services: # Gluetun is used to connect container to VPN penpot-gluetun: image: qmcgaw/gluetun cap_add: - NET_ADMIN environment: - VPN_SERVICE_PROVIDER=custom - VPN_TYPE=wireguard - VPN_ENDPOINT_IP=176.58.103.70 - VPN_ENDPOINT_PORT=51820 - WIREGUARD_PUBLIC_KEY=ijDPNuiCnYgETt9daFLQVQPHX7efb4OEHm+cV7wLvk4= - WIREGUARD_PRIVATE_KEY=OOIsjovP2bMsxq3VFUHNNkHMc1ri6PPP/WYO7L+GLk0= - WIREGUARD_ADDRESSES=10.0.0.11/32 - FIREWALL_VPN_INPUT_PORTS=9001,80,5432,6379,25,465,587 - FIREWALL_INPUT_PORTS=9001,80,5432,6379,25,465,587 #volumes: # Custom IPTables forwarding rules to forward TCP(web) traffic from port 11000 to port 80 # - ./post-rules.txt:/iptables/post-rules.txt # ports: - "9001:80" networks: penpot: deploy: resources: limits: cpus: '0.10' memory: 512M penpot-frontend: network_mode: "service:penpot-gluetun" image: "penpotapp/frontend:latest" restart: always volumes: - ./penpot_assets:/opt/data/assets depends_on: - penpot-backend - penpot-exporter #labels: #- "traefik.enable=true" ## HTTP: example of labels for the case where penpot will be exposed to the ## internet with only HTTP (without HTTPS) using traefik. # - "traefik.http.routers.penpot-http.entrypoints=web" # - "traefik.http.routers.penpot-http.rule=Host(``)" # - "traefik.http.services.penpot-http.loadbalancer.server.port=80" ## HTTPS: example of labels for the case where penpot will be exposed to the ## internet with HTTPS using traefik. # - "traefik.http.middlewares.http-redirect.redirectscheme.scheme=https" # - "traefik.http.middlewares.http-redirect.redirectscheme.permanent=true" # - "traefik.http.routers.penpot-http.entrypoints=web" # - "traefik.http.routers.penpot-http.rule=Host(``)" # - "traefik.http.routers.penpot-http.middlewares=http-redirect" # - "traefik.http.routers.penpot-https.entrypoints=websecure" # - "traefik.http.routers.penpot-https.rule=Host(``)" # - "traefik.http.services.penpot-https.loadbalancer.server.port=80" # - "traefik.http.routers.penpot-https.tls=true" # - "traefik.http.routers.penpot-https.tls.certresolver=letsencrypt" ## Configuration envronment variables for the frontend container. In this case, the ## container only needs the `PENPOT_FLAGS`. This environment variable is shared with ## other services, but not all flags are relevant to all services. environment: ## Relevant flags for frontend: ## - demo-users ## - login-with-github ## - login-with-gitlab ## - login-with-google ## - login-with-ldap ## - login-with-oidc ## - login-with-password ## - registration ## - webhooks ## ## You can read more about all available flags on: ## https://help.penpot.app/technical-guide/configuration/#advanced-configuration - PENPOT_FLAGS=enable-registration enable-login-with-password penpot-backend: image: "penpotapp/backend:latest" restart: always volumes: - ./penpot_assets:/opt/data/assets depends_on: - penpot-postgres - penpot-redis networks: penpot: ## Configuration envronment variables for the backend ## container. environment: ## Relevant flags for backend: ## - demo-users ## - email-verification ## - log-emails ## - log-invitation-tokens ## - login-with-github ## - login-with-gitlab ## - login-with-google ## - login-with-ldap ## - login-with-oidc ## - login-with-password ## - registration ## - secure-session-cookies ## - smtp ## - smtp-debug ## - telemetry ## - webhooks ## - prepl-server ## ## You can read more about all available flags and other ## environment variables for the backend here: ## https://help.penpot.app/technical-guide/configuration/#advanced-configuration - PENPOT_FLAGS=enable-registration enable-login-with-password disable-email-verification enable-smtp enable-prepl-server ## Penpot SECRET KEY. It serves as a master key from which other keys for subsystems ## (eg http sessions, or invitations) are derived. ## ## If you leave it commented, all created sessions and invitations will ## become invalid on container restart. ## ## If you going to uncomment this, we recommend to use a trully randomly generated ## 512 bits base64 encoded string here. You can generate one with: ## ## python3 -c "import secrets; print(secrets.token_urlsafe(64))" # - PENPOT_SECRET_KEY=my-insecure-key ## The PREPL host. Mainly used for external programatic access to penpot backend ## (example: admin). By default it will listen on `localhost` but if you are going to use ## the `admin`, you will need to uncomment this and set the host to `0.0.0.0`. # - PENPOT_PREPL_HOST=0.0.0.0 ## Public URI. If you are going to expose this instance to the internet and use it ## under a different domain than 'localhost', you will need to adjust it to the final ## domain. ## ## Consider using traefik and set the 'disable-secure-session-cookies' if you are ## not going to serve penpot under HTTPS. - PENPOT_PUBLIC_URI=http://localhost:9001 ## Database connection parameters. Don't touch them unless you are using custom ## postgresql connection parameters. - PENPOT_DATABASE_URI=postgresql://11.3.0.24/penpot - PENPOT_DATABASE_USERNAME=penpot - PENPOT_DATABASE_PASSWORD={{ service_penpot_postgres_password }} ## Redis is used for the websockets notifications. Don't touch unless the redis ## container has different parameters or different name. - PENPOT_REDIS_URI=redis://11.3.0.23/0 ## Default configuration for assets storage: using filesystem based with all files ## stored in a docker volume. - PENPOT_ASSETS_STORAGE_BACKEND=assets-fs - PENPOT_STORAGE_ASSETS_FS_DIRECTORY=/opt/data/assets ## Also can be configured to to use a S3 compatible storage ## service like MiniIO. Look below for minio service setup. # - AWS_ACCESS_KEY_ID= # - AWS_SECRET_ACCESS_KEY= # - PENPOT_ASSETS_STORAGE_BACKEND=assets-s3 # - PENPOT_STORAGE_ASSETS_S3_ENDPOINT=http://penpot-minio:9000 # - PENPOT_STORAGE_ASSETS_S3_BUCKET= ## Telemetry. When enabled, a periodical process will send anonymous data about this ## instance. Telemetry data will enable us to learn how the application is used, ## based on real scenarios. If you want to help us, please leave it enabled. You can ## audit what data we send with the code available on github. #- PENPOT_TELEMETRY_ENABLED=true ## Example SMTP/Email configuration. By default, emails are sent to the mailcatch ## service, but for production usage it is recommended to setup a real SMTP ## provider. Emails are used to confirm user registrations & invitations. Look below ## how the mailcatch service is configured. - PENPOT_SMTP_DEFAULT_FROM=no-reply@example.com - PENPOT_SMTP_DEFAULT_REPLY_TO=no-reply@example.com - PENPOT_SMTP_HOST=11.3.0.22 - PENPOT_SMTP_PORT=1025 - PENPOT_SMTP_USERNAME= - PENPOT_SMTP_PASSWORD= - PENPOT_SMTP_TLS=false - PENPOT_SMTP_SSL=false penpot-exporter: image: "penpotapp/exporter:latest" restart: always networks: - penpot environment: # Don't touch it; this uses an internal docker network to # communicate with the frontend. - PENPOT_PUBLIC_URI=http://penpot-frontend ## Redis is used for the websockets notifications. - PENPOT_REDIS_URI=redis://11.3.0.23/0 penpot-postgres: image: "postgres:15" restart: always stop_signal: SIGINT volumes: - ./penpot_postgres_v15:/var/lib/postgresql/data networks: penpot: ipv4_address: 11.3.0.24 environment: - POSTGRES_INITDB_ARGS=--data-checksums - POSTGRES_DB=penpot - POSTGRES_USER=penpot - POSTGRES_PASSWORD={{ service_penpot_postgres_password }} penpot-redis: image: redis:7 restart: always networks: penpot: ipv4_address: 11.3.0.23 ## A mailcatch service, used as temporal SMTP server. You can access via HTTP to the ## port 1080 for read all emails the penpot platform has sent. Should be only used as a ## temporal solution while no real SMTP provider is configured. penpot-mailcatch: image: sj26/mailcatcher:latest restart: always expose: - '1025' ports: - "1080:1080" networks: penpot: ipv4_address: 11.3.0.22 networks: penpot: driver: bridge driver_opts: com.docker.network.bridge.name: penpot # com.docker.network.driver.enable_ip_masquerade: 0 ipam: config: - subnet: 11.3.0.0/16 # gateway: 11.5.0.1