DockerDiscordControl-Linux/docker-compose.yml at main · DockerDiscordControl/DockerDiscordControl-Linux · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# docker-compose.yml

services:
  ddc: # Name of the service (freely selectable, here 'ddc')
    container_name: ddc # Equivalent to --name ddc
    image: dockerdiscordcontrol # The image to be used (built by rebuild.sh)
    build: . # Optional: Allows building the image with 'docker-compose build'
    restart: unless-stopped # Equivalent to --restart unless-stopped
    ports:
      - "9374:9374" # Equivalent to -p 9374:9374 (<host-port>:<container-port>)
                    # Change the host port (9374) if it's already in use.
    volumes:
      # Mount for Docker Socket (Adjust if your socket is located elsewhere)
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Mount for the configuration directory
      # Use relative paths for easier setup
      - ./config:/app/config:cached
      # Mount for logs
      - ./logs:/app/logs:cached
      # Note: cached_displays are now built into the Docker image for Community App compatibility
    # user: "99:100"
    environment:
      # FLASK_SECRET_KEY: Must be set! Best to use a .env file.
      FLASK_SECRET_KEY: ${FLASK_SECRET_KEY}
      # ENV_FLASK_SECRET_KEY: Is also set to the same value (for Supervisor)
      ENV_FLASK_SECRET_KEY: ${FLASK_SECRET_KEY}
      # ENV_DOCKER_SOCKET: Path to the Docker socket (used in web_ui.py)
      ENV_DOCKER_SOCKET: 'unix:///var/run/docker.sock'
      # DOCKER_SOCKET: Also used in web_ui.py (set both to be safe)
      DOCKER_SOCKET: 'unix:///var/run/docker.sock'
      # Explicitly set DOCKER_HOST to correct URL format
      DOCKER_HOST: 'unix:///var/run/docker.sock'
      # SECURITY: Discord Bot Token via environment variable (recommended)
      DISCORD_BOT_TOKEN: ${DISCORD_BOT_TOKEN:-}
      # Uncomment and set this to change the default admin password (admin)
      # DDC_ADMIN_PASSWORD: ${DDC_ADMIN_PASSWORD}
    security_opt:
      - no-new-privileges:true
    # Capability hardening (currently disabled — kept here as a tested-but-
    # unverified configuration). The entrypoint needs root caps to chown the
    # data dirs and switch users via su-exec / setpriv. The minimal set below
    # has been derived from docker/entrypoint.sh; enable & test on staging
    # before promoting to production:
    #
    # cap_drop:
    #   - ALL
    # cap_add:
    #   - CHOWN          # chown -R on /app/config and /app/logs at first run
    #   - DAC_OVERRIDE   # read/write across user boundaries during bootstrap
    #   - FOWNER         # touch/chmod for marker files
    #   - SETUID         # su-exec / setpriv user switch
    #   - SETGID         # su-exec / setpriv group switch
    #   - SETPCAP        # capability transition for setpriv
    #
    # See AUDIT.md (S10) for the rollback plan.
    healthcheck:
      test: ["CMD", "python3", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:9374/health')"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    logging: # Equivalent to --log-driver and --log-opt
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"
    # Resource configuration for scalability
    deploy:
      resources:
        limits:
          cpus: '2.0'    # Allow up to 2 CPU cores for better performance
          memory: 512M   # Allow up to 512MB memory for larger installations
          pids: 256      # Cap process count — defends against fork-bomb DoS
        reservations:
          cpus: '0.25'   # Reserve 25% of a CPU core for responsiveness
          memory: 128M   # Reserve 128MB memory as minimum