Docker Compose

Reference compose file for local development and small production. Volumes for state, environment-driven secrets, healthchecks on every service, and a one-shot upgrade path.

01 Prerequisites

  • Docker 24+ with Compose v2 (docker compose, no hyphen).
  • 4 GiB RAM allocated to the engine. MongoDB will not start with less.

02 compose.yaml

services:
  app:
    image: ghcr.io/cloudnativeworks/certautopilot:1.4.0
    restart: unless-stopped
    ports: ["443:443", "9090:9090"]
    environment:
      CAP_MODE: all
      CAP_MONGO_URI: mongodb://mongo:27017/certautopilot?replicaSet=rs0
      CAP_KEK_FILE: /run/secrets/kek
    secrets: [kek]
    volumes:
      - ./uploads:/var/lib/certautopilot/uploads
      - ./tls:/etc/certautopilot/tls:ro
    depends_on:
      mongo:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "/usr/bin/certautopilot", "health"]
      interval: 30s
      retries: 3

  mongo:
    image: mongo:7
    restart: unless-stopped
    command: ["mongod", "--replSet", "rs0", "--bind_ip_all"]
    volumes: ["./mongo:/data/db"]
    healthcheck:
      test: ["CMD", "mongosh", "--quiet", "--eval", "rs.status().ok"]
      interval: 10s
      retries: 12

secrets:
  kek:
    file: ./secrets/kek.bin

03 Generate the KEK

The KEK is a 32-byte random blob. Generate once, back it up, and never check it into git.

mkdir -p secrets
openssl rand 32 > secrets/kek.bin
chmod 0400 secrets/kek.bin

Lose this file = lose all secrets

Without the KEK, the encrypted private keys, credentials, and audit secret in MongoDB are unrecoverable. Back the file up to a separate secret store (AWS Secrets Manager, HashiCorp Vault, 1Password, etc.) before running anything that writes encrypted data.
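A preflight check for the file generated above, as an added example script (not part of CertAutoPilot): it verifies that the KEK exists, is exactly 32 bytes, is readable only by its owner, and is not an all-zero or placeholder file, so a bad secret is caught before anything writes encrypted data. The script name in the usage comment is assumed.

```shell
#!/bin/sh
# Preflight check for the KEK (added example; not part of CertAutoPilot).
# Usage: sh check_kek.sh secrets/kek.bin
set -u

file_mode() {
  # Octal permission bits; GNU stat first, BSD stat as a fallback.
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

check_kek() {
  kek="$1"
  if [ ! -f "$kek" ]; then
    echo "KEK missing: $kek (generate with: openssl rand 32 > $kek)" >&2
    return 1
  fi
  # Exactly 32 bytes, as CAP_KEK_FILE requires.
  size=$(wc -c < "$kek" | tr -d ' ')
  if [ "$size" -ne 32 ]; then
    echo "KEK is $size bytes, expected 32" >&2
    return 1
  fi
  # Owner-only access: the docs use 0400; 0600 is also accepted.
  mode=$(file_mode "$kek")
  case "$mode" in
    400|600) ;;
    *) echo "KEK mode is $mode, expected 0400 (no group/other access)" >&2
       return 1 ;;
  esac
  # Reject an obviously non-random file (copied from /dev/zero, a placeholder):
  # 32 random bytes have about 30 distinct values, so demand at least 8.
  distinct=$(od -An -tu1 -v "$kek" | tr -s ' \n' '\n' | sed '/^$/d' | sort -u | wc -l | tr -d ' ')
  if [ "$distinct" -lt 8 ]; then
    echo "KEK has only $distinct distinct byte values; regenerate it" >&2
    return 1
  fi
  echo "KEK ok: $kek"
}

# Run directly with a path argument; when sourced, only the functions are defined.
if [ $# -gt 0 ]; then
  check_kek "$1"
fi
```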

04 Initialize the replica set

CertAutoPilot uses MongoDB transactions, which require a replica set. Even a single-member RS works — initialize it once:

docker compose up -d mongo
docker compose exec mongo mongosh --eval 'rs.initiate({_id:"rs0",members:[{_id:0,host:"mongo:27017"}]})'

05 Start everything

docker compose up -d
docker compose logs -f app

The first-run setup token is logged on startup; grep the app log for "setup token".

06 Upgrade

Bump the image tag and recreate. Migrations run automatically on startup.

sed -i 's|certautopilot:1.4.0|certautopilot:1.4.1|' compose.yaml
docker compose pull app
docker compose up -d app

07 Environment reference

Variable        Required  Notes
CAP_MODE        yes       all / api / worker / scheduler
CAP_MONGO_URI   yes       Standard Mongo URI with replicaSet.
CAP_KEK_FILE    yes       Path to the 32-byte KEK.
CAP_HTTPS_PORT  no        Default 443.
CAP_LOG_LEVEL   no        debug / info / warn
HTTPS_PROXY     no        Outbound proxy for ACME/CA traffic.