+8

docker-compose/.env.example

reviewed

··· 1 1 + # Required 2 2 + DOMAIN=lichen.example.com 3 3 + ADMIN_PASSWORD=change-me 4 4 + 5 5 + # Optional 6 6 + ADMIN_USER=admin 7 7 + AUTH_PROVIDERS=file,atproto 8 8 + RUST_LOG=info

+2

docker-compose/.gitignore

reviewed

··· 1 1 + .env 2 2 + bin/

+16

docker-compose/Caddyfile

reviewed

··· 1 1 + { 2 2 + on_demand_tls { 3 3 + ask http://app:9000/tls-check 4 4 + } 5 5 + } 6 6 + 7 7 + :443 { 8 8 + tls { 9 9 + on_demand 10 10 + } 11 11 + reverse_proxy app:9000 12 12 + } 13 13 + 14 14 + :80 { 15 15 + redir https://{host}{uri} permanent 16 16 + }

+47

docker-compose/README.md

reviewed

··· 1 1 + # Lichen Docker Compose Deployment 2 2 + 3 3 + Deploy lichen to any VPS with Docker. 4 4 + 5 5 + ## Quick start 6 6 + 7 7 + 1. Copy this directory to your server 8 8 + 2. Create `.env` from the example: 9 9 + ```bash 10 10 + cp .env.example .env 11 11 + # edit .env — set DOMAIN and ADMIN_PASSWORD 12 12 + ``` 13 13 + 3. Point your domain's DNS A record to the server IP 14 14 + 4. Start: 15 15 + ```bash 16 16 + docker compose up -d 17 17 + ``` 18 18 + 5. Caddy automatically obtains a TLS certificate via Let's Encrypt 19 19 + 20 20 + ## Connect the CLI 21 21 + 22 22 + ```bash 23 23 + lm auth login --server https://your-domain.com --password 24 24 + lm sites list 25 25 + ``` 26 26 + 27 27 + ## Custom binary (optional) 28 28 + 29 29 + To run a custom-built lichen-server instead of the image default: 30 30 + 31 31 + ```bash 32 32 + mkdir -p bin 33 33 + # build locally and copy, or scp from your dev machine: 34 34 + scp your-machine:path/to/target/release/lichen-server bin/ 35 35 + docker compose restart app 36 36 + ``` 37 37 + 38 38 + The entrypoint checks for `bin/lichen-server` and uses it if present. 39 39 + Remove the file and restart to revert to the standard image. 40 40 + 41 41 + ## Files 42 42 + 43 43 + - `docker-compose.yml` — service definitions (app + caddy) 44 44 + - `entrypoint.sh` — startup script (admin user, custom binary check) 45 45 + - `Caddyfile` — HTTPS with on-demand TLS via Let's Encrypt 46 46 + - `.env.example` — configuration template 47 47 + - `bin/` — drop a custom lichen-server binary here (gitignored)

+48

docker-compose/docker-compose.yml

reviewed

··· 1 1 + services: 2 2 + app: 3 3 + image: notplants/lichen-full:latest 4 4 + entrypoint: ["/bin/sh", "/entrypoint.sh"] 5 5 + networks: 6 6 + - internal 7 7 + environment: 8 8 + - LM_SERVER_PORT=9000 9 9 + - LM_DASHBOARD_DOMAIN=${DOMAIN} 10 10 + - LM_USE_AUTH=true 11 11 + - LM_ROOT_DIR=/data 12 12 + - LM_PUBLIC_URL=https://${DOMAIN} 13 13 + - AUTH_PROVIDERS=${AUTH_PROVIDERS:-file,atproto} 14 14 + - ADMIN_USER=${ADMIN_USER:-admin} 15 15 + - ADMIN_PASSWORD=${ADMIN_PASSWORD} 16 16 + - RUST_LOG=${RUST_LOG:-info} 17 17 + volumes: 18 18 + - lichen_data:/data 19 19 + - ./entrypoint.sh:/entrypoint.sh:ro 20 20 + - ./bin:/opt/lichen-bin:ro 21 21 + healthcheck: 22 22 + test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:9000/tls-check"] 23 23 + interval: 30s 24 24 + timeout: 10s 25 25 + retries: 5 26 26 + start_period: 30s 27 27 + restart: unless-stopped 28 28 + 29 29 + caddy: 30 30 + image: caddy:2 31 31 + ports: 32 32 + - "80:80" 33 33 + - "443:443" 34 34 + networks: 35 35 + - internal 36 36 + environment: 37 37 + - DOMAIN=${DOMAIN} 38 38 + volumes: 39 39 + - ./Caddyfile:/etc/caddy/Caddyfile:ro 40 40 + - caddy_data:/data 41 41 + restart: unless-stopped 42 42 + 43 43 + networks: 44 44 + internal: 45 45 + 46 46 + volumes: 47 47 + lichen_data: 48 48 + caddy_data:

+39

docker-compose/entrypoint.sh

reviewed

··· 1 1 + #!/bin/sh 2 2 + set -e 3 3 + 4 4 + # disable bubblewrap sandbox — not supported inside Docker 5 5 + rm -f /usr/bin/bwrap 6 6 + 7 7 + # install bash for lichen shell feature 8 8 + apk add --no-cache bash > /dev/null 2>&1 || true 9 9 + 10 10 + # set git identity for auto-commit 11 11 + if command -v git > /dev/null 2>&1; then 12 12 + git config --global user.email "lichen@${LM_DASHBOARD_DOMAIN:-localhost}" 13 13 + git config --global user.name "lichen" 14 14 + fi 15 15 + 16 16 + # write lichen.toml if it doesn't exist yet 17 17 + if [ ! -f /data/lichen.toml ]; then 18 18 + TOML_PROVIDERS=$(echo "${AUTH_PROVIDERS:-file,atproto}" | sed 's/[^,][^,]*/\"&\"/g') 19 19 + echo "auth_providers = [$TOML_PROVIDERS]" > /data/lichen.toml 20 20 + fi 21 21 + 22 22 + # create or update admin user on every startup 23 23 + if [ -n "$ADMIN_PASSWORD" ]; then 24 24 + if [ -f "/data/users/${ADMIN_USER:-admin}.toml" ]; then 25 25 + lichen-server --multi user set-password "${ADMIN_USER:-admin}" \ 26 26 + --password "$ADMIN_PASSWORD" --root-dir /data 27 27 + else 28 28 + lichen-server --multi user add "${ADMIN_USER:-admin}" \ 29 29 + --password "$ADMIN_PASSWORD" --root-dir /data 30 30 + fi 31 31 + fi 32 32 + 33 33 + # use custom binary if present, otherwise use the image's built-in binary 34 34 + if [ -x /opt/lichen-bin/lichen-server ]; then 35 35 + echo "++ using custom binary from /opt/lichen-bin/lichen-server" 36 36 + exec /opt/lichen-bin/lichen-server --multi serve 37 37 + else 38 38 + exec lichen-server --multi serve 39 39 + fi