wealthfolio/compose.yml at main · afadil/wealthfolio · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# Wealthfolio - Production Docker Compose
#
# Usage: docker compose up -d
# Dev overlay: docker compose -f compose.yml -f compose.dev.yml up
#
# Works with any reverse proxy (Coolify, Nginx, Caddy, Traefik).
# Uses expose (not ports) — the proxy handles external traffic.

services:
  wealthfolio:
    image: afadil/wealthfolio:latest
    container_name: wealthfolio
    restart: unless-stopped
    expose:
      - "8088"
    volumes:
      - wealthfolio-data:/data
    environment:
      WF_LISTEN_ADDR: "0.0.0.0:8088"
      WF_DB_PATH: "/data/wealthfolio.db"
      # Required — generate with: openssl rand -base64 32
      WF_SECRET_KEY: "${WF_SECRET_KEY:?Set WF_SECRET_KEY}"

      # ── Authentication ────────────────────────────────────────────────
      # Required when listening on 0.0.0.0 (the default for Docker).
      # Provide an Argon2id PHC hash of your password.
      #
      # IMPORTANT — Docker Compose interpolates "$" in .env files and YAML:
      #   .env file  → WF_AUTH_PASSWORD_HASH='$argon2id$v=19$...'  (single quotes)
      #   .env file  → WF_AUTH_PASSWORD_HASH=$$argon2id$$v=19$$...  (double every $)
      #   YAML inline → WF_AUTH_PASSWORD_HASH: '$$argon2id$$v=19$$...'  (double every $)
      #
      # Generate a hash:
      #   printf 'your-password' | argon2 yoursalt16chars! -id -e
      #
      # If a reverse proxy handles auth instead, set WF_AUTH_REQUIRED: "false"
      # and leave WF_AUTH_PASSWORD_HASH empty.
      WF_AUTH_PASSWORD_HASH: "${WF_AUTH_PASSWORD_HASH:-}"
      WF_AUTH_TOKEN_TTL_MINUTES: "${WF_AUTH_TOKEN_TTL_MINUTES:-60}"
      # Set to "false" to skip the auth requirement (e.g. reverse proxy handles auth)
      # WF_AUTH_REQUIRED: "true"

      # Required when auth is enabled — set to your app's origin, e.g. https://wealthfolio.example.com
      WF_CORS_ALLOW_ORIGINS: "${WF_CORS_ALLOW_ORIGINS}"
      WF_REQUEST_TIMEOUT_MS: "${WF_REQUEST_TIMEOUT_MS:-30000}"
    healthcheck:
      test:
        ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://127.0.0.1:8088/api/v1/healthz"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s
    deploy:
      resources:
        limits:
          memory: 512M
        reservations:
          memory: 128M
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp:size=64M

volumes:
  wealthfolio-data:
    driver: local