# =============================================================================
# STELLA OPS - MAIN STACK
# =============================================================================
# Single Docker Compose file for the whole StellaOps platform.
# Infrastructure: PostgreSQL 18.1, Valkey 9.0.1, RustFS, Rekor v2
#
# Usage:
#   docker compose -f devops/compose/docker-compose.stella-ops.yml up -d
#
# With Sigstore tools:
#   docker compose -f devops/compose/docker-compose.stella-ops.yml --profile sigstore up -d
#
# With Telemetry:
#   docker compose -f devops/compose/docker-compose.stella-ops.yml \
#     -f devops/compose/docker-compose.telemetry.yml up -d
#
# With Compliance overlay (e.g., China):
#   docker compose -f devops/compose/docker-compose.stella-ops.yml \
#     -f devops/compose/docker-compose.compliance-china.yml up -d
#
# Review notes (apply to the whole file):
#   * POSTGRES_PASSWORD falls back to the literal "stellaops" both in the
#     postgres service and in the shared connection string below. Set it
#     explicitly before the stack is reachable from anything but localhost.
#   * Port mappings of the form "HOST:CONTAINER" carry no host IP, so Docker
#     publishes them on all host interfaces by default. That includes the
#     database, the cache and the object store.
#   * Images are pinned three different ways in this file: by digest, by
#     version tag, and (rekor-v2 default) by the mutable "latest" tag.
#   * Variables without a ":-default" (AUTHORITY_ISSUER,
#     SIGNER_POE_INTROSPECT_URL) are substituted as empty strings when unset.
# =============================================================================

# Labels attached to every service via the *release-labels alias.
x-release-labels: &release-labels
  com.stellaops.release.version: "2025.10.0"
  com.stellaops.release.channel: "stable"
  com.stellaops.profile: "default"

# Connection string reused by every service that stores data in PostgreSQL.
# NOTE(review): the password is interpolated into an environment value, so it
# is visible in `docker inspect` output for each container that uses the alias.
x-postgres-connection: &postgres-connection "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"

networks:
  # Internal bridge shared by all services.
  stellaops:
    driver: bridge
    name: stellaops
  # Pre-existing network (external: true); it must be created before `up`.
  frontdoor:
    external: true
    name: ${FRONTDOOR_NETWORK:-stellaops_frontdoor}

# Named volumes; all use the default driver.
volumes:
  postgres-data:
  valkey-data:
  rustfs-data:
  rekor-tiles-data:
  concelier-jobs:
  scanner-surface-cache:
  advisory-ai-queue:
  advisory-ai-plans:
  advisory-ai-outputs:

services:
  # ===========================================================================
  # INFRASTRUCTURE SERVICES
  # ===========================================================================

  # ---------------------------------------------------------------------------
  # PostgreSQL 18.1 - Primary database
  # ---------------------------------------------------------------------------
  postgres:
    image: docker.io/library/postgres:18.1
    container_name: stellaops-postgres
    restart: unless-stopped
    environment:
      POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
      # NOTE(review): well-known default credential; override in deployment.
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-stellaops}"
      POSTGRES_DB: "${POSTGRES_DB:-stellaops_platform}"
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - postgres-data:/var/lib/postgresql/data
      # Init scripts are mounted read-only.
      - ./postgres-init:/docker-entrypoint-initdb.d:ro
    ports:
      # NOTE(review): published on the host; the application services reach
      # the database over the stellaops network as "postgres:5432".
      - "${POSTGRES_PORT:-5432}:5432"
    networks:
      - stellaops
    healthcheck:
      test:
        - "CMD-SHELL"
        - "pg_isready -U ${POSTGRES_USER:-stellaops} -d ${POSTGRES_DB:-stellaops_platform}"
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Valkey 9.0.1 - Cache and message queue (Redis-compatible)
  # ---------------------------------------------------------------------------
  valkey:
    image: docker.io/valkey/valkey:9.0.1
    container_name: stellaops-valkey
    restart: unless-stopped
    # NOTE(review): the command line sets only append-only persistence; no
    # password or ACL option is passed here, and clients below connect with a
    # bare "valkey:6379". Combined with the published port, confirm that the
    # host port is firewalled or that authentication is configured elsewhere.
    command:
      - "valkey-server"
      - "--appendonly"
      - "yes"
    volumes:
      - valkey-data:/data
    ports:
      - "${VALKEY_PORT:-6379}:6379"
    networks:
      - stellaops
    healthcheck:
      test:
        - "CMD"
        - "valkey-cli"
        - "ping"
      interval: 10s
      timeout: 5s
      retries: 5
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # RustFS - S3-compatible object storage
  # ---------------------------------------------------------------------------
  rustfs:
    image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
    container_name: stellaops-rustfs
    command:
      - "serve"
      - "--listen"
      - "0.0.0.0:8080"
      - "--root"
      - "/data"
    restart: unless-stopped
    environment:
      RUSTFS__LOG__LEVEL: info
      RUSTFS__STORAGE__PATH: /data
    volumes:
      - rustfs-data:/data
    ports:
      # NOTE(review): plain HTTP listener, published on the host. No access
      # credentials for the store are configured in this file.
      - "${RUSTFS_HTTP_PORT:-8080}:8080"
    networks:
      - stellaops
    healthcheck:
      test:
        - "CMD"
        - "curl"
        - "-f"
        - "http://localhost:8080/health"
      interval: 30s
      timeout: 10s
      retries: 3
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Rekor v2 (tiles) - Sigstore transparency log
  # ---------------------------------------------------------------------------
  rekor-v2:
    # NOTE(review): the fallback image uses the mutable "latest" tag, so the
    # transparency-log binary can change between pulls. Set REKOR_TILES_IMAGE
    # to a tag or digest you have verified.
    image: ${REKOR_TILES_IMAGE:-ghcr.io/sigstore/rekor-tiles:latest}
    container_name: stellaops-rekor
    restart: unless-stopped
    volumes:
      - rekor-tiles-data:/var/lib/rekor-tiles
    networks:
      - stellaops
    # Started only with `--profile sigstore`.
    profiles:
      - "sigstore"
    labels:
      <<: *release-labels
      com.stellaops.component: "rekor-v2"

  # ---------------------------------------------------------------------------
  # Sigstore CLI tools (on-demand)
  # ---------------------------------------------------------------------------
  rekor-cli:
    image: ghcr.io/sigstore/rekor-cli:v1.4.3
    entrypoint:
      - "rekor-cli"
    command:
      - "version"
    profiles:
      - "sigstore"
    networks:
      - stellaops
    labels: *release-labels

  cosign:
    image: ghcr.io/sigstore/cosign:v3.0.4
    entrypoint:
      - "cosign"
    command:
      - "version"
    profiles:
      - "sigstore"
    networks:
      - stellaops
    labels: *release-labels

  # ===========================================================================
  # APPLICATION SERVICES
  # ===========================================================================

  # ---------------------------------------------------------------------------
  # Authority - OAuth2/OIDC identity provider
  # ---------------------------------------------------------------------------
  authority:
    image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
    container_name: stellaops-authority
    restart: unless-stopped
    # Long form: waits for both dependencies to report healthy.
    depends_on:
      postgres:
        condition: service_healthy
      valkey:
        condition: service_healthy
    environment:
      # No default: an unset AUTHORITY_ISSUER becomes an empty issuer string.
      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
      STELLAOPS_AUTHORITY__STORAGE__DRIVER: "postgres"
      STELLAOPS_AUTHORITY__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      STELLAOPS_AUTHORITY__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority/plugins"
    volumes:
      # Configuration and trust roots are mounted read-only.
      - ../../etc/authority:/app/etc/authority:ro
      - ../../etc/certificates/trust-roots:/etc/ssl/certs/stellaops:ro
    ports:
      - "${AUTHORITY_PORT:-8440}:8440"
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Signer - Cryptographic signing service
  # ---------------------------------------------------------------------------
  signer:
    image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
    container_name: stellaops-signer
    restart: unless-stopped
    # Short form: orders container start only; it does not wait for health.
    depends_on:
      - authority
      - valkey
    environment:
      SIGNER__AUTHORITY__BASEURL: "https://authority:8440"
      # No default: an unset SIGNER_POE_INTROSPECT_URL becomes an empty string.
      SIGNER__POE__INTROSPECTURL: "${SIGNER_POE_INTROSPECT_URL}"
      SIGNER__STORAGE__DRIVER: "postgres"
      SIGNER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      SIGNER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
    ports:
      - "${SIGNER_PORT:-8441}:8441"
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Attestor - SLSA attestation service
  # ---------------------------------------------------------------------------
  attestor:
    image: registry.stella-ops.org/stellaops/attestor@sha256:0534985f978b0b5d220d73c96fddd962cd9135f616811cbe3bff4666c5af568f
    container_name: stellaops-attestor
    restart: unless-stopped
    depends_on:
      - signer
    environment:
      ATTESTOR__SIGNER__BASEURL: "https://signer:8441"
      ATTESTOR__STORAGE__DRIVER: "postgres"
      ATTESTOR__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      ATTESTOR__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
    ports:
      - "${ATTESTOR_PORT:-8442}:8442"
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Issuer Directory - CSAF publisher registry
  # ---------------------------------------------------------------------------
  issuer-directory:
    # Pinned by version tag, not by digest.
    image: registry.stella-ops.org/stellaops/issuer-directory-web:2025.10.0
    container_name: stellaops-issuer-directory
    restart: unless-stopped
    depends_on:
      - postgres
      - authority
    environment:
      ISSUERDIRECTORY__CONFIG: "/app/etc/issuer-directory/issuer-directory.yaml"
      ISSUERDIRECTORY__AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
      ISSUERDIRECTORY__AUTHORITY__BASEURL: "https://authority:8440"
      ISSUERDIRECTORY__STORAGE__DRIVER: "postgres"
      ISSUERDIRECTORY__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      ISSUERDIRECTORY__SEEDCSAFPUBLISHERS: "${ISSUER_DIRECTORY_SEED_CSAF:-true}"
    volumes:
      - ../../etc/issuer-directory:/app/etc/issuer-directory:ro
    ports:
      # Host port 8447 maps to container port 8080.
      - "${ISSUER_DIRECTORY_PORT:-8447}:8080"
    networks:
      - stellaops
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Concelier - Advisory aggregation service
  # ---------------------------------------------------------------------------
  concelier:
    image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
    container_name: stellaops-concelier
    restart: unless-stopped
    depends_on:
      - postgres
      - valkey
      - rustfs
    environment:
      CONCELIER__STORAGE__DRIVER: "postgres"
      CONCELIER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      CONCELIER__STORAGE__S3__ENDPOINT: "http://rustfs:8080"
      CONCELIER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      CONCELIER__AUTHORITY__BASEURL: "https://authority:8440"
      # NOTE(review): presumably allows cached Authority data to be used while
      # Authority is unreachable, for up to the tolerance below - confirm the
      # 30-minute default is acceptable for token revocation latency.
      CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
      CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
    volumes:
      - concelier-jobs:/var/lib/concelier/jobs
    ports:
      - "${CONCELIER_PORT:-8445}:8445"
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Scanner Web - SBOM/vulnerability scanning API
  # ---------------------------------------------------------------------------
  scanner-web:
    image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
    container_name: stellaops-scanner-web
    restart: unless-stopped
    depends_on:
      - postgres
      - valkey
      - concelier
      - rustfs
    environment:
      SCANNER__STORAGE__DRIVER: "postgres"
      SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      SCANNER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
      # Job queue (Valkey is the only broker configured)
      SCANNER__QUEUE__BROKER: "valkey://valkey:6379"
      # Event streaming (disabled unless SCANNER_EVENTS_ENABLED is set)
      SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-false}"
      SCANNER__EVENTS__DRIVER: "valkey"
      SCANNER__EVENTS__DSN: "valkey:6379"
      SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
      SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
      # Offline kit (disabled by default; the two verification-related
      # settings below default to "true")
      SCANNER__OFFLINEKIT__ENABLED: "${SCANNER_OFFLINEKIT_ENABLED:-false}"
      SCANNER__OFFLINEKIT__REQUIREDSSE: "${SCANNER_OFFLINEKIT_REQUIREDSSE:-true}"
      SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "${SCANNER_OFFLINEKIT_REKOROFFLINEMODE:-true}"
      SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}"
      SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}"
      # Surface cache and surface secrets
      SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://rustfs:8080}"
      SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}"
      SCANNER_SURFACE_CACHE_ROOT: "${SCANNER_SURFACE_CACHE_ROOT:-/var/lib/stellaops/surface}"
      SCANNER_SURFACE_CACHE_QUOTA_MB: "${SCANNER_SURFACE_CACHE_QUOTA_MB:-4096}"
      SCANNER_SURFACE_PREFETCH_ENABLED: "${SCANNER_SURFACE_PREFETCH_ENABLED:-false}"
      SCANNER_SURFACE_TENANT: "${SCANNER_SURFACE_TENANT:-default}"
      SCANNER_SURFACE_FEATURES: "${SCANNER_SURFACE_FEATURES:-}"
      SCANNER_SURFACE_SECRETS_PROVIDER: "${SCANNER_SURFACE_SECRETS_PROVIDER:-file}"
      SCANNER_SURFACE_SECRETS_NAMESPACE: "${SCANNER_SURFACE_SECRETS_NAMESPACE:-}"
      SCANNER_SURFACE_SECRETS_ROOT: "${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}"
      SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER: "${SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER:-}"
      SCANNER_SURFACE_SECRETS_ALLOW_INLINE: "${SCANNER_SURFACE_SECRETS_ALLOW_INLINE:-false}"
    volumes:
      # Everything except the surface cache is mounted read-only.
      - ../../etc/scanner:/app/etc/scanner:ro
      - ../../etc/certificates/trust-roots:/etc/ssl/certs/stellaops:ro
      - scanner-surface-cache:/var/lib/stellaops/surface
      - ${SURFACE_SECRETS_HOST_PATH:-./offline/surface-secrets}:${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}:ro
      - ${SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH:-./offline/trust-roots}:${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}:ro
      - ${SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH:-./offline/rekor-snapshot}:${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}:ro
    ports:
      - "${SCANNER_WEB_PORT:-8444}:8444"
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Scanner Worker - Background scanning jobs
  # ---------------------------------------------------------------------------
  scanner-worker:
    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
    container_name: stellaops-scanner-worker
    restart: unless-stopped
    depends_on:
      - scanner-web
      - valkey
      - rustfs
    environment:
      SCANNER__STORAGE__DRIVER: "postgres"
      SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      SCANNER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
      # Job queue (Valkey is the only broker configured)
      SCANNER__QUEUE__BROKER: "valkey://valkey:6379"
      # Surface cache and surface secrets (same variables as scanner-web)
      SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://rustfs:8080}"
      SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}"
      SCANNER_SURFACE_CACHE_ROOT: "${SCANNER_SURFACE_CACHE_ROOT:-/var/lib/stellaops/surface}"
      SCANNER_SURFACE_CACHE_QUOTA_MB: "${SCANNER_SURFACE_CACHE_QUOTA_MB:-4096}"
      SCANNER_SURFACE_PREFETCH_ENABLED: "${SCANNER_SURFACE_PREFETCH_ENABLED:-false}"
      SCANNER_SURFACE_TENANT: "${SCANNER_SURFACE_TENANT:-default}"
      SCANNER_SURFACE_FEATURES: "${SCANNER_SURFACE_FEATURES:-}"
      SCANNER_SURFACE_SECRETS_PROVIDER: "${SCANNER_SURFACE_SECRETS_PROVIDER:-file}"
      SCANNER_SURFACE_SECRETS_NAMESPACE: "${SCANNER_SURFACE_SECRETS_NAMESPACE:-}"
      SCANNER_SURFACE_SECRETS_ROOT: "${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}"
      SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER: "${SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER:-}"
      SCANNER_SURFACE_SECRETS_ALLOW_INLINE: "${SCANNER_SURFACE_SECRETS_ALLOW_INLINE:-false}"
    volumes:
      - scanner-surface-cache:/var/lib/stellaops/surface
      - ${SURFACE_SECRETS_HOST_PATH:-./offline/surface-secrets}:${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}:ro
    # No published ports; internal network only.
    networks:
      - stellaops
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Scheduler Worker - Background job scheduling
  # ---------------------------------------------------------------------------
  scheduler-worker:
    # Pinned by version tag, not by digest.
    image: registry.stella-ops.org/stellaops/scheduler-worker:2025.10.0
    container_name: stellaops-scheduler-worker
    restart: unless-stopped
    depends_on:
      - postgres
      - valkey
      - scanner-web
    command:
      - "dotnet"
      - "StellaOps.Scheduler.Worker.Host.dll"
    environment:
      SCHEDULER__STORAGE__DRIVER: "postgres"
      SCHEDULER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      # Job queue (Valkey is the only backend configured)
      SCHEDULER__QUEUE__KIND: "Valkey"
      SCHEDULER__QUEUE__VALKEY__URL: "valkey:6379"
      SCHEDULER__WORKER__RUNNER__SCANNER__BASEADDRESS: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner-web:8444}"
    networks:
      - stellaops
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Notify Web - Notification service
  # ---------------------------------------------------------------------------
  notify-web:
    # Image is overridable; the default is pinned by version tag, not digest.
    image: ${NOTIFY_WEB_IMAGE:-registry.stella-ops.org/stellaops/notify-web:2025.10.0}
    container_name: stellaops-notify-web
    restart: unless-stopped
    depends_on:
      - postgres
      - authority
      - valkey
    environment:
      DOTNET_ENVIRONMENT: Production
      NOTIFY__STORAGE__DRIVER: "postgres"
      NOTIFY__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      # Job queue (Valkey is the only backend configured)
      NOTIFY__QUEUE__DRIVER: "valkey"
      NOTIFY__QUEUE__VALKEY__URL: "valkey:6379"
    volumes:
      - ../../etc/notify:/app/etc/notify:ro
    ports:
      - "${NOTIFY_WEB_PORT:-8446}:8446"
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Excititor - VEX generation service
  # ---------------------------------------------------------------------------
  excititor:
    image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
    container_name: stellaops-excititor
    restart: unless-stopped
    depends_on:
      - postgres
      - concelier
    environment:
      EXCITITOR__CONCELIER__BASEURL: "https://concelier:8445"
      EXCITITOR__STORAGE__DRIVER: "postgres"
      EXCITITOR__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
    networks:
      - stellaops
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Advisory AI Web - AI-powered advisory analysis API
  # ---------------------------------------------------------------------------
  advisory-ai-web:
    # Pinned by version tag, not by digest.
    image: registry.stella-ops.org/stellaops/advisory-ai-web:2025.10.0
    container_name: stellaops-advisory-ai-web
    restart: unless-stopped
    depends_on:
      - scanner-web
    environment:
      ADVISORYAI__AdvisoryAI__SbomBaseAddress: "${ADVISORY_AI_SBOM_BASEADDRESS:-http://scanner-web:8444}"
      ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: "/var/lib/advisory-ai/queue"
      ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: "/var/lib/advisory-ai/plans"
      ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: "/var/lib/advisory-ai/outputs"
      # Inference defaults to "Local"; the remote address and key are empty
      # unless supplied.
      ADVISORYAI__AdvisoryAI__Inference__Mode: "${ADVISORY_AI_INFERENCE_MODE:-Local}"
      ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: "${ADVISORY_AI_REMOTE_BASEADDRESS:-}"
      # NOTE(review): an API key passed as an environment value is readable
      # through `docker inspect`; a mounted secret file avoids that if the
      # service supports one.
      ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: "${ADVISORY_AI_REMOTE_APIKEY:-}"
    ports:
      - "${ADVISORY_AI_WEB_PORT:-8448}:8448"
    volumes:
      - ../../etc/llm-providers:/app/etc/llm-providers:ro
      - advisory-ai-queue:/var/lib/advisory-ai/queue
      - advisory-ai-plans:/var/lib/advisory-ai/plans
      - advisory-ai-outputs:/var/lib/advisory-ai/outputs
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Advisory AI Worker - Background AI processing
  # ---------------------------------------------------------------------------
  advisory-ai-worker:
    # Pinned by version tag, not by digest.
    image: registry.stella-ops.org/stellaops/advisory-ai-worker:2025.10.0
    container_name: stellaops-advisory-ai-worker
    restart: unless-stopped
    depends_on:
      - advisory-ai-web
    environment:
      ADVISORYAI__AdvisoryAI__SbomBaseAddress: "${ADVISORY_AI_SBOM_BASEADDRESS:-http://scanner-web:8444}"
      ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: "/var/lib/advisory-ai/queue"
      ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: "/var/lib/advisory-ai/plans"
      ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: "/var/lib/advisory-ai/outputs"
      ADVISORYAI__AdvisoryAI__Inference__Mode: "${ADVISORY_AI_INFERENCE_MODE:-Local}"
      ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: "${ADVISORY_AI_REMOTE_BASEADDRESS:-}"
      # Same environment-borne API key as advisory-ai-web.
      ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: "${ADVISORY_AI_REMOTE_APIKEY:-}"
    volumes:
      # Shares the queue, plan and output volumes with advisory-ai-web.
      - ../../etc/llm-providers:/app/etc/llm-providers:ro
      - advisory-ai-queue:/var/lib/advisory-ai/queue
      - advisory-ai-plans:/var/lib/advisory-ai/plans
      - advisory-ai-outputs:/var/lib/advisory-ai/outputs
    networks:
      - stellaops
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Web UI - Angular frontend
  # ---------------------------------------------------------------------------
  web-ui:
    image: registry.stella-ops.org/stellaops/web-ui@sha256:10d924808c48e4353e3a241da62eb7aefe727a1d6dc830eb23a8e181013b3a23
    container_name: stellaops-web-ui
    restart: unless-stopped
    depends_on:
      - scanner-web
    environment:
      # NOTE(review): this uses https:// for scanner-web:8444, while the
      # scheduler and advisory-ai defaults in this file use http:// for the
      # same host and port - confirm which scheme scanner-web actually serves.
      STELLAOPS_UI__BACKEND__BASEURL: "https://scanner-web:8444"
    ports:
      - "${UI_PORT:-8443}:8443"
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels