From 6c17c5a492579e15bd4145a123fc6f42348c3edb Mon Sep 17 00:00:00 2001
From: Damien
Date: Thu, 5 Feb 2026 11:20:17 +0100
Subject: [PATCH 1/3] chore(docker): centralize infrahub configuration variables
Introduces an `x-infrahub-config` extension field to the docker-compose file. This block aggregates all Infrahub environment variables (AWS, DB, Broker, Cache, etc.) into a reusable anchor (`&infrahub_config`). This change allows for: - Centralized management of configuration options. - Improved visibility of available settings matching the official documentation. - Easier injection of these variables into dependent services via the new anchor.
---
docker-compose.override.yml | 31 +++
docker-compose.yml | 395 ++++++++++++++++++++++++++----------
2 files changed, 319 insertions(+), 107 deletions(-)
create mode 100644 docker-compose.override.yml
diff --git a/docker-compose.override.yml b/docker-compose.override.yml
new file mode 100644
index 0000000..305153f
--- /dev/null
+++ b/docker-compose.override.yml
@@ -0,0 +1,31 @@
+services:
+ # === TAILSCALE ===
+ tailscale:
+ image: tailscale/tailscale:latest
+ container_name: infrahub-tailscale
+ hostname: infrahub
+ environment:
+ - TS_AUTHKEY=${TS_AUTHKEY}
+ - TS_STATE_DIR=/var/lib/tailscale
+ - TS_SERVE_CONFIG=/config/serve-config.json
+ volumes:
+ - tailscale-state:/var/lib/tailscale
+ - ./serve-config.json:/config/serve-config.json:ro
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ restart: unless-stopped
+
+ # === Infrahub ===
+ message-queue:
+ ports: !override
+ []
+ database:
+ ports: !override
+ []
+ infrahub-server:
+ ports: !override
+ []
+
+volumes:
+ tailscale-state:
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 5ff5202..98dd25a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
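Review bot: In docker-compose.override.yml (PATCH 1/3) the tailscale service is granted `SYS_MODULE` on top of `NET_ADMIN`, which lets the container load kernel modules on the host, and nothing visible in this file needs it: the service maps no `/dev/net/tun` device and does not set `TS_USERSPACE=false`, so it presumably runs in userspace networking mode. I would drop `- SYS_MODULE` (and `- NET_ADMIN` as well once userspace mode is confirmed) so that a compromise of the sidecar stays inside the container. The image is referenced as `tailscale/tailscale:latest` while the other images in this commit carry explicit versions; pinning it to a released tag or digest keeps the component that holds `TS_AUTHKEY` and the node state reproducible. A short comment above `cap_add` stating why each remaining capability is required would help the next reviewer.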
@@ -1,135 +1,316 @@ +--- +# yamllint disable rule:line-length +# The following environment variables are part of the Infrahub configuration options. +# For detailed information on these configuration options, please refer to the Infrahub documentation: +# https://docs.infrahub.app/reference/configuration +x-infrahub-config: &infrahub_config + AWS_ACCESS_KEY_ID: + AWS_DEFAULT_ACL: ${AWS_DEFAULT_ACL:-private} + AWS_QUERYSTRING_AUTH: ${AWS_QUERYSTRING_AUTH:-false} + AWS_S3_BUCKET_NAME: + AWS_S3_CUSTOM_DOMAIN: + AWS_S3_ENDPOINT_URL: + AWS_S3_USE_SSL: ${AWS_S3_USE_SSL:-true} + AWS_SECRET_ACCESS_KEY: + DB_TYPE: ${DB_TYPE:-neo4j} + INFRAHUB_ADDRESS: + INFRAHUB_ALLOW_ANONYMOUS_ACCESS: ${INFRAHUB_ALLOW_ANONYMOUS_ACCESS:-true} + INFRAHUB_ANALYTICS_ADDRESS: + INFRAHUB_ANALYTICS_API_KEY: + INFRAHUB_ANALYTICS_ENABLE: ${INFRAHUB_ANALYTICS_ENABLE:-true} + INFRAHUB_ANONYMOUS_ACCESS_ROLE: ${INFRAHUB_ANONYMOUS_ACCESS_ROLE:-Anonymous User} + INFRAHUB_API_CORS_ALLOW_CREDENTIALS: ${INFRAHUB_API_CORS_ALLOW_CREDENTIALS:-true} + INFRAHUB_API_CORS_ALLOW_HEADERS: + INFRAHUB_API_CORS_ALLOW_METHODS: + INFRAHUB_API_CORS_ALLOW_ORIGINS: + INFRAHUB_BROKER_ADDRESS: ${INFRAHUB_BROKER_ADDRESS:-localhost} + INFRAHUB_BROKER_DRIVER: ${INFRAHUB_BROKER_DRIVER:-rabbitmq} + INFRAHUB_BROKER_ENABLE: ${INFRAHUB_BROKER_ENABLE:-true} + INFRAHUB_BROKER_MAXIMUM_CONCURRENT_MESSAGES: ${INFRAHUB_BROKER_MAXIMUM_CONCURRENT_MESSAGES:-2} + INFRAHUB_BROKER_MAXIMUM_MESSAGE_RETRIES: ${INFRAHUB_BROKER_MAXIMUM_MESSAGE_RETRIES:-10} + INFRAHUB_BROKER_NAMESPACE: ${INFRAHUB_BROKER_NAMESPACE:-infrahub} + INFRAHUB_BROKER_PASSWORD: &broker_password ${INFRAHUB_BROKER_PASSWORD:-infrahub} + INFRAHUB_BROKER_PORT: + INFRAHUB_BROKER_RABBITMQ_HTTP_PORT: + INFRAHUB_BROKER_TLS_CA_FILE: + INFRAHUB_BROKER_TLS_ENABLED: ${INFRAHUB_BROKER_TLS_ENABLED:-false} + INFRAHUB_BROKER_TLS_INSECURE: ${INFRAHUB_BROKER_TLS_INSECURE:-false} + INFRAHUB_BROKER_USERNAME: &broker_username ${INFRAHUB_BROKER_USERNAME:-infrahub} + INFRAHUB_BROKER_VIRTUALHOST: 
${INFRAHUB_BROKER_VIRTUALHOST:-/} + INFRAHUB_CACHE_ADDRESS: ${INFRAHUB_CACHE_ADDRESS:-localhost} + INFRAHUB_CACHE_CLEAN_UP_DEADLOCKS_INTERVAL_MINS: ${INFRAHUB_CACHE_CLEAN_UP_DEADLOCKS_INTERVAL_MINS:-15} + INFRAHUB_CACHE_DATABASE: ${INFRAHUB_CACHE_DATABASE:-0} + INFRAHUB_CACHE_DRIVER: ${INFRAHUB_CACHE_DRIVER:-redis} + INFRAHUB_CACHE_ENABLE: ${INFRAHUB_CACHE_ENABLE:-true} + INFRAHUB_CACHE_PASSWORD: &cache_password ${INFRAHUB_CACHE_PASSWORD:-} + INFRAHUB_CACHE_PORT: + INFRAHUB_CACHE_TLS_CA_FILE: + INFRAHUB_CACHE_TLS_ENABLED: ${INFRAHUB_CACHE_TLS_ENABLED:-false} + INFRAHUB_CACHE_TLS_INSECURE: ${INFRAHUB_CACHE_TLS_INSECURE:-false} + INFRAHUB_CACHE_USERNAME: &cache_username ${INFRAHUB_CACHE_USERNAME:-} + INFRAHUB_CONFIG: + INFRAHUB_DB_ADDRESS: ${INFRAHUB_DB_ADDRESS:-localhost} + INFRAHUB_DB_DATABASE: + INFRAHUB_DB_MAX_CONCURRENT_QUERIES: ${INFRAHUB_DB_MAX_CONCURRENT_QUERIES:-0} + INFRAHUB_DB_MAX_CONCURRENT_QUERIES_DELAY: ${INFRAHUB_DB_MAX_CONCURRENT_QUERIES_DELAY:-0.01} + INFRAHUB_DB_MAX_DEPTH_SEARCH_HIERARCHY: ${INFRAHUB_DB_MAX_DEPTH_SEARCH_HIERARCHY:-5} + INFRAHUB_DB_PASSWORD: ${INFRAHUB_DB_PASSWORD:-admin} + INFRAHUB_DB_POLICY: + INFRAHUB_DB_PORT: ${INFRAHUB_DB_PORT:-7687} + INFRAHUB_DB_PROTOCOL: ${INFRAHUB_DB_PROTOCOL:-bolt} + INFRAHUB_DB_QUERY_SIZE_LIMIT: ${INFRAHUB_DB_QUERY_SIZE_LIMIT:-5000} + INFRAHUB_DB_RETRY_LIMIT: ${INFRAHUB_DB_RETRY_LIMIT:-3} + INFRAHUB_DB_TLS_CA_FILE: + INFRAHUB_DB_TLS_ENABLED: ${INFRAHUB_DB_TLS_ENABLED:-false} + INFRAHUB_DB_TLS_INSECURE: ${INFRAHUB_DB_TLS_INSECURE:-false} + INFRAHUB_DB_TYPE: ${INFRAHUB_DB_TYPE:-neo4j} + INFRAHUB_DB_USERNAME: ${INFRAHUB_DB_USERNAME:-neo4j} + INFRAHUB_DOCS_INDEX_PATH: ${INFRAHUB_DOCS_INDEX_PATH:-/opt/infrahub/docs/build/search-index.json} + INFRAHUB_EXPERIMENTAL_GRAPHQL_ENUMS: ${INFRAHUB_EXPERIMENTAL_GRAPHQL_ENUMS:-false} + INFRAHUB_EXPERIMENTAL_VALUE_DB_INDEX: ${INFRAHUB_EXPERIMENTAL_VALUE_DB_INDEX:-false} + INFRAHUB_GIT_APPEND_GIT_SUFFIX: + INFRAHUB_GIT_GLOBAL_CONFIG_FILE: 
${INFRAHUB_GIT_GLOBAL_CONFIG_FILE:-/opt/infrahub/.gitconfig} + INFRAHUB_GIT_IMPORT_SYNC_BRANCH_NAMES: + INFRAHUB_GIT_REPOSITORIES_DIRECTORY: ${INFRAHUB_GIT_REPOSITORIES_DIRECTORY:-repositories} + INFRAHUB_GIT_SYNC_INTERVAL: ${INFRAHUB_GIT_SYNC_INTERVAL:-10} + INFRAHUB_GIT_USER_EMAIL: ${INFRAHUB_GIT_USER_EMAIL:-infrahub@opsmill.com} + INFRAHUB_GIT_USER_NAME: ${INFRAHUB_GIT_USER_NAME:-Infrahub} + INFRAHUB_GIT_USE_EXPLICIT_MERGE_COMMIT: ${INFRAHUB_GIT_USE_EXPLICIT_MERGE_COMMIT:-false} + INFRAHUB_HTTP_TIMEOUT: ${INFRAHUB_HTTP_TIMEOUT:-10} + INFRAHUB_HTTP_TLS_CA_BUNDLE: + INFRAHUB_HTTP_TLS_INSECURE: ${INFRAHUB_HTTP_TLS_INSECURE:-false} + INFRAHUB_INITIAL_ADMIN_PASSWORD: ${INFRAHUB_INITIAL_ADMIN_PASSWORD:-infrahub} + INFRAHUB_INITIAL_ADMIN_TOKEN: + INFRAHUB_INITIAL_AGENT_PASSWORD: + INFRAHUB_INITIAL_AGENT_TOKEN: + INFRAHUB_INITIAL_DEFAULT_BRANCH: ${INFRAHUB_INITIAL_DEFAULT_BRANCH:-main} + INFRAHUB_INTERNAL_ADDRESS: + INFRAHUB_LOGGING_REMOTE_API_SERVER_DSN: + INFRAHUB_LOGGING_REMOTE_ENABLE: ${INFRAHUB_LOGGING_REMOTE_ENABLE:-false} + INFRAHUB_LOGGING_REMOTE_FRONTEND_DSN: + INFRAHUB_LOGGING_REMOTE_GIT_AGENT_DSN: + INFRAHUB_LOG_LEVEL: + INFRAHUB_MISC_MAXIMUM_VALIDATOR_EXECUTION_TIME: ${INFRAHUB_MISC_MAXIMUM_VALIDATOR_EXECUTION_TIME:-1800} + INFRAHUB_MISC_PRINT_QUERY_DETAILS: ${INFRAHUB_MISC_PRINT_QUERY_DETAILS:-false} + INFRAHUB_MISC_RESPONSE_DELAY: ${INFRAHUB_MISC_RESPONSE_DELAY:-0} + INFRAHUB_MISC_START_BACKGROUND_RUNNER: ${INFRAHUB_MISC_START_BACKGROUND_RUNNER:-true} + INFRAHUB_PERMISSION_BACKENDS: ${INFRAHUB_PERMISSION_BACKENDS:-["infrahub.permissions.LocalPermissionBackend"]} + INFRAHUB_POLICY_REQUIRED_PROPOSED_CHANGE_APPROVALS: ${INFRAHUB_POLICY_REQUIRED_PROPOSED_CHANGE_APPROVALS:-0} + INFRAHUB_POLICY_REVOKE_PROPOSED_CHANGE_APPROVALS: ${INFRAHUB_POLICY_REVOKE_PROPOSED_CHANGE_APPROVALS:-false} + INFRAHUB_PRODUCTION: + INFRAHUB_PUBLIC_URL: + INFRAHUB_SCHEMA_STRICT_MODE: ${INFRAHUB_SCHEMA_STRICT_MODE:-true} + INFRAHUB_SECURITY_ACCESS_TOKEN_LIFETIME: 
${INFRAHUB_SECURITY_ACCESS_TOKEN_LIFETIME:-3600} + INFRAHUB_SECURITY_REFRESH_TOKEN_LIFETIME: ${INFRAHUB_SECURITY_REFRESH_TOKEN_LIFETIME:-2592000} + INFRAHUB_SECURITY_RESTRICT_UNTRUSTED_JINJA2_FILTERS: ${INFRAHUB_SECURITY_RESTRICT_UNTRUSTED_JINJA2_FILTERS:-true} + INFRAHUB_SECURITY_SECRET_KEY: + INFRAHUB_STORAGE_BUCKET_NAME: + INFRAHUB_STORAGE_CUSTOM_DOMAIN: + INFRAHUB_STORAGE_DEFAULT_ACL: ${INFRAHUB_STORAGE_DEFAULT_ACL:-private} + INFRAHUB_STORAGE_DRIVER: ${INFRAHUB_STORAGE_DRIVER:-local} + INFRAHUB_STORAGE_ENDPOINT_URL: + INFRAHUB_STORAGE_LOCAL_PATH: ${INFRAHUB_STORAGE_LOCAL_PATH:-/opt/infrahub/storage} + INFRAHUB_STORAGE_QUERYSTRING_AUTH: ${INFRAHUB_STORAGE_QUERYSTRING_AUTH:-false} + INFRAHUB_STORAGE_USE_SSL: ${INFRAHUB_STORAGE_USE_SSL:-true} + INFRAHUB_TELEMETRY_ENDPOINT: ${INFRAHUB_TELEMETRY_ENDPOINT:-https://telemetry.opsmill.cloud/infrahub} + INFRAHUB_TELEMETRY_INTERVAL: + INFRAHUB_TELEMETRY_OPTOUT: ${INFRAHUB_TELEMETRY_OPTOUT:-false} + INFRAHUB_TIMEOUT: + INFRAHUB_TRACE_ENABLE: ${INFRAHUB_TRACE_ENABLE:-false} + INFRAHUB_TRACE_EXPORTER_ENDPOINT: + INFRAHUB_TRACE_EXPORTER_PROTOCOL: ${INFRAHUB_TRACE_EXPORTER_PROTOCOL:-grpc} + INFRAHUB_TRACE_EXPORTER_TYPE: ${INFRAHUB_TRACE_EXPORTER_TYPE:-console} + INFRAHUB_TRACE_INSECURE: ${INFRAHUB_TRACE_INSECURE:-true} + INFRAHUB_WORKFLOW_ADDRESS: ${INFRAHUB_WORKFLOW_ADDRESS:-localhost} + INFRAHUB_WORKFLOW_DEFAULT_WORKER_TYPE: ${INFRAHUB_WORKFLOW_DEFAULT_WORKER_TYPE:-infrahubasync} + INFRAHUB_WORKFLOW_DRIVER: ${INFRAHUB_WORKFLOW_DRIVER:-worker} + INFRAHUB_WORKFLOW_ENABLE: ${INFRAHUB_WORKFLOW_ENABLE:-true} + INFRAHUB_WORKFLOW_EXTRA_LOGGERS: + INFRAHUB_WORKFLOW_EXTRA_LOG_LEVEL: ${INFRAHUB_WORKFLOW_EXTRA_LOG_LEVEL:-INFO} + INFRAHUB_WORKFLOW_FLOW_RUN_COUNT_CACHE_THRESHOLD: ${INFRAHUB_WORKFLOW_FLOW_RUN_COUNT_CACHE_THRESHOLD:-100000} + INFRAHUB_WORKFLOW_PORT: + INFRAHUB_WORKFLOW_TLS_ENABLED: ${INFRAHUB_WORKFLOW_TLS_ENABLED:-false} + INFRAHUB_WORKFLOW_WORKER_POLLING_INTERVAL: ${INFRAHUB_WORKFLOW_WORKER_POLLING_INTERVAL:-2} + 
OTEL_RESOURCE_ATTRIBUTES: + +x-infrahub-sso: &infrahub_sso + INFRAHUB_SECURITY_SSO_USER_DEFAULT_GROUP: + INFRAHUB_SECURITY_OAUTH2_PROVIDERS: + INFRAHUB_SECURITY_OAUTH2_PROVIDER_SETTINGS: + INFRAHUB_SECURITY_OIDC_PROVIDERS: + INFRAHUB_SECURITY_OIDC_PROVIDER_SETTINGS: + # Provider related settings + ## OAUTH2 Provider 1 + INFRAHUB_OAUTH2_PROVIDER1_CLIENT_ID: + INFRAHUB_OAUTH2_PROVIDER1_CLIENT_SECRET: + INFRAHUB_OAUTH2_PROVIDER1_AUTHORIZATION_URL: + INFRAHUB_OAUTH2_PROVIDER1_TOKEN_URL: + INFRAHUB_OAUTH2_PROVIDER1_USERINFO_URL: + INFRAHUB_OAUTH2_PROVIDER1_DISPLAY_LABEL: + INFRAHUB_OAUTH2_PROVIDER1_ICON: + ## OIDC Provider 1 + INFRAHUB_OIDC_PROVIDER1_CLIENT_ID: + INFRAHUB_OIDC_PROVIDER1_CLIENT_SECRET: + INFRAHUB_OIDC_PROVIDER1_DISCOVERY_URL: + INFRAHUB_OIDC_PROVIDER1_DISPLAY_LABEL: + INFRAHUB_OIDC_PROVIDER1_ICON: + +x-task-manager-config: + INFRAHUB_TASKMANAGER_DB_USER: ${INFRAHUB_TASKMANAGER_DB_USER:-postgres} + INFRAHUB_TASKMANAGER_DB_PASSWORD: ${INFRAHUB_TASKMANAGER_DB_PASSWORD:-postgres} + INFRAHUB_TASKMANAGER_DB_DATABASE: ${INFRAHUB_TASKMANAGER_DB_DATABASE:-prefect} + services: - # === TAILSCALE === - tailscale: - image: tailscale/tailscale:latest - container_name: infrahub-tailscale - hostname: infrahub - environment: - - TS_AUTHKEY=${TS_AUTHKEY} - - TS_STATE_DIR=/var/lib/tailscale - - TS_SERVE_CONFIG=/config/serve-config.json - volumes: - - tailscale-state:/var/lib/tailscale - - ./serve-config.json:/config/serve-config.json:ro - cap_add: - - NET_ADMIN - - SYS_MODULE + message-queue: + image: ${MESSAGE_QUEUE_DOCKER_IMAGE:-rabbitmq:4.2.1-management} restart: unless-stopped - - # === NEO4J (Graph Database) === - database: - image: neo4j:5.23-community - container_name: infrahub-database environment: - - NEO4J_AUTH=neo4j/${NEO4J_PASSWORD:-infrahub} - - NEO4J_PLUGINS=["apoc"] - - NEO4J_dbms_security_procedures_unrestricted=apoc.* - - NEO4J_dbms_security_procedures_allowlist=apoc.* - - NEO4J_server_memory_heap_initial__size=1G - - NEO4J_server_memory_heap_max__size=2G 
- - NEO4J_server_memory_pagecache_size=1G - volumes: - - neo4j-data:/data - - neo4j-logs:/logs + RABBITMQ_DEFAULT_USER: *broker_username + RABBITMQ_DEFAULT_PASS: *broker_password healthcheck: - test: ["CMD", "wget", "-q", "--spider", "http://localhost:7474"] - interval: 30s - timeout: 10s - retries: 5 - start_period: 60s - restart: unless-stopped + test: rabbitmq-diagnostics -q check_port_connectivity + interval: 5s + timeout: 30s + retries: 10 + start_period: 3s + ports: + - 15692:15692 - # === REDIS (Cache) === cache: - image: redis:7-alpine - container_name: infrahub-cache - command: redis-server --appendonly yes - volumes: - - redis-data:/data + image: ${CACHE_DOCKER_IMAGE:-redis:8.4.0} + restart: unless-stopped healthcheck: - test: ["CMD", "redis-cli", "ping"] - interval: 10s + test: ["CMD-SHELL", "redis-cli ping | grep PONG"] + interval: 5s timeout: 5s retries: 3 - restart: unless-stopped - # === RABBITMQ (Message Queue) === - message-queue: - image: rabbitmq:3-management-alpine - container_name: infrahub-message-queue + database: + image: ${NEO4J_DOCKER_IMAGE:-neo4j:2025.10.1-community} + restart: unless-stopped environment: - - RABBITMQ_DEFAULT_USER=${RABBITMQ_USER:-infrahub} - - RABBITMQ_DEFAULT_PASS=${RABBITMQ_PASSWORD:-infrahub} + NEO4J_AUTH: ${INFRAHUB_DB_USERNAME:-neo4j}/${INFRAHUB_DB_PASSWORD:-admin} + NEO4J_dbms_security_procedures_unrestricted: "apoc.*" + NEO4J_dbms_security_auth__minimum__password__length: 4 volumes: - - rabbitmq-data:/var/lib/rabbitmq + - "database_data:/data" + - "database_logs:/logs" healthcheck: - test: ["CMD", "rabbitmq-diagnostics", "check_running"] - interval: 30s + test: wget -O /dev/null http://localhost:7474 || exit 1 + interval: 2s timeout: 10s - retries: 5 - start_period: 30s - restart: unless-stopped + retries: 20 + start_period: 3s + ports: + - 2004:2004 + - 6362:6362 - # === INFRAHUB SERVER === - infrahub-server: - image: registry.opsmill.io/opsmill/infrahub:${VERSION:-latest} - container_name: infrahub-server - 
network_mode: service:tailscale + task-manager: + image: "${INFRAHUB_DOCKER_IMAGE:-registry.opsmill.io/opsmill/infrahub}:${VERSION:-1.7.4}" + command: uvicorn --host 0.0.0.0 --port 4200 --factory infrahub.prefect_server.app:create_infrahub_prefect + restart: unless-stopped depends_on: - tailscale: - condition: service_started - database: + task-manager-db: condition: service_healthy - cache: + environment: + PREFECT_API_DATABASE_CONNECTION_URL: postgresql+asyncpg://${INFRAHUB_TASKMANAGER_DB_USER:-postgres}:${INFRAHUB_TASKMANAGER_DB_PASSWORD:-postgres}@task-manager-db:5432/${INFRAHUB_TASKMANAGER_DB_DATABASE:-prefect} + healthcheck: + test: curl -s -f -o /dev/null http://localhost:4200/api/health || exit 1 + interval: 5s + timeout: 5s + retries: 20 + start_period: 10s + + task-manager-db: + image: "${POSTGRES_DOCKER_IMAGE:-pgautoupgrade/pgautoupgrade:18-alpine}" + restart: unless-stopped + environment: + - POSTGRES_USER=${INFRAHUB_TASKMANAGER_DB_USER:-postgres} + - POSTGRES_PASSWORD=${INFRAHUB_TASKMANAGER_DB_PASSWORD:-postgres} + - POSTGRES_DB=${INFRAHUB_TASKMANAGER_DB_DATABASE:-prefect} + volumes: + - workflow_db:/var/lib/postgresql/18/docker + healthcheck: + test: + - "CMD-SHELL" + - "pg_isready -q -d ${INFRAHUB_TASKMANAGER_DB_DATABASE:-prefect} -U ${INFRAHUB_TASKMANAGER_DB_USER:-postgres}" + interval: 10s + timeout: 5s + retries: 5 + + infrahub-server: + image: "${INFRAHUB_DOCKER_IMAGE:-registry.opsmill.io/opsmill/infrahub}:${VERSION:-1.7.4}" + restart: unless-stopped + command: > + gunicorn --config backend/infrahub/serve/gunicorn_config.py + -w ${WEB_CONCURRENCY:-4} + --logger-class infrahub.serve.log.GunicornLogger + infrahub.server:app + depends_on: + database: condition: service_healthy message-queue: condition: service_healthy + cache: + condition: service_healthy + task-manager: + condition: service_healthy environment: - - INFRAHUB_DB_TYPE=neo4j - - INFRAHUB_DB_ADDRESS=database - - INFRAHUB_DB_PORT=7687 - - INFRAHUB_DB_USERNAME=neo4j - - 
INFRAHUB_DB_PASSWORD=${NEO4J_PASSWORD:-infrahub} - - INFRAHUB_CACHE_ADDRESS=cache - - INFRAHUB_CACHE_PORT=6379 - - INFRAHUB_BROKER_ADDRESS=message-queue - - INFRAHUB_BROKER_PORT=5672 - - INFRAHUB_BROKER_USERNAME=${RABBITMQ_USER:-infrahub} - - INFRAHUB_BROKER_PASSWORD=${RABBITMQ_PASSWORD:-infrahub} - - INFRAHUB_INITIAL_ADMIN_TOKEN=${INFRAHUB_ADMIN_TOKEN} - - INFRAHUB_SECURITY_SECRET_KEY=${INFRAHUB_SECRET_KEY} - - INFRAHUB_ALLOW_ANONYMOUS_ACCESS=${INFRAHUB_ALLOW_ANONYMOUS:-false} - - INFRAHUB_LOG_LEVEL=${INFRAHUB_LOG_LEVEL:-INFO} - - INFRAHUB_API_HOST=0.0.0.0 - - INFRAHUB_API_PORT=8000 - command: infrahub server start - restart: unless-stopped + <<: [*infrahub_config, *infrahub_sso] + INFRAHUB_PRODUCTION: ${INFRAHUB_PRODUCTION:-false} + INFRAHUB_LOG_LEVEL: ${INFRAHUB_LOG_LEVEL:-INFO} + INFRAHUB_BROKER_ADDRESS: ${INFRAHUB_BROKER_ADDRESS:-message-queue} + INFRAHUB_CACHE_ADDRESS: ${INFRAHUB_CACHE_ADDRESS:-cache} + INFRAHUB_DB_ADDRESS: ${INFRAHUB_DB_ADDRESS:-database} + INFRAHUB_WORKFLOW_ADDRESS: ${INFRAHUB_WORKFLOW_ADDRESS:-task-manager} + INFRAHUB_INITIAL_ADMIN_TOKEN: ${INFRAHUB_INITIAL_ADMIN_TOKEN:-06438eb2-8019-4776-878c-0941b1f1d1ec} + INFRAHUB_INITIAL_AGENT_TOKEN: ${INFRAHUB_INITIAL_AGENT_TOKEN:-44af444d-3b26-410d-9546-b758657e026c} + INFRAHUB_SECURITY_SECRET_KEY: ${INFRAHUB_SECURITY_SECRET_KEY:-327f747f-efac-42be-9e73-999f08f86b92"} + INFRAHUB_WORKFLOW_PORT: ${INFRAHUB_WORKFLOW_PORT:-4200} + PREFECT_API_URL: http://${INFRAHUB_WORKFLOW_ADDRESS:-task-manager}:${INFRAHUB_WORKFLOW_PORT:-4200}/api + ports: + - 8000:8000 + volumes: + - "storage_data:${INFRAHUB_STORAGE_LOCAL_PATH:-/opt/infrahub/storage}" + - "workflow_data:/opt/infrahub/workflow" + tty: true + healthcheck: + test: curl -s -f -o /dev/null http://localhost:8000/api/config || exit 1 + interval: 5s + timeout: 5s + retries: 20 + start_period: 10s - # === INFRAHUB TASK WORKER === task-worker: - image: registry.opsmill.io/opsmill/infrahub:${VERSION:-latest} - container_name: infrahub-task-worker + deploy: + 
mode: replicated + replicas: 2 + image: "${INFRAHUB_DOCKER_IMAGE:-registry.opsmill.io/opsmill/infrahub}:${VERSION:-1.7.4}" + command: prefect worker start --type infrahubasync --pool infrahub-worker --with-healthcheck + restart: unless-stopped depends_on: - infrahub-server environment: - - INFRAHUB_DB_TYPE=neo4j - - INFRAHUB_DB_ADDRESS=database - - INFRAHUB_DB_PORT=7687 - - INFRAHUB_DB_USERNAME=neo4j - - INFRAHUB_DB_PASSWORD=${NEO4J_PASSWORD:-infrahub} - - INFRAHUB_CACHE_ADDRESS=cache - - INFRAHUB_CACHE_PORT=6379 - - INFRAHUB_BROKER_ADDRESS=message-queue - - INFRAHUB_BROKER_PORT=5672 - - INFRAHUB_BROKER_USERNAME=${RABBITMQ_USER:-infrahub} - - INFRAHUB_BROKER_PASSWORD=${RABBITMQ_PASSWORD:-infrahub} - - INFRAHUB_LOG_LEVEL=${INFRAHUB_LOG_LEVEL:-INFO} - command: infrahub server start --worker - restart: unless-stopped + <<: *infrahub_config + INFRAHUB_PRODUCTION: ${INFRAHUB_PRODUCTION:-false} + INFRAHUB_LOG_LEVEL: ${INFRAHUB_LOG_LEVEL:-DEBUG} + INFRAHUB_GIT_REPOSITORIES_DIRECTORY: ${INFRAHUB_GIT_REPOSITORIES_DIRECTORY:-/opt/infrahub/git} + INFRAHUB_API_TOKEN: ${INFRAHUB_INITIAL_AGENT_TOKEN:-44af444d-3b26-410d-9546-b758657e026c} + INFRAHUB_SECURITY_SECRET_KEY: ${INFRAHUB_SECURITY_SECRET_KEY:-327f747f-efac-42be-9e73-999f08f86b92"} + INFRAHUB_ADDRESS: ${INFRAHUB_ADDRESS:-http://infrahub-server:8000} + INFRAHUB_INTERNAL_ADDRESS: ${INFRAHUB_INTERNAL_ADDRESS:-http://infrahub-server:8000} + INFRAHUB_BROKER_ADDRESS: ${INFRAHUB_BROKER_ADDRESS:-message-queue} + INFRAHUB_CACHE_ADDRESS: ${INFRAHUB_CACHE_ADDRESS:-cache} + INFRAHUB_DB_ADDRESS: ${INFRAHUB_DB_ADDRESS:-database} + INFRAHUB_WORKFLOW_ADDRESS: ${INFRAHUB_WORKFLOW_ADDRESS:-task-manager} + INFRAHUB_TIMEOUT: ${INFRAHUB_TIMEOUT:-60} + INFRAHUB_WORKFLOW_PORT: ${INFRAHUB_WORKFLOW_PORT:-4200} + PREFECT_API_URL: http://${INFRAHUB_WORKFLOW_ADDRESS:-task-manager}:${INFRAHUB_WORKFLOW_PORT:-4200}/api + tty: true volumes: - tailscale-state: - neo4j-data: - neo4j-logs: - redis-data: - rabbitmq-data: + database_data: + database_logs: + 
storage_data: + workflow_db: + workflow_data: \ No newline at end of file -- 2.53.0 From 55836f2e3b68e21846461f1c6c0263dc0f0f94e3 Mon Sep 17 00:00:00 2001 From: Damien Date: Thu, 5 Feb 2026 11:30:48 +0100 Subject: [PATCH 2/3] fix(compose): remove non-standard !override tags from ports Remove the `!override` custom YAML tag from the `ports` configuration for the `message-queue`, `database`, and `infrahub-server` services. This ensures compatibility with standard Docker Compose parsers while maintaining the behavior of disabling port mappings by providing an empty list. --- docker-compose.override.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker-compose.override.yml b/docker-compose.override.yml index 305153f..463791f 100644 --- a/docker-compose.override.yml +++ b/docker-compose.override.yml @@ -18,13 +18,13 @@ services: # === Infrahub === message-queue: - ports: !override + ports: [] database: - ports: !override + ports: [] infrahub-server: - ports: !override + ports: [] volumes: -- 2.53.0 From 1d393a1341c6c5590fdd047250fbc86df3370bde Mon Sep 17 00:00:00 2001 From: Damien Date: Thu, 5 Feb 2026 11:36:39 +0100 Subject: [PATCH 3/3] chore(docker): explicitly override ports to prevent merging Update `docker-compose.override.yml` to use the `!override` tag on the `ports` configuration for `message-queue`, `database`, and `infrahub-server`. This change ensures that Docker Compose replaces the ports list rather than merging it with the base configuration, strictly preventing these services from exposing ports. --- docker-compose.override.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker-compose.override.yml b/docker-compose.override.yml index 463791f..305153f 100644 --- a/docker-compose.override.yml +++ b/docker-compose.override.yml 
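Review bot: In docker-compose.yml (PATCH 1/3) `INFRAHUB_INITIAL_ADMIN_TOKEN`, `INFRAHUB_INITIAL_AGENT_TOKEN` and `INFRAHUB_SECURITY_SECRET_KEY` now fall back to fixed values committed in the file, where the removed lines passed `${INFRAHUB_ADMIN_TOKEN}` and `${INFRAHUB_SECRET_KEY}` with no default; because the variable names changed too, an environment file written for the old names would no longer be read and the stack would start on these published values. The same hunk flips the anonymous-access default from `false` to `true`, sets the Neo4j minimum password length to 4 alongside the `admin` default, and publishes 8000, 15692, 2004 and 6362 on the host unless the override file is loaded. I would make the secrets mandatory with Compose's required-variable form, e.g. `INFRAHUB_SECURITY_SECRET_KEY: ${INFRAHUB_SECURITY_SECRET_KEY:?set INFRAHUB_SECURITY_SECRET_KEY}`, on both infrahub-server and task-worker, and keep `INFRAHUB_ALLOW_ANONYMOUS_ACCESS` defaulting to `false`. The secret-key fallback also ends in a stray `"` before the closing brace in both services, which appears to become part of the value. `x-task-manager-config` has no anchor and is not referenced anywhere in the hunk, so the task-manager database credentials are still spelled out separately in task-manager and task-manager-db.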
@@ -18,13 +18,13 @@ services: # === Infrahub === message-queue: - ports: + ports: !override [] database: - ports: + ports: !override [] infrahub-server: - ports: + ports: !override [] volumes: -- 2.53.0
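Review bot: The `!override` tags restored in PATCH 3/3 are the only thing keeping 15692, 2004/6362 and 8000 off the host, because Compose concatenates sequences such as `ports` when it merges files and a plain `ports: []` (the state after PATCH 2/3) leaves the base mappings published; the file should say so next to the tags. I would add a comment above the three services, for example `# !override replaces the base list; a plain [] is merged and the base ports stay published`, so the tag is not removed again as non-standard. The tag is a Compose extension that, as far as I know, requires Docker Compose 2.24.4 or later, so the minimum version is worth stating in the project documentation, and the merged result can be checked with `docker compose config` before the stack is relied on. The hunk's context stops at `volumes:`, so the rest of the override file is outside what is shown here.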