241 lines
7.7 KiB
YAML
241 lines
7.7 KiB
YAML
version: "3.7"
|
|
|
|
x-logging: &default-logging
|
|
driver: "json-file"
|
|
options:
|
|
max-size: "${LOG_MAX_SIZE:-20m}"
|
|
max-file: "${LOG_MAX_FILE:-10}"
|
|
compress: "true"
|
|
|
|
services:
|
|
db:
|
|
deploy:
|
|
# To use an external database, set replicas to 0 and set DATABASE_URL to the external database url in the .env file
|
|
replicas: 1
|
|
image: postgres:16
|
|
shm_size: 1g
|
|
restart: unless-stopped
|
|
volumes:
|
|
- db_data:/var/lib/postgresql/data
|
|
expose:
|
|
- 5432
|
|
environment:
|
|
POSTGRES_PASSWORD: changeme
|
|
POSTGRES_DB: windmill
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U postgres"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 5
|
|
logging: *default-logging
|
|
|
|
windmill_server:
|
|
image: ${WM_IMAGE}
|
|
pull_policy: always
|
|
deploy:
|
|
replicas: 1
|
|
restart: unless-stopped
|
|
expose:
|
|
- 8000
|
|
- 2525
|
|
environment:
|
|
- DATABASE_URL=${DATABASE_URL}
|
|
- MODE=server
|
|
depends_on:
|
|
db:
|
|
condition: service_healthy
|
|
volumes:
|
|
- worker_logs:/tmp/windmill/logs
|
|
|
|
logging: *default-logging
|
|
|
|
# Docker-in-Docker sidecar: provides an isolated Docker daemon so user scripts
|
|
# can run containers without accessing the host Docker socket.
|
|
dind:
|
|
image: docker:dind
|
|
privileged: true
|
|
restart: unless-stopped
|
|
environment:
|
|
DOCKER_TLS_CERTDIR: ""
|
|
volumes:
|
|
- dind-data:/var/lib/docker
|
|
expose:
|
|
- 2375
|
|
healthcheck:
|
|
test: ["CMD", "docker", "info"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 5
|
|
logging: *default-logging
|
|
|
|
windmill_worker:
|
|
image: ${WM_IMAGE}
|
|
pull_policy: always
|
|
deploy:
|
|
replicas: 3
|
|
resources:
|
|
limits:
|
|
memory: 2048M
|
|
# for GB, use syntax '2Gi'
|
|
restart: unless-stopped
|
|
# Uncomment to enable PID namespace isolation (recommended for security)
|
|
# Requires privileged mode for --mount-proc flag
|
|
# See: https://www.windmill.dev/docs/advanced/security_isolation
|
|
privileged: true
|
|
environment:
|
|
- DATABASE_URL=${DATABASE_URL}
|
|
- MODE=worker
|
|
- WORKER_GROUP=default
|
|
# If running with non-root/non-windmill UID (e.g., user: "1001:1001"),
|
|
# add: - HOME=/tmp
|
|
- FAVOR_UNSHARE_PID=true
|
|
# Connect to the dind sidecar instead of the host Docker socket
|
|
- DOCKER_HOST=tcp://dind:2375
|
|
depends_on:
|
|
db:
|
|
condition: service_healthy
|
|
dind:
|
|
condition: service_healthy
|
|
# to mount the worker folder to debug, KEEP_JOB_DIR=true and mount /tmp/windmill
|
|
volumes:
|
|
- worker_dependency_cache:/tmp/windmill/cache
|
|
- worker_logs:/tmp/windmill/logs
|
|
## WARNING: mounting the host Docker socket grants user scripts full access to
|
|
## the host Docker daemon, enabling host filesystem access and privilege escalation.
|
|
## Only use this if you fully trust all users who can run scripts.
|
|
## To use it, remove the DOCKER_HOST env var and dind depends_on above,
|
|
## and uncomment the line below:
|
|
# - /var/run/docker.sock:/var/run/docker.sock
|
|
|
|
logging: *default-logging
|
|
|
|
## This worker is specialized for "native" jobs. Native jobs run in-process and thus are much more lightweight than other jobs
|
|
windmill_worker_native:
|
|
# Use ghcr.io/windmill-labs/windmill-ee:main for the ee
|
|
image: ${WM_IMAGE}
|
|
pull_policy: always
|
|
deploy:
|
|
replicas: 1
|
|
resources:
|
|
limits:
|
|
memory: 2048M
|
|
# for GB, use syntax '2Gi'
|
|
restart: unless-stopped
|
|
# Uncomment to enable PID namespace isolation (recommended for security)
|
|
# Requires privileged mode for --mount-proc flag
|
|
# See: https://www.windmill.dev/docs/advanced/security_isolation
|
|
environment:
|
|
- DATABASE_URL=${DATABASE_URL}
|
|
- MODE=worker
|
|
- WORKER_GROUP=native
|
|
- NATIVE_MODE=true
|
|
- SLEEP_QUEUE=200
|
|
depends_on:
|
|
db:
|
|
condition: service_healthy
|
|
volumes:
|
|
- worker_logs:/tmp/windmill/logs
|
|
logging: *default-logging
|
|
# This worker is specialized for reports or scraping jobs. It is assigned the "reports" worker group which has an init script that installs chromium and can be targeted by using the "chromium" worker tag.
|
|
# windmill_worker_reports:
|
|
# image: ${WM_IMAGE}
|
|
# pull_policy: always
|
|
# deploy:
|
|
# replicas: 1
|
|
# resources:
|
|
# limits:
|
|
# memory: 2048M
|
|
# # for GB, use syntax '2Gi'
|
|
# restart: unless-stopped
|
|
# # Uncomment to enable PID namespace isolation (recommended for security)
|
|
# # Requires privileged mode for --mount-proc flag
|
|
# # See: https://www.windmill.dev/docs/advanced/security_isolation
|
|
# privileged: true
|
|
# environment:
|
|
# - DATABASE_URL=${DATABASE_URL}
|
|
# - MODE=worker
|
|
# - WORKER_GROUP=reports
|
|
# - FAVOR_UNSHARE_PID=true
|
|
# depends_on:
|
|
# db:
|
|
# condition: service_healthy
|
|
# # to mount the worker folder to debug, KEEP_JOB_DIR=true and mount /tmp/windmill
|
|
# volumes:
|
|
# - worker_dependency_cache:/tmp/windmill/cache
|
|
# - worker_logs:/tmp/windmill/logs
|
|
|
|
# The indexer powers full-text job and log search, an EE feature.
|
|
windmill_indexer:
|
|
image: ${WM_IMAGE}
|
|
pull_policy: always
|
|
deploy:
|
|
replicas: 0 # set to 1 to enable full-text job and log search
|
|
restart: unless-stopped
|
|
expose:
|
|
- 8002
|
|
environment:
|
|
- PORT=8002
|
|
- DATABASE_URL=${DATABASE_URL}
|
|
- MODE=indexer
|
|
depends_on:
|
|
db:
|
|
condition: service_healthy
|
|
volumes:
|
|
- windmill_index:/tmp/windmill/search
|
|
- worker_logs:/tmp/windmill/logs
|
|
logging: *default-logging
|
|
|
|
# Combined extra services: LSP, Multiplayer, and Debugger
|
|
# Each service can be enabled/disabled via environment variables:
|
|
# - ENABLE_LSP=true (default) - Language Server Protocol for code intelligence
|
|
# - ENABLE_MULTIPLAYER=false - Real-time collaboration (Enterprise Edition)
|
|
# - ENABLE_DEBUGGER=false - Interactive debugging via DAP WebSocket
|
|
windmill_extra:
|
|
image: ghcr.io/windmill-labs/windmill-extra:latest
|
|
pull_policy: always
|
|
restart: unless-stopped
|
|
expose:
|
|
- 3001 # LSP
|
|
- 3002 # Multiplayer
|
|
- 3003 # Debugger
|
|
environment:
|
|
- ENABLE_LSP=true
|
|
- ENABLE_MULTIPLAYER=false # Set to true to enable multiplayer (Enterprise Edition)
|
|
- ENABLE_DEBUGGER=true # Set to true to enable debugger
|
|
- DEBUGGER_PORT=3003 # Debugger service port
|
|
- ENABLE_NSJAIL=false # Set to true for nsjail sandboxing (requires privileged: true)
|
|
- REQUIRE_SIGNED_DEBUG_REQUESTS=false # Set to true to require JWT tokens for debug sessions
|
|
- WINDMILL_BASE_URL=http://windmill_server:8000
|
|
volumes:
|
|
- lsp_cache:/pyls/.cache
|
|
logging: *default-logging
|
|
|
|
caddy:
|
|
image: ghcr.io/windmill-labs/caddy-l4:latest
|
|
restart: unless-stopped
|
|
# Configure the mounted Caddyfile and the exposed ports or use another reverse proxy if needed
|
|
volumes:
|
|
- ./Caddyfile:/etc/caddy/Caddyfile
|
|
- caddy_data:/data
|
|
# - ./certs:/certs # Provide custom certificate files like cert.pem and key.pem to enable HTTPS - See the corresponding section in the Caddyfile
|
|
ports:
|
|
# To change the exposed port, simply change 80:80 to <desired_port>:80. No other changes needed
|
|
- 80:80
|
|
- 25:25
|
|
# - 443:443 # Uncomment to enable HTTPS handling by Caddy
|
|
environment:
|
|
- BASE_URL=":80"
|
|
# - BASE_URL=":443" # uncomment and comment line above to enable HTTPS via custom certificate and key files
|
|
# - BASE_URL=mydomain.com # Uncomment and comment line above to enable HTTPS handling by Caddy
|
|
logging: *default-logging
|
|
|
|
volumes:
|
|
db_data: null
|
|
worker_dependency_cache: null
|
|
worker_logs: null
|
|
worker_memory: null
|
|
windmill_index: null
|
|
lsp_cache: null
|
|
caddy_data: null
|
|
dind-data: null
|