fix(swarm): move docker-compose.swarm.yml back to root directory

- Move docker/docker-compose.swarm.yml to root - Update documentation references - Simplifies deployment: swarm file in root, standalone file in root - Deploy script already expects file in root Rationale: Keep it simple - two compose files for two deployment methods: - docker-compose.yml → standalone (docker compose up -d) - docker-compose.swarm.yml → swarm (docker stack deploy) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-08 17:22:20 -06:00
parent f8477d5052
commit dac735af56
4 changed files with 145 additions and 508 deletions
--- a/docker-compose.swarm.yml
+++ b/docker-compose.swarm.yml
@@ -1,3 +1,28 @@
+# ==============================================
+# Mosaic Stack - Docker Swarm Deployment
+# ==============================================
+#
+# IMPORTANT: Docker Swarm does NOT support docker-compose profiles
+# To disable services (e.g., for external alternatives), manually comment them out
+#
+# Current Configuration:
+#   - PostgreSQL: ENABLED (internal)
+#   - Valkey: ENABLED (internal)
+#   - OpenBao: ENABLED (internal)
+#   - Authentik: DISABLED (commented out - using external OIDC)
+#   - Ollama: ENABLED (internal)
+#
+# For detailed deployment instructions, see:
+#   docs/SWARM-DEPLOYMENT.md
+#
+# Quick Start:
+#   1. cp .env.swarm.example .env
+#   2. nano .env  # Configure environment
+#   3. ./scripts/deploy-swarm.sh mosaic
+#   4. Initialize OpenBao manually (see docs/SWARM-DEPLOYMENT.md)
+#
+# ==============================================
+
 services:
  # ======================
  # PostgreSQL Database
@@ -81,125 +106,119 @@ services:
        condition: on-failure

  # ======================
-  # Authentik PostgreSQL
+  # Authentik - COMMENTED OUT (Using External Authentik)
  # ======================
-  authentik-postgres:
-    image: postgres:17-alpine
-    env_file: .env
-    environment:
-      POSTGRES_USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
-      POSTGRES_PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:-authentik_password}
-      POSTGRES_DB: ${AUTHENTIK_POSTGRES_DB:-authentik}
-    volumes:
-      - authentik_postgres_data:/var/lib/postgresql/data
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U ${AUTHENTIK_POSTGRES_USER:-authentik}"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-      start_period: 20s
-    networks:
-      - internal
-    deploy:
-      restart_policy:
-        condition: on-failure
-
-  # ======================
-  # Authentik Redis
-  # ======================
-  authentik-redis:
-    image: valkey/valkey:8-alpine
-    env_file: .env
-    command: valkey-server --save 60 1 --loglevel warning
-    volumes:
-      - authentik_redis_data:/data
-    healthcheck:
-      test: ["CMD", "valkey-cli", "ping"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-      start_period: 10s
-    networks:
-      - internal
-    deploy:
-      restart_policy:
-        condition: on-failure
-
-  # ======================
-  # Authentik Server
-  # ======================
-  authentik-server:
-    image: ghcr.io/goauthentik/server:2024.12.1
-    env_file: .env
-    command: server
-    environment:
-      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:-change-this-to-a-random-secret}
-      AUTHENTIK_ERROR_REPORTING__ENABLED: ${AUTHENTIK_ERROR_REPORTING:-false}
-      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
-      AUTHENTIK_POSTGRESQL__PORT: 5432
-      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_POSTGRES_DB:-authentik}
-      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
-      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:-authentik_password}
-      AUTHENTIK_REDIS__HOST: authentik-redis
-      AUTHENTIK_REDIS__PORT: 6379
-      AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD:-admin}
-      AUTHENTIK_BOOTSTRAP_EMAIL: ${AUTHENTIK_BOOTSTRAP_EMAIL:-admin@localhost}
-      AUTHENTIK_COOKIE_DOMAIN: ${AUTHENTIK_COOKIE_DOMAIN:-.mosaicstack.dev}
-    volumes:
-      - authentik_media:/media
-      - authentik_templates:/templates
-    healthcheck:
-      test:
-        [
-          "CMD",
-          "wget",
-          "--no-verbose",
-          "--tries=1",
-          "--spider",
-          "http://localhost:9000/-/health/live/",
-        ]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-      start_period: 90s
-    networks:
-      - internal
-      - traefik-public
-    deploy:
-      restart_policy:
-        condition: on-failure
-      labels:
-        - "traefik.enable=true"
-        - "traefik.http.routers.mosaic-auth.rule=Host(`${MOSAIC_AUTH_DOMAIN:-auth.mosaicstack.dev}`)"
-        - "traefik.http.routers.mosaic-auth.entrypoints=web"
-        - "traefik.http.services.mosaic-auth.loadbalancer.server.port=9000"
-
-  # ======================
-  # Authentik Worker
-  # ======================
-  authentik-worker:
-    image: ghcr.io/goauthentik/server:2024.12.1
-    env_file: .env
-    command: worker
-    environment:
-      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:-change-this-to-a-random-secret}
-      AUTHENTIK_ERROR_REPORTING__ENABLED: ${AUTHENTIK_ERROR_REPORTING:-false}
-      AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
-      AUTHENTIK_POSTGRESQL__PORT: 5432
-      AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_POSTGRES_DB:-authentik}
-      AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
-      AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:-authentik_password}
-      AUTHENTIK_REDIS__HOST: authentik-redis
-      AUTHENTIK_REDIS__PORT: 6379
-    volumes:
-      - authentik_media:/media
-      - authentik_certs:/certs
-      - authentik_templates:/templates
-    networks:
-      - internal
-    deploy:
-      restart_policy:
-        condition: on-failure
+  # Uncomment these services if you want to run Authentik internally
+  # For external Authentik, configure OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET in .env
+  #
+  # authentik-postgres:
+  #   image: postgres:17-alpine
+  #   env_file: .env
+  #   environment:
+  #     POSTGRES_USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
+  #     POSTGRES_PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:-authentik_password}
+  #     POSTGRES_DB: ${AUTHENTIK_POSTGRES_DB:-authentik}
+  #   volumes:
+  #     - authentik_postgres_data:/var/lib/postgresql/data
+  #   healthcheck:
+  #     test: ["CMD-SHELL", "pg_isready -U ${AUTHENTIK_POSTGRES_USER:-authentik}"]
+  #     interval: 10s
+  #     timeout: 5s
+  #     retries: 5
+  #     start_period: 20s
+  #   networks:
+  #     - internal
+  #   deploy:
+  #     restart_policy:
+  #       condition: on-failure
+  #
+  # authentik-redis:
+  #   image: valkey/valkey:8-alpine
+  #   env_file: .env
+  #   command: valkey-server --save 60 1 --loglevel warning
+  #   volumes:
+  #     - authentik_redis_data:/data
+  #   healthcheck:
+  #     test: ["CMD", "valkey-cli", "ping"]
+  #     interval: 10s
+  #     timeout: 5s
+  #     retries: 5
+  #     start_period: 10s
+  #   networks:
+  #     - internal
+  #   deploy:
+  #     restart_policy:
+  #       condition: on-failure
+  #
+  # authentik-server:
+  #   image: ghcr.io/goauthentik/server:2024.12.1
+  #   env_file: .env
+  #   command: server
+  #   environment:
+  #     AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:-change-this-to-a-random-secret}
+  #     AUTHENTIK_ERROR_REPORTING__ENABLED: ${AUTHENTIK_ERROR_REPORTING:-false}
+  #     AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
+  #     AUTHENTIK_POSTGRESQL__PORT: 5432
+  #     AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_POSTGRES_DB:-authentik}
+  #     AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
+  #     AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:-authentik_password}
+  #     AUTHENTIK_REDIS__HOST: authentik-redis
+  #     AUTHENTIK_REDIS__PORT: 6379
+  #     AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD:-admin}
+  #     AUTHENTIK_BOOTSTRAP_EMAIL: ${AUTHENTIK_BOOTSTRAP_EMAIL:-admin@localhost}
+  #     AUTHENTIK_COOKIE_DOMAIN: ${AUTHENTIK_COOKIE_DOMAIN:-.mosaicstack.dev}
+  #   volumes:
+  #     - authentik_media:/media
+  #     - authentik_templates:/templates
+  #   healthcheck:
+  #     test:
+  #       [
+  #         "CMD",
+  #         "wget",
+  #         "--no-verbose",
+  #         "--tries=1",
+  #         "--spider",
+  #         "http://localhost:9000/-/health/live/",
+  #       ]
+  #     interval: 30s
+  #     timeout: 10s
+  #     retries: 3
+  #     start_period: 90s
+  #   networks:
+  #     - internal
+  #     - traefik-public
+  #   deploy:
+  #     restart_policy:
+  #       condition: on-failure
+  #     labels:
+  #       - "traefik.enable=true"
+  #       - "traefik.http.routers.mosaic-auth.rule=Host(`${MOSAIC_AUTH_DOMAIN:-auth.mosaicstack.dev}`)"
+  #       - "traefik.http.routers.mosaic-auth.entrypoints=web"
+  #       - "traefik.http.services.mosaic-auth.loadbalancer.server.port=9000"
+  #
+  # authentik-worker:
+  #   image: ghcr.io/goauthentik/server:2024.12.1
+  #   env_file: .env
+  #   command: worker
+  #   environment:
+  #     AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:-change-this-to-a-random-secret}
+  #     AUTHENTIK_ERROR_REPORTING__ENABLED: ${AUTHENTIK_ERROR_REPORTING:-false}
+  #     AUTHENTIK_POSTGRESQL__HOST: authentik-postgres
+  #     AUTHENTIK_POSTGRESQL__PORT: 5432
+  #     AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_POSTGRES_DB:-authentik}
+  #     AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_POSTGRES_USER:-authentik}
+  #     AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_POSTGRES_PASSWORD:-authentik_password}
+  #     AUTHENTIK_REDIS__HOST: authentik-redis
+  #     AUTHENTIK_REDIS__PORT: 6379
+  #   volumes:
+  #     - authentik_media:/media
+  #     - authentik_certs:/certs
+  #     - authentik_templates:/templates
+  #   networks:
+  #     - internal
+  #   deploy:
+  #     restart_policy:
+  #       condition: on-failure

  # ======================
  # Ollama (Optional AI Service)
@@ -345,11 +364,12 @@ volumes:
  openbao_data:
  openbao_logs:
  openbao_init:
-  authentik_postgres_data:
-  authentik_redis_data:
-  authentik_media:
-  authentik_certs:
-  authentik_templates:
+  # Authentik volumes - commented out (using external Authentik)
+  # authentik_postgres_data:
+  # authentik_redis_data:
+  # authentik_media:
+  # authentik_certs:
+  # authentik_templates:
  ollama_data:
  orchestrator_workspace: