
🏗️ New Service: Sure Finance #314

@kommandantredundant

Description

@kommandantredundant

Service Description

I am stuck trying to get Sure Finance to work. It already uses four containers of its own on a shared Docker network, and I am unable to bring them onto the same network so that web, worker and db can talk to each other while web is also reachable via `network_mode: service:tailscale`.

This could serve as a starting point:

docker-compose.yaml
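configs:
  # Tailscale Serve definition: terminate HTTPS on the tailnet and proxy to the
  # Sure web app. web shares the tailscale container's network namespace, so
  # the upstream is 127.0.0.1 on the port the app listens on *inside* the
  # container - 3000, per the web service's (commented) "${PORT:-8070}:3000"
  # mapping - not the host-side PORT from .env.
  # "$$" keeps ${TS_CERT_DOMAIN} out of Compose interpolation so tailscale
  # expands it itself. AllowFunnel stays false: tailnet-only, never public.
  ts-serve:
    content: |
      {"TCP":{"443":{"HTTPS":true}},
      "Web":{"$${TS_CERT_DOMAIN}:443":
          {"Handlers":{"/":
          {"Proxy":"http://127.0.0.1:3000"}}}},
      "AllowFunnel":{"$${TS_CERT_DOMAIN}:443":false}}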

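services:
# Make sure you have updated/checked the .env file with the correct variables.
# All the ${ xx } need to be defined there.
  # Tailscale sidecar. The web service runs with network_mode: service:tailscale,
  # so web's listening port, its outbound connections and its DNS lookups for
  # "db"/"redis" all live in this container's network namespace.
  tailscale:
    image: tailscale/tailscale:latest # Image to be used - consider pinning a release tag so upgrades are deliberate
    container_name: tailscale-${SERVICE} # Name for local container management
    hostname: ${SERVICE} # Name used within your Tailscale environment
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY}
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_SERVE_CONFIG=/config/serve.json # Tailscale Serve configuration to expose the web interface on your local Tailnet - remove this line if not required
      - TS_USERSPACE=false
      - TS_ENABLE_HEALTH_CHECK=true              # Enable healthcheck endpoint: "/healthz"
      - TS_LOCAL_ADDR_PORT=127.0.0.1:41234       # The <addr>:<port> for the healthz endpoint
      - TS_ACCEPT_DNS=true # Set to true when using MagicDNS
      # NOTE(review): if web cannot resolve "db"/"redis", retry with TS_ACCEPT_DNS=false first -
      # accepting tailnet DNS changes the resolver in the namespace web shares; confirm in your setup.
      - TS_AUTH_ONCE=true
    configs:
      - source: ts-serve
        target: /config/serve.json
    volumes:
      - ./config:/config # Config folder used to store Tailscale files - you may need to change the path
      - ./ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path
    devices:
      - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work
    cap_add:
      - net_admin # Tailscale requirement
    # LAN exposure must be published here, not on web: a service using
    # network_mode: service:tailscale cannot declare its own ports.
    # Leave commented if the service should only be reachable from the Tailnet.
    #ports:
    #  - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your Tailnet is required
    # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below
    # dns:
    #   - ${DNS_SERVER}
    healthcheck:
      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational
      interval: 1m # How often to perform the check
      timeout: 10s # Time to wait for the check to succeed
      retries: 3 # Number of retries before marking as unhealthy
      start_period: 10s # Time to wait before starting health checks
    restart: always

  web:
    image: ghcr.io/we-promise/sure:stable
    container_name: app-${SERVICE}-web
    network_mode: service:tailscale # Shares the sidecar's network namespace; Tailscale Serve reaches the app on 127.0.0.1
    volumes:
      - ./app-storage:/rails/storage
    # ports: cannot be combined with network_mode: service:tailscale - publish on the tailscale service instead.
    #ports:
    #  - ${PORT:-8070}:3000
    #  # To also publish on IPv6 (dual-stack), uncomment the line below AND
    #  # set BINDING=:: in the environment block. See docs/hosting/docker.md
    #  # "Binding to IPv6" for details.
    #  # - "[::]:${PORT:-3000}:3000"
    restart: unless-stopped
    environment:
      - POSTGRES_USER=${POSTGRES_USER:-sure_user}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-sure_password} # Default is a placeholder - override it in .env
      - POSTGRES_DB=${POSTGRES_DB:-sure_production}
      # Required. The fallback key this file used to carry is public, and ${VAR:-default} also
      # applies when .env leaves the value empty, so a forgotten key would silently sign sessions
      # with a known value. Fail at startup instead.
      - SECRET_KEY_BASE=${SECRET_KEY_BASE:?SECRET_KEY_BASE is unset or empty - generate one with openssl rand -hex 64}
      - SELF_HOSTED=${SELF_HOSTED:-true}
      - RAILS_FORCE_SSL=${RAILS_FORCE_SSL:-false}
      - RAILS_ASSUME_SSL=${RAILS_ASSUME_SSL:-false} # Set true in .env when Tailscale Serve terminates TLS in front of the app
      - DB_HOST=${DB_HOST:-db}
      - DB_PORT=${DB_PORT:-5432}
      - REDIS_URL=${REDIS_URL:-redis://redis:6379/1}
      - OPENAI_ACCESS_TOKEN=${OPENAI_ACCESS_TOKEN} # NOTE: enabling OpenAI will incur costs when you use AI-related features in the app (chat, rules).  Make sure you have set appropriate spend limits on your account before adding this.
      - OIDC_ISSUER=${OIDC_ISSUER} # Optional: OIDC issuer URL for authentication (e.g., https://accounts.google.com). If not set, OIDC authentication will be disabled.
      - OIDC_CLIENT_ID=${OIDC_CLIENT_ID} # Optional: OIDC client ID for authentication. Required if OIDC_ISSUER is set.
      - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET} # Optional: OIDC client secret for authentication. Required if OIDC_ISSUER is set.
      - OIDC_REDIRECT_URI=${OIDC_REDIRECT_URI} # Optional: OIDC redirect URI for authentication. Required if OIDC_ISSUER is set.
      # BINDING: "::"  # Uncomment for IPv6 dual-stack inside the container
    depends_on:
      tailscale:
        condition: service_healthy # The shared network namespace must be up before the app binds its port
      db:
        condition: service_healthy
      redis:
        condition: service_healthy

  worker:
    image: ghcr.io/we-promise/sure:stable
    container_name: app-${SERVICE}-worker
    command: bundle exec sidekiq
    volumes:
      - ./app-storage:/rails/storage
    restart: unless-stopped
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_healthy
    environment:
      - POSTGRES_USER=${POSTGRES_USER:-sure_user}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-sure_password}
      - POSTGRES_DB=${POSTGRES_DB:-sure_production}
      # Must be the same value as web (same session/encryption keys); required for the same reason.
      - SECRET_KEY_BASE=${SECRET_KEY_BASE:?SECRET_KEY_BASE is unset or empty - generate one with openssl rand -hex 64}
      - SELF_HOSTED=${SELF_HOSTED:-true}
      - RAILS_FORCE_SSL=${RAILS_FORCE_SSL:-false}
      - RAILS_ASSUME_SSL=${RAILS_ASSUME_SSL:-false}
      - DB_HOST=${DB_HOST:-db}
      - DB_PORT=${DB_PORT:-5432}
      - REDIS_URL=${REDIS_URL:-redis://redis:6379/1}
      - OPENAI_ACCESS_TOKEN=${OPENAI_ACCESS_TOKEN} # NOTE: enabling OpenAI will incur costs when you use AI-related features in the app (chat, rules).  Make sure you have set appropriate spend limits on your account before adding this.

  db:
    image: postgres:16
    container_name: app-${SERVICE}-db
    restart: unless-stopped
    volumes:
      - ./postgres-data:/var/lib/postgresql/data
    # No ports: published - only reachable on the Compose network (web reaches it via the tailscale namespace).
    environment:
      - POSTGRES_USER=${POSTGRES_USER:-sure_user}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-sure_password}
      - POSTGRES_DB=${POSTGRES_DB:-sure_production}
    healthcheck:
      test: [ "CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB" ] # $$ so the container's own env is read, not the Compose host's
      interval: 5s
      timeout: 5s
      retries: 5

  backup:
    profiles:
      - backup # Only started with "docker compose --profile backup up"
    image: prodrigestivill/postgres-backup-local
    container_name: app-${SERVICE}-backup
    restart: unless-stopped
    volumes:
      - ./backups:/backups # Change this path to your desired backup location on the host machine - dumps contain all financial data, restrict its permissions
    environment:
      - POSTGRES_HOST=${POSTGRES_HOST:-db}
      - POSTGRES_DB=${POSTGRES_DB:-sure_production}
      - POSTGRES_USER=${POSTGRES_USER:-sure_user}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-sure_password} # pipelock:ignore
      - SCHEDULE=${SCHEDULE:-@daily}
      - BACKUP_KEEP_DAYS=${BACKUP_KEEP_DAYS:-7}
      - BACKUP_KEEP_WEEKS=${BACKUP_KEEP_WEEKS:-4}
      - BACKUP_KEEP_MONTHS=${BACKUP_KEEP_MONTHS:-6}
    depends_on:
      - db

  redis:
    image: redis:latest # Consider pinning a major version tag
    container_name: app-${SERVICE}-redis
    restart: unless-stopped
    volumes:
      - ./redis-data:/data
    healthcheck:
      test: [ "CMD", "redis-cli", "ping" ]
      interval: 5s
      timeout: 5s
      retries: 5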
.env file
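#version=1.1
#URL=https://github.com/tailscale-dev/ScaleTail
#COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure.

# Service Configuration
SERVICE=sure # Service name (e.g., adguard). Used as hostname in Tailscale and for container naming (app-${SERVICE}).
IMAGE_URL=ghcr.io/we-promise/sure:stable # Docker image URL from container registry (e.g., adguard/adguard-home). Note: the compose file above sets the image literally and does not read this variable.

# Network Configuration
SERVICEPORT=3000 # Port to expose to local network. Uncomment the "ports:" section of the tailscale service in compose.yaml to enable (web shares its namespace and cannot publish ports itself).
DNS_SERVER=1.1.1.1 # Preferred DNS server for Tailscale. Uncomment the "dns:" section in compose.yaml to enable.

# Tailscale Configuration
TS_AUTHKEY=        # Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions. Treat it as a secret; login state persists in ./ts/state (TS_AUTH_ONCE=true).

# Optional Service variables
# PUID=1000

# Time Zone setting for containers
TZ=Europe/Berlin # See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones

# Any Container environment variables are declared below. See https://docs.docker.com/compose/how-tos/environment-variables/

#EXAMPLE_VAR="Environment variable"

# Database credentials. db is not published to the host, but change the default
# password anyway - it is the same value the compose file carries as a fallback.
POSTGRES_USER=sure_user
POSTGRES_PASSWORD=sure_password
POSTGRES_DB=sure_production
# Required. Generate a fresh value with `openssl rand -hex 64` and never reuse the
# example key. Do not leave this empty: the compose file's ${SECRET_KEY_BASE:-...}
# fallback treats an empty value as unset and would substitute its hard-coded key.
SECRET_KEY_BASE=
SELF_HOSTED=true
# Tailscale Serve terminates TLS and proxies plain HTTP to the app, so the app must
# trust the forwarded-proto header (ASSUME_SSL) while still insisting on HTTPS (FORCE_SSL).
RAILS_FORCE_SSL=true
RAILS_ASSUME_SSL=true
DB_HOST=db
DB_PORT=5432
REDIS_URL=redis://redis:6379/1
OPENAI_ACCESS_TOKEN= # Optional; leave empty to keep AI features off (usage is billed to your account).
PORT=8070 # Host-side port for the commented-out ports mapping only; inside the container the app listens on 3000.
POSTGRES_HOST=db
SCHEDULE=@daily
BACKUP_KEEP_DAYS=7
BACKUP_KEEP_WEEKS=4
BACKUP_KEEP_MONTHS=6

# OIDC is enabled as soon as OIDC_ISSUER is non-empty (see the compose comments), so keep
# these commented out until you have real values - a placeholder issuer would enable OIDC
# against a non-existent provider.
#OIDC_ISSUER=https://<issuer-domain>/
#OIDC_CLIENT_ID=
#OIDC_CLIENT_SECRET=
#OIDC_REDIRECT_URI=https://<service-domain>/auth/openid_connect/callback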

Docker Compose File Link

https://github.com/we-promise/sure/blob/main/compose.example.yml

Docker Compose Configuration

Website of Service

https://sure.am

Would you be willing to work on this service?

  • Yes, I'd like to implement this feature
  • I could help with parts of this feature
  • No, I'm just suggesting the feature
