Jason Woltje
dfe89b7a3b
All checks were successful
ci/woodpecker/push/infra Pipeline was successful
Added CSRF_SECRET to docker-compose.swarm.portainer.yml (the active Portainer deployment) and both example compose files. Also added ENCRYPTION_KEY to the example files where it was missing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
115 lines
3.2 KiB
YAML
115 lines
3.2 KiB
YAML
# ==============================================
|
|
# Mosaic Stack - Hybrid Deployment Example
|
|
# ==============================================
|
|
# This example shows a hybrid deployment mixing bundled and external services.
|
|
# Common for staging environments: bundled database/cache, external auth/secrets.
|
|
#
|
|
# Usage:
|
|
# 1. Copy this file to docker-compose.override.yml
|
|
# 2. Set COMPOSE_PROFILES=database,cache,ollama in .env
|
|
# 3. Configure external service URLs in .env (see below)
|
|
# 4. Run: docker compose up -d
|
|
#
|
|
# Or run directly:
|
|
# docker compose -f docker-compose.yml -f docker-compose.example.hybrid.yml up -d
|
|
#
|
|
# Services Included (Bundled):
|
|
# - PostgreSQL 17 with pgvector
|
|
# - Valkey (Redis-compatible cache)
|
|
# - Ollama (local LLM)
|
|
# - API (NestJS)
|
|
# - Web (Next.js)
|
|
# - Orchestrator (Agent management)
|
|
#
|
|
# Services Included (External):
|
|
# - OpenBao/Vault (managed secrets)
|
|
# - Authentik/OIDC (managed authentication)
|
|
#
|
|
# Environment Variables (.env):
|
|
# COMPOSE_PROFILES=database,cache,ollama # Enable only these bundled services
|
|
# IMAGE_TAG=dev
|
|
#
|
|
# # Bundled Database (default from docker-compose.yml)
|
|
# DATABASE_URL=postgresql://mosaic:${POSTGRES_PASSWORD}@postgres:5432/mosaic
|
|
#
|
|
# # Bundled Cache (default from docker-compose.yml)
|
|
# VALKEY_URL=redis://valkey:6379
|
|
#
|
|
# # Bundled Ollama (default from docker-compose.yml)
|
|
# OLLAMA_ENDPOINT=http://ollama:11434
|
|
#
|
|
# # External Secrets (OpenBao/Vault)
|
|
# OPENBAO_ADDR=https://vault.example.com:8200
|
|
# OPENBAO_ROLE_ID=your-role-id
|
|
# OPENBAO_SECRET_ID=your-secret-id
|
|
#
|
|
# # External OIDC Authentication
|
|
# OIDC_ENABLED=true
|
|
# OIDC_ISSUER=https://auth.example.com/
|
|
# OIDC_CLIENT_ID=your-client-id
|
|
# OIDC_CLIENT_SECRET=your-client-secret
|
|
#
|
|
# ==============================================
|
|
|
|
services:
|
|
# Use bundled PostgreSQL and Valkey (enabled via database,cache profiles)
|
|
# No overrides needed - profiles handle this
|
|
|
|
# Disable bundled Authentik - use external OIDC
|
|
authentik-postgres:
|
|
profiles:
|
|
- disabled
|
|
|
|
authentik-redis:
|
|
profiles:
|
|
- disabled
|
|
|
|
authentik-server:
|
|
profiles:
|
|
- disabled
|
|
|
|
authentik-worker:
|
|
profiles:
|
|
- disabled
|
|
|
|
# Disable bundled OpenBao - use external vault
|
|
openbao:
|
|
profiles:
|
|
- disabled
|
|
|
|
openbao-init:
|
|
profiles:
|
|
- disabled
|
|
|
|
# Use bundled Ollama (enabled via ollama profile)
|
|
# No override needed
|
|
|
|
# Configure API for hybrid deployment
|
|
api:
|
|
environment:
|
|
# Bundled database (default)
|
|
DATABASE_URL: postgresql://${POSTGRES_USER:-mosaic}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB:-mosaic}
|
|
|
|
# Bundled cache (default)
|
|
VALKEY_URL: redis://valkey:6379
|
|
|
|
# External secrets
|
|
OPENBAO_ADDR: ${OPENBAO_ADDR}
|
|
OPENBAO_ROLE_ID: ${OPENBAO_ROLE_ID}
|
|
OPENBAO_SECRET_ID: ${OPENBAO_SECRET_ID}
|
|
|
|
# Bundled Ollama (default)
|
|
OLLAMA_ENDPOINT: http://ollama:11434
|
|
|
|
# External OIDC
|
|
OIDC_ENABLED: ${OIDC_ENABLED}
|
|
OIDC_ISSUER: ${OIDC_ISSUER}
|
|
OIDC_CLIENT_ID: ${OIDC_CLIENT_ID}
|
|
OIDC_CLIENT_SECRET: ${OIDC_CLIENT_SECRET}
|
|
|
|
# Security
|
|
CSRF_SECRET: ${CSRF_SECRET}
|
|
ENCRYPTION_KEY: ${ENCRYPTION_KEY}
|
|
|
|
# Web and Orchestrator use defaults from docker-compose.yml
|