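services:
  # Traefik reverse proxy: terminates HTTP/HTTPS for every public hostname and
  # routes to the smythos container by Host rule (see the labels on `smythos`).
  traefik:
    image: traefik:v3.6.2
    container_name: smythos-traefik
    restart: unless-stopped
    command:
      - --providers.docker=true
      # Only containers that opt in with traefik.enable=true get routers.
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=smythos-network
      # Entrypoints for HTTP and HTTPS
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # API and dashboard. `--api.insecure=true` serves both on container port
      # 8080 with no authentication; that port is published on loopback only
      # (see `ports`). Drop both flags and the port mapping in production.
      - --api.dashboard=true
      - --api.insecure=true
      # Access logs to stdout (optional)
      - --accesslog=true
      # Let's Encrypt resolver; only consulted by routers with tls=true, i.e.
      # when ENABLE_TLS=true. The HTTP-01 challenge needs port 80 reachable
      # from the internet under the routed hostnames.
      - "--certificatesresolvers.le.acme.email=${LETSENCRYPT_EMAIL:-admin@example.com}"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
      # Global redirect from HTTP to HTTPS (optional; enable together with TLS)
      # - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      # - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
    ports:
      - "${EXPOSE_TRAEFIK_PORT:-80}:80"
      - "${EXPOSE_HTTPS_TRAEFIK_PORT:-443}:443"
      # Traefik dashboard/API (unauthenticated, see `--api.insecure` above).
      # Bound to 127.0.0.1 by default so it is not reachable from other hosts;
      # set EXPOSE_TRAEFIK_DASHBOARD_BIND=0.0.0.0 to publish it on all
      # interfaces, or remove this mapping in production.
      - "${EXPOSE_TRAEFIK_DASHBOARD_BIND:-127.0.0.1}:${EXPOSE_TRAEFIK_DASHBOARD_PORT:-8089}:8080"
      # Optional: direct access ports for testing without a hosts file
      # - "5050:5050" # Uncomment to access UI directly
      # - "5053:5053" # Uncomment to access Runtime directly
    volumes:
      # The Docker provider needs the daemon socket. `:ro` only makes the socket
      # file read-only; the Docker API behind it still allows full control of
      # the daemon (starting arbitrary containers included).
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # acme.json holds the ACME account key and the issued private keys.
      - traefik_letsencrypt:/letsencrypt
    networks:
      - smythos-network
    labels:
      # The dashboard router (Host(`traefik.localhost`) -> api@internal) is kept
      # disabled: it had no entrypoint restriction and no auth middleware, so on
      # the public `web` entrypoint it answered to any client that sent that
      # Host header. The dashboard stays reachable on the loopback-bound port.
      - traefik.enable=false
      # - traefik.http.routers.traefik.rule=Host(`traefik.localhost`)
      # - traefik.http.routers.traefik.service=api@internal
    depends_on:
      smythos:
        condition: service_healthy

  # MySQL database (only reachable on smythos-network; no host port published)
  mysql:
    image: mysql:8.0
    container_name: smythos-mysql
    restart: unless-stopped
    env_file:
      - .env
    environment:
      # The `:-` defaults are placeholders for local use; set all four in .env
      # for any deployment other people can reach.
      MYSQL_ROOT_PASSWORD: "${DATABASE_ROOT_PASSWORD:-smythos_root_password}"
      MYSQL_DATABASE: "${DATABASE_NAME:-smythos_db}"
      MYSQL_USER: "${DATABASE_USER:-smythos_user}"
      MYSQL_PASSWORD: "${DATABASE_PASSWORD:-smythos_password}"
    volumes:
      - mysql_data:/var/lib/mysql
    networks:
      - smythos-network
    # mysql_native_password is the legacy auth plugin (deprecated in 8.0);
    # presumably required by the application's MySQL client — confirm before
    # switching to caching_sha2_password.
    command: --default-authentication-plugin=mysql_native_password
    healthcheck:
      # CMD-SHELL runs inside the container, so user and password come from the
      # container's own environment (single source of truth with `environment:`
      # above) instead of being interpolated a second time by Compose; `$$` is
      # the Compose escape for a literal `$`. MYSQL_PWD keeps the password out
      # of mysqladmin's argv, where `ps` inside the container could read it.
      # `mysqladmin ping` exits 0 whenever the server answers, even when the
      # credentials are rejected, so this is a liveness check only.
      test:
        [
          "CMD-SHELL",
          'MYSQL_PWD="$$MYSQL_PASSWORD" mysqladmin ping -h localhost -u "$$MYSQL_USER"',
        ]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 30s

  # Redis cache (only reachable on smythos-network). Runs without a password
  # unless REDIS_PASSWORD is set in the environment or .env.
  redis:
    image: redis:7-alpine
    container_name: smythos-redis
    restart: unless-stopped
    volumes:
      - redis_data:/data
    networks:
      - smythos-network
    env_file:
      - .env
    # Literal block (`|`) so the script keeps its newlines regardless of
    # indentation (a folded `>` scalar only preserves them on more-indented
    # lines). `exec` makes redis-server PID 1 so it receives SIGTERM on
    # `docker stop` and can shut down cleanly. REDIS_PASSWORD is interpolated
    # by Compose before the shell sees it: a value containing a single quote
    # breaks the command, and the `--requirepass` value is visible in the
    # container's process list.
    command: |
      sh -c "
        if [ -n '${REDIS_PASSWORD:-}' ]; then
          exec redis-server --appendonly yes --requirepass '${REDIS_PASSWORD}'
        else
          exec redis-server --appendonly yes
        fi
      "
    healthcheck:
      # REDISCLI_AUTH hands the password to redis-cli through the environment
      # instead of `-a`, which would expose it on the command line.
      test: |
        sh -c "
          if [ -n '${REDIS_PASSWORD:-}' ]; then
            REDISCLI_AUTH='${REDIS_PASSWORD}' redis-cli ping
          else
            redis-cli ping
          fi
        "
      interval: 10s
      timeout: 3s
      retries: 5
      start_period: 10s

  # git-sync: periodically mirrors a public repository into SMYTH_PATH/models
  git-sync:
    image: registry.k8s.io/git-sync/git-sync:v4.2.4
    container_name: smythos-git-sync
    restart: unless-stopped
    env_file:
      - .env
    environment:
      # Repository to sync
      GITSYNC_REPO: "${GIT_SYNC_REPO_URL:-https://github.com/SmythOS/sre-models-pub}"
      # Sync period, default 10 minutes
      GITSYNC_PERIOD: "${GIT_SYNC_INTERVAL:-600s}"
      # Root directory for the checkout. It is bind-mounted from
      # ${SMYTH_PATH}/models on the host (see `volumes`), so synced content
      # appears there. NOTE(review): the healthcheck below filters out a
      # `.worktrees` entry, which suggests git-sync v4 keeps checkouts under
      # .worktrees/ plus a link inside GITSYNC_ROOT rather than writing files
      # directly into it — confirm the layout the application expects.
      GITSYNC_ROOT: /data/models
      # Keep syncing (not a one-shot clone)
      GITSYNC_ONE_TIME: "false"
      # Shallow clone depth, for speed
      GITSYNC_DEPTH: "${GIT_SYNC_DEPTH:-1}"
      # Branch to sync
      GITSYNC_BRANCH: "${GIT_SYNC_BRANCH:-main}"
      # Log verbosity
      GITSYNC_VERBOSE: "${GIT_SYNC_VERBOSE:-2}"
    volumes:
      # Bind mount of SMYTH_PATH/models only (SMYTH_PATH defaults to
      # $HOME/smythos-data/.smyth), so the rest of .smyth is untouched by
      # git-sync. The same directory is mounted read-only into `smythos`.
      - ${SMYTH_PATH:-$HOME/smythos-data/.smyth}/models:/data/models
    # Runs as root inside the container — presumably so it can write to the host
    # bind mount whoever owns it; files it creates end up root-owned on the
    # host. A fixed UID matching the host directory would avoid that.
    user: "0:0"
    networks:
      - smythos-network
    healthcheck:
      # Healthy once /data/models holds something other than git-sync's own
      # .worktrees directory, i.e. the first clone has landed. `$$` escapes `$`
      # for Compose interpolation so `$(...)` and the regex anchor `$` reach
      # the shell intact. start_period is long to allow for the initial clone.
      test:
        [
          "CMD",
          "sh",
          "-c",
          "test -d /data/models && [ \"$$(ls -A /data/models 2>/dev/null | grep -v '^\\.worktrees$$' | head -1)\" ]",
        ]
      interval: 30s
      timeout: 10s
      retries: 5
      start_period: 180s

  # SmythOS application: UI server on 5050, runtime server on 5053. Neither
  # port is published on the host; all traffic arrives through Traefik.
  smythos:
    image: smythos/smythos-studio:alpha
    container_name: smythos-app
    restart: unless-stopped
    expose:
      - "5050"
      - "5053"
    env_file:
      - .env
    environment:
      # Database URL pointing at the mysql container, built from the same
      # variables mysql is provisioned with. The password is embedded verbatim;
      # characters that are special in URLs would need percent-encoding.
      DATABASE_URL: "mysql://${DATABASE_USER:-smythos_user}:${DATABASE_PASSWORD:-smythos_password}@mysql:3306/${DATABASE_NAME:-smythos_db}"
      # Redis connection (standalone mode) pointing at the redis container
      REDIS_HOST: "${REDIS_HOST:-redis}"
      REDIS_PORT: "${REDIS_PORT:-6379}"
      REDIS_PASSWORD: "${REDIS_PASSWORD:-}"
      # Tells the application it runs in a container (affects host binding)
      DOCKER_CONTAINER: "true"
    labels:
      - traefik.enable=true
      # UI server: APP_DOMAIN -> port 5050. This is the only router that attaches
      # the `smythos` security-headers middleware defined below.
      - "traefik.http.routers.smythos-app.rule=Host(`${APP_DOMAIN:-localhost}`)"
      - "traefik.http.routers.smythos-app.entrypoints=web,websecure"
      - "traefik.http.routers.smythos-app.service=smythos-app"
      - "traefik.http.routers.smythos-app.middlewares=smythos@docker"
      # TLS (only enable for production with real domains)
      - "traefik.http.routers.smythos-app.tls=${ENABLE_TLS:-false}"
      - "traefik.http.routers.smythos-app.tls.certresolver=le"
      # Service definition
      - "traefik.http.services.smythos-app.loadbalancer.server.port=5050"
      # Runtime server: RUNTIME_DOMAIN -> port 5053
      - "traefik.http.routers.smythos-runtime.rule=Host(`${RUNTIME_DOMAIN:-runtime.localhost}`)"
      - "traefik.http.routers.smythos-runtime.entrypoints=web,websecure"
      - "traefik.http.routers.smythos-runtime.service=smythos-runtime"
      # TLS (only enable for production with real domains)
      - "traefik.http.routers.smythos-runtime.tls=${ENABLE_TLS:-false}"
      - "traefik.http.routers.smythos-runtime.tls.certresolver=le"
      - "traefik.http.services.smythos-runtime.loadbalancer.server.port=5053"
      # Production agents: PROD_AGENT_DOMAIN and any subdomain of it -> port 5053.
      # Only the built-in default is regex-escaped; a PROD_AGENT_DOMAIN from the
      # environment is inserted into the HostRegexp as-is, so its dots match any
      # character. `$$` is the Compose escape for the regex anchor `$`.
      - "traefik.http.routers.smythos-prod-agents.rule=Host(`${PROD_AGENT_DOMAIN:-prod.localhost}`) || HostRegexp(`^.+\\.${PROD_AGENT_DOMAIN:-prod\\.localhost}$$`)"
      - "traefik.http.routers.smythos-prod-agents.entrypoints=web,websecure"
      - "traefik.http.routers.smythos-prod-agents.service=smythos-runtime"
      # TLS (only enable for production with real domains)
      - "traefik.http.routers.smythos-prod-agents.tls=${ENABLE_TLS:-false}"
      - "traefik.http.routers.smythos-prod-agents.tls.certresolver=le"
      # Default/development agents: DEFAULT_AGENT_DOMAIN and subdomains -> 5053
      # (same escaping caveat as above).
      - "traefik.http.routers.smythos-default-agents.rule=Host(`${DEFAULT_AGENT_DOMAIN:-default.localhost}`) || HostRegexp(`^.+\\.${DEFAULT_AGENT_DOMAIN:-default\\.localhost}$$`)"
      - "traefik.http.routers.smythos-default-agents.entrypoints=web,websecure"
      - "traefik.http.routers.smythos-default-agents.service=smythos-runtime"
      # TLS (only enable for production with real domains)
      - "traefik.http.routers.smythos-default-agents.tls=${ENABLE_TLS:-false}"
      - "traefik.http.routers.smythos-default-agents.tls.certresolver=le"
      # Security-headers middleware. Browsers only honour Strict-Transport-
      # Security on HTTPS responses, so the STS settings take effect once
      # ENABLE_TLS=true; STSPreload commits every subdomain to HTTPS.
      - "traefik.http.middlewares.smythos.headers.STSSeconds=315360000"
      - "traefik.http.middlewares.smythos.headers.STSPreload=true"
      - "traefik.http.middlewares.smythos.headers.BrowserXSSFilter=true"
      - "traefik.http.middlewares.smythos.headers.ContentTypeNosniff=true"
      - "traefik.http.middlewares.smythos.headers.ForceSTSHeader=true"
      - "traefik.http.middlewares.smythos.headers.STSIncludeSubdomains=true"
      - "traefik.http.middlewares.smythos.headers.ReferrerPolicy=strict-origin-when-cross-origin"
    volumes:
      - smythos_data:/home/node/smythos-data
      # The whole .smyth directory from the host, read-write, for application
      # data persistence. It contains (per the upstream layout):
      # - models/: synced by git-sync (public models)
      # - .sre/: SRE vault configuration (API keys, secrets)
      # - storage/: application storage for runtime data
      - ${SMYTH_PATH:-$HOME/smythos-data/.smyth}:/home/node/smythos-data/.smyth:rw
      # models/ re-mounted read-only on top of the parent mount (the more
      # specific mount wins), so git-sync is the only writer of model files and
      # the application cannot modify or delete them.
      - ${SMYTH_PATH:-$HOME/smythos-data/.smyth}/models:/home/node/smythos-data/.smyth/models:ro
    networks:
      - smythos-network
    depends_on:
      mysql:
        condition: service_healthy
      redis:
        condition: service_healthy
    healthcheck:
      # Both servers must answer /health; requires wget in the image.
      test:
        [
          "CMD",
          "sh",
          "-c",
          "wget --no-verbose --tries=1 --spider http://127.0.0.1:5050/health && wget --no-verbose --tries=1 --spider http://127.0.0.1:5053/health",
        ]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 60s

networks:
  smythos-network:
    driver: bridge

volumes:
  mysql_data:
    driver: local
  redis_data:
    driver: local
  smythos_data:
    driver: local
  # Not mounted by any service in this file (git-sync uses a host bind mount);
  # kept so existing deployments that still have the volume are unaffected.
  git_sync_data:
    driver: local
  # Let's Encrypt account key and certificates (acme.json)
  traefik_letsencrypt:
    driver: local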