# WASL Digital Wallet — Production-grade Docker setup # Services on internal network; only nginx is exposed externally. # Usage: # docker compose up -d # docker compose exec app composer install # docker compose exec app php artisan migrate --force # docker compose exec app php artisan octane:start --server=swoole --host=0.0.0.0 --port=8000 services: # ─────────────────────────────────────────────────────────────── # Application (PHP 8.3 + Swoole + Octane) # ─────────────────────────────────────────────────────────────── app: build: context: . dockerfile: Dockerfile target: production container_name: wasl-app restart: unless-stopped working_dir: /var/www/html volumes: - ./:/var/www/html - app_storage:/var/www/html/storage - app_bootstrap_cache:/var/www/html/bootstrap/cache networks: - wasl-internal depends_on: postgres: condition: service_healthy redis: condition: service_healthy environment: - "PHP_OCTANE_SERVER=swoole" - "DB_HOST=postgres" - "REDIS_HOST=redis" healthcheck: test: ["CMD-SHELL", "php artisan octane:status || exit 1"] interval: 30s timeout: 5s retries: 3 start_period: 30s # ─────────────────────────────────────────────────────────────── # Queue Worker (supervisor-managed) # ─────────────────────────────────────────────────────────────── worker: build: context: . dockerfile: Dockerfile target: production container_name: wasl-worker restart: unless-stopped working_dir: /var/www/html volumes: - ./:/var/www/html - app_storage:/var/www/html/storage networks: - wasl-internal depends_on: postgres: condition: service_healthy redis: condition: service_healthy command: ["php", "artisan", "queue:work", "redis", "--tries=3", "--backoff=10", "--max-time=3600"] healthcheck: test: ["CMD-SHELL", "php artisan horizon:status || php artisan queue:status || exit 0"] interval: 60s timeout: 10s retries: 3 # ─────────────────────────────────────────────────────────────── # Nginx (Reverse Proxy + Load Balancer) — the ONLY exposed service # ─────────────────────────────────────────────────────────────── nginx: image: nginx:1.27-alpine container_name: wasl-nginx restart: unless-stopped ports: - "${NGINX_PORT:-8080}:80" volumes: - ./:/var/www/html - ./docker/nginx/default.conf:/etc/nginx/conf.d/default.conf:ro - ./docker/nginx/nginx.conf:/etc/nginx/nginx.conf:ro - nginx_logs:/var/log/nginx networks: - wasl-internal depends_on: - app healthcheck: test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost/up"] interval: 30s timeout: 5s retries: 3 # ─────────────────────────────────────────────────────────────── # PostgreSQL 16 — Primary financial database # ─────────────────────────────────────────────────────────────── postgres: image: postgres:16-alpine container_name: wasl-postgres restart: unless-stopped environment: - "POSTGRES_DB=${DB_DATABASE:-wasl}" - "POSTGRES_USER=${DB_USERNAME:-wasl}" - "POSTGRES_PASSWORD=${DB_PASSWORD:-secret}" - "POSTGRES_INITDB_ARGS=--encoding=UTF8 --locale=C" volumes: - postgres_data:/var/lib/postgresql/data - ./docker/postgres/init.sql:/docker-entrypoint-initdb.d/init.sql:ro networks: - wasl-internal healthcheck: test: ["CMD-SHELL", "pg_isready -U ${DB_USERNAME:-wasl} -d ${DB_DATABASE:-wasl}"] interval: 10s timeout: 5s retries: 5 # SECURITY: no ports exposed — only reachable from internal network # ─────────────────────────────────────────────────────────────── # Redis 7 — Cache + Queue + Sessions + Throttling # ─────────────────────────────────────────────────────────────── redis: image: redis:7-alpine container_name: wasl-redis restart: unless-stopped command: > redis-server --requirepass ${REDIS_PASSWORD:-secret} --maxmemory 512mb --maxmemory-policy allkeys-lru --appendonly yes --save 60 1000 volumes: - redis_data:/data networks: - wasl-internal healthcheck: test: ["CMD", "redis-cli", "-a", "${REDIS_PASSWORD:-secret}", "ping"] interval: 10s timeout: 5s retries: 5 # SECURITY: no ports exposed # ─────────────────────────────────────────────────────────────── # MinIO — S3-compatible storage for KYC documents (encrypted at rest) # ─────────────────────────────────────────────────────────────── minio: image: minio/minio:latest container_name: wasl-minio restart: unless-stopped command: server /data --console-address ":9001" environment: - "MINIO_ROOT_USER=${AWS_ACCESS_KEY_ID:-minioadmin}" - "MINIO_ROOT_PASSWORD=${AWS_SECRET_ACCESS_KEY:-minioadmin}" volumes: - minio_data:/data networks: - wasl-internal healthcheck: test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"] interval: 30s timeout: 20s retries: 3 # SECURITY: no ports exposed externally # ─────────────────────────────────────────────────────────────── # MinIO Bootstrap — auto-create buckets on first run # ─────────────────────────────────────────────────────────────── minio-bootstrap: image: minio/mc:latest container_name: wasl-minio-init depends_on: minio: condition: service_healthy networks: - wasl-internal entrypoint: > /bin/sh -c " sleep 5; mc alias set wasl http://minio:9000 ${AWS_ACCESS_KEY_ID:-minioadmin} ${AWS_SECRET_ACCESS_KEY:-minioadmin}; mc mb wasl/${WASL_KYC_BUCKET:-wasl-kyc} --ignore-existing; mc anonymous set none wasl/${WASL_KYC_BUCKET:-wasl-kyc}; exit 0; " networks: wasl-internal: driver: bridge internal: false # set to `true` if you don't need outbound internet volumes: postgres_data: driver: local redis_data: driver: local minio_data: driver: local app_storage: driver: local app_bootstrap_cache: driver: local nginx_logs: driver: local