git.stella-ops.org/devops/compose/docker-compose.stella-ops.yml

# =============================================================================
# STELLA OPS - MAIN STACK
# =============================================================================
# Consolidated Docker Compose for the complete StellaOps platform.
# Infrastructure: PostgreSQL 18.1, Valkey 9.0.1, SeaweedFS (S3), Rekor v2, Zot (OCI)
#
# Usage:
# docker compose -f devops/compose/docker-compose.stella-ops.yml up -d
#
# With Sigstore tools:
# docker compose -f devops/compose/docker-compose.stella-ops.yml --profile sigstore up -d
#
# With Telemetry:
# docker compose -f devops/compose/docker-compose.stella-ops.yml \
# -f devops/compose/docker-compose.telemetry.yml up -d
#
# With Compliance overlay (e.g., China):
# docker compose -f devops/compose/docker-compose.stella-ops.yml \
# -f devops/compose/docker-compose.compliance-china.yml up -d
#
# =============================================================================
# Labels applied to services through `labels: *release-labels`.
x-release-labels: &release-labels
  com.stellaops.release.version: "2025.10.0"
  com.stellaops.release.channel: "stable"
  com.stellaops.profile: "default"

# Shared PostgreSQL connection string, injected into service environments.
# NOTE(review): when POSTGRES_PASSWORD is unset this resolves to the literal
# password "stellaops" (the same fallback the postgres service uses). Set the
# variable explicitly for anything other than a throwaway local stack. The
# string is passed as an environment variable, so it is visible to anyone who
# can inspect the containers.
x-postgres-connection: &postgres-connection
  "Host=db.stella-ops.local;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"

# Kestrel default-certificate settings merged into service environments.
# NOTE(review): the PFX password is the fixed string "devpass" and the file is
# named kestrel-dev.pfx; treat both as development-only material.
x-kestrel-cert: &kestrel-cert
  Kestrel__Certificates__Default__Path: "/app/etc/certs/kestrel-dev.pfx"
  Kestrel__Certificates__Default__Password: "devpass"

# Read-only bind mount exposing ../../etc/authority/keys as /app/etc/certs.
# NOTE(review): the authority service in this file points its signing and
# ack-token key paths at files under the same host directory (through its own
# ../../etc/authority mount). Every service that lists this volume can
# therefore presumably read those key files as well. Confirm, and consider a
# directory that holds only the Kestrel PFX.
x-cert-volume: &cert-volume
  "../../etc/authority/keys:/app/etc/certs:ro"

# tmpfs definition for /app/plugins with mode 1777 (world-writable, sticky bit).
x-plugin-tmpfs: &plugin-tmpfs
  /app/plugins:
    mode: "1777"
# ---------------------------------------------------------------------------
# Common anchors for the 60-service stack
# ---------------------------------------------------------------------------
# Start-order gate: wait until postgres and valkey report healthy.
x-depends-infra: &depends-infra
  postgres:
    condition: service_healthy
  valkey:
    condition: service_healthy

# Timing for the TCP-probe healthchecks; each service supplies its own `test`.
x-healthcheck-tcp: &healthcheck-tcp
  interval: 30s
  timeout: 5s
  retries: 3
  start_period: 15s

# Complete healthcheck for workers: runs /usr/local/bin/healthcheck.sh inside
# the container.
x-healthcheck-worker: &healthcheck-worker
  test:
    - "CMD"
    - "/usr/local/bin/healthcheck.sh"
  interval: 30s
  timeout: 5s
  start_period: 30s
  retries: 3
networks:
  # Internal bridge network carrying service-to-service traffic.
  stellaops:
    driver: bridge
    name: stellaops
  # Pre-existing network (external: true); Compose does not create it, so it
  # must exist before `up`. The name is overridable through FRONTDOOR_NETWORK.
  frontdoor:
    external: true
    name: "${FRONTDOOR_NETWORK:-stellaops_frontdoor}"
# Named volumes declared with no options; services reference them by name.
volumes:
  postgres-data:
  valkey-data:
  rustfs-data:
  rekor-tiles-data:
  registry-data:
  concelier-jobs:
  scanner-surface-cache:
  advisory-ai-queue:
  advisory-ai-plans:
  advisory-ai-outputs:
  evidence-data:
services:
# ===========================================================================
# INFRASTRUCTURE SERVICES
# ===========================================================================
# PostgreSQL; other services reach it on the stellaops network as
# db.stella-ops.local.
postgres:
  image: docker.io/library/postgres:18.1
  container_name: stellaops-postgres
  restart: unless-stopped
  environment:
    POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
    # NOTE(review): falls back to the password "stellaops" when the variable is
    # unset; set POSTGRES_PASSWORD explicitly outside local development.
    POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-stellaops}"
    POSTGRES_DB: "${POSTGRES_DB:-stellaops_platform}"
    PGDATA: /var/lib/postgresql/data/pgdata
  volumes:
    - postgres-data:/var/lib/postgresql/data
    # Init scripts are mounted read-only.
    - ./postgres-init:/docker-entrypoint-initdb.d:ro
  ports:
    # Published on a 127.0.0.0/8 address only, not on all host interfaces.
    - "127.1.1.1:${POSTGRES_PORT:-5432}:5432"
  networks:
    stellaops:
      aliases:
        - db.stella-ops.local
  healthcheck:
    test:
      - "CMD-SHELL"
      - "pg_isready -U ${POSTGRES_USER:-stellaops} -d ${POSTGRES_DB:-stellaops_platform}"
    interval: 10s
    timeout: 5s
    retries: 5
    start_period: 10s
  labels: *release-labels
# Valkey cache/queue; reachable on the stellaops network as
# cache.stella-ops.local.
# NOTE(review): the command line sets no --requirepass and no config file is
# mounted, and consumers in this file connect with a bare host:port string, so
# any container on the stellaops network can presumably use it without
# credentials. Confirm that this is acceptable for the deployment.
valkey:
  image: docker.io/valkey/valkey:9.0.1
  container_name: stellaops-valkey
  restart: unless-stopped
  command:
    - "valkey-server"
    - "--appendonly"
    - "yes"
  volumes:
    - valkey-data:/data
  ports:
    # Loopback-range bind only.
    - "127.1.1.2:${VALKEY_PORT:-6379}:6379"
  networks:
    stellaops:
      aliases:
        - cache.stella-ops.local
  healthcheck:
    test:
      - "CMD"
      - "valkey-cli"
      - "ping"
    interval: 10s
    timeout: 5s
    retries: 5
  labels: *release-labels
# S3-compatible object store; the service is named rustfs but runs the
# SeaweedFS image. Reachable on the stellaops network as s3.stella-ops.local.
# NOTE(review): the image uses the mutable `latest` tag, so the code that runs
# can change between pulls. Pin a release tag or digest for reproducible,
# reviewable deployments. No S3 credentials are configured in this service
# definition; confirm how access to the buckets is restricted.
rustfs:
  image: chrislusf/seaweedfs:latest
  container_name: stellaops-rustfs
  command:
    - "server"
    - "-s3"
    - "-s3.port=8333"
    - "-volume.port=8080"
    - "-dir=/data"
  restart: unless-stopped
  volumes:
    - rustfs-data:/data
  ports:
    # Loopback-range bind only.
    - "127.1.1.3:${RUSTFS_HTTP_PORT:-8333}:8333"
  networks:
    stellaops:
      aliases:
        - s3.stella-ops.local
  healthcheck:
    test:
      - "CMD"
      - "wget"
      - "-qO-"
      - "http://127.0.0.1:8333/"
    interval: 30s
    timeout: 10s
    retries: 3
  labels: *release-labels
# Zot OCI registry; reachable on the stellaops network as
# registry.stella-ops.local. Its behaviour, including any authentication, comes
# from ./zot-config.json, which is mounted read-only and not part of this file.
registry:
  image: ghcr.io/project-zot/zot-linux-amd64:v2.1.3
  container_name: stellaops-registry
  restart: unless-stopped
  volumes:
    - registry-data:/var/lib/registry
    - ./zot-config.json:/etc/zot/config.json:ro
  ports:
    # Host port 80 on a loopback-range address maps to container port 5000.
    - "127.1.1.5:80:5000"
  networks:
    stellaops:
      aliases:
        - registry.stella-ops.local
  # Healthcheck is switched off, so Compose never marks this service unhealthy.
  healthcheck:
    disable: true
  labels: *release-labels
# Rekor tile-based transparency log; started only with `--profile sigstore`.
# Reachable on the stellaops network as rekor.stella-ops.local.
# NOTE(review): the default image reference ends in the mutable `latest` tag;
# set REKOR_TILES_IMAGE to a pinned tag or digest where reproducibility matters.
rekor-v2:
  image: "${REKOR_TILES_IMAGE:-ghcr.io/sigstore/rekor-tiles:latest}"
  container_name: stellaops-rekor
  restart: unless-stopped
  volumes:
    - rekor-tiles-data:/var/lib/rekor-tiles
  ports:
    # Loopback-range bind only.
    - "127.1.1.4:${REKOR_PORT:-3322}:3322"
  networks:
    stellaops:
      aliases:
        - rekor.stella-ops.local
  profiles:
    - "sigstore"
  labels:
    <<: *release-labels
    com.stellaops.component: "rekor-v2"
# rekor-cli tool container (sigstore profile); by default it prints its version.
rekor-cli:
  image: ghcr.io/sigstore/rekor-cli:v1.4.3
  entrypoint:
    - "rekor-cli"
  command:
    - "version"
  profiles:
    - "sigstore"
  networks:
    - stellaops
  labels: *release-labels
# cosign tool container (sigstore profile); by default it prints its version.
cosign:
  image: ghcr.io/sigstore/cosign:v3.0.4
  entrypoint:
    - "cosign"
  command:
    - "version"
  profiles:
    - "sigstore"
  networks:
    - stellaops
  labels: *release-labels
# ===========================================================================
# APPLICATION SERVICES (ordered by port-registry slot)
# ===========================================================================
# --- Slot 0: Router Gateway ------------------------------------------------
# Router gateway: alias router.stella-ops.local on the stellaops network, also
# attached to the external frontdoor network.
# NOTE(review): ASPNETCORE_URLS names port 8080 while the published port and the
# healthcheck probe both use port 80. Confirm which port the process binds.
router-gateway:
  image: stellaops/router-gateway:dev
  container_name: stellaops-router-gateway
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    ConnectionStrings__Default: *postgres-connection
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
  volumes:
    - *cert-volume
  ports:
    # Loopback-range bind only.
    - "127.1.0.2:80:80"
  networks:
    stellaops:
      aliases:
        - router.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# --- Slot 1: Platform ------------------------------------------------------
# Platform service: alias platform.stella-ops.local, also on the frontdoor
# network. Its environment carries the base URL of every other service.
# NOTE(review): all STELLAOPS_*_URL values use plain http://, so traffic between
# services on the stellaops network is unencrypted unless TLS is added
# elsewhere. ASPNETCORE_URLS names 8080 while the published port and the
# healthcheck use 80; confirm the bound port.
platform:
  image: stellaops/platform:dev
  container_name: stellaops-platform
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    ConnectionStrings__Default: *postgres-connection
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    STELLAOPS_ROUTER_URL: "http://router.stella-ops.local"
    STELLAOPS_PLATFORM_URL: "http://platform.stella-ops.local"
    STELLAOPS_AUTHORITY_URL: "http://authority.stella-ops.local"
    STELLAOPS_GATEWAY_URL: "http://gateway.stella-ops.local"
    STELLAOPS_ATTESTOR_URL: "http://attestor.stella-ops.local"
    STELLAOPS_EVIDENCELOCKER_URL: "http://evidencelocker.stella-ops.local"
    STELLAOPS_SCANNER_URL: "http://scanner.stella-ops.local"
    STELLAOPS_CONCELIER_URL: "http://concelier.stella-ops.local"
    STELLAOPS_EXCITITOR_URL: "http://excititor.stella-ops.local"
    STELLAOPS_VEXHUB_URL: "http://vexhub.stella-ops.local"
    STELLAOPS_VEXLENS_URL: "http://vexlens.stella-ops.local"
    STELLAOPS_VULNEXPLORER_URL: "http://vulnexplorer.stella-ops.local"
    STELLAOPS_POLICY_ENGINE_URL: "http://policy-engine.stella-ops.local"
    STELLAOPS_POLICY_GATEWAY_URL: "http://policy-gateway.stella-ops.local"
    STELLAOPS_RISKENGINE_URL: "http://riskengine.stella-ops.local"
    STELLAOPS_ORCHESTRATOR_URL: "http://orchestrator.stella-ops.local"
    STELLAOPS_TASKRUNNER_URL: "http://taskrunner.stella-ops.local"
    STELLAOPS_SCHEDULER_URL: "http://scheduler.stella-ops.local"
    STELLAOPS_GRAPH_URL: "http://graph.stella-ops.local"
    STELLAOPS_CARTOGRAPHER_URL: "http://cartographer.stella-ops.local"
    STELLAOPS_REACHGRAPH_URL: "http://reachgraph.stella-ops.local"
    STELLAOPS_TIMELINEINDEXER_URL: "http://timelineindexer.stella-ops.local"
    STELLAOPS_TIMELINE_URL: "http://timeline.stella-ops.local"
    STELLAOPS_FINDINGS_LEDGER_URL: "http://findings.stella-ops.local"
    STELLAOPS_DOCTOR_URL: "http://doctor.stella-ops.local"
    STELLAOPS_OPSMEMORY_URL: "http://opsmemory.stella-ops.local"
    STELLAOPS_NOTIFIER_URL: "http://notifier.stella-ops.local"
    STELLAOPS_NOTIFY_URL: "http://notify.stella-ops.local"
    STELLAOPS_SIGNER_URL: "http://signer.stella-ops.local"
    STELLAOPS_SMREMOTE_URL: "http://smremote.stella-ops.local"
    STELLAOPS_AIRGAP_CONTROLLER_URL: "http://airgap-controller.stella-ops.local"
    STELLAOPS_AIRGAP_TIME_URL: "http://airgap-time.stella-ops.local"
    STELLAOPS_PACKSREGISTRY_URL: "http://packsregistry.stella-ops.local"
    STELLAOPS_REGISTRY_TOKENSERVICE_URL: "http://registry-token.stella-ops.local"
    STELLAOPS_BINARYINDEX_URL: "http://binaryindex.stella-ops.local"
    STELLAOPS_ISSUERDIRECTORY_URL: "http://issuerdirectory.stella-ops.local"
    STELLAOPS_SYMBOLS_URL: "http://symbols.stella-ops.local"
    STELLAOPS_SBOMSERVICE_URL: "http://sbomservice.stella-ops.local"
    STELLAOPS_EXPORTCENTER_URL: "http://exportcenter.stella-ops.local"
    STELLAOPS_REPLAY_URL: "http://replay.stella-ops.local"
    STELLAOPS_INTEGRATIONS_URL: "http://integrations.stella-ops.local"
    STELLAOPS_SIGNALS_URL: "http://signals.stella-ops.local"
    STELLAOPS_ADVISORYAI_URL: "http://advisoryai.stella-ops.local"
    STELLAOPS_UNKNOWNS_URL: "http://unknowns.stella-ops.local"
  volumes:
    - *cert-volume
  ports:
    # Loopback-range bind only.
    - "127.1.0.3:80:80"
  networks:
    stellaops:
      aliases:
        - platform.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# --- Slot 2: Authority -----------------------------------------------------
# Authority (token issuer): alias authority.stella-ops.local, also on the
# frontdoor network. Configuration, keys and plugin config come from the
# read-only ../../etc/authority mount.
# NOTE(review): key ids and file names are development material
# (dev-signing-key-1, signing-dev.pem, ack-token-dev.pem, PFX password
# "devpass"), and the default issuer URL is plain http://. Replace all of these
# before any non-local use. ASPNETCORE_URLS names 8440 while the published port
# and the healthcheck use 80; confirm the bound port.
authority:
  image: stellaops/authority:dev
  container_name: stellaops-authority
  restart: unless-stopped
  # Same gate as the shared anchor: postgres and valkey must be healthy.
  depends_on: *depends-infra
  environment:
    ASPNETCORE_URLS: "http://+:8440"
    Kestrel__Certificates__Default__Path: "/app/etc/authority/keys/kestrel-dev.pfx"
    Kestrel__Certificates__Default__Password: "devpass"
    STELLAOPS_AUTHORITY_AUTHORITY__SCHEMAVERSION: "1"
    STELLAOPS_AUTHORITY_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER:-http://authority.stella-ops.local}"
    STELLAOPS_AUTHORITY_AUTHORITY__STORAGE__CONNECTIONSTRING: *postgres-connection
    STELLAOPS_AUTHORITY_AUTHORITY__CACHE__REDIS__CONNECTIONSTRING: "cache.stella-ops.local:6379"
    STELLAOPS_AUTHORITY_AUTHORITY__SIGNING__ACTIVEKEYID: "dev-signing-key-1"
    STELLAOPS_AUTHORITY_AUTHORITY__SIGNING__KEYPATH: "/app/etc/authority/keys/signing-dev.pem"
    STELLAOPS_AUTHORITY_AUTHORITY__NOTIFICATIONS__ACKTOKENS__ACTIVEKEYID: "dev-ack-key-1"
    STELLAOPS_AUTHORITY_AUTHORITY__NOTIFICATIONS__ACKTOKENS__KEYPATH: "/app/etc/authority/keys/ack-token-dev.pem"
    # Webhook targets are limited to this single allow-listed host.
    STELLAOPS_AUTHORITY_AUTHORITY__NOTIFICATIONS__WEBHOOKS__ALLOWEDHOSTS__0: "notify.stella-ops.local"
    STELLAOPS_AUTHORITY_AUTHORITY__NOTIFICATIONS__ESCALATION__SCOPE: "notify.escalate"
    STELLAOPS_AUTHORITY_AUTHORITY__BOOTSTRAP__ENABLED: "false"
    STELLAOPS_AUTHORITY_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
    STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority/plugins"
  volumes:
    - ../../etc/authority:/app/etc/authority:ro
    - ../../etc/certificates/trust-roots:/etc/ssl/certs/stellaops:ro
  tmpfs:
    # NOTE(review): the plugin directory is a world-writable tmpfs (mode 1777);
    # confirm nothing untrusted inside the container can drop plugins there.
    - /app/plugins:mode=1777
  ports:
    # Loopback-range bind only.
    - "127.1.0.4:80:80"
  networks:
    stellaops:
      aliases:
        - authority.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# --- Slot 3: Gateway -------------------------------------------------------
# Gateway: alias gateway.stella-ops.local, also on the frontdoor network.
# Published on a loopback-range address only.
gateway:
  image: stellaops/gateway:dev
  container_name: stellaops-gateway
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    ConnectionStrings__Default: *postgres-connection
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
  volumes:
    - *cert-volume
  ports:
    - "127.1.0.5:80:80"
  networks:
    stellaops:
      aliases:
        - gateway.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# --- Slot 4: Attestor ------------------------------------------------------
# Attestor: alias attestor.stella-ops.local, also on the frontdoor network.
# Starts after the signer service and calls it over plain http://.
# NOTE(review): depends_on uses the short list form, which waits only for the
# signer container to start, not for it to be healthy. ASPNETCORE_URLS names
# 8442 while the published port and the healthcheck use 80; confirm the bound
# port.
attestor:
  image: stellaops/attestor:dev
  container_name: stellaops-attestor
  restart: unless-stopped
  depends_on:
    - signer
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8442"
    ATTESTOR_ATTESTOR__SIGNER__BASEURL: "http://signer.stella-ops.local"
    ConnectionStrings__Default: *postgres-connection
  volumes:
    - *cert-volume
  ports:
    # Loopback-range bind only.
    - "127.1.0.6:80:80"
  networks:
    stellaops:
      aliases:
        - attestor.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# --- Slot 5: Attestor TileProxy --------------------------------------------
# Tile proxy in front of Rekor: internal only (no published port, not on the
# frontdoor network). Alias attestor-tileproxy.stella-ops.local.
# NOTE(review): the upstream rekor.stella-ops.local is provided by rekor-v2,
# which starts only with the sigstore profile, so the upstream is absent in a
# default `up`. The tile cache is a world-writable tmpfs and does not survive a
# restart.
attestor-tileproxy:
  image: stellaops/attestor-tileproxy:dev
  container_name: stellaops-attestor-tileproxy
  restart: unless-stopped
  depends_on:
    - attestor
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    TILE_PROXY__tile_proxy__UpstreamUrl: "http://rekor.stella-ops.local:3322"
    TILE_PROXY__tile_proxy__Origin: "stellaops-tileproxy"
    TILE_PROXY__tile_proxy__Cache__BasePath: "/var/cache/stellaops/tiles"
    TILE_PROXY__tile_proxy__Cache__MaxSizeGb: "1"
  volumes:
    - *cert-volume
  tmpfs:
    - /var/cache/stellaops/tiles:mode=1777
  networks:
    stellaops:
      aliases:
        - attestor-tileproxy.stella-ops.local
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# --- Slot 6: Evidence Locker ------------------------------------------------
# Evidence Locker web: alias evidencelocker.stella-ops.local, also on the
# frontdoor network. Stores objects on the evidence-data volume.
# NOTE(review): write-once enforcement and signing are both switched off
# ("false"), so with these settings the store does not enforce immutability or
# sign what it holds. Enable both wherever the evidence has to be
# tamper-evident. Migrations are applied at startup.
evidence-locker-web:
  image: stellaops/evidence-locker-web:dev
  container_name: stellaops-evidence-locker-web
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    EvidenceLocker__Database__ConnectionString: *postgres-connection
    EvidenceLocker__Database__ApplyMigrationsAtStartup: "true"
    EvidenceLocker__ObjectStore__Kind: "FileSystem"
    EvidenceLocker__ObjectStore__FileSystem__RootPath: "/data/evidence"
    EvidenceLocker__ObjectStore__EnforceWriteOnce: "false"
    EvidenceLocker__Signing__Enabled: "false"
    EvidenceLocker__Signing__Algorithm: "ES256"
    EvidenceLocker__Signing__KeyId: "dev-evidence-key"
    EvidenceLocker__Quotas__MaxMaterialCount: "128"
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    EvidenceLocker__Authority__BaseUrl: "http://authority.stella-ops.local"
  volumes:
    - *cert-volume
    - evidence-data:/data/evidence
  ports:
    # Loopback-range bind only.
    - "127.1.0.7:80:80"
  networks:
    stellaops:
      aliases:
        - evidencelocker.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# Evidence Locker worker: internal only; shares the evidence-data volume with
# the web service.
# NOTE(review): as in the web service, write-once enforcement and signing are
# both "false" here. Both containers can write to the same volume, so confirm
# that the integrity controls are enabled together wherever evidence must be
# tamper-evident.
evidence-locker-worker:
  image: stellaops/evidence-locker-worker:dev
  container_name: stellaops-evidence-locker-worker
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    EvidenceLocker__Database__ConnectionString: *postgres-connection
    EvidenceLocker__Database__ApplyMigrationsAtStartup: "true"
    EvidenceLocker__ObjectStore__Kind: "FileSystem"
    EvidenceLocker__ObjectStore__FileSystem__RootPath: "/data/evidence"
    EvidenceLocker__ObjectStore__EnforceWriteOnce: "false"
    EvidenceLocker__Signing__Enabled: "false"
    EvidenceLocker__Signing__Algorithm: "ES256"
    EvidenceLocker__Signing__KeyId: "dev-evidence-key"
    EvidenceLocker__Quotas__MaxMaterialCount: "128"
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
  volumes:
    - *cert-volume
    - evidence-data:/data/evidence
  networks:
    stellaops:
      aliases:
        - evidence-locker-worker.stella-ops.local
  # Runs the shared worker healthcheck script.
  healthcheck: *healthcheck-worker
  labels: *release-labels
# --- Slot 8: Scanner -------------------------------------------------------
# Scanner web: alias scanner.stella-ops.local, also on the frontdoor network.
# Uses postgres for storage, the rustfs S3 endpoint for artifacts and valkey
# for queue and events.
# NOTE(review): rustfs is gated on service_started only, not on health.
# ASPNETCORE_URLS names 8444 while the published port and the healthcheck use
# 80; confirm the bound port.
scanner-web:
  image: stellaops/scanner-web:dev
  container_name: stellaops-scanner-web
  restart: unless-stopped
  depends_on:
    postgres:
      condition: service_healthy
    valkey:
      condition: service_healthy
    rustfs:
      condition: service_started
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8444"
    SCANNER_SCANNER__PLUGINS__BASEDIRECTORY: "/app"
    SCANNER_SCANNER__STORAGE__DRIVER: "postgres"
    SCANNER_SCANNER__STORAGE__DSN: *postgres-connection
    SCANNER_SCANNER__STORAGE__COMMANDTIMEOUTSECONDS: "30"
    SCANNER_SCANNER__STORAGE__HEALTHCHECKTIMEOUTSECONDS: "5"
    SCANNER_SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
    SCANNER_SCANNER__ARTIFACTSTORE__ENDPOINT: "http://s3.stella-ops.local:8333"
    SCANNER_SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
    SCANNER_SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
    SCANNER_SCANNER__QUEUE__DRIVER: "redis"
    SCANNER_SCANNER__QUEUE__DSN: "cache.stella-ops.local:6379"
    SCANNER_SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-false}"
    SCANNER_SCANNER__EVENTS__DRIVER: "redis"
    SCANNER_SCANNER__EVENTS__DSN: "cache.stella-ops.local:6379"
    SCANNER_SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
    SCANNER_SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
    SCANNER_SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
    SCANNER_SCANNER__OFFLINEKIT__ENABLED: "${SCANNER_OFFLINEKIT_ENABLED:-false}"
    SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://s3.stella-ops.local:8333}"
    SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}"
    SCANNER_SURFACE_CACHE_ROOT: "${SCANNER_SURFACE_CACHE_ROOT:-/var/lib/stellaops/surface}"
    SCANNER_SURFACE_CACHE_QUOTA_MB: "${SCANNER_SURFACE_CACHE_QUOTA_MB:-4096}"
    SCANNER_SURFACE_PREFETCH_ENABLED: "${SCANNER_SURFACE_PREFETCH_ENABLED:-false}"
    SCANNER_SURFACE_TENANT: "${SCANNER_SURFACE_TENANT:-default}"
    SCANNER_SURFACE_FEATURES: "${SCANNER_SURFACE_FEATURES:-}"
    # Secrets are read from files under the read-only secrets mount by default.
    SCANNER_SURFACE_SECRETS_PROVIDER: "${SCANNER_SURFACE_SECRETS_PROVIDER:-file}"
    SCANNER_SURFACE_SECRETS_NAMESPACE: "${SCANNER_SURFACE_SECRETS_NAMESPACE:-}"
    SCANNER_SURFACE_SECRETS_ROOT: "${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}"
    SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER: "${SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER:-}"
    # Inline secrets stay disabled unless the variable is set otherwise.
    SCANNER_SURFACE_SECRETS_ALLOW_INLINE: "${SCANNER_SURFACE_SECRETS_ALLOW_INLINE:-false}"
  volumes:
    # All bind mounts below are read-only.
    - ../../etc/scanner:/app/etc/scanner:ro
    - ../../etc/certificates/trust-roots:/etc/ssl/certs/stellaops:ro
    - ${SURFACE_SECRETS_HOST_PATH:-./offline/surface-secrets}:${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}:ro
    - ${SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH:-./offline/trust-roots}:${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}:ro
    - ${SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH:-./offline/rekor-snapshot}:${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}:ro
    - *cert-volume
  tmpfs:
    # NOTE(review): both directories are world-writable tmpfs (mode 1777), and
    # the plugin directory sits under the configured plugin base directory
    # /app. Confirm that only trusted code can write there.
    - /app/plugins:mode=1777
    - /var/lib/stellaops/surface:mode=1777
  ports:
    # Loopback-range bind only.
    - "127.1.0.8:80:80"
  networks:
    stellaops:
      aliases:
        - scanner.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# Scanner worker: internal only (no published port).
# NOTE(review): three settings here relax controls. Worker authority
# integration is disabled, surface validation is disabled, and the secrets root
# points at /var/lib/stellaops/surface, which this service mounts as a
# world-writable tmpfs (mode 1777). Confirm that these are development-only
# choices before reusing this definition.
scanner-worker:
  image: stellaops/scanner-worker:dev
  container_name: stellaops-scanner-worker
  restart: unless-stopped
  depends_on:
    postgres:
      condition: service_healthy
    valkey:
      condition: service_healthy
    rustfs:
      condition: service_started
  environment:
    <<: *kestrel-cert
    # Scanner worker options
    Scanner__Worker__Authority__Enabled: "false"
    BinaryIndex__Enabled: "false"
    # Scanner storage (Postgres plus the S3/RustFS object store)
    ScannerStorage__Postgres__ConnectionString: *postgres-connection
    ScannerStorage__Postgres__SchemaName: "scanner"
    ScannerStorage__ObjectStore__Driver: "rustfs"
    ScannerStorage__ObjectStore__BucketName: "scanner-artifacts"
    ScannerStorage__ObjectStore__RustFs__BaseUrl: "http://s3.stella-ops.local:8333"
    # Surface environment (read via Environment.GetEnvironmentVariable)
    SCANNER_SURFACE_FS_ENDPOINT: "http://s3.stella-ops.local:8333"
    SURFACE_FS_ENDPOINT: "http://s3.stella-ops.local:8333"
    SCANNER_SURFACE_SECRETS_NAMESPACE: "stellaops"
    SCANNER_SURFACE_SECRETS_PROVIDER: "file"
    SCANNER_SURFACE_SECRETS_ROOT: "/var/lib/stellaops/surface"
    SCANNER_SURFACE_VALIDATION_DISABLED: "true"
    # EPSS bundle source path (EpssBundleSource constructor)
    EPSS_BUNDLE_PATH: "/app/epss"
  volumes:
    - *cert-volume
  tmpfs:
    - /var/lib/stellaops/surface:mode=1777
    - /app/epss:mode=1777
  networks:
    stellaops:
      aliases:
        - scanner-worker.stella-ops.local
  # Runs the shared worker healthcheck script.
  healthcheck: *healthcheck-worker
  labels: *release-labels
# --- Slot 9: Concelier -----------------------------------------------------
# Concelier: alias concelier.stella-ops.local, also on the frontdoor network.
# NOTE(review): offline cache fallback for the authority is enabled with a
# default tolerance of 00:30:00. Presumably cached authority data keeps being
# accepted for that window while the authority is unreachable. Confirm that
# this fits the revocation requirements.
concelier:
  image: stellaops/concelier:dev
  container_name: stellaops-concelier
  restart: unless-stopped
  depends_on:
    postgres:
      condition: service_healthy
    valkey:
      condition: service_healthy
    rustfs:
      condition: service_started
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    CONCELIER_PLUGINS__BASEDIRECTORY: "/app"
    CONCELIER_POSTGRESSTORAGE__CONNECTIONSTRING: *postgres-connection
    CONCELIER_POSTGRESSTORAGE__ENABLED: "true"
    CONCELIER_S3__ENDPOINT: "http://s3.stella-ops.local:8333"
    CONCELIER_AUTHORITY__BASEURL: "http://authority.stella-ops.local"
    CONCELIER_AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
    CONCELIER_AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
  volumes:
    - concelier-jobs:/var/lib/concelier/jobs
    - *cert-volume
  tmpfs:
    # World-writable tmpfs under the plugin base directory /app.
    - /app/plugins:mode=1777
  ports:
    # Loopback-range bind only.
    - "127.1.0.9:80:80"
  networks:
    stellaops:
      aliases:
        - concelier.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# --- Slot 10: Excititor ----------------------------------------------------
# Excititor: alias excititor.stella-ops.local, also on the frontdoor network.
# It starts only when the code-fix-pending profile is selected, so a default
# `up` leaves it out.
excititor:
  image: stellaops/excititor:dev
  container_name: stellaops-excititor
  restart: unless-stopped
  # Docker build error from prior session
  profiles:
    - "code-fix-pending"
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    # Postgres options (section: Postgres:Excititor)
    Postgres__Excititor__ConnectionString: *postgres-connection
    Postgres__Excititor__SchemaName: "vex"
    Excititor__Concelier__BaseUrl: "http://concelier.stella-ops.local"
    Excititor__Storage__Driver: "postgres"
  volumes:
    - *cert-volume
  tmpfs:
    # World-writable tmpfs (mode 1777).
    - /app/plugins:mode=1777
  ports:
    # Loopback-range bind only.
    - "127.1.0.10:80:80"
  networks:
    stellaops:
      aliases:
        - excititor.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# Excititor worker: internal only. Unlike the excititor web service it carries
# no profile, so it starts in a default `up`.
excititor-worker:
  image: stellaops/excititor-worker:dev
  container_name: stellaops-excititor-worker
  restart: unless-stopped
  # Same gate as the shared anchor: postgres and valkey must be healthy.
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    # Postgres options (section: Postgres:Excititor)
    Postgres__Excititor__ConnectionString: *postgres-connection
    Postgres__Excititor__SchemaName: "vex"
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    Excititor__Concelier__BaseUrl: "http://concelier.stella-ops.local"
    Excititor__Storage__Driver: "postgres"
    Excititor__Worker__DisableConsensus: "true"
    # TenantAuthorityOptionsValidator requires a BaseUrls dict with at least one entry
    Excititor__Authority__BaseUrls__default: "http://authority.stella-ops.local"
    # IssuerDirectoryClientOptions.Validate() requires BaseAddress
    IssuerDirectory__Client__BaseAddress: "http://issuerdirectory.stella-ops.local"
  volumes:
    - *cert-volume
  networks:
    stellaops:
      aliases:
        - excititor-worker.stella-ops.local
  # Runs the shared worker healthcheck script.
  healthcheck: *healthcheck-worker
  labels: *release-labels
# --- Slot 11: VexHub -------------------------------------------------------
# VexHub web: alias vexhub.stella-ops.local, also on the frontdoor network.
# Published on a loopback-range address only.
vexhub-web:
  image: stellaops/vexhub-web:dev
  container_name: stellaops-vexhub-web
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    ConnectionStrings__Default: *postgres-connection
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
  volumes:
    - *cert-volume
  ports:
    - "127.1.0.11:80:80"
  networks:
    stellaops:
      aliases:
        - vexhub.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# --- Slot 12: VexLens ------------------------------------------------------
# VexLens web: alias vexlens.stella-ops.local, also on the frontdoor network.
# Published on a loopback-range address only.
vexlens-web:
  image: stellaops/vexlens-web:dev
  container_name: stellaops-vexlens-web
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    ConnectionStrings__Default: *postgres-connection
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
  volumes:
    - *cert-volume
  ports:
    - "127.1.0.12:80:80"
  networks:
    stellaops:
      aliases:
        - vexlens.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# --- Slot 13: VulnExplorer (api) -------------------------------------------
# VulnExplorer API: the service key is `api`, but peers reach it through the
# alias vulnexplorer.stella-ops.local. Also on the frontdoor network and
# published on a loopback-range address only.
api:
  image: stellaops/api:dev
  container_name: stellaops-api
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    ConnectionStrings__Default: *postgres-connection
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
  volumes:
    - *cert-volume
  ports:
    - "127.1.0.13:80:80"
  networks:
    stellaops:
      aliases:
        - vulnexplorer.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# --- Slot 14: Policy Engine ------------------------------------------------
# Policy Engine: alias policy-engine.stella-ops.local, also on the frontdoor
# network. Its connection settings use the STELLAOPS_POLICY_ENGINE_ prefix.
policy-engine:
  image: stellaops/policy-engine:dev
  container_name: stellaops-policy-engine
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    STELLAOPS_POLICY_ENGINE_Postgres__Policy__ConnectionString: *postgres-connection
    STELLAOPS_POLICY_ENGINE_ConnectionStrings__Redis: "cache.stella-ops.local:6379"
  volumes:
    - *cert-volume
  ports:
    # Loopback-range bind only.
    - "127.1.0.14:80:80"
  networks:
    stellaops:
      aliases:
        - policy-engine.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# --- Slot 15: Policy Gateway -----------------------------------------------
# Policy Gateway: the service key is `policy`, and its only alias on the
# stellaops network is policy-gateway.stella-ops.local. Also on the frontdoor
# network.
# NOTE(review): ASPNETCORE_URLS names 8084 while the published port and the
# healthcheck use 80; confirm the bound port.
policy:
  image: stellaops/policy:dev
  container_name: stellaops-policy
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8084"
    ConnectionStrings__Default: *postgres-connection
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
  volumes:
    - *cert-volume
  ports:
    # Loopback-range bind only.
    - "127.1.0.15:80:80"
  networks:
    stellaops:
      aliases:
        - policy-gateway.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# --- Slot 16: RiskEngine ---------------------------------------------------
# RiskEngine web: alias riskengine.stella-ops.local, also on the frontdoor
# network. Published on a loopback-range address only.
riskengine-web:
  image: stellaops/riskengine-web:dev
  container_name: stellaops-riskengine-web
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    ConnectionStrings__Default: *postgres-connection
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
  volumes:
    - *cert-volume
  ports:
    - "127.1.0.16:80:80"
  networks:
    stellaops:
      aliases:
        - riskengine.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# RiskEngine worker: internal only (no published port, stellaops network only).
riskengine-worker:
  image: stellaops/riskengine-worker:dev
  container_name: stellaops-riskengine-worker
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ConnectionStrings__Default: *postgres-connection
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
  volumes:
    - *cert-volume
  networks:
    stellaops:
      aliases:
        - riskengine-worker.stella-ops.local
  # Runs the shared worker healthcheck script.
  healthcheck: *healthcheck-worker
  labels: *release-labels
# --- Slot 17: Orchestrator -------------------------------------------------
# Orchestrator: alias orchestrator.stella-ops.local, also on the frontdoor
# network. Published on a loopback-range address only.
orchestrator:
  image: stellaops/orchestrator:dev
  container_name: stellaops-orchestrator
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    ConnectionStrings__Default: *postgres-connection
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
  volumes:
    - *cert-volume
  ports:
    - "127.1.0.17:80:80"
  networks:
    stellaops:
      aliases:
        - orchestrator.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# Orchestrator worker: internal only (no published port, stellaops network only).
orchestrator-worker:
  image: stellaops/orchestrator-worker:dev
  container_name: stellaops-orchestrator-worker
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ConnectionStrings__Default: *postgres-connection
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
  volumes:
    - *cert-volume
  networks:
    stellaops:
      aliases:
        - orchestrator-worker.stella-ops.local
  # Runs the shared worker healthcheck script.
  healthcheck: *healthcheck-worker
  labels: *release-labels
# --- Slot 18: TaskRunner ---------------------------------------------------
# TaskRunner web: alias taskrunner.stella-ops.local, also on the frontdoor
# network. Published on a loopback-range address only.
taskrunner-web:
  image: stellaops/taskrunner-web:dev
  container_name: stellaops-taskrunner-web
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    ConnectionStrings__Default: *postgres-connection
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
  volumes:
    - *cert-volume
  ports:
    - "127.1.0.18:80:80"
  networks:
    stellaops:
      aliases:
        - taskrunner.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# TaskRunner worker: internal only.
# NOTE(review): the air-gap egress policy is switched off, which the existing
# comment marks as a development setting. The queue, state, artifacts,
# approvals and logs directories are world-writable tmpfs mounts (mode 1777),
# so their contents are lost on restart, and that includes approvals and logs.
# Confirm that this is intended wherever those records need to be kept.
taskrunner-worker:
  image: stellaops/taskrunner-worker:dev
  container_name: stellaops-taskrunner-worker
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ConnectionStrings__Default: *postgres-connection
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
    # AirGap egress policy (disable for dev)
    AirGap__Egress__Enabled: "false"
  volumes:
    - *cert-volume
  tmpfs:
    - /app/queue:mode=1777
    - /app/state:mode=1777
    - /app/artifacts:mode=1777
    - /app/approvals:mode=1777
    - /app/logs:mode=1777
  networks:
    stellaops:
      aliases:
        - taskrunner-worker.stella-ops.local
  # Runs the shared worker healthcheck script.
  healthcheck: *healthcheck-worker
  labels: *release-labels
# --- Slot 19: Scheduler ----------------------------------------------------
# Scheduler web: alias scheduler.stella-ops.local, also on the frontdoor
# network. Published on a loopback-range address only.
scheduler-web:
  image: stellaops/scheduler-web:dev
  container_name: stellaops-scheduler-web
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    ConnectionStrings__Default: *postgres-connection
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
  volumes:
    - *cert-volume
  tmpfs:
    # Two world-writable plugin directories (mode 1777).
    - /app/plugins:mode=1777
    - /plugins:mode=1777
  ports:
    - "127.1.0.19:80:80"
  networks:
    stellaops:
      aliases:
        - scheduler.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# Scheduler worker: internal only. Uses valkey for its queue and postgres
# (schema "scheduler") for persistence.
# NOTE(review): the policy API address is http://policy.stella-ops.local, but
# the policy services defined alongside this one register the aliases
# policy-gateway.stella-ops.local and policy-engine.stella-ops.local. Confirm
# that policy.stella-ops.local resolves on the stellaops network.
scheduler-worker:
  image: stellaops/scheduler-worker:dev
  container_name: stellaops-scheduler-worker
  restart: unless-stopped
  # Same gate as the shared anchor: postgres and valkey must be healthy.
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    # Queue config (Redis transport)
    scheduler__queue__Kind: "Redis"
    scheduler__queue__Redis__ConnectionString: "cache.stella-ops.local:6379"
    # Persistence config (section: Scheduler:Storage, subsection: Postgres:Scheduler)
    Scheduler__Storage__Postgres__Scheduler__ConnectionString: *postgres-connection
    Scheduler__Storage__Postgres__Scheduler__SchemaName: "scheduler"
    # Worker config
    Scheduler__Worker__Runner__Scanner__BaseAddress: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner.stella-ops.local}"
    Scheduler__Worker__Graph__Cartographer__BaseAddress: "http://cartographer.stella-ops.local"
    Scheduler__Worker__Graph__SchedulerApi__BaseAddress: "http://scheduler.stella-ops.local"
    Scheduler__Worker__Policy__Api__BaseAddress: "http://policy.stella-ops.local"
    # Surface environment
    SURFACE_FS_ENDPOINT: "http://s3.stella-ops.local:8333"
  volumes:
    - *cert-volume
  tmpfs:
    # World-writable tmpfs (mode 1777).
    - /var/lib/stellaops/surface:mode=1777
  networks:
    stellaops:
      aliases:
        - scheduler-worker.stella-ops.local
  # Runs the shared worker healthcheck script.
  healthcheck: *healthcheck-worker
  labels: *release-labels
# --- Slot 20: Graph API ----------------------------------------------------
# Graph API: alias graph.stella-ops.local, also on the frontdoor network.
# Published on a loopback-range address only.
graph-api:
  image: stellaops/graph-api:dev
  container_name: stellaops-graph-api
  restart: unless-stopped
  depends_on: *depends-infra
  environment:
    <<: *kestrel-cert
    ASPNETCORE_URLS: "http://+:8080"
    ConnectionStrings__Default: *postgres-connection
    ConnectionStrings__Redis: "cache.stella-ops.local:6379"
  volumes:
    - *cert-volume
  ports:
    - "127.1.0.20:80:80"
  networks:
    stellaops:
      aliases:
        - graph.stella-ops.local
    frontdoor: {}
  healthcheck:
    <<: *healthcheck-tcp
    # Opens a TCP connection to port 80 on the container's own hostname.
    test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
  labels: *release-labels
# --- Slot 21: Cartographer -------------------------------------------------
# cartographer: published on loopback address 127.1.0.21 port 80 only; alias
# cartographer.stella-ops.local on the stellaops network, also on frontdoor.
cartographer:
image: stellaops/cartographer:dev
container_name: stellaops-cartographer
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
# NOTE(review): the shared connection string (anchor at the top of the file)
# uses one database user for every service and falls back to a default
# password when POSTGRES_PASSWORD is unset - set it explicitly per deployment.
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- *cert-volume
ports:
- "127.1.0.21:80:80"
networks:
stellaops:
aliases:
- cartographer.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 22: ReachGraph ---------------------------------------------------
# reachgraph-web: published on loopback address 127.1.0.22 port 80 only; alias
# reachgraph.stella-ops.local on the stellaops network, also on frontdoor.
reachgraph-web:
image: stellaops/reachgraph-web:dev
container_name: stellaops-reachgraph-web
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
# NOTE(review): the anchor bind-mounts ../../etc/authority/keys read-only at
# /app/etc/certs, so this container can read everything in that directory -
# confirm it holds nothing beyond what this service needs.
- *cert-volume
ports:
- "127.1.0.22:80:80"
networks:
stellaops:
aliases:
- reachgraph.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 23: Timeline Indexer ---------------------------------------------
# timeline-indexer-web: published on loopback address 127.1.0.23 port 80 only;
# alias timelineindexer.stella-ops.local on stellaops, also on frontdoor.
timeline-indexer-web:
image: stellaops/timeline-indexer-web:dev
container_name: stellaops-timeline-indexer-web
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
# NOTE(review): host:port only - no password or TLS option is set here;
# confirm the cache is reachable from the compose network only.
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- *cert-volume
ports:
- "127.1.0.23:80:80"
networks:
stellaops:
aliases:
- timelineindexer.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# timeline-indexer-worker: no ports are published and no listen URL is set;
# attached to the stellaops network only.
timeline-indexer-worker:
image: stellaops/timeline-indexer-worker:dev
container_name: stellaops-timeline-indexer-worker
restart: unless-stopped
depends_on: *depends-infra
environment:
# NOTE(review): the Kestrel certificate settings and the cert mount below are
# carried over although this service publishes nothing - drop them if the
# worker does not serve TLS, so it cannot read the key directory.
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- *cert-volume
healthcheck:
# The whole probe comes from the healthcheck-worker anchor, defined outside this section.
<<: *healthcheck-worker
networks:
stellaops:
aliases:
- timeline-indexer-worker.stella-ops.local
labels: *release-labels
# --- Slot 24: Timeline ----------------------------------------------------
# timeline-web: published on loopback address 127.1.0.24 port 80 only; alias
# timeline.stella-ops.local on the stellaops network, also on frontdoor.
timeline-web:
# NOTE(review): ":dev" is a mutable tag, while the labels merged below declare
# release 2025.10.0 on the stable channel - pin a version tag or digest when
# this file is used for a release.
image: stellaops/timeline-web:dev
container_name: stellaops-timeline-web
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- *cert-volume
ports:
- "127.1.0.24:80:80"
networks:
stellaops:
aliases:
- timeline.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 25: Findings Ledger ----------------------------------------------
# findings-ledger-web: published on loopback address 127.1.0.25 port 80 only;
# alias findings.stella-ops.local on the stellaops network, also on frontdoor.
# Several values below are development-only secrets and relaxations.
findings-ledger-web:
image: stellaops/findings-ledger-web:dev
container_name: stellaops-findings-ledger-web
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
# The same shared connection string is supplied under three different keys.
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__FindingsLedger: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
findings__ledger__Database__ConnectionString: *postgres-connection
# Issuer is plain HTTP and HTTPS metadata is not required, so token-validation
# metadata is fetched without TLS; acceptable only on a trusted network.
findings__ledger__Authority__Issuer: "http://authority.stella-ops.local"
findings__ledger__Authority__RequireHttpsMetadata: "false"
# NOTE(review): attachment encryption key committed in the file, and visibly
# a repeating pattern rather than random key material. Supply a generated key
# from a secret store or the host environment outside local development.
findings__ledger__Attachments__EncryptionKey: "IiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiI="
findings__ledger__Attachments__SignedUrlBase: "http://findings.stella-ops.local/attachments"
# NOTE(review): committed signing secret - anyone who can read this file
# knows it; the signed URLs are only as trustworthy as this value is private.
findings__ledger__Attachments__SignedUrlSecret: "dev-signed-url-secret"
findings__ledger__Attachments__SignedUrlLifetime: "00:15:00"
# NOTE(review): CSRF requirement switched off for attachments - presumably a
# console-facing check; confirm it is re-enabled where a browser is a client.
findings__ledger__Attachments__RequireConsoleCsrf: "false"
volumes:
- *cert-volume
ports:
- "127.1.0.25:80:80"
networks:
stellaops:
aliases:
- findings.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 26: Doctor -------------------------------------------------------
# doctor-web: published on loopback address 127.1.0.26 port 80 only; alias
# doctor.stella-ops.local on the stellaops network, also on frontdoor.
doctor-web:
image: stellaops/doctor-web:dev
container_name: stellaops-doctor-web
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
# NOTE(review): the anchor sets the PFX path and a password that is written
# in this file, so the certificate's private key is protected only by access
# to the mounted key directory.
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- *cert-volume
ports:
- "127.1.0.26:80:80"
networks:
stellaops:
aliases:
- doctor.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# doctor-scheduler: no ports are published; alias
# doctor-scheduler.stella-ops.local on the stellaops network only.
doctor-scheduler:
image: stellaops/doctor-scheduler:dev
container_name: stellaops-doctor-scheduler
restart: unless-stopped
# Waits for postgres and valkey to report healthy (depends-infra anchor).
depends_on: *depends-infra
environment:
<<: *kestrel-cert
# Shared platform database credentials, the same ones every other service gets.
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
# Read-only bind mount of the shared key directory (cert-volume anchor).
- *cert-volume
healthcheck:
# The whole probe comes from the healthcheck-worker anchor, defined outside this section.
<<: *healthcheck-worker
networks:
stellaops:
aliases:
- doctor-scheduler.stella-ops.local
labels: *release-labels
# --- Slot 27: OpsMemory ---------------------------------------------------
# opsmemory-web: published on loopback address 127.1.0.27 port 80 only; alias
# opsmemory.stella-ops.local on the stellaops network, also on frontdoor.
opsmemory-web:
image: stellaops/opsmemory-web:dev
container_name: stellaops-opsmemory-web
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- *cert-volume
ports:
# Bound to a loopback address, so the port is not reachable from other hosts.
- "127.1.0.27:80:80"
networks:
stellaops:
aliases:
- opsmemory.stella-ops.local
frontdoor: {}
healthcheck:
# NOTE(review): a TCP connect on port 80 proves only that a socket accepts;
# it does not show the application is serving requests.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 28: Notifier ----------------------------------------------------
# notifier-web: published on loopback address 127.1.0.28 port 80 only; alias
# notifier.stella-ops.local on the stellaops network, also on frontdoor.
notifier-web:
image: stellaops/notifier-web:dev
container_name: stellaops-notifier-web
restart: unless-stopped
depends_on: *depends-infra
environment:
# NOTE(review): listen URL says 8080 while the published port and the health
# check use container port 80 - confirm which port the process binds.
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- *cert-volume
ports:
- "127.1.0.28:80:80"
networks:
stellaops:
aliases:
- notifier.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# notifier-worker: no ports are published; alias
# notifier-worker.stella-ops.local on the stellaops network only.
notifier-worker:
image: stellaops/notifier-worker:dev
container_name: stellaops-notifier-worker
restart: unless-stopped
depends_on: *depends-infra
environment:
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
# Queue transport and storage repeat the cache address and the shared
# database connection string under the notifier-specific keys.
notifier__queue__Transport: "redis"
# NOTE(review): host:port only - no password or TLS option is set for the
# queue; confirm the cache is reachable from the compose network only.
notifier__queue__Redis__ConnectionString: "cache.stella-ops.local:6379"
notifier__storage__postgres__ConnectionString: *postgres-connection
volumes:
- *cert-volume
healthcheck:
# The whole probe comes from the healthcheck-worker anchor, defined outside this section.
<<: *healthcheck-worker
networks:
stellaops:
aliases:
- notifier-worker.stella-ops.local
labels: *release-labels
# --- Slot 29: Notify ------------------------------------------------------
# notify-web: published on loopback address 127.1.0.29 port 80 only; alias
# notify.stella-ops.local on the stellaops network, also on frontdoor.
notify-web:
image: stellaops/notify-web:dev
container_name: stellaops-notify-web
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
# NOTE(review): the environment is declared Production while the service runs
# a ":dev" image with the development certificate from the anchor above -
# confirm this combination is intended.
DOTNET_ENVIRONMENT: Production
NOTIFY_NOTIFY__STORAGE__DRIVER: "postgres"
NOTIFY_NOTIFY__STORAGE__CONNECTIONSTRING: *postgres-connection
NOTIFY_NOTIFY__STORAGE__DATABASE: "notify"
NOTIFY_NOTIFY__PLUGINS__BASEDIRECTORY: "/app"
Postgres__Notify__ConnectionString: *postgres-connection
volumes:
# Service configuration is bind-mounted read-only from the repository.
- ../../etc/notify:/app/etc/notify:ro
- *cert-volume
tmpfs:
# NOTE(review): /app/plugins sits under the plugin base directory and is
# world-writable (1777); if plugins are loaded from it, any process in the
# container can place code there - tighten the mode if that is not needed.
- /app/plugins:mode=1777
ports:
- "127.1.0.29:80:80"
networks:
stellaops:
aliases:
- notify.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 30: Signer ------------------------------------------------------
# signer: published on loopback address 127.1.0.30 port 80 only; alias
# signer.stella-ops.local on the stellaops network, also on frontdoor.
signer:
image: stellaops/signer:dev
container_name: stellaops-signer
restart: unless-stopped
# NOTE(review): list form orders start-up only and does not wait for health.
# postgres is not listed although both connection strings below point at it.
depends_on:
- authority
- valkey
environment:
# NOTE(review): listen URL says 8441 while the published port and the health
# check use container port 80 - confirm which port the process binds.
ASPNETCORE_URLS: "http://+:8441"
<<: *kestrel-cert
# NOTE(review): the key-management store uses the same shared database user
# as every other service; a dedicated, least-privileged role would limit who
# can read it.
ConnectionStrings__KeyManagement: *postgres-connection
ConnectionStrings__Default: *postgres-connection
volumes:
- *cert-volume
ports:
- "127.1.0.30:80:80"
networks:
stellaops:
aliases:
- signer.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 31: SmRemote ----------------------------------------------------
# smremote: published on loopback address 127.1.0.31 port 80 only; alias
# smremote.stella-ops.local on the stellaops network, also on frontdoor.
smremote:
image: stellaops/smremote:dev
container_name: stellaops-smremote
restart: unless-stopped
depends_on: *depends-infra
environment:
# Plain-HTTP listener; no HTTPS URL is configured although a certificate is merged below.
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
# Read-only bind mount of the shared key directory (cert-volume anchor).
- *cert-volume
ports:
- "127.1.0.31:80:80"
networks:
stellaops:
aliases:
- smremote.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 32: AirGap Controller --------------------------------------------
# airgap-controller: published on loopback address 127.1.0.32 port 80 only;
# alias airgap-controller.stella-ops.local on stellaops, also on frontdoor.
airgap-controller:
# NOTE(review): ":dev" is a mutable tag; pin a version tag or digest where the
# image content must be reproducible.
image: stellaops/airgap-controller:dev
container_name: stellaops-airgap-controller
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- *cert-volume
ports:
- "127.1.0.32:80:80"
networks:
stellaops:
aliases:
- airgap-controller.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 33: AirGap Time -------------------------------------------------
# airgap-time: started only when the "airgap" profile is enabled; published on
# loopback address 127.1.0.33 port 80 only, alias airgap-time.stella-ops.local.
airgap-time:
image: stellaops/airgap-time:dev
container_name: stellaops-airgap-time
restart: unless-stopped
profiles: ["airgap"] # Requires time anchor file - air-gap specific
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
volumes:
# NOTE(review): only the certificate directory is mounted here; the time
# anchor file named in the profile comment is not mounted by this definition,
# so it presumably has to come from the image or an overlay - confirm.
- *cert-volume
ports:
- "127.1.0.33:80:80"
networks:
stellaops:
aliases:
- airgap-time.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 34: PacksRegistry -----------------------------------------------
# packsregistry-web: published on loopback address 127.1.0.34 port 80 only;
# alias packsregistry.stella-ops.local on stellaops, also on frontdoor.
packsregistry-web:
image: stellaops/packsregistry-web:dev
container_name: stellaops-packsregistry-web
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
# Shared platform database credentials, the same ones every other service gets.
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- *cert-volume
ports:
# Bound to a loopback address, so the port is not reachable from other hosts.
- "127.1.0.34:80:80"
networks:
stellaops:
aliases:
- packsregistry.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# packsregistry-worker: no ports are published; alias
# packsregistry-worker.stella-ops.local on the stellaops network only.
packsregistry-worker:
image: stellaops/packsregistry-worker:dev
container_name: stellaops-packsregistry-worker
restart: unless-stopped
depends_on: *depends-infra
environment:
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
# NOTE(review): the key directory is mounted although nothing is published
# and no listen URL is set - drop the mount if the worker does not need it.
- *cert-volume
healthcheck:
# The whole probe comes from the healthcheck-worker anchor, defined outside this section.
<<: *healthcheck-worker
networks:
stellaops:
aliases:
- packsregistry-worker.stella-ops.local
labels: *release-labels
# --- Slot 35: Registry Token -----------------------------------------------
# registry-token: published on loopback address 127.1.0.35 port 80 only; alias
# registry-token.stella-ops.local on the stellaops network, also on frontdoor.
# The signing key and the access plan below are development settings.
registry-token:
image: stellaops/registry-token:dev
container_name: stellaops-registry-token
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
RegistryTokenService__Signing__Issuer: "http://registry-token.stella-ops.local"
# NOTE(review): tokens are signed with the same PFX that the kestrel-cert
# anchor uses for TLS. That file sits in the key directory mounted into every
# service that uses cert-volume, and its password is written in this file, so
# the signing key is not private to this service. Use a dedicated key mounted
# only here outside local development.
RegistryTokenService__Signing__KeyPath: "/app/etc/certs/kestrel-dev.pfx"
# Issued tokens are valid for five minutes.
RegistryTokenService__Signing__Lifetime: "00:05:00"
RegistryTokenService__Registry__Realm: "http://registry.stella-ops.local"
# Issuer is plain HTTP and HTTPS metadata is not required, so token-validation
# metadata is fetched without TLS; acceptable only on a trusted network.
RegistryTokenService__Authority__Issuer: "http://authority.stella-ops.local"
RegistryTokenService__Authority__Audience: "api://registry"
RegistryTokenService__Authority__RequireHttpsMetadata: "false"
# NOTE(review): the only plan grants pull and push on every repository ("*").
# Narrow the pattern or drop "push" where callers only need to read.
RegistryTokenService__Plans__0__Name: "default"
RegistryTokenService__Plans__0__Repositories__0__Pattern: "*"
RegistryTokenService__Plans__0__Repositories__0__Actions__0: "pull"
RegistryTokenService__Plans__0__Repositories__0__Actions__1: "push"
volumes:
- *cert-volume
ports:
- "127.1.0.35:80:80"
networks:
stellaops:
aliases:
- registry-token.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 36: BinaryIndex --------------------------------------------------
# binaryindex-web: published on loopback address 127.1.0.36 port 80 only;
# alias binaryindex.stella-ops.local on stellaops, also on frontdoor.
binaryindex-web:
image: stellaops/binaryindex-web:dev
container_name: stellaops-binaryindex-web
restart: unless-stopped
# Waits for postgres and valkey to report healthy (depends-infra anchor).
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
# Cache address without credentials or TLS options.
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- *cert-volume
ports:
- "127.1.0.36:80:80"
networks:
stellaops:
aliases:
- binaryindex.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 37: Issuer Directory ---------------------------------------------
# issuer-directory: published on loopback address 127.1.0.37 port 80 only;
# alias issuerdirectory.stella-ops.local on the stellaops network. Unlike the
# neighbouring web services it is not attached to frontdoor.
issuer-directory:
image: stellaops/issuer-directory-web:dev
container_name: stellaops-issuer-directory
restart: unless-stopped
# NOTE(review): list form orders start-up only and does not wait for postgres
# or authority to be healthy.
depends_on:
- postgres
- authority
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ISSUERDIRECTORY__AUTHORITY__ENABLED: "true"
# Issuer can be overridden from the host environment; the default is plain
# HTTP and HTTPS metadata is not required, so validation metadata is fetched
# without TLS unless AUTHORITY_ISSUER points at an https URL.
ISSUERDIRECTORY__AUTHORITY__ISSUER: "${AUTHORITY_ISSUER:-http://authority.stella-ops.local}"
ISSUERDIRECTORY__AUTHORITY__AUDIENCES__0: "api://issuer-directory"
ISSUERDIRECTORY__AUTHORITY__REQUIREHTTPSMETADATA: "false"
ISSUERDIRECTORY__PERSISTENCE__PROVIDER: "Postgres"
ISSUERDIRECTORY__PERSISTENCE__POSTGRESCONNECTIONSTRING: *postgres-connection
ISSUERDIRECTORY__SEEDCSAFPUBLISHERS: "false"
volumes:
# Service configuration is bind-mounted read-only from the repository.
- ../../etc/issuer-directory:/app/etc/issuer-directory:ro
- *cert-volume
ports:
- "127.1.0.37:80:80"
networks:
stellaops:
aliases:
- issuerdirectory.stella-ops.local
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 38: Symbols ------------------------------------------------------
# symbols: published on loopback address 127.1.0.38 port 80 only; alias
# symbols.stella-ops.local on the stellaops network, also on frontdoor.
symbols:
image: stellaops/symbols:dev
container_name: stellaops-symbols
restart: unless-stopped
depends_on: *depends-infra
environment:
# NOTE(review): listen URL says 8080 while the published port and the health
# check use container port 80 - confirm which port the process binds.
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- *cert-volume
ports:
- "127.1.0.38:80:80"
networks:
stellaops:
aliases:
- symbols.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 39: SbomService --------------------------------------------------
# sbomservice: published on loopback address 127.1.0.39 port 80 only; alias
# sbomservice.stella-ops.local on the stellaops network, also on frontdoor.
sbomservice:
image: stellaops/sbomservice:dev
container_name: stellaops-sbomservice
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
# NOTE(review): the shared connection string uses one database user for all
# services and falls back to a default password when POSTGRES_PASSWORD is
# unset - set it explicitly per deployment.
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- *cert-volume
ports:
- "127.1.0.39:80:80"
networks:
stellaops:
aliases:
- sbomservice.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 40: ExportCenter -------------------------------------------------
# export: published on loopback address 127.1.0.40 port 80 only; alias
# exportcenter.stella-ops.local on the stellaops network, also on frontdoor.
export:
image: stellaops/export:dev
container_name: stellaops-export
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
# NOTE(review): presumably lets the service run on non-persistent in-memory
# repositories; if so, export state is lost on restart - confirm this is
# meant for development only.
Export__AllowInMemoryRepositories: "true"
volumes:
- *cert-volume
ports:
- "127.1.0.40:80:80"
networks:
stellaops:
aliases:
- exportcenter.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# export-worker: no ports are published; alias
# export-worker.stella-ops.local on the stellaops network only.
export-worker:
image: stellaops/export-worker:dev
container_name: stellaops-export-worker
restart: unless-stopped
depends_on: *depends-infra
environment:
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
# NOTE(review): same flag as on the export service; an in-memory repository
# would not be shared between the two containers - confirm how the worker and
# the web service are expected to see the same data with this enabled.
Export__AllowInMemoryRepositories: "true"
volumes:
- *cert-volume
networks:
stellaops:
aliases:
- export-worker.stella-ops.local
healthcheck:
# The whole probe comes from the healthcheck-worker anchor, defined outside this section.
<<: *healthcheck-worker
labels: *release-labels
# --- Slot 41: Replay -------------------------------------------------------
# replay-web: published on loopback address 127.1.0.41 port 80 only; alias
# replay.stella-ops.local on the stellaops network, also on frontdoor.
replay-web:
image: stellaops/replay-web:dev
container_name: stellaops-replay-web
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
# Read-only bind mount of the shared key directory (cert-volume anchor).
- *cert-volume
ports:
# Bound to a loopback address, so the port is not reachable from other hosts.
- "127.1.0.41:80:80"
networks:
stellaops:
aliases:
- replay.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 42: Integrations ------------------------------------------------
# integrations-web: published on loopback address 127.1.0.42 port 80 only;
# alias integrations.stella-ops.local on stellaops, also on frontdoor.
integrations-web:
image: stellaops/integrations-web:dev
container_name: stellaops-integrations-web
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- *cert-volume
tmpfs:
# NOTE(review): in-memory, world-writable (1777) plugin directory; if the
# service loads plugins from it, any process in the container can place code
# there - tighten the mode if that is not needed.
- /app/plugins:mode=1777
ports:
- "127.1.0.42:80:80"
networks:
stellaops:
aliases:
- integrations.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 43: Zastava Webhook ----------------------------------------------
# zastava-webhook: no ports are published and no health check is defined;
# alias zastava-webhook.stella-ops.local on the stellaops network only.
# The authority and backend settings below are development relaxations.
zastava-webhook:
image: stellaops/zastava-webhook:dev
container_name: stellaops-zastava-webhook
restart: unless-stopped
# Starts only after the authority service reports healthy.
depends_on:
authority:
condition: service_healthy
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
# Runtime authority (used by token provider for OIDC discovery)
zastava__runtime__authority__Issuer: "http://authority.stella-ops.local"
# NOTE(review): static-token fallback is enabled and the token value is
# committed here, so anyone who can read this file knows it. Presumably it
# stands in for an Authority-issued token - disable the fallback and remove
# the value outside local development.
zastava__runtime__authority__allowStaticTokenFallback: "true"
zastava__runtime__authority__staticTokenValue: "dev-bypass-token"
zastava__runtime__tenant: "default"
zastava__runtime__environment: "local"
# Webhook authority
zastava__webhook__authority__Issuer: "http://authority.stella-ops.local"
# Same committed static token as the runtime section above.
zastava__webhook__authority__staticTokenValue: "dev-bypass-token"
# TLS (PFX from cert volume)
zastava__webhook__tls__mode: "Secret"
zastava__webhook__tls__pfxPath: "/app/etc/certs/kestrel-dev.pfx"
# NOTE(review): PFX password in clear text; take it from a secret or the host
# environment where the certificate is not a throwaway development one.
zastava__webhook__tls__pfxPassword: "devpass"
# Backend (scanner service)
zastava__webhook__backend__baseAddress: "http://scanner.stella-ops.local"
# Explicitly permits the plain-HTTP backend address above.
zastava__webhook__backend__allowInsecureHttp: "true"
volumes:
- *cert-volume
networks:
stellaops:
aliases:
- zastava-webhook.stella-ops.local
labels: *release-labels
# --- Slot 44: Signals ------------------------------------------------------
# signals: published on loopback address 127.1.0.43 port 80 only (the slot
# header says 44, the address ends in .43); alias signals.stella-ops.local on
# the stellaops network, also on frontdoor.
signals:
image: stellaops/signals:dev
container_name: stellaops-signals
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ConnectionStrings__Default: *postgres-connection
# Cache address without credentials or TLS options.
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- *cert-volume
ports:
- "127.1.0.43:80:80"
networks:
stellaops:
aliases:
- signals.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 45: Advisory AI --------------------------------------------------
# advisory-ai-web: published on loopback address 127.1.0.44 port 80 only;
# alias advisoryai.stella-ops.local on the stellaops network, also on
# frontdoor. Queue, plan cache and outputs live on named volumes.
advisory-ai-web:
image: stellaops/advisory-ai-web:dev
container_name: stellaops-advisory-ai-web
restart: unless-stopped
# List form: start order only, no wait for scanner-web to be healthy.
depends_on:
- scanner-web
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
ADVISORYAI__AdvisoryAI__SbomBaseAddress: "${ADVISORY_AI_SBOM_BASEADDRESS:-http://scanner.stella-ops.local}"
ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: "/var/lib/advisory-ai/queue"
ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: "/var/lib/advisory-ai/plans"
ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: "/var/lib/advisory-ai/outputs"
# Inference defaults to "Local"; the remote endpoint and key are empty unless
# set in the host environment.
ADVISORYAI__AdvisoryAI__Inference__Mode: "${ADVISORY_AI_INFERENCE_MODE:-Local}"
ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: "${ADVISORY_AI_REMOTE_BASEADDRESS:-}"
# NOTE(review): the API key is not committed, but as an environment variable
# it is readable through container inspection; a Compose secret keeps it out
# of the container environment.
ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: "${ADVISORY_AI_REMOTE_APIKEY:-}"
ports:
- "127.1.0.44:80:80"
volumes:
- *cert-volume
# Provider configuration is bind-mounted read-only from the repository.
- ../../etc/llm-providers:/app/etc/llm-providers:ro
- advisory-ai-queue:/var/lib/advisory-ai/queue
- advisory-ai-plans:/var/lib/advisory-ai/plans
- advisory-ai-outputs:/var/lib/advisory-ai/outputs
tmpfs:
# In-memory mount, world-writable with the sticky bit (1777).
- /app/plugins:mode=1777
networks:
stellaops:
aliases:
- advisoryai.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# advisory-ai-worker: no ports are published; alias
# advisory-ai-worker.stella-ops.local on the stellaops network only.
advisory-ai-worker:
image: stellaops/advisory-ai-worker:dev
container_name: stellaops-advisory-ai-worker
restart: unless-stopped
# List form: start order only, no wait for scanner-web to be healthy.
depends_on:
- scanner-web
environment:
<<: *kestrel-cert
ADVISORYAI__AdvisoryAI__SbomBaseAddress: "${ADVISORY_AI_SBOM_BASEADDRESS:-http://scanner.stella-ops.local}"
# NOTE(review): advisory-ai-web uses /var/lib/advisory-ai/{queue,plans,outputs}
# on named volumes, while these paths are under /tmp and no such volume is
# mounted below. As configured the two containers do not share a queue or
# output directory, and this data is lost when the container is recreated -
# confirm that is intended.
ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: "/tmp/advisory-ai/queue"
ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: "/tmp/advisory-ai/plans"
ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: "/tmp/advisory-ai/outputs"
ADVISORYAI__AdvisoryAI__Inference__Mode: "${ADVISORY_AI_INFERENCE_MODE:-Local}"
ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: "${ADVISORY_AI_REMOTE_BASEADDRESS:-}"
# The key comes from the host environment and is empty by default; it is
# visible in the container environment once set.
ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: "${ADVISORY_AI_REMOTE_APIKEY:-}"
volumes:
- *cert-volume
networks:
stellaops:
aliases:
- advisory-ai-worker.stella-ops.local
healthcheck:
# The whole probe comes from the healthcheck-worker anchor, defined outside this section.
<<: *healthcheck-worker
labels: *release-labels
# --- Slot 46: Unknowns ----------------------------------------------------
# unknowns-web: published on loopback address 127.1.0.45 port 80 only (the
# slot header says 46, the address ends in .45); alias
# unknowns.stella-ops.local on the stellaops network, also on frontdoor.
unknowns-web:
image: stellaops/unknowns-web:dev
container_name: stellaops-unknowns-web
restart: unless-stopped
depends_on: *depends-infra
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: *kestrel-cert
# Both keys receive the same shared platform connection string.
ConnectionStrings__Default: *postgres-connection
ConnectionStrings__UnknownsDb: *postgres-connection
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- *cert-volume
ports:
- "127.1.0.45:80:80"
networks:
stellaops:
aliases:
- unknowns.stella-ops.local
frontdoor: {}
healthcheck:
# TCP connect probe against port 80; timing fields come from the merged anchor.
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Console (Angular frontend) -------------------------------------------
# web-ui: console frontend; host port 80 on loopback address 127.1.0.1 maps to
# container port 8080. Alias stella-ops.local on the stellaops network, also
# attached to frontdoor.
web-ui:
image: stellaops/console:dev
container_name: stellaops-web-ui
restart: unless-stopped
# List form: start order only, no wait for the platform service to be healthy.
depends_on:
- platform
environment:
# NOTE(review): the backend is addressed over plain HTTP; fine while traffic
# stays on the compose network, not if this base URL is ever a routed host.
STELLAOPS_UI__BACKEND__BASEURL: "http://platform.stella-ops.local"
ports:
- "127.1.0.1:80:8080"
networks:
stellaops:
aliases:
- stella-ops.local
frontdoor: {}
healthcheck:
# HTTP probe against the container's own port 8080; requires wget in the image.
test: ["CMD", "wget", "-qO-", "http://localhost:8080/"]
<<: *healthcheck-tcp
labels: *release-labels