# version: "3.9" x-common-env: &common-env TZ: "UTC" ############################################################ # SERVICES ############################################################ services: # ────────────────────────────── # kong: # image: kong/kong:3.6 # container_name: kong # restart: unless-stopped # environment: # KONG_DATABASE: "off" # KONG_DECLARATIVE_CONFIG: /config/kong.yml # KONG_LOG_LEVEL: info # KONG_PLUGINS: bundled # KONG_PROXY_ACCESS_LOG: /dev/stdout # KONG_ADMIN_ACCESS_LOG: /dev/stdout # KONG_PROXY_ERROR_LOG: /dev/stderr # KONG_ADMIN_ERROR_LOG: /dev/stderr # volumes: # - ./kong:/config # networks: # - internal # - nginx-proxy # depends_on: # - fastapi oauth2-proxy: image: quay.io/oauth2-proxy/oauth2-proxy:v7.6.0 container_name: oauth2-proxy restart: always networks: - internal - nginx-proxy environment: OAUTH2_PROXY_PROVIDER: oidc OAUTH2_PROXY_OIDC_ISSUER_URL: https://kc.kellsupport.com/realms/cmmc OAUTH2_PROXY_CLIENT_ID: ${OAUTH2_PROXY_CLIENT_ID} OAUTH2_PROXY_CLIENT_SECRET: ${OAUTH2_PROXY_CLIENT_SECRET} OAUTH2_PROXY_REDIRECT_URL: https://api.kellsupport.com/oauth2/callback OAUTH2_PROXY_COOKIE_SECRET: ${OAUTH2_PROXY_COOKIE_SECRET} # Forward all traffic to FastAPI (which handles /api/* etc) OAUTH2_PROXY_UPSTREAMS: http://fastapi:8000 # Secure cookies and session behavior OAUTH2_PROXY_COOKIE_DOMAIN: api.kellsupport.com OAUTH2_PROXY_COOKIE_NAME: _oauth2_proxy OAUTH2_PROXY_COOKIE_SECURE: "true" OAUTH2_PROXY_COOKIE_HTTPONLY: "false" OAUTH2_PROXY_COOKIE_SAMESITE: Lax OAUTH2_PROXY_COOKIE_EXPIRE: 168h OAUTH2_PROXY_COOKIE_REFRESH: 60m # Auth config OAUTH2_PROXY_EMAIL_DOMAINS: "*" OAUTH2_PROXY_SET_XAUTHREQUEST: "true" OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: "true" OAUTH2_PROXY_PASS_ACCESS_TOKEN: "true" OAUTH2_PROXY_PASS_USER_HEADERS: "true" OAUTH2_PROXY_PREFER_EMAIL_TO_USER: "true" OAUTH2_PROXY_COOKIE_CSRF_PER_REQUEST: "true" OAUTH2_PROXY_CSRF_COOKIE_NAME: _oauth2_proxy_csrf OAUTH2_PROXY_SHOW_DEBUG_ON_ERROR: "true" # Optional: PKCE OAUTH2_PROXY_CODE_CHALLENGE_METHOD: S256 # Health routes allowed anonymously OAUTH2_PROXY_SKIP_AUTH_ROUTES: GET=^/gateway-health$,GET=^/healthz$,GET=^/favicon\.ico$ OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: "true" # Networking OAUTH2_PROXY_HTTP_ADDRESS: 0.0.0.0:4180 OAUTH2_PROXY_REVERSE_PROXY: "true" expose: - "4180" # ────────────────────────────── fastapi: image: cmmc-fastapi:latest container_name: fastapi restart: unless-stopped environment: <<: *common-env # Default to local container; overridden by external URL in Makefile/CI KEYCLOAK_URL: "${KEYCLOAK_URL:-http://keycloak:8080}" KEYCLOAK_REALM: "cmmc" KEYCLOAK_CLIENT_ID: "frontend" # ports: # # keep reachable only from localhost, not LAN # - "127.0.0.1:8008:8000" networks: [internal] # ────────────────────────────── # Starts ONLY when profile `idp` is requested keycloak: image: quay.io/keycloak/keycloak:25.0.0 container_name: keycloak command: start-dev profiles: ["idp"] # ← optional profile flag restart: unless-stopped environment: <<: *common-env KEYCLOAK_ADMIN: admin KEYCLOAK_ADMIN_PASSWORD: admin KC_PROXY_HEADERS: xforwarded healthcheck: test: ["CMD", "curl", "-f", "http://localhost:8080/realms/master"] interval: 10s retries: 5 networks: [internal, nginx-proxy] ############################################################ # NETWORKS ############################################################ networks: internal: driver: bridge nginx-proxy: # external bridge Nginx-Proxy-Manager already uses external: true name: nginx-proxy