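# Deploy compose for racknerd2 (validation host).
#
# Unlike the root docker-compose.yml (which BUILDS images locally), this file
# PULLS pre-built images from the Forgejo container registry
# (registry.snsnetlabs.com/sam/...) that the Forgejo Actions `build` workflow
# pushes. racknerd2 only has ~1.9 GiB RAM, so we never build here.
#
# Usage on racknerd2 (in this file's directory, with a sibling .env):
#   docker login registry.snsnetlabs.com   # once, as user `sam`
#   docker compose pull && docker compose up -d
#
# IMPORTANT: published ports are bound to the NetBird mesh IP only. Docker
# manipulates iptables directly and BYPASSES ufw, so a plain "8080:8080" would
# expose the port on the host's public interface regardless of the firewall.
# Binding to ${ARCHNEST_BIND_IP} keeps the app reachable only over the mesh.
#
# Secrets (ARCHNEST_JWT_SECRET, ARCHNEST_SECRET_KEY, ARCHNEST_GUAC_CRYPT_KEY)
# use the `${VAR:?msg}` form so `docker compose` refuses to start when one is
# missing from .env. With plain `${VAR}` Compose only warns and substitutes an
# empty string, which would silently run the backend with empty key material.

services:
  archnest:
    # ARCHNEST_TAG defaults to the floating `latest` tag; set an immutable tag
    # in .env when a reproducible, reviewable deployment is wanted.
    image: registry.snsnetlabs.com/sam/archnest:${ARCHNEST_TAG:-latest}
    container_name: archnest
    restart: unless-stopped
    ports:
      # host_ip:host_port:container_port — the host IP keeps this off the
      # public interface (see header comment).
      - "${ARCHNEST_BIND_IP:-100.96.217.250}:8080:8080"
    depends_on:
      - archnest-backend

  archnest-backend:
    image: registry.snsnetlabs.com/sam/archnest-backend:${ARCHNEST_TAG:-latest}
    container_name: archnest-backend
    restart: unless-stopped
    environment:
      - PORT=4000
      - ARCHNEST_DB_PATH=/data/archnest.db
      # Fail closed: no start without the secrets.
      - ARCHNEST_JWT_SECRET=${ARCHNEST_JWT_SECRET:?ARCHNEST_JWT_SECRET must be set in .env}
      - ARCHNEST_SECRET_KEY=${ARCHNEST_SECRET_KEY:?ARCHNEST_SECRET_KEY must be set in .env}
      # NOTE(review): the default origin hard-codes the same mesh IP as the
      # ARCHNEST_BIND_IP fallback above; if ARCHNEST_BIND_IP is overridden in
      # .env, ARCHNEST_CORS_ORIGIN presumably needs overriding too — confirm.
      - ARCHNEST_CORS_ORIGIN=${ARCHNEST_CORS_ORIGIN:-http://100.96.217.250:8080}
      - ARCHNEST_GUAC_CRYPT_KEY=${ARCHNEST_GUAC_CRYPT_KEY:?ARCHNEST_GUAC_CRYPT_KEY must be set in .env}
      - ARCHNEST_GUACD_HOST=guacd
      - ARCHNEST_GUACD_PORT=4822
    volumes:
      - archnest-data:/data
    # No host port published: the frontend container reaches the backend over
    # the compose network as "archnest-backend:4000" (nginx proxies /api).
    depends_on:
      - guacd

  guacd:
    image: guacamole/guacd:1.5.5
    container_name: archnest-guacd
    restart: unless-stopped
    # Internal only; reachable as "guacd:4822" on the compose network.

volumes:
  # Explicit empty mapping rather than a bare `archnest-data:` (which parses
  # as null); Compose treats both as a default-driver named volume.
  archnest-data: {}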