Update docker-compose and .env-example (#2397)

The docker-compose example is severely outdated and the past
configuration used a docker image for the dashboard that did not allow
you to configure the URLs to the various API endpoints if you
self-hosted your own dashboard publicly.

The newest dashboard image allows you to do this so the docker-compose
has been updated to use this image and the env variables have been
updated accordingly.

Other variables have been updated in the docker-compose to support
self-hosting a public instance.

A commented traefik configuration in the docker-compose for the
dashboard service also allows the user to configure basic auth to
protect a publicly-facing dashboard.

---------

Co-authored-by: David Barroso <dbarrosop@dravetech.com>
Co-authored-by: Hassan Ben Jobrane <hsanbenjobrane@gmail.com>

.changeset/tall-suns-hunt.md

@@ -0,0 +1,5 @@
+---
+'@nhost-examples/docker-compose': minor
+---
+
+updated docker-compose.yaml and .env-example

examples/docker-compose/.env.example

@@ -1,5 +1,31 @@
+# Change all these variables before first creating the containers
 POSTGRES_PASSWORD=secret-pg-password-never-use-this-value
-HASURA_GRAPHQL_ADMIN_SECRET=nhost-admin-secret
+HASURA_GRAPHQL_ADMIN_SECRET=change-me
+# The jwt secret key can be generated with `openssl rand -hex 32`
 HASURA_GRAPHQL_JWT_SECRET='{"type":"HS256", "key":"5152fa850c02dc222631cca898ed1485821a70912a6e3649c49076912daa3b62182ba013315915d64f40cddfbb8b58eb5bd11ba225336a6af45bbae07ca873f3","issuer":"hasura-auth"}'
 STORAGE_ACCESS_KEY=storage-access-key-never-use-this-value
 STORAGE_SECRET_KEY=storage-secret-key-never-use-this-value
+
+# The following HOST and URL env variables are separated since the HOST variables are used to define the allowed hosts to the traefik services in the docker-compose.yaml
+
+# Public (proxy.my-nhost.com) or private (localhost) hostname for the Hasura API/proxy for the Nhost dashboard to send requests to 
+PROXY_HOST=localhost
+# Change to https://${PROXY_HOST} if not using localhost
+PROXY_URL=http://${PROXY_HOST}:1337
+
+# Public (example-url.my-nhost.com) or private (localhost) hostname for the Nhost dashboard for the proxy to allow requests from
+NHOST_HOST=localhost
+
+# Environment variables for the Nhost Dashboard. See dashboard/.env.example for default values. The defualt values are changed to work with our traefik setup created with the docker-compose
+
+# URL for the migrations API running from running `hasura-console`. If it needs to be publicly accessible, change it to your publicly-available URL (https://hasura-migrations.my-nhost.com)
+NEXT_PUBLIC_NHOST_HASURA_MIGRATIONS_API_URL=http://localhost:9693
+
+# The following do not need to be changed unless you modified the docker-compose.yaml
+NEXT_PUBLIC_NHOST_HASURA_CONSOLE_URL=${PROXY_URL}
+NEXT_PUBLIC_NHOST_HASURA_API_URL=${PROXY_URL}
+NEXT_PUBLIC_NHOST_ADMIN_SECRET=${HASURA_GRAPHQL_ADMIN_SECRET}
+NEXT_PUBLIC_NHOST_AUTH_URL=${PROXY_URL}/v1/auth
+NEXT_PUBLIC_NHOST_GRAPHQL_URL=${PROXY_URL}/v1/graphql
+NEXT_PUBLIC_NHOST_STORAGE_URL=${PROXY_URL}/v1/storage
+NEXT_PUBLIC_NHOST_FUNCTIONS_URL=${PROXY_URL}/v1/functions

examples/docker-compose/docker-compose.yaml

@@ -8,9 +8,14 @@ services:
       - "--providers.docker=true"
       - "--providers.docker.exposedbydefault=false"
       - "--entrypoints.web.address=:1337"
+      - "--entryPoints.admin.address=:3030"
     ports:
+      # hasura/services
       - "1337:1337"
+      # traefik interface
       - "9090:8080"
+      # dashboard
+      - "3030:3030"
     volumes:
       - "/var/run/docker.sock:/var/run/docker.sock:ro"
   postgres:
@@ -24,7 +29,7 @@ services:
     ports:
       - '5432:5432'
   graphql-engine:
-    image: hasura/graphql-engine:v2.15.2
+    image: hasura/graphql-engine:v2.35.1
     depends_on:
       - 'postgres'
     restart: always
@@ -39,10 +44,10 @@ services:
       HASURA_GRAPHQL_ENABLE_CONSOLE: 'true'
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.hasura.rule=Host(`localhost`) && PathPrefix(`/`)"
+      - "traefik.http.routers.hasura.rule=Host(`${PROXY_HOST}`, `localhost`) && PathPrefix(`/`)"
       - "traefik.http.routers.hasura.entrypoints=web"
   auth:
-    image: nhost/hasura-auth:0.16.2
+    image: nhost/hasura-auth:0.24
     depends_on:
       - postgres
       - graphql-engine
@@ -66,11 +71,11 @@ services:
     labels:
       - "traefik.enable=true"
       - "traefik.http.middlewares.strip-auth.stripprefix.prefixes=/v1/auth"
-      - "traefik.http.routers.auth.rule=Host(`localhost`) && PathPrefix(`/v1/auth`)"
+      - "traefik.http.routers.auth.rule=Host(`${PROXY_HOST}`, `localhost`) && PathPrefix(`/v1/auth`)"
       - "traefik.http.routers.auth.middlewares=strip-auth@docker"
       - "traefik.http.routers.auth.entrypoints=web"
   storage:
-    image: nhost/hasura-storage:0.3.1
+    image: nhost/hasura-storage:0.4.1
     depends_on:
       - postgres
       - graphql-engine
@@ -79,7 +84,7 @@ services:
     expose:
       - 8000
     environment:
-      PUBLIC_URL: http://localhost:${PROXY_PORT:-1337}
+      PUBLIC_URL: ${PROXY_URL}
       HASURA_METADATA: 1
       HASURA_ENDPOINT: http://graphql-engine:8080/v1
       HASURA_GRAPHQL_ADMIN_SECRET: ${HASURA_GRAPHQL_ADMIN_SECRET}
@@ -91,7 +96,7 @@ services:
       POSTGRES_MIGRATIONS_SOURCE: postgres://postgres:${POSTGRES_PASSWORD:-secretpgpassword}@postgres:5432/postgres?sslmode=disable
     labels:
       - "traefik.enable=true"
-      - "traefik.http.routers.storage.rule=Host(`localhost`) && PathPrefix(`/v1/storage`)"
+      - "traefik.http.routers.storage.rule=Host(`${PROXY_HOST}`, `localhost`) && PathPrefix(`/v1/storage`)"
       - "traefik.http.routers.storage.entrypoints=web"
       # Rewrite the path so it matches with the new storage API path introduced in hasura-storage 0.2
       - "traefik.http.middlewares.strip-suffix.replacepathregex.regex=^/v1/storage/(.*)"
@@ -99,11 +104,11 @@ services:
       - "traefik.http.routers.storage.middlewares=strip-suffix@docker"
     command: serve
   functions:
-    image: nhost/functions:0.1.8
+    image: nhost/functions:1.0.0
     labels:
       - "traefik.enable=true"
       - "traefik.http.middlewares.strip-functions.stripprefix.prefixes=/v1/functions"
-      - "traefik.http.routers.functions.rule=Host(`localhost`) && PathPrefix(`/v1/functions`)"
+      - "traefik.http.routers.functions.rule=Host(`${PROXY_HOST}`, `localhost`) && PathPrefix(`/v1/functions`)"
       - "traefik.http.routers.functions.middlewares=strip-functions@docker"
       - "traefik.http.routers.functions.entrypoints=web"
     restart: always
@@ -140,8 +145,24 @@ services:
     volumes:
       - ./data/mailhog:/maildir
   dashboard:
-    image: nhost/dashboard:0.7.4
-    ports:
-      - "3030:3000"
+    image: nhost/dashboard:0.21.1
+    environment:
+      NEXT_PUBLIC_NHOST_HASURA_MIGRATIONS_API_URL: ${NEXT_PUBLIC_NHOST_HASURA_MIGRATIONS_API_URL}
+      NEXT_PUBLIC_NHOST_HASURA_CONSOLE_URL: ${NEXT_PUBLIC_NHOST_HASURA_CONSOLE_URL}
+      NEXT_PUBLIC_NHOST_HASURA_API_URL: ${NEXT_PUBLIC_NHOST_HASURA_API_URL}
+      NEXT_PUBLIC_NHOST_ADMIN_SECRET: ${NEXT_PUBLIC_NHOST_ADMIN_SECRET}
+      NEXT_PUBLIC_NHOST_AUTH_URL: ${NEXT_PUBLIC_NHOST_AUTH_URL}
+      NEXT_PUBLIC_NHOST_GRAPHQL_URL: ${NEXT_PUBLIC_NHOST_GRAPHQL_URL}
+      NEXT_PUBLIC_NHOST_STORAGE_URL: ${NEXT_PUBLIC_NHOST_STORAGE_URL}
+      NEXT_PUBLIC_NHOST_FUNCTIONS_URL: ${NEXT_PUBLIC_NHOST_FUNCTIONS_URL}
+    expose:
+     - 3000
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.nhost.rule=Host(`${NHOST_HOST}`)"
+      - "traefik.http.routers.nhost.entrypoints=admin"
+      # If you would like to protect your dashboard with a username and password if it is publicly-facing, uncomment and fill in the following lines below according to the documentation at https://doc.traefik.io/traefik/middlewares/http/basicauth/
+      #- "traefik.http.routers.nhost.middlewares=auth"
+      #- "traefik.http.middlewares.auth.basicauth.users=
 volumes:
   functions_node_modules:

examples/docker-compose/functions/pnpm-lock.yaml

@@ -0,0 +1,5 @@
+lockfileVersion: '6.0'
+
+settings:
+  autoInstallPeers: true
+  excludeLinksFromLockfile: false