Teren-app/docker-compose.yaml.example
Simon Pocrnjič df6c3133ec docker setup
2026-01-14 17:33:31 +01:00


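# NOTE(review): the top-level `version` key is obsolete under the Compose
# Specification and is ignored by current Docker Compose; kept as authored.
version: '3.8'

# Secrets below use `${VAR:?message}` so that `docker compose` refuses to
# start when a credential is unset, instead of silently falling back to an
# empty or well-known default value.
services:
  # Laravel Application
  # Supervisor runs inside the container (defined in Dockerfile).
  # Includes PHP-FPM, Laravel queue workers, and queue-sms workers.
  app:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        - PHP_VERSION=8.4
    container_name: teren-app
    restart: unless-stopped
    working_dir: /var/www
    volumes:
      # The whole project directory is bind-mounted, so anything stored next
      # to this file (environment files, VCS metadata) is visible inside the
      # container. The two narrower binds below are already covered by it.
      - ./:/var/www
      - ./storage:/var/www/storage
      - ./bootstrap/cache:/var/www/bootstrap/cache
    environment:
      - APP_ENV=${APP_ENV:-production}
      # Keep debug off outside development: Laravel debug pages disclose
      # configuration and environment values to whoever triggers an error.
      - APP_DEBUG=${APP_DEBUG:-false}
      - DB_CONNECTION=pgsql
      - DB_HOST=postgres
      - DB_PORT=5432
      - DB_DATABASE=${DB_DATABASE:?DB_DATABASE must be set}
      - DB_USERNAME=${DB_USERNAME:?DB_USERNAME must be set}
      - DB_PASSWORD=${DB_PASSWORD:?DB_PASSWORD must be set}
      - REDIS_HOST=redis
      - REDIS_PORT=6379
      - QUEUE_CONNECTION=redis
      - LIBREOFFICE_BIN=/usr/bin/soffice
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - teren-network

  # Nginx Web Server (VPN-only access)
  nginx:
    # NOTE(review): `alpine` is a floating tag; pin a reviewed tag or digest
    # so a rebuild cannot silently pull a different image.
    image: nginx:alpine
    container_name: teren-nginx
    restart: unless-stopped
    ports:
      # NOTE(review): Docker can only publish on 10.13.13.1 if that address
      # is assigned to an interface on the Docker host. WG_DEFAULT_ADDRESS in
      # the wireguard service puts 10.13.13.x on the VPN container's
      # interface; confirm the host itself holds 10.13.13.1.
      - "10.13.13.1:80:80"  # Only accessible via WireGuard VPN
      - "10.13.13.1:443:443"  # Only accessible via WireGuard VPN
    volumes:
      # Nginx only reads these paths, so they are mounted read-only: a
      # compromised web server cannot rewrite application code, its own
      # configuration, or certificate material.
      # NOTE(review): presumably only the public/ directory has to be
      # served; confirm against docker/nginx/conf.d and narrow this bind.
      - ./:/var/www:ro
      - ./docker/nginx/conf.d:/etc/nginx/conf.d:ro
      - ./docker/nginx/ssl:/etc/nginx/ssl:ro
      - ./docker/certbot/conf:/etc/letsencrypt:ro
      - ./docker/certbot/www:/var/www/certbot:ro
    depends_on:
      - app
    networks:
      - teren-network
    # Reloads nginx every 6h in the background so renewed certificates are
    # picked up, while nginx itself runs in the foreground.
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"

  # Certbot for SSL certificates
  certbot:
    # NOTE(review): no tag given, so this resolves to `latest`; pin a
    # reviewed tag or digest.
    image: certbot/certbot
    container_name: teren-certbot
    restart: unless-stopped
    volumes:
      # Holds certificates and account keys; keep this directory out of
      # version control and restrict its permissions on the host.
      - ./docker/certbot/conf:/etc/letsencrypt
      - ./docker/certbot/www:/var/www/certbot
    # Attempts a renewal every 12h and exits cleanly on SIGTERM.
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
    networks:
      - teren-network

  # PostgreSQL Database
  postgres:
    image: postgres:16-alpine
    container_name: teren-postgres
    restart: unless-stopped
    ports:
      # Published for host-side tooling only; the app reaches the database
      # over teren-network. Drop this mapping if no host tool needs it.
      - "127.0.0.1:5432:5432"  # Only accessible via localhost (or VPN)
    environment:
      - POSTGRES_DB=${DB_DATABASE:?DB_DATABASE must be set}
      - POSTGRES_USER=${DB_USERNAME:?DB_USERNAME must be set}
      - POSTGRES_PASSWORD=${DB_PASSWORD:?DB_PASSWORD must be set}
      - PGDATA=/var/lib/postgresql/data/pgdata
    volumes:
      - postgres-data:/var/lib/postgresql/data
      # Scripts in this directory run when the data directory is first
      # initialised; review what is placed there.
      - ./docker/postgres/init:/docker-entrypoint-initdb.d
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${DB_USERNAME}"]
      interval: 10s
      timeout: 5s
      retries: 5
    networks:
      - teren-network

  # pgAdmin - PostgreSQL UI
  pgadmin:
    # NOTE(review): `latest` is a floating tag; pin a reviewed tag or digest.
    image: dpage/pgadmin4:latest
    container_name: teren-pgadmin
    restart: unless-stopped
    ports:
      - "127.0.0.1:5050:80"  # Only accessible via localhost (or VPN)
    environment:
      - PGADMIN_DEFAULT_EMAIL=${PGADMIN_EMAIL:-admin@admin.com}
      # No fallback password: a database console must never come up with a
      # guessable default login.
      - PGADMIN_DEFAULT_PASSWORD=${PGADMIN_PASSWORD:?PGADMIN_PASSWORD must be set}
      - PGADMIN_CONFIG_SERVER_MODE=True
      - PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED=True
    volumes:
      - pgadmin-data:/var/lib/pgadmin
    depends_on:
      - postgres
    networks:
      - teren-network

  # Redis for caching and queues
  redis:
    image: redis:7-alpine
    container_name: teren-redis
    restart: unless-stopped
    ports:
      # Published for host-side tooling only; the app reaches Redis over
      # teren-network. Drop this mapping if no host tool needs it.
      - "127.0.0.1:6379:6379"
    volumes:
      - redis-data:/data
    # NOTE(review): no password or ACL is configured here, so every
    # container on teren-network can issue Redis commands, including the
    # queue the app consumes. Consider enabling authentication.
    command: redis-server --appendonly yes
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 3s
      retries: 5
    networks:
      - teren-network

  # WireGuard VPN with Web UI Dashboard
  wireguard:
    # NOTE(review): `latest` is a floating tag; pin a reviewed tag or digest
    # and verify this repository is still the maintained upstream image.
    image: weejewel/wg-easy:latest
    container_name: teren-wireguard
    restart: unless-stopped
    # NET_ADMIN is needed to manage the tunnel interface. SYS_MODULE lets
    # the container load kernel modules; drop it if the host already
    # provides the WireGuard module.
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      # Your VPS public IP or domain
      - WG_HOST=${WG_SERVERURL:?WG_SERVERURL must be set}
      # Password for WireGuard UI. Required: the UI port below is published
      # on every host interface, and this password is all that protects the
      # ability to create VPN peers.
      - PASSWORD=${WG_UI_PASSWORD:?WG_UI_PASSWORD must be set}
      - WG_PORT=51820
      - WG_DEFAULT_ADDRESS=10.13.13.x
      - WG_DEFAULT_DNS=1.1.1.1,1.0.0.1
      - WG_MTU=1420
      - WG_PERSISTENT_KEEPALIVE=25
      - WG_ALLOWED_IPS=10.13.13.0/24
    volumes:
      # Holds the server and peer configuration, private keys included.
      - wireguard-data:/etc/wireguard
    ports:
      - "51820:51820/udp"  # WireGuard VPN port (public)
      # Restrict or remove this mapping as soon as the first peer works, and
      # firewall it to the administrator's address in the meantime.
      - "51821:51821/tcp"  # WireGuard Web UI (public for initial setup, then VPN-only)
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv4.ip_forward=1
    networks:
      - teren-network

  # Portainer - Docker Management UI (VPN-only access)
  portainer:
    # NOTE(review): `latest` is a floating tag; pin a reviewed tag or digest.
    image: portainer/portainer-ce:latest
    container_name: teren-portainer
    restart: unless-stopped
    ports:
      - "10.13.13.1:9000:9000"  # Portainer UI (VPN-only)
      - "10.13.13.1:9443:9443"  # Portainer HTTPS (VPN-only)
    volumes:
      # Access to the Docker socket is equivalent to root on the host:
      # anyone who can log in to Portainer can start privileged containers.
      # Set a strong admin password on first start and prefer the HTTPS port.
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer-data:/data
    networks:
      - teren-network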
# One user-defined bridge network, attached to every service in this file.
# Services address each other by service name on it (for example the app
# uses `postgres` and `redis` as hostnames).
networks:
  teren-network:
    driver: bridge
# Named volumes on the local driver; they persist across container
# re-creation and hold the state of the services that mount them.
volumes:
  # Mounted at /var/lib/postgresql/data by the postgres service.
  postgres-data:
    driver: local
  # Mounted at /var/lib/pgadmin by the pgadmin service.
  pgadmin-data:
    driver: local
  # Mounted at /data by the redis service (append-only file enabled).
  redis-data:
    driver: local
  # Mounted at /etc/wireguard by the wireguard service; include it in
  # backups with the same care as any other key material.
  wireguard-data:
    driver: local
  # Mounted at /data by the portainer service.
  portainer-data:
    driver: local