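---
# Compose/Swarm stack for the OTS orchestrator: one ASP.NET app service and
# a PostgreSQL 16 database on a private overlay network.
#
# The overlay network, ingress-mode port and deploy.placement stanza suggest
# this file is meant for `docker stack deploy`; note that `build:` and
# `restart:` are honoured only by `docker compose`, not by Swarm.
#
# Secret-bearing variables use the `${VAR:?message}` form so that an unset
# variable aborts deployment instead of silently interpolating to "" (which
# would otherwise produce a connection string with an empty password and an
# empty JWT signing key).

networks:
  orchestrator_net:
    driver: overlay
    attachable: true

services:
  app:
    image: ${IMAGE_NAME:-ots-orchestrator}:${IMAGE_TAG:-latest}
    build:
      context: .
      dockerfile: Dockerfile
    restart: unless-stopped
    # NOTE(review): `privileged` combined with the docker.sock bind mount below
    # gives this container root-equivalent control of the host. The socket
    # alone already allows managing containers; confirm that `privileged` is
    # actually required by the app before keeping it.
    privileged: true
    ports:
      - target: 8080
        published: 8080
        mode: ingress
    networks:
      - orchestrator_net
    environment:
      ASPNETCORE_ENVIRONMENT: Production
      # ── Database ───────────────────────────────────────────────────────────
      # Fail fast if POSTGRES_PASSWORD is unset rather than connecting with an
      # empty password.
      ConnectionStrings__OrchestratorDb: "Host=postgres;Port=5432;Database=orchestrator;Username=ots;Password=${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
      # ── JWT ────────────────────────────────────────────────────────────────
      # An empty signing key must never reach the app; abort on unset.
      Jwt__Key: "${JWT_KEY:?JWT_KEY must be set}"
      Jwt__Issuer: "OTSSignsOrchestrator"
      Jwt__Audience: "OTSSignsOrchestrator"
      # All other integration settings (Bitwarden, Stripe, Authentik, SendGrid)
      # are managed via the admin UI (Settings page). On first run, env vars
      # below are seeded into the database and then ignored.
      # Uncomment any line to seed on first deploy, then remove it.
      # Bitwarden__AccessToken: "${BITWARDEN_ACCESS_TOKEN}"
      # Bitwarden__OrganizationId: "${BITWARDEN_ORG_ID}"
      # Bitwarden__ProjectId: "${BITWARDEN_PROJECT_ID}"
      # Stripe__SecretKey: "${STRIPE_SECRET_KEY}"
      # Stripe__WebhookSecret: "${STRIPE_WEBHOOK_SECRET}"
      # Authentik__BaseUrl: "${AUTHENTIK_BASE_URL}"
      # Authentik__ApiToken: "${AUTHENTIK_API_TOKEN}"
      # Authentik__OtsSigningKpId: "${AUTHENTIK_OTS_SIGNING_KP_ID}"
      # Email__SendGridApiKey: "${SENDGRID_API_KEY}"
    volumes:
      # Persist ASP.NET Data Protection keys so tokens/cookies survive restarts.
      - dataprotection_keys:/app/dataprotection-keys
      # Host Docker socket: the orchestrator manages containers through it.
      - /var/run/docker.sock:/var/run/docker.sock
    deploy:
      placement:
        constraints:
          - node.role == manager

  postgres:
    image: postgres:16
    restart: unless-stopped
    networks:
      - orchestrator_net
    environment:
      POSTGRES_DB: orchestrator
      POSTGRES_USER: ots
      # Same guard as the app's connection string so both sides fail together.
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"
    volumes:
      # NOTE(review): pgdata is a node-local volume and this service has no
      # placement constraint. If Swarm reschedules postgres onto another node
      # it starts with an empty data directory — confirm this is a single-node
      # deployment or pin the service (e.g. node.role == manager) like `app`.
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ots -d orchestrator"]
      interval: 10s
      timeout: 5s
      retries: 5

volumes:
  # Explicit empty mappings: a bare `name:` parses as null, `{}` states intent.
  pgdata: {}
  dataprotection_keys: {}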