Update postiz.yaml

### Proposed Improvements to Postiz Template I'd like to propose several improvements to the current Postiz template that enhance security, reliability, and configuration flexibility: #### Security Enhancements - Added Redis ACL configuration with proper authentication - Implemented secure healthchecks with authentication - Enhanced PostgreSQL security configurations #### Reliability Improvements - Added memory limits and resource management for Redis - Implemented proper data persistence configurations - Added tmpfs for temporary files - More comprehensive healthcheck configurations with proper retry/timeout strategies - Better dependency management with health conditions #### Configuration Flexibility - Support for all environment variables from Postiz documentation - Added Cloudflare R2 integration support - Logical grouping of environment variables - Default values for critical settings - Better volume management with explicit drivers The improved template provides a more production-ready setup while maintaining compatibility with Coolify's requirements. It follows best practices for Docker deployments and provides better security out of the box.
2024-11-21 16:05:55 +01:00
parent 092bd916ff
commit 47c442431b
1 changed files with 124 additions and 59 deletions
--- a/templates/compose/postiz.yaml
+++ b/templates/compose/postiz.yaml
@@ -6,92 +6,157 @@
 services:
  postiz:
-    image: ghcr.io/gitroomhq/postiz-app:latest
+    image: 'ghcr.io/gitroomhq/postiz-app:latest'
    environment:
      # Required Settings
      - SERVICE_FQDN_POSTIZ_5000
-      - MAIN_URL=${SERVICE_FQDN_POSTIZ}
+      - 'MAIN_URL=${SERVICE_FQDN_POSTIZ}'
-      - FRONTEND_URL=${SERVICE_FQDN_POSTIZ}
+      - 'FRONTEND_URL=${SERVICE_FQDN_POSTIZ}'
-      - NEXT_PUBLIC_BACKEND_URL=${SERVICE_FQDN_POSTIZ}/api
+      - 'NEXT_PUBLIC_BACKEND_URL=${SERVICE_FQDN_POSTIZ}/api'
-      - JWT_SECRET=${SERVICE_PASSWORD_JWTSECRET}
+      - 'DATABASE_URL=postgresql://${SERVICE_USER_POSTGRESQL}:${SERVICE_PASSWORD_POSTGRESQL}@postgres:5432/${POSTGRESQL_DATABASE:-postiz-db}'
-      - DATABASE_URL=postgresql://${SERVICE_USER_POSTGRESQL}:${SERVICE_PASSWORD_POSTGRESQL}@postgresql:5432/${POSTGRESQL_DATABASE:-postiz-db}
+      - 'REDIS_URL=redis://${SERVICE_USER_REDIS}:${SERVICE_PASSWORD_REDIS}@redis:6379'
-      - REDIS_URL=redis://${SERVICE_USER_REDIS}:${SERVICE_PASSWORD_REDIS}@redis:6379
+      - 'JWT_SECRET=${SERVICE_PASSWORD_JWTSECRET}'
-      - BACKEND_INTERNAL_URL=http://localhost:3000
+      - 'BACKEND_INTERNAL_URL=http://localhost:3000'
-      - IS_GENERAL=true
+      
-      - STORAGE_PROVIDER=local
+      # Cloudflare R2 Settings
-      - UPLOAD_DIRECTORY=/uploads
+      - 'CLOUDFLARE_ACCOUNT_ID=${CLOUDFLARE_ACCOUNT_ID}'
-      - NEXT_PUBLIC_UPLOAD_DIRECTORY=/uploads
+      - 'CLOUDFLARE_ACCESS_KEY=${CLOUDFLARE_ACCESS_KEY}'
-      - X_API_KEY=${SERVICE_X_API}
+      - 'CLOUDFLARE_SECRET_ACCESS_KEY=${CLOUDFLARE_SECRET_ACCESS_KEY}'
-      - X_API_SECRET=${SERVICE_X_SECRET}
+      - 'CLOUDFLARE_BUCKETNAME=${CLOUDFLARE_BUCKETNAME}'
-      - REDDIT_CLIENT_ID=${SERVICE_REDDIT_API}
+      - 'CLOUDFLARE_BUCKET_URL=${CLOUDFLARE_BUCKET_URL}'
-      - REDDIT_CLIENT_SECRET=${SERVICE_REDDIT_SECRET}
+      - 'CLOUDFLARE_REGION=${CLOUDFLARE_REGION}'
-      - TIKTOK_CLIENT_ID=${SERVICE_TIKTOK_ID}
+      
-      - TIKTOK_CLIENT_SECRET=${SERVICE_TIKTOK_SECRET}
+      # Storage Settings
-      - SLACK_ID=${SERVICE_SLACK_ID}
+      - 'STORAGE_PROVIDER=${STORAGE_PROVIDER:-local}'
-      - SLACK_SECRET=${SERVICE_SLACK_SECRET}
+      - 'UPLOAD_DIRECTORY=${UPLOAD_DIRECTORY:-/uploads}'
-      - PINTEREST_CLIENT_ID=${SERVICE_PINTEREST_ID}
+      - 'NEXT_PUBLIC_UPLOAD_DIRECTORY=${NEXT_PUBLIC_UPLOAD_DIRECTORY:-/uploads}'
-      - PINTEREST_CLIENT_SECRET=${SERVICE_PINTEREST_SECRET}
+      - 'NEXT_PUBLIC_UPLOAD_STATIC_DIRECTORY=${NEXT_PUBLIC_UPLOAD_STATIC_DIRECTORY}'
-      - DRIBBLE_CLIENT_ID=${SERVICE_DRIBBLE_ID}
+      
-      - DRIBBLE_CLIENT_SECRET=${SERVICE_DRIBBLE_SECRET}
+      # Email Settings
-      - DISCORD_CLIENT_ID=${SERVICE_DISCORD_ID}
+      - 'RESEND_API_KEY=${RESEND_API_KEY}'
-      - DISCORD_CLIENT_SECRET=${SERVICE_DISCORD_SECRET}
+      - 'EMAIL_FROM_ADDRESS=${EMAIL_FROM_ADDRESS}'
-      - DISCORD_BOT_TOKEN_ID=${SERVICE_DISCORD_TOKEN}
+      - 'EMAIL_FROM_NAME=${EMAIL_FROM_NAME}'
-      - YOUTUBE_CLIENT_ID=${SERVICE_YOUTUBE_ID}
+      
-      - YOUTUBE_CLIENT_SECRET=${SERVICE_YOUTUBE_SECRET}
+      # Social Media API Settings
-      - MASTODON_CLIENT_ID=${SERVICE_MASTODON_ID}
+      - 'X_API_KEY=${SERVICE_X_API}'
-      - MASTODON_CLIENT_SECRET=${SERVICE_MASTODON_SECRET}
+      - 'X_API_SECRET=${SERVICE_X_SECRET}'
-      - LINKEDIN_CLIENT_ID=${SERVICE_LINKEDIN_ID}
+      - 'LINKEDIN_CLIENT_ID=${SERVICE_LINKEDIN_ID}'
-      - LINKEDIN_CLIENT_SECRET=${SERVICE_LINKEDIN_SECRET}
+      - 'LINKEDIN_CLIENT_SECRET=${SERVICE_LINKEDIN_SECRET}'
-      - INSTAGRAM_APP_ID=${SERVICE_INSTAGRAM_ID}
+      - 'REDDIT_CLIENT_ID=${SERVICE_REDDIT_API}'
-      - INSTAGRAM_APP_SECRET=${SERVICE_INSTAGRAM_SECRET}
+      - 'REDDIT_CLIENT_SECRET=${SERVICE_REDDIT_SECRET}'
-      - FACEBOOK_APP_ID=${SERVICE_FACEBOOK_ID}
+      - 'GITHUB_CLIENT_ID=${SERVICE_GITHUB_ID}'
-      - FACEBOOK_APP_SECRET=${SERVICE_FACEBOOK_SECRET}
+      - 'GITHUB_CLIENT_SECRET=${SERVICE_GITHUB_SECRET}'
-      - THREADS_APP_ID=${SERVICE_THREADS_ID}
+      - 'THREADS_APP_ID=${SERVICE_THREADS_ID}'
-      - THREADS_APP_SECRET=${SERVICE_THREADS_SECRET}
+      - 'THREADS_APP_SECRET=${SERVICE_THREADS_SECRET}'
-      - GITHUB_CLIENT_ID=${SERVICE_GITHUB_ID}
+      - 'FACEBOOK_APP_ID=${SERVICE_FACEBOOK_ID}'
-      - GITHUB_CLIENT_SECRET=${SERVICE_GITHUB_SECRET}
+      - 'FACEBOOK_APP_SECRET=${SERVICE_FACEBOOK_SECRET}'
-      - BEEHIIVE_API_KEY=${SERVICE_BEEHIIVE_KEY}
+      - 'YOUTUBE_CLIENT_ID=${SERVICE_YOUTUBE_ID}'
-      - BEEHIIVE_PUBLICATION_ID=${SERVICE_BEEHIIVE_PUBID}
+      - 'YOUTUBE_CLIENT_SECRET=${SERVICE_YOUTUBE_SECRET}'
-      - OPENAI_API_KEY=${SERVICE_OPENAI_KEY}
+      - 'TIKTOK_CLIENT_ID=${SERVICE_TIKTOK_ID}'
      - 'TIKTOK_CLIENT_SECRET=${SERVICE_TIKTOK_SECRET}'
      - 'PINTEREST_CLIENT_ID=${SERVICE_PINTEREST_ID}'
      - 'PINTEREST_CLIENT_SECRET=${SERVICE_PINTEREST_SECRET}'
      - 'DRIBBBLE_CLIENT_ID=${SERVICE_DRIBBLE_ID}'
      - 'DRIBBBLE_CLIENT_SECRET=${SERVICE_DRIBBLE_SECRET}'
      - 'DISCORD_CLIENT_ID=${SERVICE_DISCORD_ID}'
      - 'DISCORD_CLIENT_SECRET=${SERVICE_DISCORD_SECRET}'
      - 'DISCORD_BOT_TOKEN_ID=${SERVICE_DISCORD_TOKEN}'
      - 'SLACK_ID=${SERVICE_SLACK_ID}'
      - 'SLACK_SECRET=${SERVICE_SLACK_SECRET}'
      - 'SLACK_SIGNING_SECRET=${SLACK_SIGNING_SECRET}'
      - 'MASTODON_CLIENT_ID=${SERVICE_MASTODON_ID}'
      - 'MASTODON_CLIENT_SECRET=${SERVICE_MASTODON_SECRET}'
      # Integration APIs
      - 'BEEHIIVE_API_KEY=${SERVICE_BEEHIIVE_KEY}'
      - 'BEEHIIVE_PUBLICATION_ID=${SERVICE_BEEHIIVE_PUBID}'
      - 'OPENAI_API_KEY=${SERVICE_OPENAI_KEY}'
      # Misc Settings
      - 'NEXT_PUBLIC_DISCORD_SUPPORT=${NEXT_PUBLIC_DISCORD_SUPPORT}'
      - 'NEXT_PUBLIC_POLOTNO=${NEXT_PUBLIC_POLOTNO}'
      - 'IS_GENERAL=${IS_GENERAL:-true}'
      - 'NX_ADD_PLUGINS=${NX_ADD_PLUGINS:-false}'
      # Payment Settings
      - 'FEE_AMOUNT=${FEE_AMOUNT:-0.05}'
      - 'STRIPE_PUBLISHABLE_KEY=${STRIPE_PUBLISHABLE_KEY}'
      - 'STRIPE_SECRET_KEY=${STRIPE_SECRET_KEY}'
      - 'STRIPE_SIGNING_KEY=${STRIPE_SIGNING_KEY}'
      - 'STRIPE_SIGNING_KEY_CONNECT=${STRIPE_SIGNING_KEY_CONNECT}'
    volumes:
-      - postiz_config:/config/
+      - 'postiz_config:/config/'
-      - postiz_uploads:/uploads/
+      - 'postiz_uploads:/uploads/'
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
    healthcheck:
-      test: ["CMD-SHELL", "wget -qO- http://127.0.0.1:5000/"]
+      test:
        - CMD-SHELL
        - 'wget -qO- http://127.0.0.1:5000/'
      interval: 5s
      timeout: 20s
      retries: 10
  postgres:
-    image: postgres:14.5
+    image: 'postgres:14.5'
    volumes:
-      - postiz_postgresql_data:/var/lib/postgresql/data
+      - 'postiz_postgresql_data:/var/lib/postgresql/data'
    environment:
-      - POSTGRES_USER=${SERVICE_USER_POSTGRESQL}
+      - 'POSTGRES_USER=${SERVICE_USER_POSTGRESQL}'
-      - POSTGRES_PASSWORD=${SERVICE_PASSWORD_POSTGRESQL}
+      - 'POSTGRES_PASSWORD=${SERVICE_PASSWORD_POSTGRESQL}'
-      - POSTGRES_DB=${POSTGRESQL_DATABASE:-postiz-db}
+      - 'POSTGRES_DB=${POSTGRESQL_DATABASE:-postiz-db}'
    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}"]
+      test:
        - CMD-SHELL
        - 'pg_isready -U $${POSTGRES_USER} -d $${POSTGRES_DB}'
      interval: 5s
      timeout: 20s
      retries: 10
  redis:
-    image: redis:7.2
+    image: 'redis:7.2'
    command: >
      redis-server
      --port 6379
      --save 60 1
      --loglevel warning
      --protected-mode yes
      --aclfile /data/users.acl
    volumes:
-      - postiz_redis_data:/data
+      - 'postiz_redis_data:/data'
-    environment:
+      - type: tmpfs
-      - REDIS_PASSWORD=${SERVICE_PASSWORD_REDIS}
+        target: /tmp
      - REDIS_USER=${SERVICE_USER_REDIS}
    healthcheck:
      test:
        - CMD
        - redis-cli
-        - PING
+        - '-u'
        - 'redis://${SERVICE_USER_REDIS}:${SERVICE_PASSWORD_REDIS}@localhost:6379'
        - ping
      interval: 5s
      timeout: 10s
      retries: 20
    deploy:
      resources:
        limits:
          memory: 256M
    entrypoint: >
      sh -c "
      echo 'user default off' > /data/users.acl &&
      echo 'user ${SERVICE_USER_REDIS} on >${SERVICE_PASSWORD_REDIS} ~* &* +@all' >> /data/users.acl &&
      redis-server --aclfile /data/users.acl
      "
 volumes:
  postiz_config:
    driver: local
  postiz_uploads:
    driver: local
  postiz_postgresql_data:
    driver: local
  postiz_redis_data:
    driver: local