diff --git a/docker-compose.dokploy.yml b/docker-compose.dokploy.yml
new file mode 100644
index 0000000..2ad18e8
--- /dev/null
+++ b/docker-compose.dokploy.yml
@@ -0,0 +1,69 @@
+# =============================================================================
+# obsidian-notes : Ignis (real Obsidian, in the browser)
+# Lives at the ROOT of your manohar/ignis Forgejo mirror as a SEPARATE compose
+# file, so upstream's own docker-compose.yml stays untouched and pull-able.
+# In Dokploy: Compose app -> repo manohar/ignis -> Compose Path: docker-compose.dokploy.yml
+# Public endpoint: https://notes.manohargupta.com (Traefik basicAuth gate)
+# =============================================================================
+services:
+ ignis:
+ # Build from source — Ignis is NOT on any registry. Context "." is the repo
+ # root, which contains upstream's Dockerfile (downloads Obsidian on 1st run).
+ build: .
+ container_name: obsidian-ignis
+ restart: unless-stopped
+
+ environment:
+ - PORT=8080
+ # Pin the Obsidian version Ignis downloads. Bump deliberately, since a new
+ # Obsidian can outrun the shim. Keep in sync with what you run on the Mac.
+ - OBSIDIAN_VERSION=1.12.4
+ - PUID=1000
+ - PGID=1000
+
+ volumes:
+ # BIND mount (not a named volume) so the host backup cron can git-commit
+ # the plain-markdown vault directly. Each subdir here = one Obsidian vault.
+ - /opt/obsidian/vaults:/vaults
+ # Ignis internal state (plugin mgmt, sync state, auth tokens).
+ - /opt/obsidian/data:/app/data
+ # Cached Obsidian assets — persisted so redeploys don't re-download.
+ - obsidian-app:/app/obsidian-app
+
+ # Rendering happens in YOUR browser, so the server side is light. Cap anyway.
+ mem_limit: 512m
+
+ networks:
+ - dokploy-network
+
+ labels:
+ - traefik.enable=true
+ # --- HTTP router on :80. Gated by the SAME basicAuth as belt-and-suspenders
+ # so port 80 never serves the vault unauthenticated (in case there's no
+ # global 80->443 redirect). Also serves the ACME challenge. ---
+ - traefik.http.routers.obsidian-notes-http.rule=Host(`notes.manohargupta.com`)
+ - traefik.http.routers.obsidian-notes-http.entrypoints=web
+ - traefik.http.routers.obsidian-notes-http.middlewares=obsidian-auth
+ # --- HTTPS router on :443, WITH basicAuth ---
+ - traefik.http.routers.obsidian-notes.rule=Host(`notes.manohargupta.com`)
+ - traefik.http.routers.obsidian-notes.entrypoints=websecure
+ - traefik.http.routers.obsidian-notes.tls=true
+ - traefik.http.routers.obsidian-notes.tls.certresolver=letsencrypt
+ - traefik.http.routers.obsidian-notes.middlewares=obsidian-auth
+ # --- basicAuth middleware. The user:hash is injected from Dokploy's
+ # Environment tab (key BASIC_AUTH_USERS) so it never lands in git.
+ # Set BASIC_AUTH_USERS to the RAW htpasswd output with SINGLE $ signs
+ # (do NOT double them — compose does not re-escape an injected value):
+ # htpasswd -nbB manohar 'YOUR_PASSWORD'
+ # e.g. BASIC_AUTH_USERS=manohar:$2y$05$abc...
+ - traefik.http.middlewares.obsidian-auth.basicauth.users=${BASIC_AUTH_USERS}
+ # --- Service: Ignis listens on 8080 ---
+ - traefik.http.services.obsidian-notes.loadbalancer.server.port=8080
+ - traefik.docker.network=dokploy-network
+
+networks:
+ dokploy-network:
+ external: true
+
+volumes:
+ obsidian-app:
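Review bot: Attaching `obsidian-auth` to the `obsidian-notes-http` router (entrypoint `web`) keeps the vault closed on port 80, but a browser that lands on `http://` is then prompted for Basic credentials and sends them base64-encoded over an unencrypted connection. Redirecting that router keeps the password on TLS only: `traefik.http.middlewares.obsidian-https.redirectscheme.scheme=https` together with `traefik.http.routers.obsidian-notes-http.middlewares=obsidian-https`. The comment's "Also serves the ACME challenge" is worth rechecking as well, since the resolver behind `certresolver=letsencrypt` is configured outside this file and, for HTTP-01, Traefik presumably answers the challenge itself rather than through this router. Separately, `${BASIC_AUTH_USERS}` interpolates to an empty string when the variable is unset; `${BASIC_AUTH_USERS:?set BASIC_AUTH_USERS in Dokploy}` would make the deploy fail visibly instead of starting with an empty user list.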