Bulwark/docker-compose.yml

# Local backing services for the dev loop.
#
# Runs throwaway Postgres + Valkey on your machine; the app runs on the host
# (`mix phx.server`) and connects over localhost. This mirrors the cluster
# topology in miniature — only the DSN differs between local and prod. See the
# developer guide ("Local development") for the rationale.
#
# Images: canonical upstream images pinned to the cluster's MAJOR versions.
# We deliberately do NOT use the cluster's operator images here:
#   shared-pg    -> cloudnative-pg/postgresql (assumes a k8s-managed PVC; does
#                   not chown its data dir, so it fails on a plain Docker volume)
#   shared-cache -> hyperspike/valkey (ships Cmd=/bin/sh; the Valkey operator
#                   injects the server command — it never starts standalone)
# DSN-from-env already gives us local↔cluster parity, so the local image
# identity is irrelevant. Use the standalone-friendly upstream images and pin
# the same MAJOR (PG 17, Valkey 8) to avoid behavioral drift.
#
# Env comes from .env.local (gitignored). Copy .env.local.example to start.

services:
  postgres:
    image: postgres:17
    environment:
      POSTGRES_USER: ${POSTGRES_USER:-postgres}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
      POSTGRES_DB: ${POSTGRES_DB:-bulwark_dev}
    ports:
      - "5432:5432"
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-postgres}"]
      interval: 5s
      timeout: 3s
      retries: 10

  valkey:
    image: valkey/valkey:8
    # No password locally — cluster Valkey REQUIRES one. The DSN (with creds in
    # prod) is the only thing that changes; see the auth-parity note in the
    # developer guide. Do not hard-code the no-auth form in app code.
    ports:
      - "6379:6379"
    healthcheck:
      test: ["CMD", "valkey-cli", "ping"]
      interval: 5s
      timeout: 3s
      retries: 10

volumes:
  pgdata: