# ===========================================
# LogviewR - Docker Compose (Local Build)
# ===========================================
#
# Builds the image locally for testing without pulling from the registry.
# For production deployment, use docker-compose.yml instead.
#
# Usage:
# docker compose -f docker-compose.local.yml up -d --build
# docker compose -f docker-compose.local.yml down
#
# Environment variables (set in .env):
# DASHBOARD_PORT - Dashboard port (default: 7501)
# JWT_SECRET - JWT secret (required)
# ADM_GID - GID of the adm group on the host (default: 4)
# FAIL2BAN_GID - GID of the fail2ban group on the host (run setup script to set)
# HOST_IP - Host machine IP (optional, auto-detected if not set)
#
# ── Port modes ──────────────────────────────────────────────────────────────
#
# MODE A — Standard (bridge network, no firewall tabs)
# ports:
# - "${DASHBOARD_PORT:-7501}:3000"
# environment:
# DASHBOARD_PORT: ${DASHBOARD_PORT:-7501} # host port exposed by Docker
#
# MODE B — Firewall tabs (IPTables / IPSet / NFTables) + reverse proxy
# network_mode: host # shares host network namespace
# cap_add: [NET_ADMIN] # required for netfilter
# environment:
# PORT: ${PORT:-7501} # direct listen port on host
# → reverse proxy target: 127.0.0.1:7501
# ⚠️ network_mode: host is INCOMPATIBLE with ports: — remove ports: section
# ─────────────────────────────────────────────────────────────────────────────
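services:
  logviewr-local:
    build:
      context: .
      dockerfile: Dockerfile
      # Analytics opt-in — pulled from your .env (Compose substitutes automatically).
      # Leave VITE_ANALYTICS_* unset in .env to keep analytics disabled.
      args:
        VITE_ANALYTICS_HOST: ${VITE_ANALYTICS_HOST:-}
        VITE_ANALYTICS_SITE_ID: ${VITE_ANALYTICS_SITE_ID:-}
    container_name: logviewr-local
    restart: unless-stopped

    # ── MODE A — Standard (bridge network; currently DISABLED in this file) ──
    # Direct port mapping: host port → container port 3000.
    # To use MODE A: uncomment ports: below, and comment out network_mode:
    # and cap_add: in the MODE B block.
    # ports:
    #   - "${DASHBOARD_PORT:-7501}:3000"

    # ── MODE B — Firewall tabs (IPTables / IPSet / NFTables; ACTIVE) ─────────
    # network_mode: host is incompatible with ports:, so ports: stays commented.
    # Host networking bypasses Docker's port publishing: the process listens
    # directly on the host. NOTE(review): confirm the app binds to loopback, or
    # firewall the port, so the dashboard is reachable only through the
    # reverse proxy.
    network_mode: host  # shares host network namespace (required)
    cap_add:
      - NET_ADMIN  # required for netfilter kernel operations

    environment:
      # ── Required ──────────────────────────────────────────────────────────
      # Fail at `docker compose` parse time when JWT_SECRET is missing or
      # empty, instead of starting the dashboard with a blank signing secret.
      JWT_SECRET: "${JWT_SECRET:?JWT_SECRET must be set in .env}"
      # ── Port (choose one based on mode) ───────────────────────────────────
      # MODE A — must match the host port in ports: above
      # DASHBOARD_PORT: ${DASHBOARD_PORT:-7501}
      # MODE B — direct listen port when using network_mode: host
      # NOTE(review): the header of this file documents a default of 7501 for
      # PORT and the healthcheck below probes port 3000; confirm which port the
      # app really listens on in MODE B and align all three.
      PORT: ${PORT:-5175}
      # ── Optional ──────────────────────────────────────────────────────────
      HOST_IP: ${HOST_IP:-}
      CONFIG_FILE_PATH: ${CONFIG_FILE_PATH:-/app/config/logviewr.conf}
      HOST_ROOT_PATH: ${HOST_ROOT_PATH:-/host}
      # Timezone — must match the host TZ so Apache/Nginx log timestamps
      # (written in host local time, without TZ info) are parsed correctly.
      # Override via TZ=... in your .env if your host is not in Europe/Paris.
      TZ: ${TZ:-Europe/Paris}

    # Add node user to system groups for log and fail2ban access.
    # NOTE(review): if FAIL2BAN_GID is unset the second entry expands to an
    # empty string; run the setup script (or set it in .env) before starting,
    # and verify how your Compose version treats an empty group entry.
    group_add:
      - "${ADM_GID:-4}"  # adm group — read host log files
      - "${FAIL2BAN_GID:-}"  # fail2ban group — socket access (set by setup script)

    volumes:
      - logviewr_data_local:/app/data
      # Fail2ban socket (read-write — required for ban/unban commands).
      # Write access to this socket lets the container drive the host's
      # fail2ban daemon, so treat this container as privileged with respect
      # to the host and restrict who can reach the dashboard.
      # PREREQUISITE: run the host setup script once before starting:
      #   curl -fsSL https://raw.githubusercontent.com/Erreur32/LogviewR/main/scripts/setup-fail2ban-access.sh | sudo bash
      # The command above runs an unpinned script from the main branch as
      # root. Prefer downloading it first, reading it, and fetching from a
      # commit you reviewed (replace `main` with <REVIEWED_COMMIT_SHA>).
      - /var/run/fail2ban/fail2ban.sock:/var/run/fail2ban/fail2ban.sock
      # Host filesystem (read-only) for logs and system metrics.
      # This exposes the whole host root to the container: every file readable
      # by the container user and its added groups (e.g. adm) is reachable
      # from the app. If only specific log directories are needed, mounting
      # just those narrows the exposure.
      - /:/host:ro
      - /proc:/host/proc:ro
      - /sys:/host/sys:ro
      # Optional: enable Fail2ban SQLite VACUUM (rw override — requires long-form syntax)
      # - type: bind
      #   source: /var/lib/fail2ban
      #   target: /host/var/lib/fail2ban
      #   bind:
      #     propagation: shared
      # Optional: enable Fail2ban config file editing from the UI.
      # A writable /etc/fail2ban lets the UI change what the host daemon
      # runs; enable only if the dashboard is strongly authenticated.
      # - type: bind
      #   source: /etc/fail2ban
      #   target: /host/etc/fail2ban
      #   bind:
      #     propagation: shared

    healthcheck:
      test:
        - "CMD"
        - "wget"
        - "--no-verbose"
        - "--tries=1"
        - "--spider"
        - "http://127.0.0.1:3000/api/health"
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s

    # Prevent privilege escalation — safe in MODE A (bridge, no firewall tabs).
    # ⚠️ Must stay disabled in MODE B (network_mode: host + firewall tabs):
    # sudo cannot run with this flag set, breaking iptables/ipset/nft commands.
    # It is left commented out here because MODE B is active. Trade-off: without
    # it, setuid binaries inside the container can still raise privileges, on
    # top of NET_ADMIN and host networking — re-enable it when using MODE A.
    # security_opt:
    #   - no-new-privileges:true

volumes:
  logviewr_data_local:
    name: logviewr_data_local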