planka/docker-compose.yml

services:
  planka:
    image: ghcr.io/plankanban/planka:2.0.0-rc.3
    restart: on-failure
    volumes:
      - favicons:/app/public/favicons
      - user-avatars:/app/public/user-avatars
      - background-images:/app/public/background-images
      - attachments:/app/private/attachments
    # Optionally override this to your user/group
    # user: 1000:1000
    # tmpfs:
    #   - /app/.tmp:mode=770,uid=1000,gid=1000
    ports:
      - 3000:1337
    environment:
      - BASE_URL=http://localhost:3000
      - DATABASE_URL=postgresql://postgres@postgres/planka

      # Optionally store the database password in secrets:
      # - DATABASE_URL=postgresql://postgres:$${DATABASE_PASSWORD}@postgres/planka
      # - DATABASE_PASSWORD__FILE=/run/secrets/database_password
      # And add the following to the service:
      # secrets:
      #   - database_password

      - SECRET_KEY=notsecretkey
      # Optionally store in secrets - then SECRET_KEY should not be set
      # - SECRET_KEY__FILE=/run/secrets/secret_key

      # - LOG_LEVEL=warn

      # - TRUST_PROXY=true
      # - TOKEN_EXPIRES_IN=365 # In days

      # related: https://github.com/knex/knex/issues/2354
      # As knex does not pass query parameters from the connection string,
      # we have to use environment variables in order to pass the desired values, e.g.
      # - PGSSLMODE=<value>

      # Configure knex to accept SSL certificates
      # - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false

      # Used for per-board notifications
      # - DEFAULT_LANGUAGE=en-US

      # Do not comment out DEFAULT_ADMIN_EMAIL if you want to prevent this user from being edited/deleted
      # - DEFAULT_ADMIN_EMAIL=demo@demo.demo
      # - DEFAULT_ADMIN_PASSWORD=demo
      # Optionally store in secrets - then DEFAULT_ADMIN_PASSWORD should not be set
      # - DEFAULT_ADMIN_PASSWORD__FILE=/run/secrets/default_admin_password
      # - DEFAULT_ADMIN_NAME=Demo Demo
      # - DEFAULT_ADMIN_USERNAME=demo

      # - INTERNAL_ACCESS_TOKEN=
      # - ACTIVE_USERS_LIMIT=

      # Set to true to show more detailed authentication error messages.
      # It should not be enabled without a rate limiter for security reasons.
      # - SHOW_DETAILED_AUTH_ERRORS=false

      # - S3_ENDPOINT=
      # - S3_REGION=
      # - S3_ACCESS_KEY_ID=
      # - S3_SECRET_ACCESS_KEY=
      # Optionally store in secrets - then S3_SECRET_ACCESS_KEY should not be set
      # - S3_SECRET_ACCESS_KEY__FILE=/run/secrets/s3_secret_access_key
      # - S3_BUCKET=
      # - S3_FORCE_PATH_STYLE=true

      # - OIDC_ISSUER=
      # - OIDC_CLIENT_ID=
      # - OIDC_CLIENT_SECRET=
      # Optionally store in secrets - then OIDC_CLIENT_SECRET should not be set
      # - OIDC_CLIENT_SECRET__FILE=/run/secrets/oidc_client_secret
      # - OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG=
      # - OIDC_USERINFO_SIGNED_RESPONSE_ALG=
      # - OIDC_SCOPES=openid email profile
      # - OIDC_RESPONSE_MODE=fragment
      # - OIDC_USE_DEFAULT_RESPONSE_MODE=true
      # - OIDC_ADMIN_ROLES=admin
      # - OIDC_PROJECT_OWNER_ROLES=project_owner
      # - OIDC_BOARD_USER_ROLES=board_user
      # - OIDC_CLAIMS_SOURCE=userinfo
      # - OIDC_EMAIL_ATTRIBUTE=email
      # - OIDC_NAME_ATTRIBUTE=name
      # - OIDC_USERNAME_ATTRIBUTE=preferred_username
      # - OIDC_ROLES_ATTRIBUTE=groups
      # - OIDC_IGNORE_USERNAME=true
      # - OIDC_IGNORE_ROLES=true
      # - OIDC_ENFORCED=true

      # Email Notifications (https://nodemailer.com/smtp/)
      # - SMTP_HOST=
      # - SMTP_PORT=587
      # - SMTP_NAME=
      # - SMTP_SECURE=true
      # - SMTP_USER=
      # - SMTP_PASSWORD=
      # Optionally store in secrets - then SMTP_PASSWORD should not be set
      # - SMTP_PASSWORD__FILE=/run/secrets/smtp_password
      # - SMTP_FROM="Demo Demo" <demo@demo.demo>
      # - SMTP_TLS_REJECT_UNAUTHORIZED=false
    depends_on:
      postgres:
        condition: service_healthy

  postgres:
    image: postgres:16-alpine
    restart: on-failure
    volumes:
      - db-data:/var/lib/postgresql/data
    environment:
      - POSTGRES_DB=planka
      - POSTGRES_HOST_AUTH_METHOD=trust
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres -d planka"]
      interval: 10s
      timeout: 5s
      retries: 5

volumes:
  favicons:
  user-avatars:
  background-images:
  attachments:
  db-data:
Docker, update readme, update dependencies 2019-10-01 04:18:33 +05:00			`services:`
			`planka:`
chore: Update version 2025-05-27 23:37:47 +02:00			`image: ghcr.io/plankanban/planka:2.0.0-rc.3`
feat: Add healthcheck for docker deployments fix: Missing healthcheck.js fix: missing healthcheck.js fix: HEALTHCHECK command 2024-02-06 00:48:21 +01:00			`restart: on-failure`
Docker, update readme, update dependencies 2019-10-01 04:18:33 +05:00			`volumes:`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`- favicons:/app/public/favicons`
Add file attachments 2020-04-21 05:04:34 +05:00			`- user-avatars:/app/public/user-avatars`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`- background-images:/app/public/background-images`
feat: Remove attachments from public access Closes #219 2022-04-26 22:20:20 +05:00			`- attachments:/app/private/attachments`
build: Add tmpfs to compose file (#1165) 2025-06-02 13:39:10 -04:00			`# Optionally override this to your user/group`
			`# user: 1000:1000`
			`# tmpfs:`
			`# - /app/.tmp:mode=770,uid=1000,gid=1000`
Docker, update readme, update dependencies 2019-10-01 04:18:33 +05:00			`ports:`
			`- 3000:1337`
			`environment:`
			`- BASE_URL=http://localhost:3000`
			`- DATABASE_URL=postgresql://postgres@postgres/planka`
feat: Support for Docker secrets (#1132) Closes #1001 2025-05-15 19:32:37 +02:00
			`# Optionally store the database password in secrets:`
			`# - DATABASE_URL=postgresql://postgres:$${DATABASE_PASSWORD}@postgres/planka`
			`# - DATABASE_PASSWORD__FILE=/run/secrets/database_password`
			`# And add the following to the service:`
			`# secrets:`
			`# - database_password`

Add secret key to environment variables, update readme 2019-10-04 04:19:46 +05:00			`- SECRET_KEY=notsecretkey`
feat: Support for Docker secrets (#1132) Closes #1001 2025-05-15 19:32:37 +02:00			`# Optionally store in secrets - then SECRET_KEY should not be set`
			`# - SECRET_KEY__FILE=/run/secrets/secret_key`
feat: Allow postgres connections that require ssl mode (#409) Closes #261 2023-03-06 13:54:52 +01:00
chore: Add LOG_LEVEL to environment samples 2025-04-22 15:41:01 +02:00			`# - LOG_LEVEL=warn`

chore: Fix sample value for `TRUST_PROXY` environment variable 2025-05-13 16:29:31 +02:00			`# - TRUST_PROXY=true`
fix: Make default admin environment variables optional Closes #526 2023-10-20 21:52:12 +02:00			`# - TOKEN_EXPIRES_IN=365 # In days`
feat: Use environment variables for default admin configuration 2023-09-12 01:12:38 +02:00
feat: Allow postgres connections that require ssl mode (#409) Closes #261 2023-03-06 13:54:52 +01:00			`# related: https://github.com/knex/knex/issues/2354`
feat: Support for Docker secrets (#1132) Closes #1001 2025-05-15 19:32:37 +02:00			`# As knex does not pass query parameters from the connection string,`
			`# we have to use environment variables in order to pass the desired values, e.g.`
feat: Allow postgres connections that require ssl mode (#409) Closes #261 2023-03-06 13:54:52 +01:00			`# - PGSSLMODE=<value>`

			`# Configure knex to accept SSL certificates`
			`# - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false`
fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00
feat: Support for Docker secrets (#1132) Closes #1001 2025-05-15 19:32:37 +02:00			`# Used for per-board notifications`
			`# - DEFAULT_LANGUAGE=en-US`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00
feat: Support for Docker secrets (#1132) Closes #1001 2025-05-15 19:32:37 +02:00			`# Do not comment out DEFAULT_ADMIN_EMAIL if you want to prevent this user from being edited/deleted`
			`# - DEFAULT_ADMIN_EMAIL=demo@demo.demo`
fix: Make default admin environment variables optional Closes #526 2023-10-20 21:52:12 +02:00			`# - DEFAULT_ADMIN_PASSWORD=demo`
feat: Support for Docker secrets (#1132) Closes #1001 2025-05-15 19:32:37 +02:00			`# Optionally store in secrets - then DEFAULT_ADMIN_PASSWORD should not be set`
			`# - DEFAULT_ADMIN_PASSWORD__FILE=/run/secrets/default_admin_password`
fix: Make default admin environment variables optional Closes #526 2023-10-20 21:52:12 +02:00			`# - DEFAULT_ADMIN_NAME=Demo Demo`
			`# - DEFAULT_ADMIN_USERNAME=demo`

feat: Add `INTERNAL_ACCESS_TOKEN` to support internal user configuration 2025-07-07 21:35:37 +02:00			`# - INTERNAL_ACCESS_TOKEN=`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`# - ACTIVE_USERS_LIMIT=`
feat: Support for Docker secrets (#1132) Closes #1001 2025-05-15 19:32:37 +02:00
			`# Set to true to show more detailed authentication error messages.`
			`# It should not be enabled without a rate limiter for security reasons.`
			`# - SHOW_DETAILED_AUTH_ERRORS=false`
feat: Ability to allow everyone to create projects (#787) 2024-06-14 16:38:06 +02:00
fix: Secure S3 attachments, bump SDK, refactoring Closes #673 2024-11-12 15:58:22 +01:00			`# - S3_ENDPOINT=`
			`# - S3_REGION=`
			`# - S3_ACCESS_KEY_ID=`
			`# - S3_SECRET_ACCESS_KEY=`
feat: Support for Docker secrets (#1132) Closes #1001 2025-05-15 19:32:37 +02:00			`# Optionally store in secrets - then S3_SECRET_ACCESS_KEY should not be set`
			`# - S3_SECRET_ACCESS_KEY__FILE=/run/secrets/s3_secret_access_key`
fix: Secure S3 attachments, bump SDK, refactoring Closes #673 2024-11-12 15:58:22 +01:00			`# - S3_BUCKET=`
			`# - S3_FORCE_PATH_STYLE=true`

fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00			`# - OIDC_ISSUER=`
			`# - OIDC_CLIENT_ID=`
feat: Improve OIDC SSO (#524) The OIDC implementation merged in https://github.com/plankanban/planka/pull/491 is flawed for multiple reasons. It assumes that the access_token returned by the IDP has to be a JWT parseable by the RP which is not the case [1]. Many major IDPs do issue tokens which are not JWTs and RPs should not rely on the contents of these at all. The only signed token which has a standardized format for direct RP consumption is the OIDC ID token (id_token), but this by default doesn't contain many claims, especially role claims are omitted from them by default for size reasons. To get these additional claims into the ID token, one needs an IDP with support for the "claims" parameter. It requires manual specification of the JWKS URL which is mandatory in any OIDC discovery document and thus never needs to be manually specified. It also makes the questionable decision to use a client-side code flow with PKCE where a normal code flow would be much more appropriate as all user data is processed in the backend which can securely hold a client secret (confidential client). This has far wider IDP support, is safer (due to direct involvement of the IDP in obtaining user information) and doesn't require working with ID tokens and claim parameters. By using a server-side code flow we can also offload most complexity to the server alone, no longer requiring an additional OIDC library on the web client. Also silent logout doesn't work on most IDPs for security reasons, one needs to actually redirect the user over to the IDP, which then prompts them once more if they actually want to log out. This implementation should work with any OIDC-compliant IDP and even OAuth 2.0-only IDPs as long as they serve and OIDC discovery document. [1] rfc-editor.org/rfc/rfc6749#section-5.1 2023-10-19 14:39:21 +02:00			`# - OIDC_CLIENT_SECRET=`
feat: Support for Docker secrets (#1132) Closes #1001 2025-05-15 19:32:37 +02:00			`# Optionally store in secrets - then OIDC_CLIENT_SECRET should not be set`
			`# - OIDC_CLIENT_SECRET__FILE=/run/secrets/oidc_client_secret`
ref: Refactoring, fix linting 2024-07-16 12:33:38 +02:00			`# - OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG=`
			`# - OIDC_USERINFO_SIGNED_RESPONSE_ALG=`
fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00			`# - OIDC_SCOPES=openid email profile`
ref: Refactoring, fix linting 2024-07-16 12:33:38 +02:00			`# - OIDC_RESPONSE_MODE=fragment`
			`# - OIDC_USE_DEFAULT_RESPONSE_MODE=true`
fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00			`# - OIDC_ADMIN_ROLES=admin`
chore: Add missing environment variables for OIDC roles 2025-06-30 12:07:44 +02:00			`# - OIDC_PROJECT_OWNER_ROLES=project_owner`
			`# - OIDC_BOARD_USER_ROLES=board_user`
feat: Ability to configure OIDC claims source (#888) Closes #884 2024-09-20 16:19:54 +02:00			`# - OIDC_CLAIMS_SOURCE=userinfo`
feat: Add ability to map OIDC attributes and ignore username Closes #554 2024-01-25 23:01:59 +01:00			`# - OIDC_EMAIL_ATTRIBUTE=email`
			`# - OIDC_NAME_ATTRIBUTE=name`
			`# - OIDC_USERNAME_ATTRIBUTE=preferred_username`
fix: OIDC finalization and refactoring 2023-10-17 19:18:19 +02:00			`# - OIDC_ROLES_ATTRIBUTE=groups`
feat: Add ability to map OIDC attributes and ignore username Closes #554 2024-01-25 23:01:59 +01:00			`# - OIDC_IGNORE_USERNAME=true`
feat: Add ability to ignore roles when logging in with SSO (#534) Closes #533 2023-10-25 23:01:35 +02:00			`# - OIDC_IGNORE_ROLES=true`
feat: Add ability to enforce SSO Closes #543, closes #545 2024-02-01 00:31:15 +01:00			`# - OIDC_ENFORCED=true`
feat: Slack bot notifications (#676) 2024-04-08 00:33:29 +02:00
			`# Email Notifications (https://nodemailer.com/smtp/)`
			`# - SMTP_HOST=`
			`# - SMTP_PORT=587`
feat: Add SMTP_NAME environment variable (#761) Closes #758 2024-05-18 14:02:21 +01:00			`# - SMTP_NAME=`
feat: Slack bot notifications (#676) 2024-04-08 00:33:29 +02:00			`# - SMTP_SECURE=true`
			`# - SMTP_USER=`
			`# - SMTP_PASSWORD=`
feat: Support for Docker secrets (#1132) Closes #1001 2025-05-15 19:32:37 +02:00			`# Optionally store in secrets - then SMTP_PASSWORD should not be set`
			`# - SMTP_PASSWORD__FILE=/run/secrets/smtp_password`
feat: Slack bot notifications (#676) 2024-04-08 00:33:29 +02:00			`# - SMTP_FROM="Demo Demo" <demo@demo.demo>`
feat: Ability to disable SMTP certificate verification Closes #744 2024-10-02 14:10:31 +02:00			`# - SMTP_TLS_REJECT_UNAUTHORIZED=false`
Docker, update readme, update dependencies 2019-10-01 04:18:33 +05:00			`depends_on:`
feat: Add healthcheck for docker deployments fix: Missing healthcheck.js fix: missing healthcheck.js fix: HEALTHCHECK command 2024-02-06 00:48:21 +01:00			`postgres:`
			`condition: service_healthy`
Docker, update readme, update dependencies 2019-10-01 04:18:33 +05:00
			`postgres:`
chore: Bump postgres version to 16 in compose files 2024-10-22 20:22:23 +02:00			`image: postgres:16-alpine`
feat: Add healthcheck for docker deployments fix: Missing healthcheck.js fix: missing healthcheck.js fix: HEALTHCHECK command 2024-02-06 00:48:21 +01:00			`restart: on-failure`
Docker, update readme, update dependencies 2019-10-01 04:18:33 +05:00			`volumes:`
			`- db-data:/var/lib/postgresql/data`
			`environment:`
			`- POSTGRES_DB=planka`
Add file attachments 2020-04-21 05:04:34 +05:00			`- POSTGRES_HOST_AUTH_METHOD=trust`
feat: Add healthcheck for docker deployments fix: Missing healthcheck.js fix: missing healthcheck.js fix: HEALTHCHECK command 2024-02-06 00:48:21 +01:00			`healthcheck:`
fix: Secure S3 attachments, bump SDK, refactoring Closes #673 2024-11-12 15:58:22 +01:00			`test: ["CMD-SHELL", "pg_isready -U postgres -d planka"]`
feat: Add healthcheck for docker deployments fix: Missing healthcheck.js fix: missing healthcheck.js fix: HEALTHCHECK command 2024-02-06 00:48:21 +01:00			`interval: 10s`
			`timeout: 5s`
			`retries: 5`
Docker, update readme, update dependencies 2019-10-01 04:18:33 +05:00
			`volumes:`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`favicons:`
Add file attachments 2020-04-21 05:04:34 +05:00			`user-avatars:`
feat: Version 2 Closes #627, closes #1047 2025-05-10 02:09:06 +02:00			`background-images:`
Add file attachments 2020-04-21 05:04:34 +05:00			`attachments:`
Docker, update readme, update dependencies 2019-10-01 04:18:33 +05:00			`db-data:`