Kyoo/docker-compose.yml

# Shared definition for every transcoder variant; the services below pull it
# in with `<<: *transcoder-base`.
# YAML merge keys are shallow: a service that merges this anchor and declares
# its own `environment:` (or any other key) replaces the value given here
# instead of extending it.
x-transcoder: &transcoder-base
  build: ./transcoder
  image: ghcr.io/zoriya/kyoo_transcoder:edge
  networks:
    default:
      # All variants answer to the same name on the default network.
      aliases:
        - transcoder
  restart: unless-stopped
  environment:
    # JWKS document served by the auth service.
    - "JWKS_URL=http://auth:4568/.well-known/jwks.json"
  env_file:
    - ./.env
  volumes:
    # The media library is mounted read-only; cache and metadata are writable.
    - "${LIBRARY_ROOT}:/video:ro"
    - "${CACHE_ROOT}:/cache"
    - "transcoder_metadata:/metadata"
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.transcoder.rule=PathPrefix(`/video`)"
    # Requests under /video go through the forward-auth middleware, which
    # sends the Authorization, Cookie and X-Api-Key request headers to the
    # auth service and copies its Authorization response header onto the
    # request.
    - "traefik.http.routers.transcoder.middlewares=phantom-token"
    - "traefik.http.middlewares.phantom-token.forwardauth.address=http://auth:4568/auth/jwt"
    - "traefik.http.middlewares.phantom-token.forwardauth.authRequestHeaders=Authorization,Cookie,X-Api-Key"
    - "traefik.http.middlewares.phantom-token.forwardauth.authResponseHeaders=Authorization"
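# Service definitions. Only traefik publishes a host port; every other
# container is reached through it or over the compose network.
# The image tags used below (:edge, v3.5, 15) are mutable; pin digests where
# a reproducible deployment matters.
services:
  front:
    build: ./front
    image: ghcr.io/zoriya/kyoo_front:edge
    restart: unless-stopped
    environment:
      - KYOO_URL=${KYOO_URL:-http://api:5000/api}
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.front.rule=PathPrefix(`/`)"
      - "traefik.http.services.front.loadbalancer.server.port=8901"

  auth:
    build: ./auth
    image: ghcr.io/zoriya/kyoo_auth:edge
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
    env_file:
      - ./.env
    labels:
      - "traefik.enable=true"
      # No forward-auth middleware on this router: /auth/ and /.well-known/
      # are the endpoints the middleware itself depends on.
      - "traefik.http.routers.auth.rule=PathPrefix(`/auth/`) || PathPrefix(`/.well-known/`)"

  api:
    build: ./api
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
    environment:
      - JWT_ISSUER=${PUBLIC_URL}
    env_file:
      - ./.env
    volumes:
      - images:/app/images
    labels:
      - "traefik.enable=true"
      # NOTE(review): the swagger router has no middleware attached, so
      # /swagger is served without the forward-auth check. Confirm that is
      # intended.
      - "traefik.http.routers.swagger.rule=PathPrefix(`/swagger`)"
      - "traefik.http.routers.api.rule=PathPrefix(`/api/`)"
      - "traefik.http.routers.api.middlewares=phantom-token"
      # The phantom-token middleware is declared on the api, scanner and
      # transcoder containers. Keep the three definitions identical so the
      # provider does not see conflicting configurations for one name.
      - "traefik.http.middlewares.phantom-token.forwardauth.address=http://auth:4568/auth/jwt"
      - "traefik.http.middlewares.phantom-token.forwardauth.authRequestHeaders=Authorization,Cookie,X-Api-Key"
      - "traefik.http.middlewares.phantom-token.forwardauth.authResponseHeaders=Authorization"

  scanner:
    build: ./scanner
    image: ghcr.io/zoriya/kyoo_scanner:edge
    restart: unless-stopped
    env_file:
      - ./.env
    environment:
      # Use this env var once we use mTLS for auth
      # - KYOO_URL=${KYOO_URL:-http://api:3567/api}
      # Until then the scanner reaches the API through traefik, so its calls
      # pass the same forward-auth middleware as external requests.
      - KYOO_URL=${KYOO_URL:-http://traefik:8901/api}
      # The API key is built from a secret expected in the environment or
      # .env file; keep that file out of version control.
      - KYOO_APIKEY=scanner-$KEIBI_APIKEY_SCANNER
      - JWKS_URL=http://auth:4568/.well-known/jwks.json
      - JWT_ISSUER=${PUBLIC_URL}
    volumes:
      - ${LIBRARY_ROOT}:/video:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.scanner.rule=PathPrefix(`/scanner/`)"
      - "traefik.http.routers.scanner.middlewares=phantom-token"
      - "traefik.http.middlewares.phantom-token.forwardauth.address=http://auth:4568/auth/jwt"
      - "traefik.http.middlewares.phantom-token.forwardauth.authRequestHeaders=Authorization,Cookie,X-Api-Key"
      - "traefik.http.middlewares.phantom-token.forwardauth.authResponseHeaders=Authorization"

  transcoder:
    <<: *transcoder-base
    profiles: ["", "cpu"]

  # The hardware-accelerated variants declare their own `environment:` list.
  # The merge key is shallow, so that list replaces the one from
  # transcoder-base rather than extending it. JWKS_URL is therefore repeated
  # in each variant to keep the same key source as the cpu profile.
  transcoder-nvidia:
    <<: *transcoder-base
    deploy:
      resources:
        reservations:
          devices:
            - capabilities: [gpu]
              driver: cdi
              device_ids:
                - nvidia.com/gpu=all
    environment:
      - JWKS_URL=http://auth:4568/.well-known/jwks.json
      - GOCODER_HWACCEL=nvidia
    profiles: ["nvidia"]

  transcoder-vaapi:
    <<: *transcoder-base
    devices:
      - /dev/dri:/dev/dri
    environment:
      - JWKS_URL=http://auth:4568/.well-known/jwks.json
      - GOCODER_HWACCEL=vaapi
      - GOCODER_VAAPI_RENDERER=${GOCODER_VAAPI_RENDERER:-/dev/dri/renderD128}
    profiles: ["vaapi"]

  # qsv is the same setup as vaapi but with the hwaccel env var different
  transcoder-qsv:
    <<: *transcoder-base
    devices:
      - /dev/dri:/dev/dri
    environment:
      - JWKS_URL=http://auth:4568/.well-known/jwks.json
      - GOCODER_HWACCEL=qsv
      - GOCODER_VAAPI_RENDERER=${GOCODER_VAAPI_RENDERER:-/dev/dri/renderD128}
    profiles: ["qsv"]

  traefik:
    image: traefik:v3.5
    restart: unless-stopped
    command:
      - "--providers.docker=true"
      # Containers are routed only when they opt in with traefik.enable=true.
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:8901"
      - "--accesslog=true"
    ports:
      # Published on every host interface as plain HTTP. Terminate TLS in
      # front of this port or bind it to a specific address when the host is
      # reachable from untrusted networks.
      - "8901:8901"
    volumes:
      # The :ro flag makes only the socket file's mount read-only. It does
      # not limit which Docker API calls can be sent over the socket, so
      # this container effectively has control of the Docker daemon.
      # A filtering socket proxy that exposes only the read endpoints the
      # provider needs narrows that.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  postgres:
    image: postgres:15
    restart: unless-stopped
    env_file:
      - ./.env
    volumes:
      - db:/var/lib/postgresql/data
    environment:
      - POSTGRES_USER=$PGUSER
      - POSTGRES_PASSWORD=$PGPASSWORD
      - POSTGRES_DB=$PGDATABASE
      # NOTE(review): `trust` turns off password checks. Any client that can
      # reach this container on the compose network can connect as any role,
      # and POSTGRES_PASSWORD is not enforced. No port is published to the
      # host here, so exposure is limited to the other containers.
      # The image applies this setting when it initialises an empty data
      # directory, so tightening it later also means editing pg_hba.conf in
      # the existing volume.
      - POSTGRES_HOST_AUTH_METHOD=trust
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${PGUSER} -d ${PGDATABASE}"]
      interval: 5s
      timeout: 5s
      retries: 5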
# Named volumes with default settings: the database files, the api image
# store, and the transcoder metadata.
volumes:
  db: {}
  images: {}
  transcoder_metadata: {}