devops folders consolidate

devops/compose/docker-compose.tile-proxy.yml

@@ -0,0 +1,80 @@
+# =============================================================================
+# STELLA OPS TILE PROXY OVERLAY
+# =============================================================================
+# Rekor tile caching proxy for air-gapped and offline deployments.
+# Caches tiles from upstream Rekor (public Sigstore or private) locally.
+#
+# Use Cases:
+#   - Air-gapped deployments with periodic sync
+#   - Reduce latency by caching frequently-accessed tiles
+#   - Offline verification when upstream is unavailable
+#
+# Note: This is an ALTERNATIVE to running your own rekor-v2 instance.
+# Use tile-proxy when you want to cache from public Sigstore.
+# Use rekor-v2 (--profile sigstore) when running your own transparency log.
+#
+# Usage:
+#   docker compose -f docker-compose.stella-ops.yml \
+#     -f docker-compose.tile-proxy.yml up -d
+#
+# =============================================================================
+
+x-release-labels: &release-labels
+  com.stellaops.release.version: "2025.10.0"
+  com.stellaops.release.channel: "stable"
+  com.stellaops.component: "tile-proxy"
+
+volumes:
+  tile-cache:
+    driver: local
+  tuf-cache:
+    driver: local
+
+services:
+  tile-proxy:
+    build:
+      context: ../..
+      dockerfile: src/Attestor/StellaOps.Attestor.TileProxy/Dockerfile
+    image: registry.stella-ops.org/stellaops/tile-proxy:2025.10.0
+    container_name: stellaops-tile-proxy
+    restart: unless-stopped
+    ports:
+      - "${TILE_PROXY_PORT:-8090}:8080"
+    volumes:
+      - tile-cache:/var/cache/stellaops/tiles
+      - tuf-cache:/var/cache/stellaops/tuf
+    environment:
+      # Upstream Rekor configuration
+      TILE_PROXY__UPSTREAMURL: "${REKOR_SERVER_URL:-https://rekor.sigstore.dev}"
+      TILE_PROXY__ORIGIN: "${REKOR_ORIGIN:-rekor.sigstore.dev - 1985497715}"
+
+      # TUF configuration (optional - for checkpoint signature validation)
+      TILE_PROXY__TUF__ENABLED: "${TILE_PROXY_TUF_ENABLED:-false}"
+      TILE_PROXY__TUF__URL: "${TILE_PROXY_TUF_ROOT_URL:-}"
+      TILE_PROXY__TUF__VALIDATECHECKPOINTSIGNATURE: "${TILE_PROXY_TUF_VALIDATE_CHECKPOINT:-true}"
+
+      # Cache configuration
+      TILE_PROXY__CACHE__BASEPATH: /var/cache/stellaops/tiles
+      TILE_PROXY__CACHE__MAXSIZEGB: "${TILE_PROXY_CACHE_MAX_SIZE_GB:-10}"
+      TILE_PROXY__CACHE__CHECKPOINTTTLMINUTES: "${TILE_PROXY_CHECKPOINT_TTL_MINUTES:-5}"
+
+      # Sync job configuration (for air-gapped pre-fetching)
+      TILE_PROXY__SYNC__ENABLED: "${TILE_PROXY_SYNC_ENABLED:-true}"
+      TILE_PROXY__SYNC__SCHEDULE: "${TILE_PROXY_SYNC_SCHEDULE:-0 */6 * * *}"
+      TILE_PROXY__SYNC__DEPTH: "${TILE_PROXY_SYNC_DEPTH:-10000}"
+
+      # Request handling
+      TILE_PROXY__REQUEST__COALESCINGENABLED: "${TILE_PROXY_COALESCING_ENABLED:-true}"
+      TILE_PROXY__REQUEST__TIMEOUTSECONDS: "${TILE_PROXY_REQUEST_TIMEOUT_SECONDS:-30}"
+
+      # Logging
+      Serilog__MinimumLevel__Default: "${TILE_PROXY_LOG_LEVEL:-Information}"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/_admin/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 5s
+    networks:
+      - stellaops
+    labels: *release-labels