diff --git a/docker-stacks/app-server/penpot.yml b/docker-stacks/app-server/penpot.yml
index 65d47b7..5112aec 100644
--- a/docker-stacks/app-server/penpot.yml
+++ b/docker-stacks/app-server/penpot.yml
@@ -1,45 +1,89 @@ +x-flags: &penpot-flags + # Merged disable-sandbox into the flags array to protect the headless engine + PENPOT_FLAGS: disable-email-verification enable-smtp enable-prepl-server disable-secure-session-cookies enable-mcp disable-sandbox + +x-uri: &penpot-public-uri + PENPOT_PUBLIC_URI: ${PENPOT_PUBLIC_URI} + +x-body-size: &penpot-http-body-size + PENPOT_HTTP_SERVER_MAX_BODY_SIZE: 367001600 + PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE: 367001600 + +x-secret-key: &penpot-secret-key + PENPOT_SECRET_KEY: ${PENPOT_SECRET_KEY} + networks: penpot-net: driver: bridge - + +volumes: + penpot_assets: + services: - penpot-backend: - image: penpotapp/backend:latest - restart: always - networks: - - penpot-net - environment: - - PENPOT_DATABASE_URI=${PENPOT_DATABASE_URI} - - PENPOT_REDIS_URI=${PENPOT_REDIS_URI} - - PENPOT_SECRET_KEY=${PENPOT_SECRET_KEY} - - PENPOT_EXPORTER_SECRET_KEY=${PENPOT_EXPORTER_SECRET_KEY} - - PENPOT_PUBLIC_URI=${PENPOT_PUBLIC_URI} - ports: - - "6060:6060" - - penpot-exporter: - image: penpotapp/exporter:latest - restart: always - networks: - - penpot-net - shm_size: '2gb' - environment: - - PENPOT_PUBLIC_URI=${PENPOT_PUBLIC_URI} - - PENPOT_SECRET_KEY=${PENPOT_SECRET_KEY} - - PENPOT_EXPORTER_SECRET_KEY=${PENPOT_EXPORTER_SECRET_KEY} - - PENPOT_REDIS_URL=${PENPOT_REDIS_URI} - - PENPOT_REDIS_URI=${PENPOT_REDIS_URI} - - PENPOT_FLAGS=disable-sandbox - penpot-frontend: - image: penpotapp/frontend:latest + image: "penpotapp/frontend:${PENPOT_VERSION:-latest}" restart: always - networks: - - penpot-net - environment: - - PENPOT_FLAGS=enable-all-flags ports: - - "8084:80" + - "8084:80" # Binds your port 8084 layout mapping to Penpot frontend + volumes: + - penpot_assets:/opt/data/assets depends_on: - penpot-backend - - penpot-exporter \ No newline at end of file + - penpot-exporter + - penpot-mcp + networks: + - penpot-net + environment: + << : [*penpot-flags, *penpot-http-body-size, *penpot-public-uri] + + penpot-backend: + image: 
"penpotapp/backend:${PENPOT_VERSION:-latest}" + restart: always + volumes: + - penpot_assets:/opt/data/assets + networks: + - penpot-net + ports: + - "6060:6060" + environment: + << : [*penpot-flags, *penpot-public-uri, *penpot-http-body-size, *penpot-secret-key] + + # Security Handshake Key for internal Exporter validation routines + PENPOT_EXPORTER_SECRET_KEY: ${PENPOT_EXPORTER_SECRET_KEY} + + ## Database connection parameters pointing directly to your external LXC + # Note: Ensure the raw string value assigned to this variable inside your .env + # has special characters URL-encoded (e.g. postgresql://penpot:ddlO%26%40jdw72%23zA@...) + PENPOT_DATABASE_URI: ${PENPOT_DATABASE_URI} + + ## Valkey/Redis parameters routed directly to your active k3s node + PENPOT_REDIS_URI: ${PENPOT_REDIS_URI} + + ## Storage Settings + PENPOT_OBJECTS_STORAGE_BACKEND: fs + PENPOT_OBJECTS_STORAGE_FS_DIRECTORY: /opt/data/assets + + ## Telemetry & Optional settings + PENPOT_TELEMETRY_ENABLED: "false" + + penpot-mcp: + image: "penpotapp/mcp:${PENPOT_VERSION:-latest}" + restart: always + networks: + - penpot-net + + penpot-exporter: + image: "penpotapp/exporter:${PENPOT_VERSION:-latest}" + restart: always + shm_size: '2gb' # Retained to protect Puppeteer rendering processes from memory crashes + networks: + - penpot-net + environment: + << : [*penpot-secret-key] + PENPOT_EXPORTER_SECRET_KEY: ${PENPOT_EXPORTER_SECRET_KEY} + PENPOT_PUBLIC_URI: http://penpot-frontend:8080 + + ## Valkey/Redis variables duplicated to satisfy background exporter sub-engines + PENPOT_REDIS_URI: ${PENPOT_REDIS_URI} + PENPOT_REDIS_URL: ${PENPOT_REDIS_URI} + PENPOT_FLAGS: disable-sandbox \ No newline at end of file
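Review bot: The comment above `PENPOT_DATABASE_URI` in the penpot-backend environment carries a complete-looking password inside its example URI (`postgresql://penpot:…@...`), and it stays in the repository history even though the real value is read from `.env`. If that string is, or is derived from, the live database password, rotate it and replace the example with a placeholder such as `# e.g. postgresql://penpot:<url-encoded-password>@<db-host>/<db-name>`. The shared `&penpot-flags` anchor also applies `disable-secure-session-cookies` and `disable-email-verification` to both frontend and backend, while the backend still publishes `"6060:6060"` on every host interface; if the stack is served over TLS behind a proxy, drop the cookie flag and either bind the backend to loopback (`"127.0.0.1:6060:6060"`) or remove the mapping. The `x-flags` comment says `disable-sandbox` protects the headless engine, but the flag name suggests it removes an isolation layer, so the comment should state why the sandbox has to be off rather than describe it as a protection.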