convox.yml
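# App-level settings (nesting restored; the listing had lost its indentation).
appSettings:
  awsLogs:
    # CloudWatch Logs retention in days, substituted from LOG_RETENTION_DAYS.
    # Size it to cover the window in which an incident would be investigated.
    # NOTE(review): confirm LOG_RETENTION_DAYS is always set; an empty
    # substitution would leave this key without a value.
    cwRetention: ${LOG_RETENTION_DAYS}
    # false keeps the retention policy above in force.
    disableRetention: false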
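# Vars shared by all services
#
# Only names belong here. The values of APP_SECRET_KEY, GOOGLE_CLIENT_SECRET,
# RACK_TOKEN, POSTMARK_API_TOKEN and AUDIT_HMAC_SECRET are credentials and are
# supplied through the app environment / Terraform, never as defaults in this
# file. Because this list is shared, every service below (including `admin`)
# receives all of them.
environment:
  - DOMAIN  # required (tailscale domain)
  - APP_SECRET_KEY  # required
  - GOOGLE_CLIENT_ID  # required
  - GOOGLE_CLIENT_SECRET  # required
  # Restricts sign-in to one Google Workspace domain; leaving it wrong or
  # overly broad widens who can authenticate.
  - GOOGLE_ALLOWED_DOMAIN  # required, e.g. example.com
  # Keep this list minimal: these accounts start with admin rights.
  - ADMIN_USERS  # comma-separated bootstrap admins
  # Grants API access to the target rack; scope and rotate it accordingly.
  - RACK_TOKEN  # required API token for target rack
  # NOTE(review): a bare name normally has to be set before a release can be
  # promoted; confirm an "optional" variable may really be left unset.
  - POSTMARK_API_TOKEN  # optional email notifications
  # NOTE(review): semantics are not visible in this file; presumably the env
  # var names the gateway treats as secret. Confirm the list covers every
  # credential-bearing variable that should be masked.
  - CONVOX_SECRET_ENV_VARS=DATABASE_URL
  # - GOOGLE_OAUTH_BASE_URL  # optional; default Google; set to your OIDC issuer if needed
  # - POSTMARK_STREAM=outbound  # optional stream
  # - POSTMARK_FROM  # optional sender address
  # NOTE(review): the defaults for COOKIE_SECURE and DEV_MODE are not shown
  # here; production should set COOKIE_SECURE=true explicitly and keep
  # DEV_MODE=false rather than rely on them.
  # - COOKIE_SECURE=true  # in prod
  # - DEV_MODE=false
  # - RACK_USERNAME=convox  # optional; defaults to convox
  # WORM S3 anchor storage (set via Terraform)
  # The HMAC key is what makes the audit chain verifiable: anyone holding it
  # can produce valid chain entries, so keep it out of logs and rotate it
  # under a documented procedure.
  - AUDIT_HMAC_SECRET  # Secret key used for HMAC-SHA256 cryptographic chain of audit logs
  - AUDIT_ANCHOR_BUCKET  # S3 bucket name for WORM audit anchors
  - AUDIT_ANCHOR_CHAIN_ID  # Chain identifier (typically rack alias, e.g., staging, eu, us)
  - AUDIT_ANCHOR_RETENTION_DAYS  # Object Lock retention in days (default: 400)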
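services:
  gateway:
    # To deploy: Build locally and push to Docker Hub using scripts/build-and-push.sh
    # Then update the image tag below to the new version
    # NOTE(review): `latest` is a mutable tag, so the running build is whatever
    # was pushed last and a deploy or rollback cannot be tied to a known
    # artifact. Pin a version tag or, better, a digest:
    #   docker.io/docspringcom/rack-gateway:<version>@sha256:<digest>
    image: docker.io/docspringcom/rack-gateway:latest
    command: ./scripts/start-gateway.sh
    environment:
      - PORT=8080
      # `require` encrypts the connection but does not verify the server
      # certificate. If the image carries the database CA bundle, prefer
      # `verify-full` so the server is authenticated as well.
      - PGSSLMODE=require
      - DATABASE_URL  # Set via Terraform (app user connection)
    health: /api/v1/health
    # Keeps the gateway off the public load balancer; it is reached over the
    # private network only.
    internal: true
    port: 8080
    scale:
      count: 1
      cpu: 256
      memory: 256
    sticky: true
    volumes: []
    annotations:
      # IAM role assumed by the gateway on EKS.
      # NOTE(review): the role policy is not shown here; confirm it is limited
      # to what the audit-anchor writes need on AUDIT_ANCHOR_BUCKET.
      - eks.amazonaws.com/role-arn: "${IAM_ROLE_ARN}"
  admin:
    # Uses same image as gateway service
    # NOTE(review): same mutable `latest` tag as gateway; pin both to the same
    # version/digest so migrations run against the build that is deployed.
    image: docker.io/docspringcom/rack-gateway:latest
    command: echo "Use this service to run migrations, database admin tasks, etc."
    environment:
      - PORT=8080
      - PGSSLMODE=require
      # Admin database connection, kept separate from the gateway's app-user
      # DATABASE_URL. Do not add it to the shared environment list.
      - RGW_DATABASE_URL=${ADMIN_DATABASE_URL}
    scale:
      memory: 512
      cpu: 250
      # Zero replicas: nothing holds the admin credential at rest; the service
      # is only started on demand for one-off tasks.
      count: 0
timers: {}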