# Compose stack: backend API, backend worker, Astro SSR frontend and the admin SPA.
# Every ${VAR} below is interpolated by Compose from the shell environment or an
# env file. Several of them are secrets (JWT_SECRET, DATABASE_URL, REDIS_URL,
# TERMI_ADMIN_PROXY_SHARED_SECRET, TERMI_TURNSTILE_SECRET_KEY,
# TERMI_WEB_PUSH_VAPID_PRIVATE_KEY), so keep that env file out of version control.
services:
  backend:
    # NOTE(review): the default is a mutable :latest tag and pull_policy is "always",
    # so each start runs whatever the registry currently serves under that tag.
    # For auditable deployments, set BACKEND_IMAGE to an immutable tag or to an
    # image@sha256:<digest> reference.
    image: '${BACKEND_IMAGE:-git.init.cool/cool/termi-astro-backend:latest}'
    pull_policy: always
    restart: unless-stopped
    environment:
      PORT: '5150'
      APP_BASE_URL: '${APP_BASE_URL:-http://localhost:5150}'
      # The ":?" form makes Compose abort with the given message when the variable
      # is unset or empty, so the stack cannot start without these three values.
      DATABASE_URL: '${DATABASE_URL:?DATABASE_URL is required}'
      REDIS_URL: '${REDIS_URL:?REDIS_URL is required}'
      JWT_SECRET: '${JWT_SECRET:?JWT_SECRET is required}'
      # Current recommendation: serve admin under a protected back-office domain
      # (same-origin forwarding of /api to backend), then let backend trust the
      # authentication headers that TinyAuth / Pocket ID inject through Caddy.
      # When proxy SSO is enabled, also set TERMI_ADMIN_PROXY_SHARED_SECRET and have
      # Caddy attach X-Termi-Proxy-Secret when it forwards /api to backend.
      #
      # NOTE(review): header-based trust is only sound if clients cannot reach
      # backend except through Caddy. With TERMI_ADMIN_TRUST_PROXY_AUTH=true, do not
      # keep the all-interfaces port mapping below, and treat the shared secret as
      # mandatory: it defaults to empty here, and how backend behaves with an empty
      # secret is not visible in this file (confirm). Caddy should also strip any
      # client-supplied copies of the auth headers before adding its own.
      TERMI_ADMIN_TRUST_PROXY_AUTH: '${TERMI_ADMIN_TRUST_PROXY_AUTH:-false}'
      TERMI_ADMIN_LOCAL_LOGIN_ENABLED: '${TERMI_ADMIN_LOCAL_LOGIN_ENABLED:-true}'
      TERMI_ADMIN_PROXY_SHARED_SECRET: '${TERMI_ADMIN_PROXY_SHARED_SECRET:-}'
      TERMI_TURNSTILE_SECRET_KEY: '${TERMI_TURNSTILE_SECRET_KEY:-}'
      PUBLIC_WEB_PUSH_VAPID_PUBLIC_KEY: '${PUBLIC_WEB_PUSH_VAPID_PUBLIC_KEY:-}'
      TERMI_WEB_PUSH_VAPID_PRIVATE_KEY: '${TERMI_WEB_PUSH_VAPID_PRIVATE_KEY:-}'
      TERMI_WEB_PUSH_VAPID_SUBJECT: '${TERMI_WEB_PUSH_VAPID_SUBJECT:-}'
      # NOTE(review): verbose levels (debug/trace) may write request details to the
      # container log; keep "info" or lower verbosity in production unless needed.
      RUST_LOG: '${RUST_LOG:-info}'
    ports:
      # This is the "direct port" example. With no host IP in the mapping, Docker
      # publishes the port on every host interface. When the tohka host's Caddy sits
      # in front, layer compose.tohka.override.yml on top so that backend is bound
      # to 127.0.0.1 only.
      - '${BACKEND_PORT:-5150}:5150'

  backend-worker:
    # Same image as backend, started in worker mode (see command).
    image: '${BACKEND_IMAGE:-git.init.cool/cool/termi-astro-backend:latest}'
    pull_policy: always
    restart: unless-stopped
    depends_on:
      backend:
        # service_healthy needs a healthcheck on backend. None is declared in this
        # file, so presumably the image defines one. TODO confirm.
        condition: service_healthy
    command:
      - 'termi_api-cli'
      - '-e'
      - 'production'
      - 'start'
      - '--worker'
    environment:
      # NOTE(review): the worker publishes no ports but receives the same secrets and
      # admin-auth settings as backend (TERMI_TURNSTILE_SECRET_KEY excepted). If the
      # worker never reads some of them, dropping those narrows what a compromised
      # worker can see. Confirm against the worker code before removing any.
      PORT: '5150'
      APP_BASE_URL: '${APP_BASE_URL:-http://localhost:5150}'
      DATABASE_URL: '${DATABASE_URL:?DATABASE_URL is required}'
      REDIS_URL: '${REDIS_URL:?REDIS_URL is required}'
      JWT_SECRET: '${JWT_SECRET:?JWT_SECRET is required}'
      TERMI_ADMIN_TRUST_PROXY_AUTH: '${TERMI_ADMIN_TRUST_PROXY_AUTH:-false}'
      TERMI_ADMIN_LOCAL_LOGIN_ENABLED: '${TERMI_ADMIN_LOCAL_LOGIN_ENABLED:-true}'
      TERMI_ADMIN_PROXY_SHARED_SECRET: '${TERMI_ADMIN_PROXY_SHARED_SECRET:-}'
      PUBLIC_WEB_PUSH_VAPID_PUBLIC_KEY: '${PUBLIC_WEB_PUSH_VAPID_PUBLIC_KEY:-}'
      TERMI_WEB_PUSH_VAPID_PRIVATE_KEY: '${TERMI_WEB_PUSH_VAPID_PRIVATE_KEY:-}'
      TERMI_WEB_PUSH_VAPID_SUBJECT: '${TERMI_WEB_PUSH_VAPID_SUBJECT:-}'
      RUST_LOG: '${RUST_LOG:-info}'
      # Presumably leaves schema migrations to the backend service. Confirm.
      TERMI_SKIP_MIGRATIONS: 'true'

  frontend:
    image: '${FRONTEND_IMAGE:-git.init.cool/cool/termi-astro-frontend:latest}'
    pull_policy: always
    restart: unless-stopped
    depends_on:
      backend:
        condition: service_healthy
    environment:
      # frontend is Astro SSR (Node):
      # - INTERNAL_API_BASE_URL: used by server-side rendering to reach backend
      # - PUBLIC_API_BASE_URL: used by in-browser requests (comments, AI Q&A, ...)
      # - PUBLIC_COMMENT_TURNSTILE_SITE_KEY: used by the human-verification widget
      #   on the comment / subscription forms
      # - PUBLIC_WEB_PUSH_VAPID_PUBLIC_KEY: used for browser push subscriptions
      # - PUBLIC_IMAGE_ALLOWED_HOSTS: extra image hosts allowed by the public image
      #   optimisation endpoint /_img
      #
      # NOTE(review): the PUBLIC_* values are meant for the browser, so never place
      # a secret in them. Keep PUBLIC_IMAGE_ALLOWED_HOSTS to explicit hosts you
      # control: presumably /_img fetches those hosts server-side, so a broad entry
      # widens what the frontend can be made to request. Confirm.
      INTERNAL_API_BASE_URL: '${INTERNAL_API_BASE_URL:-http://backend:5150/api}'
      PUBLIC_API_BASE_URL: '${PUBLIC_API_BASE_URL:-}'
      PUBLIC_COMMENT_TURNSTILE_SITE_KEY: '${PUBLIC_COMMENT_TURNSTILE_SITE_KEY:-}'
      PUBLIC_WEB_PUSH_VAPID_PUBLIC_KEY: '${PUBLIC_WEB_PUSH_VAPID_PUBLIC_KEY:-}'
      PUBLIC_IMAGE_ALLOWED_HOSTS: '${PUBLIC_IMAGE_ALLOWED_HOSTS:-}'
      INDEXNOW_KEY: '${INDEXNOW_KEY:-}'
    # frontend is an Astro SSR (Node) service listening on 4321 inside the container.
    # In production, put a gateway / reverse proxy in front and expose only 80/443.
    ports:
      - '${FRONTEND_PORT:-4321}:4321'

  admin:
    image: '${ADMIN_IMAGE:-git.init.cool/cool/termi-astro-admin:latest}'
    pull_policy: always
    restart: unless-stopped
    depends_on:
      backend:
        condition: service_healthy
    environment:
      ADMIN_API_BASE_URL: '${ADMIN_API_BASE_URL:-}'
      ADMIN_FRONTEND_BASE_URL: '${ADMIN_FRONTEND_BASE_URL:-}'
    # admin is a static SPA served by Nginx, which listens on 80 inside the container.
    # The API address and links such as "open site / AI Q&A / article preview" read
    # the runtime variables ADMIN_API_BASE_URL / ADMIN_FRONTEND_BASE_URL first. When
    # unset, they fall back to build-time values / default ports on the same host.
    ports:
      # If the admin domain is reverse-proxied by the host's Caddy, bind this to
      # 127.0.0.1 instead. As written, the admin UI is published on every host
      # interface and can be reached without passing through the proxy.
      - '${ADMIN_PORT:-4322}:80'