Add Directus service configuration and environment variables to deployment stack

2026-05-02 11:24:48 +02:00
parent 4c5051049d
commit da6200afc8
3 changed files with 267 additions and 7 deletions
@@ -113,9 +113,107 @@ services:
      LOG_LEVEL: ${LOG_LEVEL:-info}
    restart: unless-stopped

+  # -------------------------------------------------------------------
+  # directus — business-plane API, admin UI, and schema authority.
+  # Built by git.dev.microservices.al/trm/directus's Gitea workflow.
+  #
+  # Boot pipeline (5 steps; see trm/directus/entrypoint.sh):
+  #   1. db-init pre-schema    → positions hypertable + faulty column
+  #   2. directus bootstrap    → installs Directus system tables
+  #   3. directus schema apply → applies snapshots/schema.yaml
+  #   4. db-init post-schema   → composite UNIQUE constraints
+  #   5. pm2-runtime start     → server up at :8055
+  #
+  # First-boot on a fresh DB takes ~60–90 s (Directus runs its own
+  # internal migrations during step 2). Subsequent boots are ~5 s as
+  # all steps no-op against the warm DB.
+  #
+  # Schema-as-code: collections + fields + relations live in the image
+  # (snapshots/schema.yaml + db-init/*.sql baked in at build time).
+  # Schema changes flow through the trm/directus repo + its CI dry-run
+  # gate, NOT through manual edits on this stage instance. Editing
+  # collections via the admin UI here will be DROPPED on the next image
+  # rebuild — schema-apply enforces the committed snapshot. See
+  # docs/wiki/entities/directus.md "destructive-apply hazard" callout.
+  # -------------------------------------------------------------------
+  directus:
+    image: git.dev.microservices.al/trm/directus:${DIRECTUS_TAG:-main}
+    depends_on:
+      postgres:
+        condition: service_healthy
+    expose:
+      # Internal-only. The admin UI + API are reachable from other services
+      # in the stack via service-name DNS (`http://directus:8055`). A reverse
+      # proxy (Traefik / Caddy / nginx) running on the host or attached to
+      # the `trm_default` network terminates TLS, applies its own auth /
+      # rate-limit / WAF rules, and forwards to this expose port.
+      #
+      # Why not host-publish 8055 directly: the admin UI is a privileged
+      # surface (full CRUD + permission policies + Flow execution). Direct
+      # exposure leaks an attack surface and forces TLS into a service that
+      # shouldn't care about it. tcp-ingestion is different (GPS devices
+      # connect directly so it must publish to the host); Directus is HTTP
+      # and belongs behind a proxy in any non-throwaway environment.
+      - '8055'
+    environment:
+      # ----- Database connection -----
+      DB_CLIENT: pg
+      DB_HOST: postgres
+      DB_PORT: 5432
+      DB_DATABASE: ${POSTGRES_DB:-trm}
+      DB_USER: ${POSTGRES_USER:-trm}
+      DB_PASSWORD: ${POSTGRES_PASSWORD:-trm-pilot-change-me}
+
+      # ----- Instance security — REQUIRED, must be unique per environment.
+      # KEY: any UUID. SECRET: long random string, e.g. `openssl rand -hex 64`.
+      # Two instances sharing the same KEY/SECRET produce colliding JWTs.
+      # Defaults below are placeholders — REPLACE in the Portainer stack env.
+      KEY: ${DIRECTUS_KEY:-REPLACE-ME-WITH-A-UUID}
+      SECRET: ${DIRECTUS_SECRET:-REPLACE-ME-WITH-A-LONG-RANDOM-STRING}
+
+      # ----- Admin bootstrap — only used on first init.
+      # If directus_users is empty at first boot, an admin user is created
+      # from these. Subsequent boots ignore them. Change the password via
+      # the admin UI after first login.
+      ADMIN_EMAIL: ${DIRECTUS_ADMIN_EMAIL:-admin@example.com}
+      ADMIN_PASSWORD: ${DIRECTUS_ADMIN_PASSWORD:-CHANGE-ON-FIRST-LOGIN}
+
+      # ----- Public-facing URL (used in emails, OAuth redirects, asset URLs).
+      # In real prod set to https://<your-domain>; default localhost is just
+      # for first-deploy smoke testing.
+      PUBLIC_URL: ${DIRECTUS_PUBLIC_URL:-http://localhost:8055}
+
+      # ----- Logging -----
+      LOG_LEVEL: ${LOG_LEVEL:-info}
+      LOG_STYLE: ${LOG_STYLE:-json}
+
+      # ----- WebSockets — required for the live channel architecture
+      # (Directus's WS subs cover business-plane events; processor's WS
+      # carries the telemetry firehose). See live-channel-architecture
+      # in the wiki.
+      WEBSOCKETS_ENABLED: 'true'
+
+      # ----- Cache / CORS — defaults disabled; enable per environment.
+      CACHE_ENABLED: ${DIRECTUS_CACHE_ENABLED:-false}
+      CORS_ENABLED: ${DIRECTUS_CORS_ENABLED:-false}
+      CORS_ORIGIN: ${DIRECTUS_CORS_ORIGIN:-false}
+    volumes:
+      # Persist admin-uploaded files across container restarts.
+      # snapshots/ + db-init/ are baked into the image, NOT mounted —
+      # that's the schema-as-code split.
+      - directus-uploads:/directus/uploads
+    restart: unless-stopped
+    healthcheck:
+      test: ['CMD-SHELL', 'wget -qO- http://localhost:8055/server/health || exit 1']
+      interval: 30s
+      timeout: 10s
+      # First boot includes Directus's internal migrations (~30–45 s on
+      # fresh DB). 120 s gives margin; warm boots become healthy in ~10 s.
+      start_period: 120s
+      retries: 3
+
  # -------------------------------------------------------------------
  # Future services land here:
-  #   - directus:         business-plane API + admin UI
  #   - react-spa:        front-end (static, served via nginx or Caddy)
  # See ../docs/wiki/ for the platform architecture.
  # -------------------------------------------------------------------
@@ -123,3 +221,4 @@ services:
 volumes:
  redis-data:
  postgres-data:
+  directus-uploads: