# ToolHive Registry API Server - Docker Compose Configuration
#
# Services:
# 1. postgres - PostgreSQL 18 database
# 2. registry-api - Main API server (runs migrations on startup)
#
# Startup flow:
# postgres (healthy) -> registry-api (runs migrations automatically on startup)
#
# Migrations are embedded in the binary and run automatically on startup.
#
# Two-User Security Model:
# This setup uses two separate database users for security:
# - db_app: Application user with limited privileges (SELECT, INSERT, UPDATE, DELETE)
# - db_migrator: Migration user with elevated privileges (CREATE, ALTER, DROP)
#
# Password Management (pgpass file):
# Passwords are provided via a pgpass file built into the container image at /home/appuser/.pgpass
# The pgpass file format is: hostname:port:database:username:password
# Example contents:
# postgres:5432:registry:db_app:app_password
# postgres:5432:registry:db_migrator:migration_password
#
# See: https://www.postgresql.org/docs/current/libpq-pgpass.html
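services:
  # PostgreSQL backing store. Both services join registry-network, and the
  # pgpass example in the file header addresses the database as postgres:5432,
  # so the host port published below is only needed for tooling run from the
  # host (psql, migration debugging).
  postgres:
    image: postgres:18-alpine
    container_name: toolhive-registry-postgres
    environment:
      # Bootstrap account created by the image on first initialisation. The
      # application itself is documented above as using db_app / db_migrator.
      POSTGRES_USER: registry
      # Development default, kept for backward compatibility. Set
      # POSTGRES_PASSWORD in the shell or an untracked .env file to override.
      # The image only applies this value when the data directory is empty,
      # so changing it later requires recreating the postgres_data volume or
      # altering the role inside the database.
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-registry_password}"
      POSTGRES_DB: registry
      POSTGRES_INITDB_ARGS: "-E UTF8"
    ports:
      # Bound to loopback: a database with a password committed to the
      # repository should not listen on every host interface.
      - "127.0.0.1:5432:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
      # Init script is mounted read-only; it runs only on first initialisation.
      - ./docker/postgres-init.sh:/docker-entrypoint-initdb.d/init.sh:ro
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U registry"]
      interval: 5s
      timeout: 5s
      retries: 5
    networks:
      - registry-network

  # Registry API server; waits for the postgres healthcheck before starting.
  registry-api:
    build:
      context: .
      dockerfile: ./docker/dockerfile-compose
    container_name: toolhive-registry-api
    depends_on:
      postgres:
        condition: service_healthy
    ports:
      # Published on all host interfaces. Prefix with "127.0.0.1:" if the API
      # should only be reachable from this machine.
      - "8080:8080"
    volumes:
      # Mount entire examples directory - all configs and registry files available
      - ./examples:/examples:ro
      - registry_data:/app/data
      # pgpass file is now built into the container image
    # Use CONFIG_FILE env var to switch between configs (defaults to config-docker.yaml)
    # Examples: CONFIG_FILE=config-docker-dual.yaml docker-compose up
    # CONFIG_FILE is interpolated into a path under /examples; it is taken
    # from the invoking user's environment, so treat it as operator input.
    command: ["serve", "--config", "/examples/${CONFIG_FILE:-config-docker.yaml}", "--address", ":8080"]
    environment:
      # Verbose logging for local troubleshooting; lower it outside development.
      - LOG_LEVEL=debug
      # Point to the pgpass file for PostgreSQL authentication.
      # Credentials baked into an image are readable by anyone who can pull
      # or inspect that image, so keep this image local and do not push it to
      # a shared registry with real passwords inside.
      - PGPASSFILE=/home/appuser/.pgpass
      # No THV_DATABASE_PASSWORD - using pgpass file instead
    networks:
      - registry-network
    restart: unless-stopped

volumes:
  postgres_data:
    driver: local
  registry_data:
    driver: local

networks:
  registry-network:
    driver: bridge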