services: postgres: image: registry.jerryyan.top/library/postgres:16-alpine restart: unless-stopped environment: POSTGRES_USER: ${POSTGRES_USER:-acw} POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-acw} POSTGRES_DB: ${POSTGRES_DB:-acw} volumes: - acw-pg-data:/var/lib/postgresql/data healthcheck: test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-acw}"] interval: 5s timeout: 5s retries: 10 app: image: git.jerryyan.net/q792602257/agent-coding-workflow:latest build: . restart: unless-stopped environment: APP_ENV: production APP_HTTP_ADDR: ":8080" APP_DB_DSN: "postgres://${POSTGRES_USER:-acw}:${POSTGRES_PASSWORD:-acw}@postgres:5432/${POSTGRES_DB:-acw}?sslmode=disable" APP_MASTER_KEY: "${APP_MASTER_KEY}" APP_BOOTSTRAP_ADMIN_EMAIL: "${APP_BOOTSTRAP_ADMIN_EMAIL:-admin@local}" APP_BOOTSTRAP_ADMIN_PASSWORD: "${APP_BOOTSTRAP_ADMIN_PASSWORD}" # secret key provider(env|vault|kms)。轮换时把新版本 key 暂存到 # APP_MASTER_KEY_V2 再调 POST /api/v1/admin/security/rotate-key。 APP_CRYPTO_PROVIDER: "${APP_CRYPTO_PROVIDER:-env}" # per-session 沙箱:默认 none。Linux 生产可设 uid/container,并配 base_uid / # egress proxy。需要 egress 白名单时取消下方 forward-proxy 注释并指向它。 APP_ACP_SANDBOX_MODE: "${APP_ACP_SANDBOX_MODE:-none}" APP_ACP_SANDBOX_BASE_UID: "${APP_ACP_SANDBOX_BASE_UID:-0}" APP_ACP_SANDBOX_PROXY_URL: "${APP_ACP_SANDBOX_PROXY_URL:-}" ports: - "8080:8080" volumes: - acw-data:/data depends_on: postgres: condition: service_healthy healthcheck: test: ["CMD", "wget", "-q", "--spider", "http://localhost:8080/healthz"] interval: 10s timeout: 5s retries: 6 start_period: 30s # ── Egress allowlist forward proxy (opt-in for acp.sandbox egress control) ── # Stand up a forward proxy whose only outbound is the allowlisted hosts, put # the app (and, in container mode, the agent containers) on the egress-net, # and set APP_ACP_SANDBOX_PROXY_URL=http://forward-proxy:8888. Provide your own # tinyproxy.conf with an Allow/ConnectPort allowlist. Commented out so the # default `docker compose up` works without extra config. # # forward-proxy: # image: registry.jerryyan.top/library/tinyproxy:latest # restart: unless-stopped # volumes: # - ./deploy/tinyproxy.conf:/etc/tinyproxy/tinyproxy.conf:ro # networks: # - egress-net # - default volumes: acw-pg-data: acw-data: # networks: # egress-net: # # internal:true makes this network have NO direct internet route; only the # # forward-proxy (multi-homed) can reach allowlisted hosts. Attach agent # # sandbox containers here in mode=container so a non-cooperating binary # # cannot bypass the proxy. # internal: true