You've already forked agentic-coding-workflow
77 lines
2.9 KiB
YAML
77 lines
2.9 KiB
YAML
services:
|
|
postgres:
|
|
image: registry.jerryyan.top/library/postgres:16-alpine
|
|
restart: unless-stopped
|
|
environment:
|
|
POSTGRES_USER: ${POSTGRES_USER:-acw}
|
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-acw}
|
|
POSTGRES_DB: ${POSTGRES_DB:-acw}
|
|
volumes:
|
|
- acw-pg-data:/var/lib/postgresql/data
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-acw}"]
|
|
interval: 5s
|
|
timeout: 5s
|
|
retries: 10
|
|
|
|
app:
|
|
image: git.jerryyan.net/q792602257/agent-coding-workflow:latest
|
|
build: .
|
|
restart: unless-stopped
|
|
environment:
|
|
APP_ENV: production
|
|
APP_HTTP_ADDR: ":8080"
|
|
APP_DB_DSN: "postgres://${POSTGRES_USER:-acw}:${POSTGRES_PASSWORD:-acw}@postgres:5432/${POSTGRES_DB:-acw}?sslmode=disable"
|
|
APP_MASTER_KEY: "${APP_MASTER_KEY}"
|
|
APP_BOOTSTRAP_ADMIN_EMAIL: "${APP_BOOTSTRAP_ADMIN_EMAIL:-admin@local}"
|
|
APP_BOOTSTRAP_ADMIN_PASSWORD: "${APP_BOOTSTRAP_ADMIN_PASSWORD}"
|
|
# secret key provider(env|vault|kms)。轮换时把新版本 key 暂存到
|
|
# APP_MASTER_KEY_V2 再调 POST /api/v1/admin/security/rotate-key。
|
|
APP_CRYPTO_PROVIDER: "${APP_CRYPTO_PROVIDER:-env}"
|
|
# per-session 沙箱:默认 none。Linux 生产可设 uid/container,并配 base_uid /
|
|
# egress proxy。需要 egress 白名单时取消下方 forward-proxy 注释并指向它。
|
|
APP_ACP_SANDBOX_MODE: "${APP_ACP_SANDBOX_MODE:-none}"
|
|
APP_ACP_SANDBOX_BASE_UID: "${APP_ACP_SANDBOX_BASE_UID:-0}"
|
|
APP_ACP_SANDBOX_PROXY_URL: "${APP_ACP_SANDBOX_PROXY_URL:-}"
|
|
ports:
|
|
- "8080:8080"
|
|
volumes:
|
|
- acw-data:/data
|
|
depends_on:
|
|
postgres:
|
|
condition: service_healthy
|
|
healthcheck:
|
|
test: ["CMD", "wget", "-q", "--spider", "http://localhost:8080/healthz"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 6
|
|
start_period: 30s
|
|
|
|
# ── Egress allowlist forward proxy (opt-in for acp.sandbox egress control) ──
|
|
# Stand up a forward proxy whose only outbound is the allowlisted hosts, put
|
|
# the app (and, in container mode, the agent containers) on the egress-net,
|
|
# and set APP_ACP_SANDBOX_PROXY_URL=http://forward-proxy:8888. Provide your own
|
|
# tinyproxy.conf with an Allow/ConnectPort allowlist. Commented out so the
|
|
# default `docker compose up` works without extra config.
|
|
#
|
|
# forward-proxy:
|
|
# image: registry.jerryyan.top/library/tinyproxy:latest
|
|
# restart: unless-stopped
|
|
# volumes:
|
|
# - ./deploy/tinyproxy.conf:/etc/tinyproxy/tinyproxy.conf:ro
|
|
# networks:
|
|
# - egress-net
|
|
# - default
|
|
|
|
volumes:
|
|
acw-pg-data:
|
|
acw-data:
|
|
|
|
# networks:
|
|
# egress-net:
|
|
# # internal:true makes this network have NO direct internet route; only the
|
|
# # forward-proxy (multi-homed) can reach allowlisted hosts. Attach agent
|
|
# # sandbox containers here in mode=container so a non-cooperating binary
|
|
# # cannot bypass the proxy.
|
|
# internal: true
|