ZeroAuth/docker-compose.yml at main · zeroauth-dev/ZeroAuth · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
services:
  # ── Redis ────────────────────────────────────
  redis:
    image: redis:7-alpine
    container_name: zeroauth-redis
    ports:
      - '127.0.0.1:6379:6379'
    volumes:
      - redis-data:/data
    command: redis-server --appendonly yes
    healthcheck:
      test: ['CMD', 'redis-cli', 'ping']
      interval: 10s
      timeout: 5s
      retries: 3
    profiles: ['dev', 'test', 'prod']

  # ── PostgreSQL ──────────────────────────────
  postgres:
    image: postgres:16-alpine
    container_name: zeroauth-postgres
    ports:
      - '127.0.0.1:5432:5432'
    environment:
      POSTGRES_DB: ${POSTGRES_DB:-zeroauth}
      POSTGRES_USER: ${POSTGRES_USER:-zeroauth}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-zeroauth-dev}
    volumes:
      - postgres-data:/var/lib/postgresql/data
    healthcheck:
      test: ['CMD-SHELL', 'pg_isready -U ${POSTGRES_USER:-zeroauth} -d ${POSTGRES_DB:-zeroauth}']
      interval: 10s
      timeout: 5s
      retries: 3
    profiles: ['dev', 'test', 'prod']

  # ── Verifier (Plan B — TS, B02 Phase 2) ──────
  # Standalone Groth16 verifier service. Loopback-only on the docker
  # network (no host port binding). The API reaches it via the service
  # name `zeroauth-verifier`.
  zeroauth-verifier:
    build:
      context: .
      target: verifier-production
    container_name: zeroauth-verifier
    expose:
      - '3001'
    environment:
      - NODE_ENV=production
      - VERIFIER_CIRCUIT_VERSION=v1
      - LOG_LEVEL=info
    # Persistent volume for the SQLite audit log (B02 design doc §4.3).
    # Mounted at /app/data inside the container. Survives container
    # restarts + image rebuilds. Backup story: snapshot the volume on
    # deploy + nightly cron (TODO).
    volumes:
      - verifier-audit-data:/app/data
    restart: unless-stopped
    # 127.0.0.1 (not localhost) because alpine busybox wget hits IPv6 first
    # and the verifier binds 0.0.0.0 (IPv4 only). The Dockerfile carries
    # the same fix; this is belt-and-braces for compose-level overrides.
    healthcheck:
      test: ['CMD', 'wget', '--no-verbose', '--tries=1', '--spider', 'http://127.0.0.1:3001/health']
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s
    profiles: ['dev', 'prod']

  # ── Development ──────────────────────────────
  zeroauth-dev:
    build:
      context: .
      target: development
    container_name: zeroauth-dev
    ports:
      - '3000:3000'
      - '5173:5173'
    env_file:
      - .env
    environment:
      - NODE_ENV=development
      - USE_REDIS_SESSIONS=true
      - REDIS_URL=redis://redis:6379
      - POSTGRES_HOST=postgres
      # B02 Phase 2 — route ZKP verifications through the verifier service.
      - VERIFIER_URL=http://zeroauth-verifier:3001
      - VERIFIER_TIMEOUT_MS=2000
    volumes:
      - ./src:/app/src
      - ./public:/app/public
      - ./circuits/build:/app/circuits/build
      - ./contracts:/app/contracts
      - ./dashboard/src:/app/dashboard/src
      - ./dashboard/dist:/app/dashboard/dist
      - ./website/build:/app/website/build
    depends_on:
      redis:
        condition: service_healthy
      postgres:
        condition: service_healthy
      zeroauth-verifier:
        condition: service_healthy
    profiles: ['dev']

  # ── Test ─────────────────────────────────────
  zeroauth-test:
    build:
      context: .
      target: test
    container_name: zeroauth-test
    env_file:
      - .env
    environment:
      - NODE_ENV=test
      - USE_REDIS_SESSIONS=false
      - POSTGRES_HOST=postgres
    depends_on:
      redis:
        condition: service_healthy
      postgres:
        condition: service_healthy
    profiles: ['test']

  # ── Production ───────────────────────────────
  zeroauth-prod:
    build:
      context: .
      target: production
    container_name: zeroauth-prod
    expose:
      - '3000'
    env_file:
      - .env
    environment:
      - NODE_ENV=production
      - USE_REDIS_SESSIONS=true
      - REDIS_URL=redis://redis:6379
      - POSTGRES_HOST=postgres
      - TRUST_PROXY=true
      # B02 Phase 2 — production cutover. Routes /v1/auth/zkp/verify
      # through the verifier service instead of inline snarkjs. The
      # inline-fallback in src/services/zkp.ts stays in the binary as
      # a safety net but is no longer the default code path in prod.
      - VERIFIER_URL=http://zeroauth-verifier:3001
      - VERIFIER_TIMEOUT_MS=2000
    depends_on:
      redis:
        condition: service_healthy
      postgres:
        condition: service_healthy
      zeroauth-verifier:
        condition: service_healthy
    restart: unless-stopped
    healthcheck:
      test: ['CMD', 'wget', '--no-verbose', '--tries=1', '--spider', 'http://localhost:3000/api/health']
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    profiles: ['prod']

  # ── Caddy reverse proxy + auto TLS for zeroauth.dev ────
  caddy:
    image: caddy:2-alpine
    container_name: zeroauth-caddy
    ports:
      - '80:80'
      - '443:443'
      - '443:443/udp'
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy-data:/data
      - caddy-config:/config
    depends_on:
      - zeroauth-prod
    restart: unless-stopped
    profiles: ['prod']

volumes:
  redis-data:
  postgres-data:
  caddy-data:
  caddy-config:
  verifier-audit-data: