This commit is contained in:
2026-06-22 08:55:57 +08:00
parent dbb87823e8
commit 6ade6e8fa9
325 changed files with 41131 additions and 855 deletions
+32
View File
@@ -25,6 +25,14 @@ services:
APP_MASTER_KEY: "${APP_MASTER_KEY}"
APP_BOOTSTRAP_ADMIN_EMAIL: "${APP_BOOTSTRAP_ADMIN_EMAIL:-admin@local}"
APP_BOOTSTRAP_ADMIN_PASSWORD: "${APP_BOOTSTRAP_ADMIN_PASSWORD}"
# secret key provider(env|vault|kms)。轮换时把新版本 key 暂存到
# APP_MASTER_KEY_V2 再调 POST /api/v1/admin/security/rotate-key。
APP_CRYPTO_PROVIDER: "${APP_CRYPTO_PROVIDER:-env}"
# per-session 沙箱:默认 none。Linux 生产可设 uid/container,并配 base_uid /
# egress proxy。需要 egress 白名单时取消下方 forward-proxy 注释并指向它。
APP_ACP_SANDBOX_MODE: "${APP_ACP_SANDBOX_MODE:-none}"
APP_ACP_SANDBOX_BASE_UID: "${APP_ACP_SANDBOX_BASE_UID:-0}"
APP_ACP_SANDBOX_PROXY_URL: "${APP_ACP_SANDBOX_PROXY_URL:-}"
ports:
- "8080:8080"
volumes:
@@ -39,6 +47,30 @@ services:
retries: 6
start_period: 30s
# ── Egress allowlist forward proxy (opt-in for acp.sandbox egress control) ──
# Stand up a forward proxy whose only outbound is the allowlisted hosts, put
# the app (and, in container mode, the agent containers) on the egress-net,
# and set APP_ACP_SANDBOX_PROXY_URL=http://forward-proxy:8888. Provide your own
# tinyproxy.conf with an Allow/ConnectPort allowlist. Commented out so the
# default `docker compose up` works without extra config.
#
# forward-proxy:
# image: registry.jerryyan.top/library/tinyproxy:latest
# restart: unless-stopped
# volumes:
# - ./deploy/tinyproxy.conf:/etc/tinyproxy/tinyproxy.conf:ro
# networks:
# - egress-net
# - default
volumes:
acw-pg-data:
acw-data:
# networks:
# egress-net:
# # internal:true makes this network have NO direct internet route; only the
# # forward-proxy (multi-homed) can reach allowlisted hosts. Attach agent
# # sandbox containers here in mode=container so a non-cooperating binary
# # cannot bypass the proxy.
# internal: true