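## FOR TEST AND DEVELOPMENT ONLY, DO NOT USE IN PRODUCTION   ##
## Setup: https://docs.photoprism.app/developer-guide/setup/ ##
##
## Review notes (security):
## - Every credential, client secret and API key in this file is a committed,
##   well-known test default; none of them may be reused outside this stack.
## - Port mappings without a host IP ("2342:2342", "40000:40000", "4001:4001",
##   "80:80", "443:443") are published on all host interfaces. Prefix them with
##   "127.0.0.1:" (as open-webui and dummy-ldap already do) on shared networks.
## - Images tagged ":latest", ":main" or ":develop" are not pinned, so the
##   stack is not reproducible and pulls whatever the registry serves.

services:
  ## PhotoPrism (Development Environment)
  photoprism:
    build: .
    image: photoprism/photoprism:develop
    depends_on:
      - mariadb
      - dummy-webdav
      - dummy-oidc
    stop_grace_period: 15s
    ## Disables the default seccomp and AppArmor confinement for this container
    ## (presumably required by the Go debugger; confirm before copying elsewhere)
    security_opt:
      - seccomp:unconfined
      - apparmor:unconfined
    ## Expose HTTP and debug ports
    ports:
      - "2342:2342"  # Default HTTP port (host:container)
      - "2443:2443"  # Default TLS port (host:container)
      - "2343:2343"  # Acceptance Test HTTP port (host:container)
      ## NOTE(review): the debugger port gives full control over the process and
      ## is reachable from other hosts; "127.0.0.1:40000:40000" keeps it local
      - "40000:40000"  # Go Debugger (host:container)
    shm_size: "2gb"
    ## Set links and labels for use with Traefik reverse proxy
    links:
      - "traefik:localssl.dev"
      - "traefik:app.localssl.dev"
      - "traefik:vision.localssl.dev"
      - "traefik:qdrant.localssl.dev"
      - "traefik:keycloak.localssl.dev"
      - "traefik:dummy-oidc.localssl.dev"
      - "traefik:dummy-webdav.localssl.dev"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=photoprism"
      - "traefik.http.services.photoprism.loadbalancer.server.port=2342"
      - "traefik.http.services.photoprism.loadbalancer.server.scheme=http"
      - "traefik.http.routers.photoprism.entrypoints=websecure"
      - "traefik.http.routers.photoprism.rule=Host(`localssl.dev`) || HostRegexp(`^.+\\.localssl\\.dev`)"
      - "traefik.http.routers.photoprism.priority=2"
      - "traefik.http.routers.photoprism.tls.domains[0].main=localssl.dev"
      - "traefik.http.routers.photoprism.tls.domains[0].sans=*.localssl.dev"
      - "traefik.http.routers.photoprism.tls=true"
    ## Override variables with optional env file, see https://docs.docker.com/reference/compose-file/services/#required
    env_file:
      - path: ".env"
        required: false
    ## Configure development environment
    environment:
      ## Run as a non-root user after initialization (supported: 0, 33, 50-99, 500-600, and 900-1200):
      PHOTOPRISM_UID: ${UID:-1000}  # user id, should match your host user id
      PHOTOPRISM_GID: ${GID:-1000}  # group id
      ## Access Management:
      PHOTOPRISM_ADMIN_USER: "admin"  # admin login username
      PHOTOPRISM_ADMIN_PASSWORD: "photoprism"  # initial admin password (8-72 characters)
      PHOTOPRISM_AUTH_MODE: "password"  # authentication mode (public, password)
      PHOTOPRISM_REGISTER_URI: "https://keycloak.localssl.dev/admin/"
      PHOTOPRISM_PASSWORD_RESET_URI: "https://keycloak.localssl.dev/realms/master/login-actions/reset-credentials"
      PHOTOPRISM_USAGE_INFO: "true"
      PHOTOPRISM_FILES_QUOTA: "100"
      ## Customization:
      PHOTOPRISM_DEFAULT_LOCALE: "en"  # default user interface language, e.g. "en" or "de"
      PHOTOPRISM_PLACES_LOCALE: "local"  # location details language, e.g. "local", "en", or "de"
      ## OpenID Connect (pre-configured for local tests):
      ## see https://keycloak.localssl.dev/realms/master/.well-known/openid-configuration
      PHOTOPRISM_OIDC_URI: "https://keycloak.localssl.dev/realms/master"
      PHOTOPRISM_OIDC_CLIENT: "photoprism-develop"
      PHOTOPRISM_OIDC_SECRET: "9d8351a0-ca01-4556-9c37-85eb634869b9"  # committed test secret, valid for the local Keycloak only
      PHOTOPRISM_OIDC_PROVIDER: "Keycloak"
      PHOTOPRISM_OIDC_REGISTER: "true"
      PHOTOPRISM_OIDC_WEBDAV: "true"
      PHOTOPRISM_DISABLE_OIDC: "false"
      ## LDAP Authentication (pre-configured for local tests):
      ## the ldap:// URI on port 389 means bind credentials cross the compose network unencrypted
      PHOTOPRISM_LDAP_URI: "ldap://dummy-ldap:389"
      PHOTOPRISM_LDAP_INSECURE: "true"  # NOTE(review): presumably relaxes TLS checks; confirm against the config docs
      PHOTOPRISM_LDAP_SYNC: "true"
      PHOTOPRISM_LDAP_BIND: "simple"
      PHOTOPRISM_LDAP_BIND_DN: "cn"
      PHOTOPRISM_LDAP_BASE_DN: "dc=localssl,dc=dev"
      PHOTOPRISM_LDAP_ROLE: ""
      PHOTOPRISM_LDAP_ROLE_DN: "ou=photoprism-*,ou=groups,dc=localssl,dc=dev"
      PHOTOPRISM_LDAP_WEBDAV_DN: "ou=photoprism-webdav,ou=groups,dc=localssl,dc=dev"
      ## HTTPS/TLS Options:
      ## see https://docs.photoprism.app/getting-started/using-https/
      PHOTOPRISM_DISABLE_TLS: "true"
      PHOTOPRISM_DEFAULT_TLS: "true"
      ## Site Information:
      PHOTOPRISM_SITE_URL: "https://app.localssl.dev/"  # server URL in the format "http(s)://domain.name(:port)/(path)"
      PHOTOPRISM_SITE_CAPTION: "AI-Powered Photos App"
      PHOTOPRISM_SITE_DESCRIPTION: "Tags and finds pictures without getting in your way!"
      PHOTOPRISM_SITE_AUTHOR: "@photoprism_app"
      PHOTOPRISM_DEBUG: "true"
      PHOTOPRISM_READONLY: "false"
      PHOTOPRISM_EXPERIMENTAL: "true"
      PHOTOPRISM_HTTP_MODE: "debug"
      PHOTOPRISM_HTTP_HOST: "0.0.0.0"
      PHOTOPRISM_HTTP_PORT: 2342
      PHOTOPRISM_HTTP_COMPRESSION: "gzip"  # improves transfer speed and bandwidth utilization (none or gzip)
      PHOTOPRISM_DATABASE_DRIVER: "mysql"
      PHOTOPRISM_DATABASE_SERVER: "mariadb:4001"
      PHOTOPRISM_DATABASE_NAME: "photoprism"
      ## The app connects as the MariaDB root account with the shared test
      ## password; fine for local tests, not a least-privilege setup
      PHOTOPRISM_DATABASE_USER: "root"
      PHOTOPRISM_DATABASE_PASSWORD: "photoprism"
      PHOTOPRISM_TEST_DRIVER: "sqlite"
      # PHOTOPRISM_TEST_DSN_MYSQL8: "root:photoprism@tcp(mysql:4001)/photoprism?charset=utf8mb4,utf8&collation=utf8mb4_unicode_ci&parseTime=true&timeout=15s"
      PHOTOPRISM_ASSETS_PATH: "/go/src/github.com/photoprism/photoprism/assets"
      PHOTOPRISM_STORAGE_PATH: "/go/src/github.com/photoprism/photoprism/storage"
      PHOTOPRISM_ORIGINALS_PATH: "/go/src/github.com/photoprism/photoprism/storage/originals"
      PHOTOPRISM_ORIGINALS_LIMIT: 128000  # sets originals file size limit to 128 GB
      PHOTOPRISM_IMPORT_PATH: "/go/src/github.com/photoprism/photoprism/storage/import"
      PHOTOPRISM_DISABLE_CHOWN: "false"  # disables updating storage permissions via chmod and chown on startup
      PHOTOPRISM_DISABLE_BACKUPS: "false"  # disables backing up albums and photo metadata to YAML files
      PHOTOPRISM_DISABLE_WEBDAV: "false"  # disables built-in WebDAV server
      PHOTOPRISM_DISABLE_SETTINGS: "false"  # disables settings UI and API
      PHOTOPRISM_DISABLE_PLACES: "false"  # disables reverse geocoding and maps
      PHOTOPRISM_DISABLE_EXIFTOOL: "false"  # disables creating JSON metadata sidecar files with ExifTool
      PHOTOPRISM_DISABLE_TENSORFLOW: "false"  # disables all features depending on TensorFlow
      PHOTOPRISM_DISABLE_RAW: "false"  # disables indexing and conversion of RAW images
      PHOTOPRISM_RAW_PRESETS: "false"  # enables applying user presets when converting RAW images (reduces performance)
      PHOTOPRISM_DETECT_NSFW: "false"  # automatically flags photos as private that MAY be offensive (requires TensorFlow)
      PHOTOPRISM_UPLOAD_NSFW: "false"  # allows uploads that MAY be offensive (no effect without TensorFlow)
      PHOTOPRISM_UPLOAD_ALLOW: ""  # restricts uploads to these file types (comma-separated list of EXTENSIONS; leave blank to allow all)
      PHOTOPRISM_UPLOAD_ARCHIVES: "true"  # allows upload of zip archives (will be extracted before import)
      PHOTOPRISM_THUMB_LIBRARY: "auto"  # image processing library to be used for generating thumbnails (auto, imaging, vips)
      PHOTOPRISM_THUMB_FILTER: "auto"  # downscaling filter (imaging best to worst: blackman, lanczos, cubic, linear, nearest)
      PHOTOPRISM_THUMB_UNCACHED: "true"  # enables on-demand thumbnail rendering (high memory and cpu usage)
      ## Video Transcoding (https://docs.photoprism.app/getting-started/advanced/transcoding/):
      # PHOTOPRISM_FFMPEG_ENCODER: "software"  # H.264/AVC encoder (software, intel, nvidia, apple, raspberry, or vaapi)
      # LIBVA_DRIVER_NAME: "i965"  # For Intel architectures Haswell and older which do not support QSV yet but use VAAPI instead
      PHOTOPRISM_FFMPEG_SIZE: "1920"  # video size limit in pixels (720-7680) (default: 3840)
      # PHOTOPRISM_FFMPEG_BITRATE: "64"  # video bitrate limit in Mbps (default: 60)
      ## Run/install on first startup (options: update tensorflow https intel gpu davfs yt-dlp):
      PHOTOPRISM_INIT: "https"
      ## Computer Vision (https://docs.photoprism.app/getting-started/config-options/#computer-vision):
      PHOTOPRISM_VISION_API: "true"  # server: enables service API endpoints under /api/v1/vision (requires access token)
      PHOTOPRISM_VISION_URI: ""  # client: service URI, e.g. http://hostname/api/v1/vision (leave blank to disable)
      PHOTOPRISM_VISION_KEY: ""  # client: service access token (for authentication)
      OLLAMA_BASE_URL: "http://ollama:11434"  # use "https://ollama.com" for Ollama Cloud
      OLLAMA_API_KEY: ""  # API key required to access Ollama (optional)
      ## External dependencies and tools:
      TF_CPP_MIN_LOG_LEVEL: 1
      GOCACHE: "/go/src/github.com/photoprism/photoprism/.local/gocache"
      CODEX_HOME: "/go/src/github.com/photoprism/photoprism/.local/codex"
    ## Shared devices for video hardware transcoding (optional):
    # devices:
    #  - "/dev/dri:/dev/dri"  # Required Intel QSV or VAAPI hardware transcoding
    #  - "/dev/video11:/dev/video11"  # Video4Linux Video Encode Device (h264_v4l2m2m)
    working_dir: "/go/src/github.com/photoprism/photoprism"
    ## The whole working tree is bind-mounted read-write into the container
    volumes:
      - ".:/go/src/github.com/photoprism/photoprism"
      - "./storage:/photoprism"
      - "go-mod:/go/pkg/mod"

  ## MariaDB (Database Server)
  ## Docs: https://mariadb.com/docs/reference/
  ## Release Notes: https://mariadb.com/kb/en/changes-improvements-in-mariadb-1011/
  mariadb:
    image: mariadb:11
    stop_grace_period: 10s
    security_opt:  # see https://github.com/MariaDB/mariadb-docker/issues/434#issuecomment-1136151239
      - seccomp:unconfined
      - apparmor:unconfined
    command: --port=4001 --innodb-strict-mode=1 --innodb-buffer-pool-size=256M --transaction-isolation=READ-COMMITTED --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci --max-connections=512 --innodb-rollback-on-timeout=OFF --innodb-lock-wait-timeout=120
    expose:
      - "4001"
    ## NOTE(review): published on all host interfaces while root uses the
    ## shared test password; "127.0.0.1:4001:4001" limits access to this host
    ports:
      - "4001:4001"  # database port (host:container)
    volumes:
      - "mariadb:/var/lib/mysql"
      - "./scripts/sql/mariadb-init.sql:/docker-entrypoint-initdb.d/init.sql"
    environment:
      MARIADB_AUTO_UPGRADE: "1"
      MARIADB_INITDB_SKIP_TZINFO: "1"
      MARIADB_DATABASE: "photoprism"
      MARIADB_USER: "photoprism"
      MARIADB_PASSWORD: "photoprism"
      MARIADB_ROOT_PASSWORD: "photoprism"

  ## Qdrant (Vector Database)
  ## Docs: https://qdrant.tech/documentation/guides/installation/#docker-compose
  ## Release Notes: https://github.com/qdrant/qdrant/releases
  ## Web UI: https://qdrant.localssl.dev/dashboard
  qdrant:
    image: qdrant/qdrant:latest
    profiles: [ "all", "qdrant" ]
    stop_grace_period: 10s
    links:
      - "traefik:localssl.dev"
      - "traefik:app.localssl.dev"
      - "traefik:vision.localssl.dev"
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.qdrant.loadbalancer.server.port=6333"
      - "traefik.http.services.qdrant.loadbalancer.server.scheme=http"
      - "traefik.http.routers.qdrant.entrypoints=websecure"
      - "traefik.http.routers.qdrant.rule=Host(`qdrant.localssl.dev`)"
      - "traefik.http.routers.qdrant.priority=3"
      - "traefik.http.routers.qdrant.tls.domains[0].main=localssl.dev"
      - "traefik.http.routers.qdrant.tls.domains[0].sans=*.localssl.dev"
      - "traefik.http.routers.qdrant.tls=true"
    expose:
      - 6333
      - 6334
      - 6335
    volumes:
      - "./.qdrant.yaml:/qdrant/config/production.yaml"
      - "./storage/services/qdrant:/qdrant/storage"

  ## Ollama Large-Language Model Runner
  ## run "ollama pull [name]:[version]" to download a vision model
  ## from the Ollama model library, for example:
  ## docker compose exec ollama ollama pull gemma3:latest
  ollama:
    image: ollama/ollama:latest
    stop_grace_period: 10s
    ## Only starts this service if the "all", "ollama", or "vision" profile is specified:
    ## docker compose --profile ollama up -d
    profiles: [ "all", "ollama", "vision" ]
    ## Insecurely exposes the Ollama service on port 11434
    ## without authentication (for private networks only):
    # ports:
    #  - "11434:11434"
    ## NOTE(review): these labels route ollama.localssl.dev through Traefik and
    ## configure no auth middleware, so the API is also reachable via the
    ## published port 443; confirm the Traefik image restricts it if needed
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=photoprism"
      - "traefik.http.services.ollama.loadbalancer.server.port=11434"
      - "traefik.http.routers.ollama.rule=Host(`ollama.localssl.dev`)"
      - "traefik.http.routers.ollama.entrypoints=websecure"
      - "traefik.http.routers.ollama.tls=true"
    environment:
      ## Ollama Configuration Options:
      OLLAMA_HOST: "0.0.0.0:11434"
      OLLAMA_MODELS: "/root/.ollama"  # model storage path (see volumes section below)
      OLLAMA_MAX_QUEUE: "100"  # maximum number of queued requests
      OLLAMA_NUM_PARALLEL: "1"  # maximum number of parallel requests
      OLLAMA_MAX_LOADED_MODELS: "1"  # maximum number of loaded models per GPU
      OLLAMA_LOAD_TIMEOUT: "5m"  # maximum time for loading models (default "5m")
      OLLAMA_KEEP_ALIVE: "5m"  # duration that models stay loaded in memory (default "5m")
      OLLAMA_CONTEXT_LENGTH: "4096"  # maximum input context length
      OLLAMA_MULTIUSER_CACHE: "false"  # optimize prompt caching for multi-user scenarios
      OLLAMA_NOPRUNE: "false"  # disables pruning of model blobs at startup
      OLLAMA_NOHISTORY: "true"  # disables readline history
      OLLAMA_FLASH_ATTENTION: "false"  # enables the experimental flash attention feature
      OLLAMA_KV_CACHE_TYPE: "f16"  # cache quantization (f16, q8_0, or q4_0)
      OLLAMA_SCHED_SPREAD: "false"  # allows scheduling models across all GPUs.
      OLLAMA_NEW_ENGINE: "true"  # enables the new Ollama engine
      # OLLAMA_DEBUG: "true"  # shows additional debug information
      # OLLAMA_INTEL_GPU: "true"  # enables experimental Intel GPU detection
      ## NVIDIA GPU Hardware Acceleration (optional):
      # NVIDIA_VISIBLE_DEVICES: "all"
      # NVIDIA_DRIVER_CAPABILITIES: "compute,utility"
    volumes:
      - "./storage/services/ollama:/root/.ollama"
    ## NVIDIA GPU Hardware Acceleration (optional):
    # deploy:
    #  resources:
    #    reservations:
    #      devices:
    #        - driver: "nvidia"
    #          capabilities: [ gpu ]
    #          count: "all"

  ## Open WebUI, a Web Interface for Ollama
  ## see https://github.com/open-webui/open-webui
  open-webui:
    image: ghcr.io/open-webui/open-webui:main
    stop_grace_period: 10s
    ## Only starts this service if the "all", "ollama", "open-webui", or "vision" profile is specified:
    ## docker compose --profile ollama up -d
    profiles: [ "all", "ollama", "open-webui", "vision" ]
    ## Exposes Open WebUI at http://localhost:8080 (use https://chat.localssl.dev/ to access it through Traefik):
    ports:
      - "127.0.0.1:8080:8080"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=photoprism"
      - "traefik.http.services.open-webui.loadbalancer.server.port=8080"
      - "traefik.http.routers.open-webui.rule=Host(`chat.localssl.dev`) || Host(`open-webui.localssl.dev`) || Host(`ollama-ui.localssl.dev`)"
      - "traefik.http.routers.open-webui.entrypoints=websecure"
      - "traefik.http.routers.open-webui.tls=true"
    environment:
      WEBUI_URL: "https://chat.localssl.dev"
      # WEBUI_SECRET_KEY: ""
      OLLAMA_BASE_URL: "http://ollama:11434"
      ANONYMIZED_TELEMETRY: "false"  # disable Chroma telemetry
      HF_HUB_DISABLE_TELEMETRY: "1"  # disable Hugging Face telemetry
      # HUGGING_FACE_HUB_TOKEN: ""  # see https://huggingface.co/docs/hub/en/security-tokens
    volumes:
      - "./storage/services/open-webui:/app/backend/data"

  ## PhotoPrism® Computer Vision API
  ## see https://github.com/photoprism/photoprism-vision
  photoprism-vision:
    image: photoprism/vision:latest
    stop_grace_period: 15s
    ## Only starts this service if the "all" or "vision" profile is specified:
    ## docker compose --profile vision up -d
    profiles: [ "all", "vision" ]
    working_dir: "/app"
    links:
      - "traefik:localssl.dev"
      - "traefik:app.localssl.dev"
      - "traefik:qdrant.localssl.dev"
    ## Router and service use their own name here: reusing "qdrant" would
    ## define the same Traefik router twice with different rules whenever the
    ## qdrant service runs as well (e.g. with the "all" profile)
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.photoprism-vision.loadbalancer.server.port=5000"
      - "traefik.http.services.photoprism-vision.loadbalancer.server.scheme=http"
      - "traefik.http.routers.photoprism-vision.entrypoints=websecure"
      - "traefik.http.routers.photoprism-vision.rule=Host(`vision.localssl.dev`)"
      - "traefik.http.routers.photoprism-vision.priority=3"
      - "traefik.http.routers.photoprism-vision.tls.domains[0].main=localssl.dev"
      - "traefik.http.routers.photoprism-vision.tls.domains[0].sans=*.localssl.dev"
      - "traefik.http.routers.photoprism-vision.tls=true"
    expose:
      - 5000
    environment:
      TF_CPP_MIN_LOG_LEVEL: 2
      ## Ollama client configuration (for the service, see the "ollama" entry in this file):
      OLLAMA_ENABLED: "true"
      OLLAMA_HOST: "http://ollama:11434"

  ## Traefik v3 (Reverse Proxy)
  ## includes "*.localssl.dev" SSL certificate for test environments
  ## Docs: https://doc.traefik.io/traefik/
  traefik:
    image: photoprism/traefik:latest
    stop_grace_period: 15s
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"  # HTTP (redirects to HTTPS)
      - "443:443"  # HTTPS (required)
    labels:
      - "traefik.enable=true"
    ## NOTE(review): access to the Docker socket is equivalent to root on the
    ## host, so a compromised proxy can control every container; a filtering
    ## socket proxy in front of it narrows this
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"  # enables Traefik to watch services

  ## Dummy WebDAV Server
  dummy-webdav:
    image: photoprism/dummy-webdav:251210
    stop_grace_period: 10s
    environment:
      WEBDAV_USERNAME: admin
      WEBDAV_PASSWORD: photoprism
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.dummy-webdav.loadbalancer.server.port=80"
      - "traefik.http.routers.dummy-webdav.entrypoints=websecure"
      - "traefik.http.routers.dummy-webdav.rule=Host(`dummy-webdav.localssl.dev`)"
      - "traefik.http.routers.dummy-webdav.priority=3"
      - "traefik.http.routers.dummy-webdav.tls.domains[0].main=localssl.dev"
      - "traefik.http.routers.dummy-webdav.tls.domains[0].sans=*.localssl.dev"
      - "traefik.http.routers.dummy-webdav.tls=true"

  ## Dummy OIDC Identity Provider
  dummy-oidc:
    image: photoprism/dummy-oidc:251210
    stop_grace_period: 5s
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.dummy-oidc.loadbalancer.server.port=9998"
      - "traefik.http.routers.dummy-oidc.entrypoints=websecure"
      - "traefik.http.routers.dummy-oidc.rule=Host(`dummy-oidc.localssl.dev`)"
      - "traefik.http.routers.dummy-oidc.priority=3"
      - "traefik.http.routers.dummy-oidc.tls.domains[0].main=localssl.dev"
      - "traefik.http.routers.dummy-oidc.tls.domains[0].sans=*.localssl.dev"
      - "traefik.http.routers.dummy-oidc.tls=true"

  ## Dummy LDAP Directory Server
  ## Docs: https://glauth.github.io/docs/
  dummy-ldap:
    image: glauth/glauth-plugins:latest
    stop_grace_period: 5s
    ports:
      - "127.0.0.1:389:389"
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.ldap.loadbalancer.server.port=5555"
      - "traefik.http.routers.dummy-ldap.entrypoints=websecure"
      - "traefik.http.routers.dummy-ldap.rule=Host(`dummy-ldap.localssl.dev`)"
      - "traefik.http.routers.dummy-ldap.priority=3"
      - "traefik.http.routers.dummy-ldap.tls.domains[0].main=localssl.dev"
      - "traefik.http.routers.dummy-ldap.tls.domains[0].sans=*.localssl.dev"
      - "traefik.http.routers.dummy-ldap.tls=true"
    volumes:
      - "./.ldap.cfg:/app/config/config.cfg"

  ## Keycloak (OIDC Identity Provider)
  ## Docs: https://www.keycloak.org/docs/latest/server_admin/
  ## Login with "user / photoprism" and "admin / photoprism".
  keycloak:
    image: quay.io/keycloak/keycloak:25.0
    stop_grace_period: 10s
    profiles: [ "all", "auth", "keycloak" ]
    command: "start-dev"  # development mode, do not use this in production!
    links:
      - "traefik:localssl.dev"
      - "traefik:app.localssl.dev"
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.keycloak.loadbalancer.server.port=8080"
      - "traefik.http.routers.keycloak.entrypoints=websecure"
      - "traefik.http.routers.keycloak.rule=Host(`keycloak.localssl.dev`)"
      - "traefik.http.routers.keycloak.priority=3"
      - "traefik.http.routers.keycloak.tls.domains[0].main=localssl.dev"
      - "traefik.http.routers.keycloak.tls.domains[0].sans=*.localssl.dev"
      - "traefik.http.routers.keycloak.tls=true"
    environment:  # see https://www.keycloak.org/server/all-config
      KEYCLOAK_ADMIN: "admin"
      KEYCLOAK_ADMIN_PASSWORD: "photoprism"
      KC_METRICS_ENABLED: "false"
      KC_HOSTNAME: "keycloak.localssl.dev"
      KC_HOSTNAME_STRICT: "false"
      KC_PROXY: "edge"
      KC_DB: "mariadb"
      KC_DB_URL: "jdbc:mariadb://mariadb:4001/keycloak"
      KC_DB_USERNAME: "keycloak"
      KC_DB_PASSWORD: "keycloak"

  ## Run "docker compose --profile prometheus up" to start your development environment with Prometheus.
  ## Docs: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#oauth2
  ## The following grants API access to Prometheus with the preconfigured client credentials (adjust flags as needed):
  ## ./photoprism client add --id=cs5cpu17n6gj2qo5 --secret=xcCbOrw6I0vcoXzhnOmXhjpVSyFq0l0e -s metrics -n Prometheus -e 60 -t 1
  prometheus:
    image: prom/prometheus:latest
    stop_grace_period: 10s
    profiles: [ "all", "auth", "prometheus" ]
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.prometheus.loadbalancer.server.port=9090"
      - "traefik.http.routers.prometheus.entrypoints=websecure"
      - "traefik.http.routers.prometheus.rule=Host(`prometheus.localssl.dev`)"
      - "traefik.http.routers.prometheus.priority=3"
      - "traefik.http.routers.prometheus.tls.domains[0].main=localssl.dev"
      - "traefik.http.routers.prometheus.tls.domains[0].sans=*.localssl.dev"
      - "traefik.http.routers.prometheus.tls=true"
    volumes:
      - "./prometheus.yml:/etc/prometheus/prometheus.yml"

## Create named volume for Go module cache
volumes:
  go-mod:
    driver: local
  mariadb:
    driver: local

## Create shared "photoprism" network for connecting with services in other compose.yaml files
networks:
  default:
    name: photoprism
    driver: bridge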