manohar/ignis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ignis/docker-compose.dokploy.yml
Mannu dd0eaf49ea fix: use nobbe/ignis:latest image; fix BASIC_AUTH_USERS $ escaping 
- Switch from build:. to image: nobbe/ignis:latest — the Dockerfile
  lives at apps/ignis-server/, not the repo root, so the build was
  failing with "no such file or directory". Using the official image
  is simpler and avoids a lengthy source build on every deploy.

- Document that BASIC_AUTH_USERS must use $$ for every $ in the bcrypt
  hash, so Docker Compose doesn't expand $2y$05$... as variable refs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-07 10:02:14 +05:30

71 lines
3.4 KiB
YAML
Raw Permalink Blame History

# =============================================================================
# obsidian-notes : Ignis (real Obsidian, in the browser)
# Lives at the ROOT of your manohar/ignis Forgejo mirror as a SEPARATE compose
# file, so upstream's own docker-compose.yml stays untouched and pull-able.
# In Dokploy: Compose app -> repo manohar/ignis -> Compose Path: docker-compose.dokploy.yml
# Public endpoint: https://notes.manohargupta.com (Traefik basicAuth gate)
# =============================================================================
services:
ignis:
# Official image from Docker Hub. Dockerfile lives at apps/ignis-server/ in
# the source repo but there's no reason to build — nobbe/ignis:latest is the
# canonical published image and avoids a long source build on every deploy.
image: nobbe/ignis:latest
container_name: obsidian-ignis
restart: unless-stopped
environment:
- PORT=8080
# Pin the Obsidian version Ignis downloads. Bump deliberately, since a new
# Obsidian can outrun the shim. Keep in sync with what you run on the Mac.
- OBSIDIAN_VERSION=1.12.4
- PUID=1000
- PGID=1000
volumes:
# BIND mount (not a named volume) so the host backup cron can git-commit
# the plain-markdown vault directly. Each subdir here = one Obsidian vault.
- /opt/obsidian/vaults:/vaults
# Ignis internal state (plugin mgmt, sync state, auth tokens).
- /opt/obsidian/data:/app/data
# Cached Obsidian assets — persisted so redeploys don't re-download.
- obsidian-app:/app/obsidian-app
# Rendering happens in YOUR browser, so the server side is light. Cap anyway.
mem_limit: 512m
networks:
- dokploy-network
labels:
- traefik.enable=true
# --- HTTP router on :80. Gated by the SAME basicAuth as belt-and-suspenders
# so port 80 never serves the vault unauthenticated (in case there's no
# global 80->443 redirect). Also serves the ACME challenge. ---
- traefik.http.routers.obsidian-notes-http.rule=Host(`notes.manohargupta.com`)
- traefik.http.routers.obsidian-notes-http.entrypoints=web
- traefik.http.routers.obsidian-notes-http.middlewares=obsidian-auth
# --- HTTPS router on :443, WITH basicAuth ---
- traefik.http.routers.obsidian-notes.rule=Host(`notes.manohargupta.com`)
- traefik.http.routers.obsidian-notes.entrypoints=websecure
- traefik.http.routers.obsidian-notes.tls=true
- traefik.http.routers.obsidian-notes.tls.certresolver=letsencrypt
- traefik.http.routers.obsidian-notes.middlewares=obsidian-auth
# --- basicAuth middleware. The user:bcrypt hash is injected from Dokploy's
# Environment tab (key BASIC_AUTH_USERS) so it never lands in git.
# IMPORTANT: bcrypt hashes contain $ signs. In the Dokploy env tab you
# MUST double every $ so compose doesn't try to expand them as variables:
# htpasswd -nbB manohar 'YOUR_PASSWORD'
# Take the output e.g. manohar:$2y$05$abc... and replace every $ with $$:
# BASIC_AUTH_USERS=manohar:$$2y$$05$$abc...
- traefik.http.middlewares.obsidian-auth.basicauth.users=${BASIC_AUTH_USERS}
# --- Service: Ignis listens on 8080 ---
- traefik.http.services.obsidian-notes.loadbalancer.server.port=8080
- traefik.docker.network=dokploy-network
networks:
dokploy-network:
external: true
volumes:
obsidian-app:
Reference in a new issue View git blame Copy permalink