part #2

devops/compose/.env

@@ -0,0 +1,171 @@
+# =============================================================================
+# STELLA OPS ENVIRONMENT CONFIGURATION
+# =============================================================================
+# Main environment template for docker-compose.stella-ops.yml
+# Copy to .env and customize for your deployment.
+#
+# Usage:
+#   cp env/stellaops.env.example .env
+#   docker compose -f docker-compose.stella-ops.yml up -d
+#
+# =============================================================================
+
+# =============================================================================
+# INFRASTRUCTURE
+# =============================================================================
+
+# PostgreSQL Database
+POSTGRES_USER=stellaops
+POSTGRES_PASSWORD=stellaops
+POSTGRES_DB=stellaops_platform
+POSTGRES_PORT=5432
+
+# Valkey (Redis-compatible cache and messaging)
+VALKEY_PORT=6379
+
+# RustFS Object Storage
+RUSTFS_HTTP_PORT=8080
+
+# =============================================================================
+# CORE SERVICES
+# =============================================================================
+
+# Authority (OAuth2/OIDC)
+AUTHORITY_ISSUER=https://authority.stella-ops.local
+AUTHORITY_PORT=8440
+AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:30:00
+
+# Signer
+SIGNER_POE_INTROSPECT_URL=http://authority.stella-ops.local/.well-known/openid-configuration
+SIGNER_PORT=8441
+
+# Attestor
+ATTESTOR_PORT=8442
+
+# Issuer Directory
+ISSUER_DIRECTORY_PORT=8447
+ISSUER_DIRECTORY_SEED_CSAF=true
+
+# Concelier
+CONCELIER_PORT=8445
+
+# Notify
+NOTIFY_WEB_PORT=8446
+
+# Web UI
+UI_PORT=8443
+
+# =============================================================================
+# SCANNER CONFIGURATION
+# =============================================================================
+
+SCANNER_WEB_PORT=8444
+
+# Queue configuration (Valkey only - NATS removed)
+SCANNER__QUEUE__BROKER=valkey://cache.stella-ops.local:6379
+
+# Event streaming
+SCANNER_EVENTS_ENABLED=false
+SCANNER_EVENTS_DRIVER=valkey
+SCANNER_EVENTS_DSN=cache.stella-ops.local:6379
+SCANNER_EVENTS_STREAM=stella.events
+SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
+SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
+
+# Surface cache configuration
+SCANNER_SURFACE_FS_ENDPOINT=http://s3.stella-ops.local
+SCANNER_SURFACE_FS_BUCKET=surface-cache
+SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
+SCANNER_SURFACE_CACHE_QUOTA_MB=4096
+SCANNER_SURFACE_PREFETCH_ENABLED=false
+SCANNER_SURFACE_TENANT=default
+SCANNER_SURFACE_FEATURES=
+SCANNER_SURFACE_SECRETS_PROVIDER=file
+SCANNER_SURFACE_SECRETS_NAMESPACE=
+SCANNER_SURFACE_SECRETS_ROOT=/etc/stellaops/secrets
+SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER=
+SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
+SURFACE_SECRETS_HOST_PATH=./offline/surface-secrets
+
+# Offline Kit configuration
+SCANNER_OFFLINEKIT_ENABLED=false
+SCANNER_OFFLINEKIT_REQUIREDSSE=true
+SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
+SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
+SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
+SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=./offline/trust-roots
+SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=./offline/rekor-snapshot
+
+# =============================================================================
+# SCHEDULER CONFIGURATION
+# =============================================================================
+
+# Queue configuration (Valkey only - NATS removed)
+SCHEDULER__QUEUE__KIND=Valkey
+SCHEDULER__QUEUE__VALKEY__URL=cache.stella-ops.local:6379
+SCHEDULER_SCANNER_BASEADDRESS=http://scanner.stella-ops.local
+
+# =============================================================================
+# REKOR / SIGSTORE CONFIGURATION
+# =============================================================================
+
+# Rekor server URL (default: public Sigstore, use http://rekor-v2:3000 for local)
+REKOR_SERVER_URL=https://rekor.sigstore.dev
+REKOR_VERSION=V2
+REKOR_TILE_BASE_URL=
+REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
+REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
+
+# =============================================================================
+# ADVISORY AI CONFIGURATION
+# =============================================================================
+
+ADVISORY_AI_WEB_PORT=8448
+ADVISORY_AI_SBOM_BASEADDRESS=http://scanner.stella-ops.local
+ADVISORY_AI_INFERENCE_MODE=Local
+ADVISORY_AI_REMOTE_BASEADDRESS=
+ADVISORY_AI_REMOTE_APIKEY=
+
+# =============================================================================
+# CRYPTO CONFIGURATION
+# =============================================================================
+
+# Crypto profile: default, china, russia, eu
+STELLAOPS_CRYPTO_PROFILE=default
+
+# Enable crypto simulation (for testing)
+STELLAOPS_CRYPTO_ENABLE_SIM=0
+STELLAOPS_CRYPTO_SIM_URL=http://sim-crypto:8080
+
+# CryptoPro (Russia only) - requires EULA acceptance
+CRYPTOPRO_PORT=18080
+CRYPTOPRO_ACCEPT_EULA=0
+CRYPTOPRO_CONTAINER_NAME=stellaops-signing
+CRYPTOPRO_USE_MACHINE_STORE=true
+CRYPTOPRO_PROVIDER_TYPE=80
+
+# SM Remote (China only)
+SM_REMOTE_PORT=56080
+SM_SOFT_ALLOWED=1
+SM_REMOTE_HSM_URL=
+SM_REMOTE_HSM_API_KEY=
+SM_REMOTE_HSM_TIMEOUT=30000
+
+# =============================================================================
+# NETWORKING
+# =============================================================================
+
+# External reverse proxy network (Traefik, Envoy, etc.)
+FRONTDOOR_NETWORK=stellaops_frontdoor
+
+# =============================================================================
+# TELEMETRY (optional)
+# =============================================================================
+
+OTEL_GRPC_PORT=4317
+OTEL_HTTP_PORT=4318
+OTEL_PROMETHEUS_PORT=9464
+PROMETHEUS_PORT=9090
+TEMPO_PORT=3200
+LOKI_PORT=3100
+PROMETHEUS_RETENTION=15d

devops/compose/docker-compose.dev.yml

@@ -10,9 +10,11 @@
 #   docker compose -f docker-compose.dev.yml up -d
 #
 # This provides:
-#   - PostgreSQL 18.1 on port 5432
-#   - Valkey 9.0.1 on port 6379
-#   - RustFS on port 8080
+#   - PostgreSQL 18.1 on 127.1.1.1:5432 (db.stella-ops.local)
+#   - Valkey 9.0.1 on 127.1.1.2:6379 (cache.stella-ops.local)
+#   - SeaweedFS (S3) on 127.1.1.3:8080 (s3.stella-ops.local)
+#   - Rekor v2 (tiles) on 127.1.1.4:3322 (rekor.stella-ops.local)
+#   - Zot (OCI registry) on 127.1.1.5:80 (registry.stella-ops.local)
 # =============================================================================
 
 services:
@@ -27,7 +29,7 @@ services:
     volumes:
       - postgres-data:/var/lib/postgresql/data
     ports:
-      - "${POSTGRES_PORT:-5432}:5432"
+      - "127.1.1.1:${POSTGRES_PORT:-5432}:5432"
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-stellaops}"]
       interval: 10s
@@ -42,7 +44,7 @@ services:
     volumes:
       - valkey-data:/data
     ports:
-      - "${VALKEY_PORT:-6379}:6379"
+      - "127.1.1.2:${VALKEY_PORT:-6379}:6379"
     healthcheck:
       test: ["CMD", "valkey-cli", "ping"]
       interval: 10s
@@ -50,24 +52,52 @@ services:
       retries: 5
 
   rustfs:
-    image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
+    image: chrislusf/seaweedfs:latest
     container_name: stellaops-dev-rustfs
     restart: unless-stopped
-    command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
-    environment:
-      RUSTFS__LOG__LEVEL: info
-      RUSTFS__STORAGE__PATH: /data
+    command: ["server", "-s3", "-s3.port=8080", "-dir=/data"]
     volumes:
       - rustfs-data:/data
     ports:
-      - "${RUSTFS_PORT:-8080}:8080"
+      - "127.1.1.3:${RUSTFS_PORT:-8080}:8080"
     healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
+      test: ["CMD", "wget", "-qO-", "http://localhost:8080/status"]
       interval: 30s
       timeout: 10s
       retries: 3
 
+  rekor-v2:
+    image: ${REKOR_TILES_IMAGE:-ghcr.io/sigstore/rekor-tiles:latest}
+    container_name: stellaops-dev-rekor
+    restart: unless-stopped
+    volumes:
+      - rekor-tiles-data:/var/lib/rekor-tiles
+    ports:
+      - "127.1.1.4:${REKOR_PORT:-3322}:3322"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3322/healthz"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  registry:
+    image: ghcr.io/project-zot/zot-linux-amd64:v2.1.3
+    container_name: stellaops-dev-registry
+    restart: unless-stopped
+    volumes:
+      - registry-data:/var/lib/registry
+      - ./zot-config.json:/etc/zot/config.json:ro
+    ports:
+      - "127.1.1.5:80:5000"
+    healthcheck:
+      test: ["CMD", "wget", "-qO-", "http://localhost:5000/v2/"]
+      interval: 30s
+      timeout: 5s
+      retries: 3
+
 volumes:
   postgres-data:
   valkey-data:
   rustfs-data:
+  rekor-tiles-data:
+  registry-data:

devops/compose/postgres-init/01-create-schemas.sql

@@ -0,0 +1,14 @@
+-- Pre-create schemas referenced by Stella Ops services.
+-- Runs once on first PostgreSQL container start via docker-entrypoint-initdb.d.
+
+CREATE SCHEMA IF NOT EXISTS scanner;
+CREATE SCHEMA IF NOT EXISTS vex;
+CREATE SCHEMA IF NOT EXISTS scheduler;
+CREATE SCHEMA IF NOT EXISTS policy;
+CREATE SCHEMA IF NOT EXISTS notify;
+CREATE SCHEMA IF NOT EXISTS notifier;
+CREATE SCHEMA IF NOT EXISTS evidence;
+CREATE SCHEMA IF NOT EXISTS findings;
+CREATE SCHEMA IF NOT EXISTS timeline;
+CREATE SCHEMA IF NOT EXISTS doctor;
+CREATE SCHEMA IF NOT EXISTS issuer_directory;

devops/compose/zot-config.json

@@ -0,0 +1,16 @@
+{
+  "distSpecVersion": "1.1.0",
+  "storage": {
+    "rootDirectory": "/var/lib/registry",
+    "gc": true,
+    "gcDelay": "1h",
+    "gcInterval": "24h"
+  },
+  "http": {
+    "address": "0.0.0.0",
+    "port": "5000"
+  },
+  "log": {
+    "level": "info"
+  }
+}