263babe2341b14ceca573 Mon Sep 17 00:00:00 2001 From: Drdiffie <61631493+dr-diffie@users.noreply.github.com> Date: Thu, 21 Nov 2024 16:05:55 +0100 Subject: [PATCH] Update postiz.yaml ### Proposed Improvements to Postiz Template I'd like to propose several improvements to the current Postiz template that enhance security, reliability, and configuration flexibility: #### Security Enhancements - Added Redis ACL configuration with proper authentication - Implemented secure healthchecks with authentication - Enhanced PostgreSQL security configurations #### Reliability Improvements - Added memory limits and resource management for Redis - Implemented proper data persistence configurations - Added tmpfs for temporary files - More comprehensive healthcheck configurations with proper retry/timeout strategies - Better dependency management with health conditions #### Configuration Flexibility - Support for all environment variables from Postiz documentation - Added Cloudflare R2 integration support - Logical grouping of environment variables - Default values for critical settings - Better volume management with explicit drivers The improved template provides a more production-ready setup while maintaining compatibility with Coolify's requirements. It follows best practices for Docker deployments and provides better security out of the box. --- templates/compose/postiz.yaml | 183 +++++++++++++++++++++++----------- 1 file changed, 124 insertions(+), 59 deletions(-) diff --git a/templates/compose/postiz.yaml b/templates/compose/postiz.yaml index 34f268015..1ad216f26 100644 --- a/templates/compose/postiz.yaml +++ b/templates/compose/postiz.yaml @@ -6,92 +6,157 @@ services: postiz: - image: ghcr.io/gitroomhq/postiz-app:latest + image: 'ghcr.io/gitroomhq/postiz-app:latest' environment: + # Required Settings - SERVICE_FQDN_POSTIZ_5000 - - MAIN_URL=${SERVICE_FQDN_POSTIZ} - - FRONTEND_URL=${SERVICE_FQDN_POSTIZ} - - NEXT_PUBLIC_BACKEND_URL=${SERVICE_FQDN_POSTIZ}/api - - JWT_SECRET=${SERVICE_PASSWORD_JWTSECRET} - - DATABASE_URL=postgresql://${SERVICE_USER_POSTGRESQL}:${SERVICE_PASSWORD_POSTGRESQL}@postgresql:5432/${POSTGRESQL_DATABASE:-postiz-db} - - REDIS_URL=redis://${SERVICE_USER_REDIS}:${SERVICE_PASSWORD_REDIS}@redis:6379 - - BACKEND_INTERNAL_URL=http://localhost:3000 - - IS_GENERAL=true - - STORAGE_PROVIDER=local - - UPLOAD_DIRECTORY=/uploads - - NEXT_PUBLIC_UPLOAD_DIRECTORY=/uploads - - X_API_KEY=${SERVICE_X_API} - - X_API_SECRET=${SERVICE_X_SECRET} - - REDDIT_CLIENT_ID=${SERVICE_REDDIT_API} - - REDDIT_CLIENT_SECRET=${SERVICE_REDDIT_SECRET} - - TIKTOK_CLIENT_ID=${SERVICE_TIKTOK_ID} - - TIKTOK_CLIENT_SECRET=${SERVICE_TIKTOK_SECRET} - - SLACK_ID=${SERVICE_SLACK_ID} - - SLACK_SECRET=${SERVICE_SLACK_SECRET} - - PINTEREST_CLIENT_ID=${SERVICE_PINTEREST_ID} - - PINTEREST_CLIENT_SECRET=${SERVICE_PINTEREST_SECRET} - - DRIBBLE_CLIENT_ID=${SERVICE_DRIBBLE_ID} - - DRIBBLE_CLIENT_SECRET=${SERVICE_DRIBBLE_SECRET} - - DISCORD_CLIENT_ID=${SERVICE_DISCORD_ID} - - DISCORD_CLIENT_SECRET=${SERVICE_DISCORD_SECRET} - - DISCORD_BOT_TOKEN_ID=${SERVICE_DISCORD_TOKEN} - - YOUTUBE_CLIENT_ID=${SERVICE_YOUTUBE_ID} - - YOUTUBE_CLIENT_SECRET=${SERVICE_YOUTUBE_SECRET} - - MASTODON_CLIENT_ID=${SERVICE_MASTODON_ID} - - MASTODON_CLIENT_SECRET=${SERVICE_MASTODON_SECRET} - - LINKEDIN_CLIENT_ID=${SERVICE_LINKEDIN_ID} - - LINKEDIN_CLIENT_SECRET=${SERVICE_LINKEDIN_SECRET} - - INSTAGRAM_APP_ID=${SERVICE_INSTAGRAM_ID} - - INSTAGRAM_APP_SECRET=${SERVICE_INSTAGRAM_SECRET} - - FACEBOOK_APP_ID=${SERVICE_FACEBOOK_ID} - - FACEBOOK_APP_SECRET=${SERVICE_FACEBOOK_SECRET} - - THREADS_APP_ID=${SERVICE_THREADS_ID} - - THREADS_APP_SECRET=${SERVICE_THREADS_SECRET} - - GITHUB_CLIENT_ID=${SERVICE_GITHUB_ID} - - GITHUB_CLIENT_SECRET=${SERVICE_GITHUB_SECRET} - - BEEHIIVE_API_KEY=${SERVICE_BEEHIIVE_KEY} - - BEEHIIVE_PUBLICATION_ID=${SERVICE_BEEHIIVE_PUBID} - - OPENAI_API_KEY=${SERVICE_OPENAI_KEY} + - 'MAIN_URL=${SERVICE_FQDN_POSTIZ}' + - 'FRONTEND_URL=${SERVICE_FQDN_POSTIZ}' + - 'NEXT_PUBLIC_BACKEND_URL=${SERVICE_FQDN_POSTIZ}/api' + - 'DATABASE_URL=postgresql://${SERVICE_USER_POSTGRESQL}:${SERVICE_PASSWORD_POSTGRESQL}@postgres:5432/${POSTGRESQL_DATABASE:-postiz-db}' + - 'REDIS_URL=redis://${SERVICE_USER_REDIS}:${SERVICE_PASSWORD_REDIS}@redis:6379' + - 'JWT_SECRET=${SERVICE_PASSWORD_JWTSECRET}' + - 'BACKEND_INTERNAL_URL=http://localhost:3000' + + # Cloudflare R2 Settings + - 'CLOUDFLARE_ACCOUNT_ID=${CLOUDFLARE_ACCOUNT_ID}' + - 'CLOUDFLARE_ACCESS_KEY=${CLOUDFLARE_ACCESS_KEY}' + - 'CLOUDFLARE_SECRET_ACCESS_KEY=${CLOUDFLARE_SECRET_ACCESS_KEY}' + - 'CLOUDFLARE_BUCKETNAME=${CLOUDFLARE_BUCKETNAME}' + - 'CLOUDFLARE_BUCKET_URL=${CLOUDFLARE_BUCKET_URL}' + - 'CLOUDFLARE_REGION=${CLOUDFLARE_REGION}' + + # Storage Settings + - 'STORAGE_PROVIDER=${STORAGE_PROVIDER:-local}' + - 'UPLOAD_DIRECTORY=${UPLOAD_DIRECTORY:-/uploads}' + - 'NEXT_PUBLIC_UPLOAD_DIRECTORY=${NEXT_PUBLIC_UPLOAD_DIRECTORY:-/uploads}' + - 'NEXT_PUBLIC_UPLOAD_STATIC_DIRECTORY=${NEXT_PUBLIC_UPLOAD_STATIC_DIRECTORY}' + + # Email Settings + - 'RESEND_API_KEY=${RESEND_API_KEY}' + - 'EMAIL_FROM_ADDRESS=${EMAIL_FROM_ADDRESS}' + - 'EMAIL_FROM_NAME=${EMAIL_FROM_NAME}' + + # Social Media API Settings + - 'X_API_KEY=${SERVICE_X_API}' + - 'X_API_SECRET=${SERVICE_X_SECRET}' + - 'LINKEDIN_CLIENT_ID=${SERVICE_LINKEDIN_ID}' + - 'LINKEDIN_CLIENT_SECRET=${SERVICE_LINKEDIN_SECRET}' + - 'REDDIT_CLIENT_ID=${SERVICE_REDDIT_API}' + - 'REDDIT_CLIENT_SECRET=${SERVICE_REDDIT_SECRET}' + - 'GITHUB_CLIENT_ID=${SERVICE_GITHUB_ID}' + - 'GITHUB_CLIENT_SECRET=${SERVICE_GITHUB_SECRET}' + - 'THREADS_APP_ID=${SERVICE_THREADS_ID}' + - 'THREADS_APP_SECRET=${SERVICE_THREADS_SECRET}' + - 'FACEBOOK_APP_ID=${SERVICE_FACEBOOK_ID}' + - 'FACEBOOK_APP_SECRET=${SERVICE_FACEBOOK_SECRET}' + - 'YOUTUBE_CLIENT_ID=${SERVICE_YOUTUBE_ID}' + - 'YOUTUBE_CLIENT_SECRET=${SERVICE_YOUTUBE_SECRET}' + - 'TIKTOK_CLIENT_ID=${SERVICE_TIKTOK_ID}' + - 'TIKTOK_CLIENT_SECRET=${SERVICE_TIKTOK_SECRET}' + - 'PINTEREST_CLIENT_ID=${SERVICE_PINTEREST_ID}' + - 'PINTEREST_CLIENT_SECRET=${SERVICE_PINTEREST_SECRET}' + - 'DRIBBBLE_CLIENT_ID=${SERVICE_DRIBBLE_ID}' + - 'DRIBBBLE_CLIENT_SECRET=${SERVICE_DRIBBLE_SECRET}' + - 'DISCORD_CLIENT_ID=${SERVICE_DISCORD_ID}' + - 'DISCORD_CLIENT_SECRET=${SERVICE_DISCORD_SECRET}' + - 'DISCORD_BOT_TOKEN_ID=${SERVICE_DISCORD_TOKEN}' + - 'SLACK_ID=${SERVICE_SLACK_ID}' + - 'SLACK_SECRET=${SERVICE_SLACK_SECRET}' + - 'SLACK_SIGNING_SECRET=${SLACK_SIGNING_SECRET}' + - 'MASTODON_CLIENT_ID=${SERVICE_MASTODON_ID}' + - 'MASTODON_CLIENT_SECRET=${SERVICE_MASTODON_SECRET}' + + # Integration APIs + - 'BEEHIIVE_API_KEY=${SERVICE_BEEHIIVE_KEY}' + - 'BEEHIIVE_PUBLICATION_ID=${SERVICE_BEEHIIVE_PUBID}' + - 'OPENAI_API_KEY=${SERVICE_OPENAI_KEY}' + + # Misc Settings + - 'NEXT_PUBLIC_DISCORD_SUPPORT=${NEXT_PUBLIC_DISCORD_SUPPORT}' + - 'NEXT_PUBLIC_POLOTNO=${NEXT_PUBLIC_POLOTNO}' + - 'IS_GENERAL=${IS_GENERAL:-true}' + - 'NX_ADD_PLUGINS=${NX_ADD_PLUGINS:-false}' + + # Payment Settings + - 'FEE_AMOUNT=${FEE_AMOUNT:-0.05}' + - 'STRIPE_PUBLISHABLE_KEY=${STRIPE_PUBLISHABLE_KEY}' + - 'STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY}' + - 'STRIPE_SIGNING_KEY=${STRIPE_SIGNING_KEY}' + - 'STRIPE_SIGNING_KEY_CONNECT=${STRIPE_SIGNING_KEY_CONNECT}' + volumes: - - postiz_config:/config/ - - postiz_uploads:/uploads/ + - 'postiz_config:/config/' + - 'postiz_uploads:/uploads/' depends_on: postgres: condition: service_healthy redis: condition: service_healthy healthcheck: - test: ["CMD-SHELL", "wget -qO- http://127.0.0.1:5000/"] + test: + - CMD-SHELL + - 'wget -qO- http://127.0.0.1:5000/' interval: 5s timeout: 20s retries: 10 postgres: - image: postgres:14.5 + image: 'postgres:14.5' volumes: - - postiz_postgresql_data:/var/lib/postgresql/data + - 'postiz_postgresql_data:/var/lib/postgresql/data' environment: - - POSTGRES_USER=${SERVICE_USER_POSTGRESQL} - - POSTGRES_PASSWORD=${SERVICE_PASSWORD_POSTGRESQL} - - POSTGRES_DB=${POSTGRESQL_DATABASE:-postiz-db} + - 'POSTGRES_USER=${SERVICE_USER_POSTGRESQL}' + - 'POSTGRES_PASSWORD=${SERVICE_PASSWORD_POSTGRESQL}' + - 'POSTGRES_DB=${POSTGRESQL_DATABASE:-postiz-db}' healthcheck: - test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"] + test: + - CMD-SHELL + - 'pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}' interval: 5s timeout: 20s retries: 10 redis: - image: redis:7.2 + image: 'redis:7.2' + command: > + redis-server + --port 6379 + --save 60 1 + --loglevel warning + --protected-mode yes + --aclfile /data/users.acl volumes: - - postiz_redis_data:/data - environment: - - REDIS_PASSWORD=${SERVICE_PASSWORD_REDIS} - - REDIS_USER=${SERVICE_USER_REDIS} + - 'postiz_redis_data:/data' + - type: tmpfs + target: /tmp healthcheck: test: - CMD - redis-cli - - PING + - '-u' + - 'redis://${SERVICE_USER_REDIS}:${SERVICE_PASSWORD_REDIS}@localhost:6379' + - ping interval: 5s timeout: 10s retries: 20 + deploy: + resources: + limits: + memory: 256M + entrypoint: > + sh -c " + echo 'user default off' > /data/users.acl && + echo 'user ${SERVICE_USER_REDIS} on >${SERVICE_PASSWORD_REDIS} ~* &* +@all' >> /data/users.acl && + redis-server --aclfile /data/users.acl + " + +volumes: + postiz_config: + driver: local + postiz_uploads: + driver: local + postiz_postgresql_data: + driver: local + postiz_redis_data: + driver: local