This repository contains a production-ready Docker Compose configuration for self-hosting Ghostfolio, open-source wealth management software.
Purpose: Deploy Ghostfolio with a secure, scalable, and maintainable Docker setup
Target Environment: Production server with nginx reverse proxy
Exposed Port: Configurable (default: 8061, internal to server, proxied by nginx)
Data Persistence: All data stored under configurable base path
- Ghostfolio App (`ghostfolio/ghostfolio:2.184.0`)
  - Main application container
  - Connects to PostgreSQL and Redis
  - Exposes port 8061 for nginx reverse proxy
- PostgreSQL Database (`postgres:16-alpine`)
  - Primary data storage
  - Persistent volume: `${DATA_BASE_PATH}/data/db/postgre`
  - Optimized for performance and security
- Redis Cache (`redis:7-alpine`)
  - Session and data caching
  - Persistent volume: `${DATA_BASE_PATH}/data/cache/redis`
  - Improves application performance

${DATA_BASE_PATH}/
├── data/
│ ├── db/postgre/ # PostgreSQL data files
│ ├── cache/redis/ # Redis persistence files
│ └── storage/ # User uploaded files and storage
└── logs/ # Application and container logs
- Secrets Management: Use `.env` and `.db.env` files (never commit to version control)
- Strong Passwords: Generate secure random passwords for all services
- JWT Security: Use cryptographically secure random strings for JWT secrets
- Database Isolation: Separate database credentials from application credentials
- User Permissions: Containers run with appropriate user IDs
- Network Isolation: Services communicate only through defined networks
- Image Security: Use official images with latest security patches
- Volume Permissions: Proper file system permissions on host volumes
- Internal Communication: Services communicate on isolated Docker network
- External Access: Only Ghostfolio app exposed to host (port 8061)
- Reverse Proxy: nginx handles SSL termination and public access
- Uses `version: '3.8'` for modern Docker Compose features
- Supports health checks, dependency management, and resource limits
- Ghostfolio: Pinned to `2.184.0` to prevent accidental updates
- PostgreSQL: `16-alpine` for stability and security
- Redis: `7-alpine` for latest performance improvements
- PostgreSQL: Database connection verification
- Redis: Ping response check
- Ghostfolio: HTTP endpoint health verification
- Memory limits defined for each service
- CPU limits to prevent resource starvation
- Restart policies for automatic recovery
- `ACCESS_TOKEN_SALT`: Random salt for access tokens (security critical)
- `JWT_SECRET_KEY`: Secret for JWT token signing (security critical)
- `HOST`: Application host (0.0.0.0 for container access)
- `PORT`: Internal application port (3333)
- `NODE_ENV`: Production environment setting

- `POSTGRES_USER`: Database user for Ghostfolio
- `POSTGRES_PASSWORD`: Database password (generate strong password)
- `POSTGRES_DB`: Database name for Ghostfolio data
- `REDIS_PASSWORD`: Redis authentication password

- `DATABASE_URL`: PostgreSQL connection string with credentials
- `REDIS_HOST`: Redis service hostname (container name)
- `REDIS_PORT`: Redis service port (6379)
- `REDIS_PASSWORD`: Redis authentication
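
One way to generate the secrets called for in the security notes and the variable list above, as an added example that is not this repository's own script. The split of variables between `.env` and `.db.env`, the `ghostfolio` user and database names, the `postgres` and `redis` hostnames, and port 5432 are assumptions to match against your compose file.

```shell
#!/bin/sh
# Added example: create .env and .db.env with fresh random secrets.
# Assumptions (not from the repository): which variable lives in which file,
# the "ghostfolio" user/database names, and the "postgres"/"redis" hostnames.

# 32 random bytes as 64 hex characters. Hex is safe inside DATABASE_URL, where
# characters such as '@', '/' or ':' in a password would need percent-encoding.
gen_secret() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# Write both files into directory $1. Refuses to overwrite existing files,
# because the postgres image only applies POSTGRES_PASSWORD on first initialisation.
write_secret_files() (
    dir=$1
    for f in "$dir/.env" "$dir/.db.env"; do
        if [ -e "$f" ]; then
            echo "refusing to overwrite $f" >&2
            exit 1
        fi
    done
    umask 077   # new files are created 0600: readable by the owner only
    pg_pass=$(gen_secret)
    redis_pass=$(gen_secret)
    cat > "$dir/.db.env" <<EOF
POSTGRES_USER=ghostfolio
POSTGRES_DB=ghostfolio
POSTGRES_PASSWORD=$pg_pass
REDIS_PASSWORD=$redis_pass
EOF
    cat > "$dir/.env" <<EOF
ACCESS_TOKEN_SALT=$(gen_secret)
JWT_SECRET_KEY=$(gen_secret)
HOST=0.0.0.0
PORT=3333
NODE_ENV=production
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=$redis_pass
DATABASE_URL=postgresql://ghostfolio:$pg_pass@postgres:5432/ghostfolio
EOF
)

# Run as: sh gen-secrets.sh /path/to/repository
if [ "$#" -gt 0 ]; then write_secret_files "$1"; fi
```

The same database password is written to both files so that `POSTGRES_PASSWORD` and `DATABASE_URL` cannot drift apart.
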
- Clone repository and navigate to directory
- Copy and configure environment files
- Create directory structure
- Start services with Docker Compose
- Access application and create admin user
- Update version number in docker-compose.yml
- Pull new images
- Stop services gracefully
- Start with new version
- Verify database migrations completed
- Database backup using pg_dump
- Redis backup using BGSAVE
- File storage backup (rsync or tar)
- Configuration backup (environment files)
- Container health status monitoring
- Log aggregation and rotation
- Resource usage monitoring
- Database performance monitoring
- Security Updates: Monitor for security patches
- Version Updates: Test new Ghostfolio releases in staging
- Database Maintenance: Regular VACUUM and backup verification
- Log Rotation: Implement log rotation to manage disk space
- Container Logs: Use `docker compose logs` for debugging
- Database Access: Connect directly to PostgreSQL for investigation
- Redis Monitoring: Use Redis CLI for cache analysis
- Health Checks: Monitor service health endpoints
- Production: Pinned versions, resource limits, security hardening
- Development: Latest tags, relaxed security, development tools
- Production: Environment-specific settings in `.env` files
- Development: Override configurations for local development
- Testing: Isolated test databases and services
- Version Control: Pin all image versions in production
- Secrets: Never commit sensitive data to version control
- Backups: Implement automated backup strategies
- Monitoring: Set up comprehensive monitoring and alerting
- Updates: Test updates in staging before production deployment
- Security: Regular security audits and updates
- Documentation: Keep configuration and procedures documented
- Recovery: Test disaster recovery procedures regularly
```bash
# Start all services
docker compose up -d
# Stop all services
docker compose down
# View logs
docker compose logs -f [service_name]
# Update services
docker compose pull && docker compose up -d
# Backup database (-T disables TTY allocation so the dump is not altered;
# the variables are expanded inside the container, where they are set)
docker compose exec -T postgres sh -c 'pg_dump -U "$POSTGRES_USER" "$POSTGRES_DB"' > backup.sql
# Check service health
docker compose ps
# Monitor resource usage
docker stats
# Clean up unused resources (host-wide: stopped containers, unused networks,
# dangling images and build cache)
docker system prune -f
# Update single service
docker compose up -d --no-deps ghostfolio
```
This configuration follows Docker and security best practices while providing a robust foundation for running Ghostfolio in production.