1 files changed, 88 insertions, 0 deletions

diff --git a/playbooks/roles/ci/templates/stacks/docker-compose.yml b/playbooks/roles/ci/templates/stacks/docker-compose.yml
new file mode 100644
index 0000000..e2358e5
--- /dev/null
+++ b/playbooks/roles/ci/templates/stacks/docker-compose.yml
@@ -0,0 +1,88 @@
+services:
+  db:
+    image: postgres
+    environment:
+      POSTGRES_DB: concourse
+      POSTGRES_PASSWORD: concourse_pass
+      POSTGRES_USER: concourse_user
+      PGDATA: /database
+      POSTGRES_HOST_AUTH_METHOD: trust
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U concourse_user -d concourse"]
+      interval: 3s
+      timeout: 3s
+      retries: 5
+    networks:
+      - ci
+
+  worker:
+    image: concourse/concourse
+    command: worker
+    privileged: true
+    depends_on:
+      web:
+        condition: service_healthy
+    volumes:
+      - {{ ci_base }}/volumes/keys/worker:/concourse-keys
+    networks:
+      - ci
+    stop_signal: SIGUSR2
+    environment:
+      CONCOURSE_TSA_HOST: web:2222
+      CONCOURSE_GARDEN_DNS_PROXY_ENABLE: "true"
+
+  web:
+    image: concourse
+    depends_on:
+      db:
+        condition: service_healthy
+    volumes:
+      - {{ ci_base }}/volumes/keys/web:/concourse-keys
+    environment:
+      - TZ={{ timezone }}
+      - DEPLOYMENT_TIME={{ deployment_time }}
+      - CONCOURSE_POSTGRES_HOST: db
+      - CONCOURSE_POSTGRES_USER: concourse_user
+      - CONCOURSE_POSTGRES_PASSWORD: concourse_pass
+      - CONCOURSE_POSTGRES_DATABASE: concourse
+      - CONCOURSE_EXTERNAL_URL: https://{{ ci_domain }}
+
+      - # instead of relying on the default "detect"
+      - CONCOURSE_WORKER_BAGGAGECLAIM_DRIVER=overlay
+      - CONCOURSE_CLUSTER_NAME={{ ci_domain }}
+
+      - CONCOURSE_OIDC_DISPLAY_NAME={{ domain }} <3
+      - CONCOURSE_OIDC_CLIENT_ID=concourse
+      - CONCOURSE_OIDC_CLIENT_SECRET={{ concourse_secret_key }}
+      - CONCOURSE_OID_ISSUER=https://{{ idm_domain }}/oauth2/openid/concourse/
+    networks:
+      - ci
+      - proxy
+    healthcheck:
+      test: ["CMD-SHELL", "curl", "--fail", "http://localhost:8080"]
+      timeout: 15s
+      interval: 30s
+      retries: 3
+      start_period: 5s
+    deploy:
+      mode: replicated
+      update_config:
+        parallelism: 1
+        failure_action: rollback
+        order: start-first
+        delay: 5s
+        monitor: 20s
+      replicas: 1
+      labels:
+        - traefik.enable=true
+        - traefik.swarm.network=proxy
+        - traefik.http.routers.ci.tls=true
+        - traefik.http.routers.ci.tls.certResolver=letsencrypt
+        - traefik.http.routers.ci.rule=Host(`{{ ci_domain }}`)
+        - traefik.http.routers.ci.entrypoints=websecure
+        - traefik.http.services.ci.loadbalancer.server.port=8080
+
+networks:
+  ci:
+  proxy:
+    external: true