c3df03beb3
**BREAKING** for operators using `COMPOSE_PROFILES=full` or custom Compose overrides that referenced these stanzas — they're gone in docker-compose.yml and docker-compose.prod.yml. The scheduler-v2 model (previous commit) is now the sole driver: every cadence is a job in services/scheduler/__main__.py:JOBS hitting an admin HTTP endpoint. Why drop instead of keep behind `profiles: [full]`: - The previous stanzas were tight `restart: unless-stopped` boot loops. When the scheduled run ended (every cycle), Docker re-spawned the container, defeating any cadence the service intended. - The whole point of #176 is that there's now exactly one driver. Two drivers (scheduler HTTP + standalone container loop) would race on the same /data/user_sessions and knowledge_items writes. - Removing the stanzas is a louder signal than commenting them out — operators upgrading get a clean failure mode (no stale containers), not a silently double-driven pipeline. The Python entry points (services/{corporate_memory, session_collector, verification_detector}/__main__.py) stay — they're still callable from the CLI for manual one-shot runs and from the new admin endpoints. docs/architecture.md updated to reflect the new schedule table. tests/test_docker_compose.py pins the contract: the two services must not reappear under either Compose file.
133 lines
3.8 KiB
YAML
133 lines
3.8 KiB
YAML
services:
|
|
app:
|
|
build: .
|
|
# --proxy-headers + --forwarded-allow-ips make uvicorn honor the
|
|
# X-Forwarded-Proto / X-Forwarded-Host headers any reverse proxy (Caddy,
|
|
# nginx, Cloudflare Tunnel) sets. Without it, request.url_for() emits
|
|
# http://localhost:8000/... even when the user is on https://, which
|
|
# breaks OAuth callbacks (redirect_uri_mismatch). Belt-and-suspenders —
|
|
# FORWARDED_ALLOW_IPS=* in .env does the same via env var.
|
|
command: uvicorn app.main:app --host 0.0.0.0 --port 8000 --proxy-headers --forwarded-allow-ips='*'
|
|
ports:
|
|
- "8000:8000"
|
|
volumes:
|
|
- data:/data
|
|
- ./config:/app/config:ro
|
|
# - ./custom-connectors:/app/connectors/custom:ro # Tier A: AI-generated connectors
|
|
env_file: .env
|
|
environment:
|
|
- DATA_DIR=/data
|
|
healthcheck:
|
|
test: ["CMD", "curl", "-sf", "http://localhost:8000/api/health"]
|
|
interval: 30s
|
|
timeout: 5s
|
|
retries: 3
|
|
restart: unless-stopped
|
|
mem_limit: 4g
|
|
mem_reservation: 1g
|
|
cpus: 2.0
|
|
|
|
# One-shot: run extractor then rebuild orchestrator views
|
|
extract:
|
|
build: .
|
|
command: >
|
|
sh -c "python -m connectors.keboola.extractor &&
|
|
python -c 'from src.orchestrator import SyncOrchestrator; print(SyncOrchestrator().rebuild())'"
|
|
volumes:
|
|
- data:/data
|
|
- ./config:/app/config:ro
|
|
env_file: .env
|
|
environment:
|
|
- DATA_DIR=/data
|
|
profiles:
|
|
- extract
|
|
|
|
scheduler:
|
|
build: .
|
|
command: python -m services.scheduler
|
|
volumes:
|
|
- data:/data
|
|
- ./config:/app/config:ro
|
|
env_file: .env
|
|
environment:
|
|
- DATA_DIR=/data
|
|
- API_URL=http://app:8000
|
|
- SEED_ADMIN_EMAIL=${SEED_ADMIN_EMAIL:-}
|
|
depends_on:
|
|
app:
|
|
condition: service_healthy
|
|
restart: unless-stopped
|
|
mem_limit: 2g
|
|
cpus: 1.0
|
|
|
|
telegram-bot:
|
|
build: .
|
|
command: python -m services.telegram_bot
|
|
volumes:
|
|
- data:/data
|
|
env_file: .env
|
|
environment:
|
|
- DATA_DIR=/data
|
|
depends_on:
|
|
- app
|
|
profiles:
|
|
- full
|
|
restart: unless-stopped
|
|
|
|
ws-gateway:
|
|
build: .
|
|
command: python -m services.ws_gateway
|
|
volumes:
|
|
- data:/data
|
|
env_file: .env
|
|
environment:
|
|
- DATA_DIR=/data
|
|
depends_on:
|
|
- app
|
|
profiles:
|
|
- full
|
|
restart: unless-stopped
|
|
|
|
# NOTE: corporate-memory + session-collector previously ran here as
|
|
# tight `restart: unless-stopped` boot loops behind `profiles: [full]`.
|
|
# As of #176 the scheduler container drives both through admin HTTP
|
|
# endpoints (/api/admin/run-corporate-memory,
|
|
# /api/admin/run-session-collector). The verification-detector job
|
|
# was never in compose; it now ships the same way. The app remains
|
|
# the sole writer to system.duckdb. Operators previously running
|
|
# COMPOSE_PROFILES=full need to drop those service stanzas from any
|
|
# custom Compose overrides.
|
|
|
|
# TLS reverse proxy. Corporate-CA certs mounted from /data/state/certs
|
|
# (managed by scripts/ops/agnes-tls-rotate.sh on the VM). For local
|
|
# development without certs, run without --profile tls and hit :8000
|
|
# directly.
|
|
caddy:
|
|
image: caddy:2-alpine
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
volumes:
|
|
- ./Caddyfile:/etc/caddy/Caddyfile:ro
|
|
- /data/state/certs:/certs:ro
|
|
- caddy_data:/data
|
|
- caddy_config:/config
|
|
environment:
|
|
- DOMAIN=${DOMAIN:-localhost}
|
|
# Passes through whatever the operator set in .env. Caddyfile uses
|
|
# {$CADDY_TLS:tls /certs/fullchain.pem /certs/privkey.pem} so:
|
|
# - unset → cert-file mode (corp PKI rotated by tls-rotate.sh)
|
|
# - "tls <email>" → Let's Encrypt auto-issue
|
|
# - "tls internal" → Caddy-managed self-signed
|
|
- CADDY_TLS
|
|
depends_on:
|
|
app:
|
|
condition: service_healthy
|
|
restart: unless-stopped
|
|
profiles:
|
|
- tls
|
|
|
|
volumes:
|
|
data:
|
|
caddy_data:
|
|
caddy_config:
|