initial commit

docker-compose.grist.yml

@@ -0,0 +1,32 @@
+services:
+  grist:
+    image: gristlabs/grist:1.7
+    restart: unless-stopped
+    volumes:
+      - ${GRIST_DATA:-grist}:/persist
+    environment:
+      - GRIST_SESSION_SECRET=${GRIST_SESSION_SECRET}
+      - GRIST_DEFAULT_EMAIL=${GRIST_DEFAULT_EMAIL:-admin@mail.com}
+      - GRIST_SANDBOX_FLAVOR=gvisor
+      - GRIST_SINGLE_ORG=camp
+      - GRIST_PAGE_TITLE_SUFFIX= - Camp Interhack
+      - APP_HOME_URL=https://${HOST}
+    depends_on:
+      - db
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.grist.entryPoints=https
+      - traefik.http.routers.grist.rule=Host(`${HOST}`)
+      - traefik.http.routers.grist.tls.certresolver=le-ssl
+      - traefik.http.services.grist.loadbalancer.server.port=8484
+      - traefik.docker.network=front
+    networks:
+      - default
+      - front
+
+volumes:
+  grist:
+
+networks:
+  front:
+    external: true

docker-compose.keycloak.yml

@@ -0,0 +1,44 @@
+services:
+  postgresql:
+    image: postgres:18.0
+    restart: unless-stopped
+    environment:
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+      - POSTGRES_USER=${POSTGRES_USER:-keycloak}
+      - POSTGRES_DB=${POSTGRES_DB:-keycloak}
+    volumes:
+      - ${POSTGRES_DATA:-postgres_data}:/var/lib/postgresql/data
+
+  keycloak:
+    image: quay.io/keycloak/keycloak:26.4
+    restart: unless-stopped
+    depends_on:
+      - postgresql
+    command: start
+    environment:
+      - KC_DB=postgres
+      - KC_DB_URL=jdbc:postgresql://postgresql/${POSTGRES_DB:-keycloak}
+      - KC_DB_PASSWORD=${POSTGRES_PASSWORD}
+      - KC_DB_USERNAME=${POSTGRES_USER:-keycloak}
+      - KC_PROXY=edge
+      - KC_HOSTNAME_STRICT=false
+      - KEYCLOAK_ADMIN=${KEYCLOAK_ADMIN_USER:-admin}
+      - KEYCLOAK_ADMIN_PASSWORD=${KEYCLOAK_ADMIN_PASSWORD}
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.keycloak.entryPoints=https
+      - traefik.http.routers.keycloak.rule=Host(`${HOST}`)
+      - traefik.http.routers.keycloak.tls.certresolver=le-ssl
+      - traefik.http.services.keycloak.loadbalancer.server.port=8080
+      - traefik.docker.network=front
+    networks:
+      - default
+      - front
+
+volumes:
+  postgresql_data:
+    driver: local
+
+networks:
+  front:
+    external: true

docker-compose.leantime.yml

@@ -0,0 +1,83 @@
+services:
+  mysql:
+    image: mysql:9.4
+    volumes:
+      - ${MYSQL_DATA_DIR:-db_data}:/var/lib/mysql
+    restart: unless-stopped
+    environment:
+      - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
+      - MYSQL_DATABASE=leantime
+      - MYSQL_USER=lean
+      - MYSQL_PASSWORD=${MYSQL_PASSWORD}
+    command: --character-set-server=UTF8MB4 --collation-server=UTF8MB4_unicode_ci
+    healthcheck:
+      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  leantime:
+    image: leantime/leantime:3.5.12
+    restart: unless-stopped
+    # security_opt:
+      # - no-new-privileges:true
+    # cap_add:
+      # - CAP_NET_BIND_SERVICE
+      # - CAP_CHOWN
+      # - CAP_SETGID
+      # - CAP_SETUID
+    environment:
+      - LEAN_DB_HOST=mysql
+      - LEAN_DB_DATABASE=leantime  
+      - LEAN_DB_USER=lean 
+      - LEAN_DB_PASSWORD=${MYSQL_PASSWORD}
+      - LEAN_SESSION_PASSWORD=${LEAN_SESSION_PASSWORD}
+      - LEAN_DEBUG=0
+      - LEAN_LANGUAGE=fr-FR
+      - LEAN_DEFAULT_TIMEZONE=Europe/Paris
+      - LEAN_DISABLE_LOGIN_FORM=true
+      - LEAN_OIDC_ENABLE=true
+      - LEAN_OIDC_PROVIDER_URL=${LEAN_OIDC_PROVIDER_URL}
+      - LEAN_OIDC_CLIENT_ID=${LEAN_OIDC_CLIENT_ID}
+      - LEAN_OIDC_CLIENT_SECRET=${LEAN_OIDC_CLIENT_SECRET}
+      - LEAN_OIDC_CREATE_USER=false
+      - LEAN_OIDC_DEFAULT_ROLE=20
+    volumes:
+      - ${LEAN_PUBLIC_USERFILES_DIR:-public_userfiles}:/var/www/html/public/userfiles     # Volume to store public files, logo etc
+      - ${LEAN_USERFILES_DIR:-userfiles}:/var/www/html/userfiles                          # Original volume name for compatibility
+      - ${LEAN_PLUGINS_DIR:-plugins}:/var/www/html/app/Plugins                            # Plugin storage
+      - ${LEAN_LOGS_DIR:-logs}:/var/www/html/storage/logs                                 # Log storage
+    depends_on:
+      mysql:
+        condition: service_healthy
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.leantime.entryPoints=https
+      - traefik.http.routers.leantime.rule=Host(`${HOST}`)
+      - traefik.http.routers.leantime.tls.certresolver=le-ssl
+      - traefik.http.services.leantime.loadbalancer.server.port=8080
+      - traefik.docker.network=front
+    networks:
+      - default
+      - front
+
+  # Add a helper container for volume permissions
+  # Run via docker compose --profile mysql_helper up -d
+  mysql_helper:
+    image: mysql:9.4
+    command: chown -R mysql:mysql /var/lib/mysql
+    volumes:
+      - ${MYSQL_DATA_DIR:-db_data}:/var/lib/mysql
+    user: root
+    profiles: [ "helper" ]
+
+volumes:
+  db_data:
+  userfiles:
+  public_userfiles:
+  plugins:
+  logs:
+
+networks:
+  front:
+    external: true

docker-compose.paheko.yml

@@ -0,0 +1,22 @@
+services:
+  paheko:
+    image: paheko/paheko:1.3.16
+    restart: unless-stopped
+    volumes:
+      - ${PAHEKO_CONFIG}:/var/www/paheko/config.local.php
+      # - ./php.ini:/usr/local/etc/php/php.ini
+      - ${PAHEKO_DATA}:/var/www/paheko/data
+      - ${PAHEKO_PLUGINS}:/var/www/paheko/data/plugins
+    labels:
+      - traefik.enable=true
+      - traefik.http.routers.paheko.entryPoints=https
+      - traefik.http.routers.paheko.rule=Host(`${HOST}`)
+      - traefik.http.routers.paheko.tls.certresolver=le-ssl
+      - traefik.http.services.paheko.loadbalancer.server.port=80
+      - traefik.docker.network=front
+    networks:
+      - front
+
+networks:
+  front:
+    external: true

docker-compose.reverse-proxy.yml

@@ -0,0 +1,30 @@
+services:
+  traefik:
+    image: traefik:v3.5
+    container_name: traefik
+    restart: always
+    ports:
+      - 80:80 # (HTTP)
+      - 443:443 # (HTTPS)
+    command:
+      - --providers.docker=true
+      - --providers.docker.exposedByDefault=false
+      - --certificatesresolvers.le-ssl.acme.email=${ACME_EMAIL}
+      - --certificatesresolvers.le-ssl.acme.storage=acme.json
+      - --certificatesresolvers.le-ssl.acme.httpchallenge.entrypoint=web
+      - --tls.options.default.minVersion=VersionTLS12
+      - --entrypoints.http.address=:80
+      - --entrypoints.http.http.redirections.entryPoint.to=https
+      - --entrypoints.http.http.redirections.entryPoint.scheme=https
+      - --entrypoints.https.address=:443
+      - --entrypoints.https.http.tls.certResolver=le-ssl
+    volumes:
+      - /etc/localtime:/etc/localtime:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+    networks:
+      - default
+      - front
+
+networks:
+  front:
+    external: true