stack/docs/1-getting-started/2-installation/3-docker-setup.md

# Docker Setup

Containerized deployment for production or quick testing.

## Prerequisites

- Docker 24+ and Docker Compose 2.20+
- Git 2.x

See [Prerequisites](1-prerequisites.md) for installation instructions.

## Step 1: Clone Repository

```bash
git clone https://git.mosaicstack.dev/mosaic/stack mosaic-stack
cd mosaic-stack
```

## Step 2: Configure Environment

```bash
cp .env.example .env
nano .env  # Configure as needed
```

**Key variables for Docker deployment:**

```bash
# Database (Docker internal networking)
DATABASE_URL=postgresql://mosaic:mosaic_dev_password@postgres:5432/mosaic
POSTGRES_USER=mosaic
POSTGRES_PASSWORD=mosaic_dev_password
POSTGRES_DB=mosaic

# Valkey (Docker internal networking)
VALKEY_URL=redis://valkey:6379

# Application URLs
NEXT_PUBLIC_API_URL=http://localhost:3001

# JWT
JWT_SECRET=$(openssl rand -base64 32)
JWT_EXPIRATION=24h
```

## Step 3: Start Services

### Option A: Core Services Only (Recommended for Development)

Start PostgreSQL, Valkey, API, and Web:

```bash
# Start core stack
docker compose up -d

# View startup logs
docker compose logs -f

# Check service status
docker compose ps
```

### Option B: With Optional Services

Enable Authentik OIDC and/or Ollama AI:

```bash
# With Authentik only
docker compose --profile authentik up -d

# With Ollama only
docker compose --profile ollama up -d

# With all optional services
docker compose --profile full up -d

# Or set in .env file
echo "COMPOSE_PROFILES=full" >> .env
docker compose up -d
```

**Services available:**

| Service | Container | Port | Profile | Purpose |
|---------|-----------|------|---------|---------|
| PostgreSQL | mosaic-postgres | 5432 | core | Database with pgvector |
| Valkey | mosaic-valkey | 6379 | core | Redis-compatible cache |
| API | mosaic-api | 3001 | core | NestJS backend |
| Web | mosaic-web | 3000 | core | Next.js frontend |
| Authentik Server | mosaic-authentik-server | 9000, 9443 | authentik | OIDC provider |
| Authentik Worker | mosaic-authentik-worker | - | authentik | Background jobs |
| Authentik PostgreSQL | mosaic-authentik-postgres | - | authentik | Auth database |
| Authentik Redis | mosaic-authentik-redis | - | authentik | Auth cache |
| Ollama | mosaic-ollama | 11434 | ollama | LLM service |

## Step 4: Run Database Migrations

```bash
# Enter API container
docker compose exec api sh

# Run migrations
pnpm prisma migrate deploy

# Seed development data (optional)
pnpm prisma:seed

# Exit container
exit
```

## Step 5: Verify Deployment

### Check API Health

```bash
curl http://localhost:3001/health
```

### View Logs

```bash
# All services
docker compose logs -f

# Specific service
docker compose logs -f api

# Last 100 lines
docker compose logs --tail=100 api
```

### Access Containers

```bash
# API container shell
docker compose exec api sh

# PostgreSQL client
docker compose exec postgres psql -U mosaic -d mosaic

# Redis CLI
docker compose exec valkey redis-cli
```

## Management Commands

### Start/Stop Services

```bash
# Start all
docker compose up -d

# Stop all
docker compose stop

# Stop and remove containers
docker compose down

# Stop and remove containers + volumes (WARNING: deletes data)
docker compose down -v
```

### Restart Services

```bash
# Restart all
docker compose restart

# Restart specific service
docker compose restart api
```

### View Service Status

```bash
# List running containers
docker compose ps

# View resource usage
docker stats

# View logs
docker compose logs -f [service_name]
```

### Rebuild After Code Changes

```bash
# Rebuild and restart
docker compose up -d --build

# Rebuild specific service
docker compose build api
docker compose up -d api
```

## Production Deployment

### Environment Configuration

Create a production `.env` file:

```bash
# Production database
DATABASE_URL=postgresql://user:pass@prod-db-host:5432/mosaic

# Production Redis
REDIS_URL=redis://prod-redis-host:6379

# Production URLs
NEXT_PUBLIC_APP_URL=https://mosaic.example.com

# Secure JWT secret
JWT_SECRET=$(openssl rand -base64 64)
JWT_EXPIRATION=24h

# Authentik OIDC
OIDC_ISSUER=https://auth.example.com/application/o/mosaic/
OIDC_CLIENT_ID=prod-client-id
OIDC_CLIENT_SECRET=prod-client-secret
OIDC_REDIRECT_URI=https://mosaic.example.com/auth/callback
```

### Compose Override for Production

Create `docker-compose.prod.yml`:

```yaml
services:
  api:
    restart: always
    environment:
      NODE_ENV: production
    deploy:
      replicas: 2
      resources:
        limits:
          cpus: '1.0'
          memory: 1G

  web:
    restart: always
    environment:
      NODE_ENV: production
    deploy:
      replicas: 2
      resources:
        limits:
          cpus: '0.5'
          memory: 512M
```

**Deploy:**

```bash
docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
```

## Troubleshooting

### Containers Won't Start

```bash
# Check logs for errors
docker compose logs api
docker compose logs postgres

# Check container status
docker compose ps

# Restart specific service
docker compose restart api
```

### Database Connection Failed

```bash
# Check PostgreSQL is running
docker compose ps postgres

# Check PostgreSQL logs
docker compose logs postgres

# Test connection from API container
docker compose exec api sh
nc -zv postgres 5432
```

### Port Already in Use

```bash
# Find what's using the port
lsof -i :3001

# Kill the process or change port in docker-compose.yml
```

### Out of Disk Space

```bash
# Remove unused containers/images
docker system prune -a

# Remove unused volumes (WARNING: may delete data)
docker volume prune
```

### Permission Errors

```bash
# Add user to docker group
sudo usermod -aG docker $USER

# Log out and back in, or
newgrp docker
```

## Monitoring

### Resource Usage

```bash
# Live resource stats
docker stats

# Container logs
docker compose logs -f --tail=100
```

### Health Checks

```bash
# API health endpoint
curl http://localhost:3001/health

# PostgreSQL connection
docker compose exec postgres pg_isready -U mosaic

# Redis ping
docker compose exec valkey redis-cli ping
```

## Updating

### Pull Latest Changes

```bash
git pull origin develop

# Rebuild and restart
docker compose up -d --build
```

### Update Docker Images

```bash
# Pull latest base images
docker compose pull

# Rebuild
docker compose up -d --build
```

## Backup and Restore

### Database Backup

```bash
# Backup database
docker compose exec postgres pg_dump -U mosaic -d mosaic > backup-$(date +%Y%m%d).sql

# Restore database
cat backup-20260128.sql | docker compose exec -T postgres psql -U mosaic -d mosaic
```

### Volume Backup

```bash
# Backup PostgreSQL volume
docker run --rm \
  -v mosaic-stack_postgres-data:/data \
  -v $(pwd):/backup \
  alpine tar czf /backup/postgres-backup.tar.gz /data
```

## Next Steps

1. **Configure Authentication** — [Authentik Setup](../3-configuration/2-authentik.md)
2. **Monitor Logs** — Set up log aggregation for production
3. **Set up Backups** — Automate database backups
4. **Configure SSL** — Add reverse proxy (Traefik/Nginx) for HTTPS