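# =============================================================================
# STELLA OPS - MAIN STACK
# =============================================================================
# Consolidated Docker Compose for the complete StellaOps platform.
# Infrastructure: PostgreSQL 18.1, Valkey 9.0.1, SeaweedFS (S3), Rekor v2, Zot (OCI)
#
# Usage:
#   docker compose -f devops/compose/docker-compose.stella-ops.yml up -d
#
# With Sigstore tools:
#   docker compose -f devops/compose/docker-compose.stella-ops.yml --profile sigstore up -d
#
# With Telemetry:
#   docker compose -f devops/compose/docker-compose.stella-ops.yml \
#     -f devops/compose/docker-compose.telemetry.yml up -d
#
# With Compliance overlay (e.g., China):
#   docker compose -f devops/compose/docker-compose.stella-ops.yml \
#     -f devops/compose/docker-compose.compliance-china.yml up -d
#
# =============================================================================
#
# Review notes for this section (layout restored to one key per line):
#   * Every published port is bound to a 127.x.y.z loopback address, so the
#     services are reachable from the Docker host only.
#   * Inter-service URLs are plain http:// on the internal bridge network.
#   * Application services set ASPNETCORE_URLS to 8080/8440/... but publish and
#     health-check container port 80. NOTE(review): presumably the images bind
#     port 80 through other configuration — confirm.

# Labels merged into every service through the *release-labels alias.
x-release-labels: &release-labels
  com.stellaops.release.version: "2025.10.0"
  com.stellaops.release.channel: "stable"
  com.stellaops.profile: "default"

# Shared PostgreSQL connection string handed to the services below.
# NOTE(security): when POSTGRES_PASSWORD is unset this falls back to the
# literal password "stellaops"; set POSTGRES_USER / POSTGRES_PASSWORD
# explicitly for anything that is not a throwaway dev stack.
x-postgres-connection: &postgres-connection "Host=db.stella-ops.local;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"

# Kestrel default-certificate settings merged into service environments.
# NOTE(security): the PFX password is a fixed literal committed with this file
# (a dev certificate, going by the file name); source it from an environment
# variable or a secret before reusing the stack outside development.
x-kestrel-cert: &kestrel-cert
  Kestrel__Certificates__Default__Path: "/app/etc/certs/kestrel-dev.pfx"
  Kestrel__Certificates__Default__Password: "devpass"

# Read-only bind mount that provides /app/etc/certs inside the services.
# NOTE(security): the host side is the whole ../../etc/authority/keys
# directory. The authority service reads signing-dev.pem and ack-token-dev.pem
# from that same host directory, so every service using this anchor can
# presumably read those private keys too. Consider mounting only
# kestrel-dev.pfx — verify first that nothing else is read from /app/etc/certs.
x-cert-volume: &cert-volume "../../etc/authority/keys:/app/etc/certs:ro"

# Long-form tmpfs entry for /app/plugins (mode 1777 = world-writable + sticky).
# Not referenced in the part of the file visible here; the services use the
# short "/app/plugins:mode=1777" form instead.
x-plugin-tmpfs: &plugin-tmpfs
  /app/plugins:
    mode: "1777"

# ---------------------------------------------------------------------------
# Common anchors for the 60-service stack
# ---------------------------------------------------------------------------
# Start a service only after both datastores report healthy.
x-depends-infra: &depends-infra
  postgres:
    condition: service_healthy
  valkey:
    condition: service_healthy

# Timing shared by the TCP-probe healthchecks; each service adds its own test.
x-healthcheck-tcp: &healthcheck-tcp
  interval: 30s
  timeout: 5s
  retries: 3
  start_period: 15s

# Complete healthcheck for worker containers (script shipped in the image).
x-healthcheck-worker: &healthcheck-worker
  test: ["CMD", "/usr/local/bin/healthcheck.sh"]
  interval: 30s
  timeout: 5s
  start_period: 30s
  retries: 3

networks:
  # Internal bridge network carrying all service-to-service traffic.
  stellaops:
    driver: bridge
    name: stellaops
  # Pre-existing network (external: true); Compose will not create it.
  frontdoor:
    external: true
    name: ${FRONTDOOR_NETWORK:-stellaops_frontdoor}

volumes:
  postgres-data:
  valkey-data:
  rustfs-data:
  rekor-tiles-data:
  registry-data:
  concelier-jobs:
  scanner-surface-cache:
  advisory-ai-queue:
  advisory-ai-plans:
  advisory-ai-outputs:
  evidence-data:

services:
  # ===========================================================================
  # INFRASTRUCTURE SERVICES
  # ===========================================================================
  # NOTE(security): user, password and database all default to well-known
  # values when the POSTGRES_* variables are unset (see the connection-string
  # anchor above); override them outside local development.
  postgres:
    image: docker.io/library/postgres:18.1
    container_name: stellaops-postgres
    restart: unless-stopped
    environment:
      POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-stellaops}"
      POSTGRES_DB: "${POSTGRES_DB:-stellaops_platform}"
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - postgres-data:/var/lib/postgresql/data
      - ./postgres-init:/docker-entrypoint-initdb.d:ro
    ports:
      - "127.1.1.1:${POSTGRES_PORT:-5432}:5432"
    networks:
      stellaops:
        aliases:
          - db.stella-ops.local
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-stellaops} -d ${POSTGRES_DB:-stellaops_platform}"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s
    labels: *release-labels

  # NOTE(security): the server is started with append-only persistence and
  # nothing else; no requirepass/ACL option is passed here, so any container
  # on the stellaops network can issue commands without authenticating.
  valkey:
    image: docker.io/valkey/valkey:9.0.1
    container_name: stellaops-valkey
    restart: unless-stopped
    command: ["valkey-server", "--appendonly", "yes"]
    volumes:
      - valkey-data:/data
    ports:
      - "127.1.1.2:${VALKEY_PORT:-6379}:6379"
    networks:
      stellaops:
        aliases:
          - cache.stella-ops.local
    healthcheck:
      test: ["CMD", "valkey-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
    labels: *release-labels

  # S3-compatible object store. The service keeps the name "rustfs" but runs
  # the SeaweedFS image.
  # NOTE(security): ":latest" is a mutable tag — pin a version or digest so the
  # image cannot change between pulls. No S3 credentials are configured in
  # this command line. NOTE(review): confirm whether access control is
  # expected on the internal network.
  rustfs:
    image: chrislusf/seaweedfs:latest
    container_name: stellaops-rustfs
    command: ["server", "-s3", "-s3.port=8333", "-volume.port=8080", "-dir=/data"]
    restart: unless-stopped
    volumes:
      - rustfs-data:/data
    ports:
      - "127.1.1.3:${RUSTFS_HTTP_PORT:-8333}:8333"
    networks:
      stellaops:
        aliases:
          - s3.stella-ops.local
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:8333/"]
      interval: 30s
      timeout: 10s
      retries: 3
    labels: *release-labels

  # Zot OCI registry; behaviour (including any auth) comes from the mounted
  # zot-config.json, which is not part of this file.
  # The healthcheck is disabled, so Compose reports no health state for it.
  registry:
    image: ghcr.io/project-zot/zot-linux-amd64:v2.1.3
    container_name: stellaops-registry
    restart: unless-stopped
    volumes:
      - registry-data:/var/lib/registry
      - ./zot-config.json:/etc/zot/config.json:ro
    ports:
      - "127.1.1.5:80:5000"
    networks:
      stellaops:
        aliases:
          - registry.stella-ops.local
    healthcheck:
      disable: true
    labels: *release-labels

  # Transparency log; started only with "--profile sigstore".
  # NOTE(security): the default image reference uses the mutable ":latest"
  # tag — set REKOR_TILES_IMAGE to a pinned version or digest.
  rekor-v2:
    image: ${REKOR_TILES_IMAGE:-ghcr.io/sigstore/rekor-tiles:latest}
    container_name: stellaops-rekor
    restart: unless-stopped
    volumes:
      - rekor-tiles-data:/var/lib/rekor-tiles
    ports:
      - "127.1.1.4:${REKOR_PORT:-3322}:3322"
    networks:
      stellaops:
        aliases:
          - rekor.stella-ops.local
    profiles: ["sigstore"]
    labels:
      <<: *release-labels
      com.stellaops.component: "rekor-v2"

  # One-shot tool containers (sigstore profile); by default they print their
  # version and exit.
  rekor-cli:
    image: ghcr.io/sigstore/rekor-cli:v1.4.3
    entrypoint: ["rekor-cli"]
    command: ["version"]
    profiles: ["sigstore"]
    networks: [stellaops]
    labels: *release-labels

  cosign:
    image: ghcr.io/sigstore/cosign:v3.0.4
    entrypoint: ["cosign"]
    command: ["version"]
    profiles: ["sigstore"]
    networks: [stellaops]
    labels: *release-labels

  # ===========================================================================
  # APPLICATION SERVICES (ordered by port-registry slot)
  # ===========================================================================

  # --- Slot 0: Router Gateway ------------------------------------------------
  router-gateway:
    image: stellaops/router-gateway:dev
    container_name: stellaops-router-gateway
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.2:80:80"
    networks:
      stellaops:
        aliases:
          - router.stella-ops.local
      frontdoor: {}
    healthcheck:
      # TCP connect probe against port 80 through bash's /dev/tcp.
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 1: Platform ------------------------------------------------------
  # The STELLAOPS_*_URL variables are the service directory handed to the
  # platform container; all of them are http:// URLs on network aliases.
  platform:
    image: stellaops/platform:dev
    container_name: stellaops-platform
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
      STELLAOPS_ROUTER_URL: "http://router.stella-ops.local"
      STELLAOPS_PLATFORM_URL: "http://platform.stella-ops.local"
      STELLAOPS_AUTHORITY_URL: "http://authority.stella-ops.local"
      STELLAOPS_GATEWAY_URL: "http://gateway.stella-ops.local"
      STELLAOPS_ATTESTOR_URL: "http://attestor.stella-ops.local"
      STELLAOPS_EVIDENCELOCKER_URL: "http://evidencelocker.stella-ops.local"
      STELLAOPS_SCANNER_URL: "http://scanner.stella-ops.local"
      STELLAOPS_CONCELIER_URL: "http://concelier.stella-ops.local"
      STELLAOPS_EXCITITOR_URL: "http://excititor.stella-ops.local"
      STELLAOPS_VEXHUB_URL: "http://vexhub.stella-ops.local"
      STELLAOPS_VEXLENS_URL: "http://vexlens.stella-ops.local"
      STELLAOPS_VULNEXPLORER_URL: "http://vulnexplorer.stella-ops.local"
      STELLAOPS_POLICY_ENGINE_URL: "http://policy-engine.stella-ops.local"
      STELLAOPS_POLICY_GATEWAY_URL: "http://policy-gateway.stella-ops.local"
      STELLAOPS_RISKENGINE_URL: "http://riskengine.stella-ops.local"
      STELLAOPS_ORCHESTRATOR_URL: "http://orchestrator.stella-ops.local"
      STELLAOPS_TASKRUNNER_URL: "http://taskrunner.stella-ops.local"
      STELLAOPS_SCHEDULER_URL: "http://scheduler.stella-ops.local"
      STELLAOPS_GRAPH_URL: "http://graph.stella-ops.local"
      STELLAOPS_CARTOGRAPHER_URL: "http://cartographer.stella-ops.local"
      STELLAOPS_REACHGRAPH_URL: "http://reachgraph.stella-ops.local"
      STELLAOPS_TIMELINEINDEXER_URL: "http://timelineindexer.stella-ops.local"
      STELLAOPS_TIMELINE_URL: "http://timeline.stella-ops.local"
      STELLAOPS_FINDINGS_LEDGER_URL: "http://findings.stella-ops.local"
      STELLAOPS_DOCTOR_URL: "http://doctor.stella-ops.local"
      STELLAOPS_OPSMEMORY_URL: "http://opsmemory.stella-ops.local"
      STELLAOPS_NOTIFIER_URL: "http://notifier.stella-ops.local"
      STELLAOPS_NOTIFY_URL: "http://notify.stella-ops.local"
      STELLAOPS_SIGNER_URL: "http://signer.stella-ops.local"
      STELLAOPS_SMREMOTE_URL: "http://smremote.stella-ops.local"
      STELLAOPS_AIRGAP_CONTROLLER_URL: "http://airgap-controller.stella-ops.local"
      STELLAOPS_AIRGAP_TIME_URL: "http://airgap-time.stella-ops.local"
      STELLAOPS_PACKSREGISTRY_URL: "http://packsregistry.stella-ops.local"
      STELLAOPS_REGISTRY_TOKENSERVICE_URL: "http://registry-token.stella-ops.local"
      STELLAOPS_BINARYINDEX_URL: "http://binaryindex.stella-ops.local"
      STELLAOPS_ISSUERDIRECTORY_URL: "http://issuerdirectory.stella-ops.local"
      STELLAOPS_SYMBOLS_URL: "http://symbols.stella-ops.local"
      STELLAOPS_SBOMSERVICE_URL: "http://sbomservice.stella-ops.local"
      STELLAOPS_EXPORTCENTER_URL: "http://exportcenter.stella-ops.local"
      STELLAOPS_REPLAY_URL: "http://replay.stella-ops.local"
      STELLAOPS_INTEGRATIONS_URL: "http://integrations.stella-ops.local"
      STELLAOPS_SIGNALS_URL: "http://signals.stella-ops.local"
      STELLAOPS_ADVISORYAI_URL: "http://advisoryai.stella-ops.local"
      STELLAOPS_UNKNOWNS_URL: "http://unknowns.stella-ops.local"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.3:80:80"
    networks:
      stellaops:
        aliases:
          - platform.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 2: Authority -----------------------------------------------------
  # Token issuer. Its signing and ack-token keys are read from the read-only
  # ../../etc/authority mount.
  # NOTE(security): the issuer defaults to an http:// URL; the key ids, key
  # file names and PFX password are dev values committed with this file.
  # NOTE(security): PLUGINDIRECTORIES__0 points at /app/plugins, which is
  # mounted below as a world-writable tmpfs (mode 1777), so any process in the
  # container can place files in the plugin directory. NOTE(review): confirm
  # how plugins get there and whether a tighter mode works.
  authority:
    image: stellaops/authority:dev
    container_name: stellaops-authority
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
      valkey:
        condition: service_healthy
    environment:
      ASPNETCORE_URLS: "http://+:8440"
      Kestrel__Certificates__Default__Path: "/app/etc/authority/keys/kestrel-dev.pfx"
      Kestrel__Certificates__Default__Password: "devpass"
      STELLAOPS_AUTHORITY_AUTHORITY__SCHEMAVERSION: "1"
      STELLAOPS_AUTHORITY_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER:-http://authority.stella-ops.local}"
      STELLAOPS_AUTHORITY_AUTHORITY__STORAGE__CONNECTIONSTRING: *postgres-connection
      STELLAOPS_AUTHORITY_AUTHORITY__CACHE__REDIS__CONNECTIONSTRING: "cache.stella-ops.local:6379"
      STELLAOPS_AUTHORITY_AUTHORITY__SIGNING__ACTIVEKEYID: "dev-signing-key-1"
      STELLAOPS_AUTHORITY_AUTHORITY__SIGNING__KEYPATH: "/app/etc/authority/keys/signing-dev.pem"
      STELLAOPS_AUTHORITY_AUTHORITY__NOTIFICATIONS__ACKTOKENS__ACTIVEKEYID: "dev-ack-key-1"
      STELLAOPS_AUTHORITY_AUTHORITY__NOTIFICATIONS__ACKTOKENS__KEYPATH: "/app/etc/authority/keys/ack-token-dev.pem"
      STELLAOPS_AUTHORITY_AUTHORITY__NOTIFICATIONS__WEBHOOKS__ALLOWEDHOSTS__0: "notify.stella-ops.local"
      STELLAOPS_AUTHORITY_AUTHORITY__NOTIFICATIONS__ESCALATION__SCOPE: "notify.escalate"
      STELLAOPS_AUTHORITY_AUTHORITY__BOOTSTRAP__ENABLED: "false"
      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
      STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority/plugins"
    volumes:
      - ../../etc/authority:/app/etc/authority:ro
      - ../../etc/certificates/trust-roots:/etc/ssl/certs/stellaops:ro
    tmpfs:
      - /app/plugins:mode=1777
    ports:
      - "127.1.0.4:80:80"
    networks:
      stellaops:
        aliases:
          - authority.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 3: Gateway -------------------------------------------------------
  gateway:
    image: stellaops/gateway:dev
    container_name: stellaops-gateway
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.5:80:80"
    networks:
      stellaops:
        aliases:
          - gateway.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 4: Attestor ------------------------------------------------------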
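# Slots 4-11: entries of the top-level "services:" mapping, hence the two-space
# indent. The anchors used here (*kestrel-cert, *postgres-connection,
# *cert-volume, *depends-infra, *healthcheck-tcp, *healthcheck-worker,
# *release-labels) are the x-* extension blocks at the top of the file.
# Review notes for this section (layout restored to one key per line):
#   * Published ports are bound to 127.x.y.z loopback addresses only.
#   * /app/etc/certs comes from *cert-volume, whose host side is the
#     authority key directory. NOTE(review): confirm that these services
#     should be able to read everything stored there.
#   * tmpfs mounts use mode=1777 (world-writable + sticky bit).
  attestor:
    image: stellaops/attestor:dev
    container_name: stellaops-attestor
    restart: unless-stopped
    # List form: waits for the signer container to start, not to be healthy.
    depends_on:
      - signer
    environment:
      ASPNETCORE_URLS: "http://+:8442"
      <<: *kestrel-cert
      ATTESTOR_ATTESTOR__SIGNER__BASEURL: "http://signer.stella-ops.local"
      ConnectionStrings__Default: *postgres-connection
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.6:80:80"
    networks:
      stellaops:
        aliases:
          - attestor.stella-ops.local
      frontdoor: {}
    healthcheck:
      # TCP connect probe against port 80 through bash's /dev/tcp.
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 5: Attestor TileProxy --------------------------------------------
  # Internal only: no published port and no frontdoor attachment.
  # The upstream is the rekor alias, which exists only when the "sigstore"
  # profile is active. NOTE(review): confirm the proxy tolerates a missing
  # upstream.
  attestor-tileproxy:
    image: stellaops/attestor-tileproxy:dev
    container_name: stellaops-attestor-tileproxy
    restart: unless-stopped
    depends_on:
      - attestor
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      TILE_PROXY__tile_proxy__UpstreamUrl: "http://rekor.stella-ops.local:3322"
      TILE_PROXY__tile_proxy__Origin: "stellaops-tileproxy"
      TILE_PROXY__tile_proxy__Cache__BasePath: "/var/cache/stellaops/tiles"
      TILE_PROXY__tile_proxy__Cache__MaxSizeGb: "1"
    volumes:
      - *cert-volume
    tmpfs:
      - /var/cache/stellaops/tiles:mode=1777
    networks:
      stellaops:
        aliases:
          - attestor-tileproxy.stella-ops.local
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 6: Evidence Locker ------------------------------------------------
  # NOTE(security): write-once enforcement and signing are both switched off
  # in the web and worker definitions, and migrations run at startup from
  # both. Presumably dev-only — confirm that production overlays turn
  # EnforceWriteOnce and Signing back on, since they protect evidence
  # integrity.
  evidence-locker-web:
    image: stellaops/evidence-locker-web:dev
    container_name: stellaops-evidence-locker-web
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      EvidenceLocker__Database__ConnectionString: *postgres-connection
      EvidenceLocker__Database__ApplyMigrationsAtStartup: "true"
      EvidenceLocker__ObjectStore__Kind: "FileSystem"
      EvidenceLocker__ObjectStore__FileSystem__RootPath: "/data/evidence"
      EvidenceLocker__ObjectStore__EnforceWriteOnce: "false"
      EvidenceLocker__Signing__Enabled: "false"
      EvidenceLocker__Signing__Algorithm: "ES256"
      EvidenceLocker__Signing__KeyId: "dev-evidence-key"
      EvidenceLocker__Quotas__MaxMaterialCount: "128"
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
      EvidenceLocker__Authority__BaseUrl: "http://authority.stella-ops.local"
    volumes:
      - *cert-volume
      - evidence-data:/data/evidence
    ports:
      - "127.1.0.7:80:80"
    networks:
      stellaops:
        aliases:
          - evidencelocker.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # Shares the evidence-data volume with evidence-locker-web.
  evidence-locker-worker:
    image: stellaops/evidence-locker-worker:dev
    container_name: stellaops-evidence-locker-worker
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      <<: *kestrel-cert
      EvidenceLocker__Database__ConnectionString: *postgres-connection
      EvidenceLocker__Database__ApplyMigrationsAtStartup: "true"
      EvidenceLocker__ObjectStore__Kind: "FileSystem"
      EvidenceLocker__ObjectStore__FileSystem__RootPath: "/data/evidence"
      EvidenceLocker__ObjectStore__EnforceWriteOnce: "false"
      EvidenceLocker__Signing__Enabled: "false"
      EvidenceLocker__Signing__Algorithm: "ES256"
      EvidenceLocker__Signing__KeyId: "dev-evidence-key"
      EvidenceLocker__Quotas__MaxMaterialCount: "128"
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
      - evidence-data:/data/evidence
    networks:
      stellaops:
        aliases:
          - evidence-locker-worker.stella-ops.local
    healthcheck:
      <<: *healthcheck-worker
    labels: *release-labels

  # --- Slot 8: Scanner -------------------------------------------------------
  # rustfs is awaited with service_started only, so the object store may not
  # be ready yet when the scanner starts.
  # Secrets, trust roots and the Rekor snapshot are read-only bind mounts whose
  # host paths default to ./offline/*; inline secrets default to disabled.
  scanner-web:
    image: stellaops/scanner-web:dev
    container_name: stellaops-scanner-web
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
      valkey:
        condition: service_healthy
      rustfs:
        condition: service_started
    environment:
      ASPNETCORE_URLS: "http://+:8444"
      <<: *kestrel-cert
      SCANNER_SCANNER__PLUGINS__BASEDIRECTORY: "/app"
      SCANNER_SCANNER__STORAGE__DRIVER: "postgres"
      SCANNER_SCANNER__STORAGE__DSN: *postgres-connection
      SCANNER_SCANNER__STORAGE__COMMANDTIMEOUTSECONDS: "30"
      SCANNER_SCANNER__STORAGE__HEALTHCHECKTIMEOUTSECONDS: "5"
      SCANNER_SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
      SCANNER_SCANNER__ARTIFACTSTORE__ENDPOINT: "http://s3.stella-ops.local:8333"
      SCANNER_SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
      SCANNER_SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
      SCANNER_SCANNER__QUEUE__DRIVER: "redis"
      SCANNER_SCANNER__QUEUE__DSN: "cache.stella-ops.local:6379"
      SCANNER_SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-false}"
      SCANNER_SCANNER__EVENTS__DRIVER: "redis"
      SCANNER_SCANNER__EVENTS__DSN: "cache.stella-ops.local:6379"
      SCANNER_SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
      SCANNER_SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
      SCANNER_SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
      SCANNER_SCANNER__OFFLINEKIT__ENABLED: "${SCANNER_OFFLINEKIT_ENABLED:-false}"
      SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://s3.stella-ops.local:8333}"
      SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}"
      SCANNER_SURFACE_CACHE_ROOT: "${SCANNER_SURFACE_CACHE_ROOT:-/var/lib/stellaops/surface}"
      SCANNER_SURFACE_CACHE_QUOTA_MB: "${SCANNER_SURFACE_CACHE_QUOTA_MB:-4096}"
      SCANNER_SURFACE_PREFETCH_ENABLED: "${SCANNER_SURFACE_PREFETCH_ENABLED:-false}"
      SCANNER_SURFACE_TENANT: "${SCANNER_SURFACE_TENANT:-default}"
      SCANNER_SURFACE_FEATURES: "${SCANNER_SURFACE_FEATURES:-}"
      SCANNER_SURFACE_SECRETS_PROVIDER: "${SCANNER_SURFACE_SECRETS_PROVIDER:-file}"
      SCANNER_SURFACE_SECRETS_NAMESPACE: "${SCANNER_SURFACE_SECRETS_NAMESPACE:-}"
      SCANNER_SURFACE_SECRETS_ROOT: "${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}"
      SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER: "${SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER:-}"
      SCANNER_SURFACE_SECRETS_ALLOW_INLINE: "${SCANNER_SURFACE_SECRETS_ALLOW_INLINE:-false}"
    volumes:
      - ../../etc/scanner:/app/etc/scanner:ro
      - ../../etc/certificates/trust-roots:/etc/ssl/certs/stellaops:ro
      - ${SURFACE_SECRETS_HOST_PATH:-./offline/surface-secrets}:${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}:ro
      - ${SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH:-./offline/trust-roots}:${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}:ro
      - ${SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH:-./offline/rekor-snapshot}:${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}:ro
      - *cert-volume
    tmpfs:
      - /app/plugins:mode=1777
      - /var/lib/stellaops/surface:mode=1777
    ports:
      - "127.1.0.8:80:80"
    networks:
      stellaops:
        aliases:
          - scanner.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # NOTE(security): Authority integration and surface validation are disabled
  # for the worker, and the file secrets root is the same path as the
  # world-writable tmpfs mounted below (/var/lib/stellaops/surface).
  # Presumably a dev shortcut — confirm before reusing these settings.
  scanner-worker:
    image: stellaops/scanner-worker:dev
    container_name: stellaops-scanner-worker
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
      valkey:
        condition: service_healthy
      rustfs:
        condition: service_started
    environment:
      <<: *kestrel-cert
      # Scanner worker options
      Scanner__Worker__Authority__Enabled: "false"
      BinaryIndex__Enabled: "false"
      # Scanner storage (Postgres + S3/RustFS object store)
      ScannerStorage__Postgres__ConnectionString: *postgres-connection
      ScannerStorage__Postgres__SchemaName: "scanner"
      ScannerStorage__ObjectStore__Driver: "rustfs"
      ScannerStorage__ObjectStore__BucketName: "scanner-artifacts"
      ScannerStorage__ObjectStore__RustFs__BaseUrl: "http://s3.stella-ops.local:8333"
      # Surface environment (read via Environment.GetEnvironmentVariable)
      SCANNER_SURFACE_FS_ENDPOINT: "http://s3.stella-ops.local:8333"
      SURFACE_FS_ENDPOINT: "http://s3.stella-ops.local:8333"
      SCANNER_SURFACE_SECRETS_NAMESPACE: "stellaops"
      SCANNER_SURFACE_SECRETS_PROVIDER: "file"
      SCANNER_SURFACE_SECRETS_ROOT: "/var/lib/stellaops/surface"
      SCANNER_SURFACE_VALIDATION_DISABLED: "true"
      # EPSS bundle source path (EpssBundleSource constructor)
      EPSS_BUNDLE_PATH: "/app/epss"
    volumes:
      - *cert-volume
    tmpfs:
      - /var/lib/stellaops/surface:mode=1777
      - /app/epss:mode=1777
    networks:
      stellaops:
        aliases:
          - scanner-worker.stella-ops.local
    healthcheck:
      <<: *healthcheck-worker
    labels: *release-labels

  # --- Slot 9: Concelier -----------------------------------------------------
  # ALLOWOFFLINECACHEFALLBACK together with the tolerance window (default
  # 00:30:00) presumably lets cached Authority data be used while Authority is
  # unreachable — confirm the window is acceptable for the deployment.
  concelier:
    image: stellaops/concelier:dev
    container_name: stellaops-concelier
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
      valkey:
        condition: service_healthy
      rustfs:
        condition: service_started
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      CONCELIER_PLUGINS__BASEDIRECTORY: "/app"
      CONCELIER_POSTGRESSTORAGE__CONNECTIONSTRING: *postgres-connection
      CONCELIER_POSTGRESSTORAGE__ENABLED: "true"
      CONCELIER_S3__ENDPOINT: "http://s3.stella-ops.local:8333"
      CONCELIER_AUTHORITY__BASEURL: "http://authority.stella-ops.local"
      CONCELIER_AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
      CONCELIER_AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
    volumes:
      - concelier-jobs:/var/lib/concelier/jobs
      - *cert-volume
    tmpfs:
      - /app/plugins:mode=1777
    ports:
      - "127.1.0.9:80:80"
    networks:
      stellaops:
        aliases:
          - concelier.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 10: Excititor ----------------------------------------------------
  # Gated behind the "code-fix-pending" profile, so it is not started by a
  # plain "up"; excititor-worker below carries no such profile.
  excititor:
    image: stellaops/excititor:dev
    container_name: stellaops-excititor
    restart: unless-stopped
    profiles: ["code-fix-pending"]  # Docker build error from prior session
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      # Postgres options (section: Postgres:Excititor)
      Postgres__Excititor__ConnectionString: *postgres-connection
      Postgres__Excititor__SchemaName: "vex"
      Excititor__Concelier__BaseUrl: "http://concelier.stella-ops.local"
      Excititor__Storage__Driver: "postgres"
    volumes:
      - *cert-volume
    tmpfs:
      - /app/plugins:mode=1777
    ports:
      - "127.1.0.10:80:80"
    networks:
      stellaops:
        aliases:
          - excititor.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  excititor-worker:
    image: stellaops/excititor-worker:dev
    container_name: stellaops-excititor-worker
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
      valkey:
        condition: service_healthy
    environment:
      <<: *kestrel-cert
      # Postgres options (section: Postgres:Excititor)
      Postgres__Excititor__ConnectionString: *postgres-connection
      Postgres__Excititor__SchemaName: "vex"
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
      Excititor__Concelier__BaseUrl: "http://concelier.stella-ops.local"
      Excititor__Storage__Driver: "postgres"
      Excititor__Worker__DisableConsensus: "true"
      # TenantAuthorityOptionsValidator requires BaseUrls dict with at least one entry
      Excititor__Authority__BaseUrls__default: "http://authority.stella-ops.local"
      # IssuerDirectoryClientOptions.Validate() requires BaseAddress
      IssuerDirectory__Client__BaseAddress: "http://issuerdirectory.stella-ops.local"
    volumes:
      - *cert-volume
    networks:
      stellaops:
        aliases:
          - excititor-worker.stella-ops.local
    healthcheck:
      <<: *healthcheck-worker
    labels: *release-labels

  # --- Slot 11: VexHub -------------------------------------------------------
  vexhub-web:
    image: stellaops/vexhub-web:dev
    container_name: stellaops-vexhub-web
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.11:80:80"
    networks:
      stellaops:
        aliases:
          - vexhub.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 12: VexLens ------------------------------------------------------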
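# Slots 12-18: entries of the top-level "services:" mapping, hence the two-space
# indent. The anchors used here (*kestrel-cert, *postgres-connection,
# *cert-volume, *depends-infra, *healthcheck-tcp, *healthcheck-worker,
# *release-labels) are the x-* extension blocks at the top of the file.
# Review notes for this section (layout restored to one key per line):
#   * Each "-web"/API service publishes container port 80 on its own
#     127.1.0.x loopback address and also joins the external frontdoor
#     network; the workers join only the internal stellaops network.
#   * All of these services share one PostgreSQL connection string and thus
#     one database account. NOTE(review): consider per-service roles if
#     least privilege matters for the target environment.
#   * ASPNETCORE_URLS names 8080/8084 while ports and healthchecks use 80.
#     NOTE(review): presumably the images bind port 80 by other means —
#     confirm.
  vexlens-web:
    image: stellaops/vexlens-web:dev
    container_name: stellaops-vexlens-web
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.12:80:80"
    networks:
      stellaops:
        aliases:
          - vexlens.stella-ops.local
      frontdoor: {}
    healthcheck:
      # TCP connect probe against port 80 through bash's /dev/tcp.
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 13: VulnExplorer (api) -------------------------------------------
  # The service key is "api" but it answers on the vulnexplorer alias.
  api:
    image: stellaops/api:dev
    container_name: stellaops-api
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.13:80:80"
    networks:
      stellaops:
        aliases:
          - vulnexplorer.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 14: Policy Engine ------------------------------------------------
  # Uses STELLAOPS_POLICY_ENGINE_-prefixed variable names instead of the plain
  # ConnectionStrings__* keys the other services use.
  policy-engine:
    image: stellaops/policy-engine:dev
    container_name: stellaops-policy-engine
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      STELLAOPS_POLICY_ENGINE_Postgres__Policy__ConnectionString: *postgres-connection
      STELLAOPS_POLICY_ENGINE_ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.14:80:80"
    networks:
      stellaops:
        aliases:
          - policy-engine.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 15: Policy Gateway -----------------------------------------------
  # The service key is "policy"; its only alias is policy-gateway.*.
  policy:
    image: stellaops/policy:dev
    container_name: stellaops-policy
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8084"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.15:80:80"
    networks:
      stellaops:
        aliases:
          - policy-gateway.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 16: RiskEngine ---------------------------------------------------
  riskengine-web:
    image: stellaops/riskengine-web:dev
    container_name: stellaops-riskengine-web
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.16:80:80"
    networks:
      stellaops:
        aliases:
          - riskengine.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  riskengine-worker:
    image: stellaops/riskengine-worker:dev
    container_name: stellaops-riskengine-worker
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    healthcheck:
      <<: *healthcheck-worker
    networks:
      stellaops:
        aliases:
          - riskengine-worker.stella-ops.local
    labels: *release-labels

  # --- Slot 17: Orchestrator -------------------------------------------------
  orchestrator:
    image: stellaops/orchestrator:dev
    container_name: stellaops-orchestrator
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.17:80:80"
    networks:
      stellaops:
        aliases:
          - orchestrator.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  orchestrator-worker:
    image: stellaops/orchestrator-worker:dev
    container_name: stellaops-orchestrator-worker
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    healthcheck:
      <<: *healthcheck-worker
    networks:
      stellaops:
        aliases:
          - orchestrator-worker.stella-ops.local
    labels: *release-labels

  # --- Slot 18: TaskRunner ---------------------------------------------------
  taskrunner-web:
    image: stellaops/taskrunner-web:dev
    container_name: stellaops-taskrunner-web
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.18:80:80"
    networks:
      stellaops:
        aliases:
          - taskrunner.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # NOTE(security): the AirGap egress policy is switched off here (the
  # original comment marks it as a dev setting), so this definition does not
  # restrict the task runner's outbound traffic. Queue, state, artifacts,
  # approvals and logs live on world-writable tmpfs mounts and are lost when
  # the container is recreated. NOTE(review): confirm that is acceptable for
  # approval and log data.
  taskrunner-worker:
    image: stellaops/taskrunner-worker:dev
    container_name: stellaops-taskrunner-worker
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
      # AirGap egress policy (disable for dev)
      AirGap__Egress__Enabled: "false"
    volumes:
      - *cert-volume
    tmpfs:
      - /app/queue:mode=1777
      - /app/state:mode=1777
      - /app/artifacts:mode=1777
      - /app/approvals:mode=1777
      - /app/logs:mode=1777
    networks:
      stellaops:
        aliases:
          - taskrunner-worker.stella-ops.local
    healthcheck:
      <<: *healthcheck-worker
    labels: *release-labels

  # --- Slot 19: Scheduler ----------------------------------------------------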
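# Slots 19-27: entries of the top-level "services:" mapping, hence the two-space
# indent. The anchors used here (*kestrel-cert, *postgres-connection,
# *cert-volume, *depends-infra, *healthcheck-tcp, *healthcheck-worker,
# *release-labels) are the x-* extension blocks at the top of the file.
# Review notes for this section (layout restored to one key per line):
#   * Published ports are bound to 127.1.0.x loopback addresses only.
#   * tmpfs mounts use mode=1777 (world-writable + sticky bit).
#   * findings-ledger-web carries committed secret material and relaxed
#     authentication/CSRF settings; see the note on that service.
  scheduler-web:
    image: stellaops/scheduler-web:dev
    container_name: stellaops-scheduler-web
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    # Two plugin locations are provided as empty, world-writable tmpfs mounts.
    tmpfs:
      - /app/plugins:mode=1777
      - /plugins:mode=1777
    ports:
      - "127.1.0.19:80:80"
    networks:
      stellaops:
        aliases:
          - scheduler.stella-ops.local
      frontdoor: {}
    healthcheck:
      # TCP connect probe against port 80 through bash's /dev/tcp.
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # NOTE(review): Scheduler__Worker__Policy__Api__BaseAddress targets
  # policy.stella-ops.local, but the policy services in this file declare the
  # aliases policy-engine.stella-ops.local and policy-gateway.stella-ops.local.
  # Unless another definition provides "policy.stella-ops.local", that name
  # will not resolve — confirm the intended target.
  scheduler-worker:
    image: stellaops/scheduler-worker:dev
    container_name: stellaops-scheduler-worker
    restart: unless-stopped
    depends_on:
      postgres:
        condition: service_healthy
      valkey:
        condition: service_healthy
    environment:
      <<: *kestrel-cert
      # Queue config (Redis transport)
      scheduler__queue__Kind: "Redis"
      scheduler__queue__Redis__ConnectionString: "cache.stella-ops.local:6379"
      # Persistence config (section: Scheduler:Storage, subsection: Postgres:Scheduler)
      Scheduler__Storage__Postgres__Scheduler__ConnectionString: *postgres-connection
      Scheduler__Storage__Postgres__Scheduler__SchemaName: "scheduler"
      # Worker config
      Scheduler__Worker__Runner__Scanner__BaseAddress: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner.stella-ops.local}"
      Scheduler__Worker__Graph__Cartographer__BaseAddress: "http://cartographer.stella-ops.local"
      Scheduler__Worker__Graph__SchedulerApi__BaseAddress: "http://scheduler.stella-ops.local"
      Scheduler__Worker__Policy__Api__BaseAddress: "http://policy.stella-ops.local"
      # Surface environment
      SURFACE_FS_ENDPOINT: "http://s3.stella-ops.local:8333"
    volumes:
      - *cert-volume
    tmpfs:
      - /var/lib/stellaops/surface:mode=1777
    networks:
      stellaops:
        aliases:
          - scheduler-worker.stella-ops.local
    healthcheck:
      <<: *healthcheck-worker
    labels: *release-labels

  # --- Slot 20: Graph API ----------------------------------------------------
  graph-api:
    image: stellaops/graph-api:dev
    container_name: stellaops-graph-api
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.20:80:80"
    networks:
      stellaops:
        aliases:
          - graph.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 21: Cartographer -------------------------------------------------
  cartographer:
    image: stellaops/cartographer:dev
    container_name: stellaops-cartographer
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.21:80:80"
    networks:
      stellaops:
        aliases:
          - cartographer.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 22: ReachGraph ---------------------------------------------------
  reachgraph-web:
    image: stellaops/reachgraph-web:dev
    container_name: stellaops-reachgraph-web
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.22:80:80"
    networks:
      stellaops:
        aliases:
          - reachgraph.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 23: Timeline Indexer ---------------------------------------------
  timeline-indexer-web:
    image: stellaops/timeline-indexer-web:dev
    container_name: stellaops-timeline-indexer-web
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.23:80:80"
    networks:
      stellaops:
        aliases:
          - timelineindexer.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  timeline-indexer-worker:
    image: stellaops/timeline-indexer-worker:dev
    container_name: stellaops-timeline-indexer-worker
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    healthcheck:
      <<: *healthcheck-worker
    networks:
      stellaops:
        aliases:
          - timeline-indexer-worker.stella-ops.local
    labels: *release-labels

  # --- Slot 24: Timeline ----------------------------------------------------
  timeline-web:
    image: stellaops/timeline-web:dev
    container_name: stellaops-timeline-web
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.24:80:80"
    networks:
      stellaops:
        aliases:
          - timeline.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 25: Findings Ledger ----------------------------------------------
  # NOTE(security): this definition commits secret material and relaxes
  # several protections:
  #   * Attachments__EncryptionKey is a fixed repeating-pattern value and
  #     Attachments__SignedUrlSecret is a fixed string. Anyone with read access
  #     to this file knows both, so attachments encrypted or URLs signed with
  #     them are not protected. Supply both from the environment or a secret
  #     store, and treat these values as already disclosed.
  #   * Authority__RequireHttpsMetadata is "false" and the issuer is http://,
  #     so issuer metadata is presumably fetched without TLS.
  #   * Attachments__RequireConsoleCsrf is "false".
  # Presumably dev-only settings — confirm that a production overlay overrides
  # every one of them.
  findings-ledger-web:
    image: stellaops/findings-ledger-web:dev
    container_name: stellaops-findings-ledger-web
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__FindingsLedger: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
      findings__ledger__Database__ConnectionString: *postgres-connection
      findings__ledger__Authority__Issuer: "http://authority.stella-ops.local"
      findings__ledger__Authority__RequireHttpsMetadata: "false"
      findings__ledger__Attachments__EncryptionKey: "IiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiI="
      findings__ledger__Attachments__SignedUrlBase: "http://findings.stella-ops.local/attachments"
      findings__ledger__Attachments__SignedUrlSecret: "dev-signed-url-secret"
      findings__ledger__Attachments__SignedUrlLifetime: "00:15:00"
      findings__ledger__Attachments__RequireConsoleCsrf: "false"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.25:80:80"
    networks:
      stellaops:
        aliases:
          - findings.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  # --- Slot 26: Doctor -------------------------------------------------------
  doctor-web:
    image: stellaops/doctor-web:dev
    container_name: stellaops-doctor-web
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      ASPNETCORE_URLS: "http://+:8080"
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    ports:
      - "127.1.0.26:80:80"
    networks:
      stellaops:
        aliases:
          - doctor.stella-ops.local
      frontdoor: {}
    healthcheck:
      test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
      <<: *healthcheck-tcp
    labels: *release-labels

  doctor-scheduler:
    image: stellaops/doctor-scheduler:dev
    container_name: stellaops-doctor-scheduler
    restart: unless-stopped
    depends_on: *depends-infra
    environment:
      <<: *kestrel-cert
      ConnectionStrings__Default: *postgres-connection
      ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    volumes:
      - *cert-volume
    healthcheck:
      <<: *healthcheck-worker
    networks:
      stellaops:
        aliases:
          - doctor-scheduler.stella-ops.local
    labels: *release-labels

  # --- Slot 27: OpsMemory ---------------------------------------------------
  opsmemory-web:
    image: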
stellaops/opsmemory-web:dev container_name: stellaops-opsmemory-web restart: unless-stopped depends_on: *depends-infra environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__Redis: "cache.stella-ops.local:6379" volumes: - *cert-volume ports: - "127.1.0.27:80:80" networks: stellaops: aliases: - opsmemory.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels # --- Slot 28: Notifier ---------------------------------------------------- notifier-web: image: stellaops/notifier-web:dev container_name: stellaops-notifier-web restart: unless-stopped depends_on: *depends-infra environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__Redis: "cache.stella-ops.local:6379" volumes: - *cert-volume ports: - "127.1.0.28:80:80" networks: stellaops: aliases: - notifier.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels notifier-worker: image: stellaops/notifier-worker:dev container_name: stellaops-notifier-worker restart: unless-stopped depends_on: *depends-infra environment: <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__Redis: "cache.stella-ops.local:6379" notifier__queue__Transport: "redis" notifier__queue__Redis__ConnectionString: "cache.stella-ops.local:6379" notifier__storage__postgres__ConnectionString: *postgres-connection volumes: - *cert-volume healthcheck: <<: *healthcheck-worker networks: stellaops: aliases: - notifier-worker.stella-ops.local labels: *release-labels # --- Slot 29: Notify ------------------------------------------------------ notify-web: image: stellaops/notify-web:dev container_name: stellaops-notify-web restart: unless-stopped depends_on: *depends-infra environment: 
ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert DOTNET_ENVIRONMENT: Production NOTIFY_NOTIFY__STORAGE__DRIVER: "postgres" NOTIFY_NOTIFY__STORAGE__CONNECTIONSTRING: *postgres-connection NOTIFY_NOTIFY__STORAGE__DATABASE: "notify" NOTIFY_NOTIFY__PLUGINS__BASEDIRECTORY: "/app" Postgres__Notify__ConnectionString: *postgres-connection volumes: - ../../etc/notify:/app/etc/notify:ro - *cert-volume tmpfs: - /app/plugins:mode=1777 ports: - "127.1.0.29:80:80" networks: stellaops: aliases: - notify.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels # --- Slot 30: Signer ------------------------------------------------------ signer: image: stellaops/signer:dev container_name: stellaops-signer restart: unless-stopped depends_on: - authority - valkey environment: ASPNETCORE_URLS: "http://+:8441" <<: *kestrel-cert ConnectionStrings__KeyManagement: *postgres-connection ConnectionStrings__Default: *postgres-connection volumes: - *cert-volume ports: - "127.1.0.30:80:80" networks: stellaops: aliases: - signer.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels # --- Slot 31: SmRemote ---------------------------------------------------- smremote: image: stellaops/smremote:dev container_name: stellaops-smremote restart: unless-stopped depends_on: *depends-infra environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__Redis: "cache.stella-ops.local:6379" volumes: - *cert-volume ports: - "127.1.0.31:80:80" networks: stellaops: aliases: - smremote.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels # --- Slot 32: AirGap Controller -------------------------------------------- airgap-controller: image: 
stellaops/airgap-controller:dev container_name: stellaops-airgap-controller restart: unless-stopped depends_on: *depends-infra environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__Redis: "cache.stella-ops.local:6379" volumes: - *cert-volume ports: - "127.1.0.32:80:80" networks: stellaops: aliases: - airgap-controller.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels # --- Slot 33: AirGap Time ------------------------------------------------- airgap-time: image: stellaops/airgap-time:dev container_name: stellaops-airgap-time restart: unless-stopped profiles: ["airgap"] # Requires time anchor file - air-gap specific depends_on: *depends-infra environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection volumes: - *cert-volume ports: - "127.1.0.33:80:80" networks: stellaops: aliases: - airgap-time.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels # --- Slot 34: PacksRegistry ----------------------------------------------- packsregistry-web: image: stellaops/packsregistry-web:dev container_name: stellaops-packsregistry-web restart: unless-stopped depends_on: *depends-infra environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__Redis: "cache.stella-ops.local:6379" volumes: - *cert-volume ports: - "127.1.0.34:80:80" networks: stellaops: aliases: - packsregistry.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels packsregistry-worker: image: stellaops/packsregistry-worker:dev container_name: stellaops-packsregistry-worker restart: unless-stopped depends_on: 
*depends-infra environment: <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__Redis: "cache.stella-ops.local:6379" volumes: - *cert-volume healthcheck: <<: *healthcheck-worker networks: stellaops: aliases: - packsregistry-worker.stella-ops.local labels: *release-labels # --- Slot 35: Registry Token ----------------------------------------------- registry-token: image: stellaops/registry-token:dev container_name: stellaops-registry-token restart: unless-stopped depends_on: *depends-infra environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection RegistryTokenService__Signing__Issuer: "http://registry-token.stella-ops.local" RegistryTokenService__Signing__KeyPath: "/app/etc/certs/kestrel-dev.pfx" RegistryTokenService__Signing__Lifetime: "00:05:00" RegistryTokenService__Registry__Realm: "http://registry.stella-ops.local" RegistryTokenService__Authority__Issuer: "http://authority.stella-ops.local" RegistryTokenService__Authority__Audience: "api://registry" RegistryTokenService__Authority__RequireHttpsMetadata: "false" RegistryTokenService__Plans__0__Name: "default" RegistryTokenService__Plans__0__Repositories__0__Pattern: "*" RegistryTokenService__Plans__0__Repositories__0__Actions__0: "pull" RegistryTokenService__Plans__0__Repositories__0__Actions__1: "push" volumes: - *cert-volume ports: - "127.1.0.35:80:80" networks: stellaops: aliases: - registry-token.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels # --- Slot 36: BinaryIndex -------------------------------------------------- binaryindex-web: image: stellaops/binaryindex-web:dev container_name: stellaops-binaryindex-web restart: unless-stopped depends_on: *depends-infra environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__Redis: 
"cache.stella-ops.local:6379" volumes: - *cert-volume ports: - "127.1.0.36:80:80" networks: stellaops: aliases: - binaryindex.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels # --- Slot 37: Issuer Directory --------------------------------------------- issuer-directory: image: stellaops/issuer-directory-web:dev container_name: stellaops-issuer-directory restart: unless-stopped depends_on: - postgres - authority environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ISSUERDIRECTORY__AUTHORITY__ENABLED: "true" ISSUERDIRECTORY__AUTHORITY__ISSUER: "${AUTHORITY_ISSUER:-http://authority.stella-ops.local}" ISSUERDIRECTORY__AUTHORITY__AUDIENCES__0: "api://issuer-directory" ISSUERDIRECTORY__AUTHORITY__REQUIREHTTPSMETADATA: "false" ISSUERDIRECTORY__PERSISTENCE__PROVIDER: "Postgres" ISSUERDIRECTORY__PERSISTENCE__POSTGRESCONNECTIONSTRING: *postgres-connection ISSUERDIRECTORY__SEEDCSAFPUBLISHERS: "false" volumes: - ../../etc/issuer-directory:/app/etc/issuer-directory:ro - *cert-volume ports: - "127.1.0.37:80:80" networks: stellaops: aliases: - issuerdirectory.stella-ops.local healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels # --- Slot 38: Symbols ------------------------------------------------------ symbols: image: stellaops/symbols:dev container_name: stellaops-symbols restart: unless-stopped depends_on: *depends-infra environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__Redis: "cache.stella-ops.local:6379" volumes: - *cert-volume ports: - "127.1.0.38:80:80" networks: stellaops: aliases: - symbols.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels # --- Slot 39: SbomService 
-------------------------------------------------- sbomservice: image: stellaops/sbomservice:dev container_name: stellaops-sbomservice restart: unless-stopped depends_on: *depends-infra environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__Redis: "cache.stella-ops.local:6379" volumes: - *cert-volume ports: - "127.1.0.39:80:80" networks: stellaops: aliases: - sbomservice.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels # --- Slot 40: ExportCenter ------------------------------------------------- export: image: stellaops/export:dev container_name: stellaops-export restart: unless-stopped depends_on: *depends-infra environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__Redis: "cache.stella-ops.local:6379" Export__AllowInMemoryRepositories: "true" volumes: - *cert-volume ports: - "127.1.0.40:80:80" networks: stellaops: aliases: - exportcenter.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels export-worker: image: stellaops/export-worker:dev container_name: stellaops-export-worker restart: unless-stopped depends_on: *depends-infra environment: <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__Redis: "cache.stella-ops.local:6379" Export__AllowInMemoryRepositories: "true" volumes: - *cert-volume networks: stellaops: aliases: - export-worker.stella-ops.local healthcheck: <<: *healthcheck-worker labels: *release-labels # --- Slot 41: Replay ------------------------------------------------------- replay-web: image: stellaops/replay-web:dev container_name: stellaops-replay-web restart: unless-stopped depends_on: *depends-infra environment: ASPNETCORE_URLS: "http://+:8080" <<: 
*kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__Redis: "cache.stella-ops.local:6379" volumes: - *cert-volume ports: - "127.1.0.41:80:80" networks: stellaops: aliases: - replay.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels # --- Slot 42: Integrations ------------------------------------------------ integrations-web: image: stellaops/integrations-web:dev container_name: stellaops-integrations-web restart: unless-stopped depends_on: *depends-infra environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__Redis: "cache.stella-ops.local:6379" volumes: - *cert-volume tmpfs: - /app/plugins:mode=1777 ports: - "127.1.0.42:80:80" networks: stellaops: aliases: - integrations.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels # --- Slot 43: Zastava Webhook ---------------------------------------------- zastava-webhook: image: stellaops/zastava-webhook:dev container_name: stellaops-zastava-webhook restart: unless-stopped depends_on: authority: condition: service_healthy environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert # Runtime authority (used by token provider for OIDC discovery) zastava__runtime__authority__Issuer: "http://authority.stella-ops.local" zastava__runtime__authority__allowStaticTokenFallback: "true" zastava__runtime__authority__staticTokenValue: "dev-bypass-token" zastava__runtime__tenant: "default" zastava__runtime__environment: "local" # Webhook authority zastava__webhook__authority__Issuer: "http://authority.stella-ops.local" zastava__webhook__authority__staticTokenValue: "dev-bypass-token" # TLS (PFX from cert volume) zastava__webhook__tls__mode: "Secret" zastava__webhook__tls__pfxPath: "/app/etc/certs/kestrel-dev.pfx" 
zastava__webhook__tls__pfxPassword: "devpass" # Backend (scanner service) zastava__webhook__backend__baseAddress: "http://scanner.stella-ops.local" zastava__webhook__backend__allowInsecureHttp: "true" volumes: - *cert-volume networks: stellaops: aliases: - zastava-webhook.stella-ops.local labels: *release-labels # --- Slot 44: Signals ------------------------------------------------------ signals: image: stellaops/signals:dev container_name: stellaops-signals restart: unless-stopped depends_on: *depends-infra environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__Redis: "cache.stella-ops.local:6379" volumes: - *cert-volume ports: - "127.1.0.43:80:80" networks: stellaops: aliases: - signals.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels # --- Slot 45: Advisory AI -------------------------------------------------- advisory-ai-web: image: stellaops/advisory-ai-web:dev container_name: stellaops-advisory-ai-web restart: unless-stopped depends_on: - scanner-web environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ADVISORYAI__AdvisoryAI__SbomBaseAddress: "${ADVISORY_AI_SBOM_BASEADDRESS:-http://scanner.stella-ops.local}" ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: "/var/lib/advisory-ai/queue" ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: "/var/lib/advisory-ai/plans" ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: "/var/lib/advisory-ai/outputs" ADVISORYAI__AdvisoryAI__Inference__Mode: "${ADVISORY_AI_INFERENCE_MODE:-Local}" ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: "${ADVISORY_AI_REMOTE_BASEADDRESS:-}" ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: "${ADVISORY_AI_REMOTE_APIKEY:-}" ports: - "127.1.0.44:80:80" volumes: - *cert-volume - ../../etc/llm-providers:/app/etc/llm-providers:ro - advisory-ai-queue:/var/lib/advisory-ai/queue - 
advisory-ai-plans:/var/lib/advisory-ai/plans - advisory-ai-outputs:/var/lib/advisory-ai/outputs tmpfs: - /app/plugins:mode=1777 networks: stellaops: aliases: - advisoryai.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels advisory-ai-worker: image: stellaops/advisory-ai-worker:dev container_name: stellaops-advisory-ai-worker restart: unless-stopped depends_on: - scanner-web environment: <<: *kestrel-cert ADVISORYAI__AdvisoryAI__SbomBaseAddress: "${ADVISORY_AI_SBOM_BASEADDRESS:-http://scanner.stella-ops.local}" ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: "/tmp/advisory-ai/queue" ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: "/tmp/advisory-ai/plans" ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: "/tmp/advisory-ai/outputs" ADVISORYAI__AdvisoryAI__Inference__Mode: "${ADVISORY_AI_INFERENCE_MODE:-Local}" ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: "${ADVISORY_AI_REMOTE_BASEADDRESS:-}" ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: "${ADVISORY_AI_REMOTE_APIKEY:-}" volumes: - *cert-volume networks: stellaops: aliases: - advisory-ai-worker.stella-ops.local healthcheck: <<: *healthcheck-worker labels: *release-labels # --- Slot 46: Unknowns ---------------------------------------------------- unknowns-web: image: stellaops/unknowns-web:dev container_name: stellaops-unknowns-web restart: unless-stopped depends_on: *depends-infra environment: ASPNETCORE_URLS: "http://+:8080" <<: *kestrel-cert ConnectionStrings__Default: *postgres-connection ConnectionStrings__UnknownsDb: *postgres-connection ConnectionStrings__Redis: "cache.stella-ops.local:6379" volumes: - *cert-volume ports: - "127.1.0.45:80:80" networks: stellaops: aliases: - unknowns.stella-ops.local frontdoor: {} healthcheck: test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"] <<: *healthcheck-tcp labels: *release-labels # --- Console (Angular frontend) 
------------------------------------------- web-ui: image: stellaops/console:dev container_name: stellaops-web-ui restart: unless-stopped depends_on: - platform environment: STELLAOPS_UI__BACKEND__BASEURL: "http://platform.stella-ops.local" ports: - "127.1.0.1:80:8080" networks: stellaops: aliases: - stella-ops.local frontdoor: {} healthcheck: test: ["CMD", "wget", "-qO-", "http://localhost:8080/"] <<: *healthcheck-tcp labels: *release-labels