stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
6592cdcc9bf1e38d09485da707acbd8780e26d43
git.stella-ops.org/devops/compose/docker-compose.stella-services.yml
master 6592cdcc9b refactor(graph): absorb Cartographer into graph-api + wire Graph Indexer 
- Wire Graph Indexer library + Persistence into graph-api (csproj refs + DI)
- Add build/overlay endpoints matching Scheduler HTTP contracts
  (POST/GET /api/graphs/builds, POST/GET /api/graphs/overlays)
- Add PostgresGraphRepository for reading from graph.graph_nodes/edges
- Register SBOM ingest, analytics, change-stream, and inspector pipelines
- Comment out Cartographer container in compose (empty shell, Slot 21)
- Add cartographer.stella-ops.local as backwards-compat alias on graph-api
- Update Scheduler config to target graph.stella-ops.local
- Update services-matrix.env, hosts file, port-registry, module-matrix
- Update component-map, architecture docs, Scanner/Graph READMEs
- Eliminates 1 container (stellaops-cartographer)

All 133 existing tests pass (77 Api + 37 Indexer + 19 Core).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 15:48:18 +03:00

2078 lines
91 KiB
YAML
Raw Blame History

# =============================================================================
# STELLA OPS - APPLICATION SERVICES
# =============================================================================
# All 57+ Stella Ops microservices. Requires the infrastructure layer from
# docker-compose.stella-infra.yml to be running (postgres, valkey, rustfs, etc.).
#
# The "stellaops" network is created by the infra file and referenced here
# as external. The "frontdoor" network remains external as before.
#
# Usage (full stack):
# docker compose \
# -f docker-compose.stella-infra.yml \
# -f docker-compose.stella-services.yml up -d
#
# With overlays (compliance, telemetry, dev-ui):
# docker compose \
# -f docker-compose.stella-infra.yml \
# -f docker-compose.stella-services.yml \
# -f docker-compose.compliance-china.yml up -d
#
# Legacy single-file mode (original monolith):
# docker compose -f docker-compose.stella-ops.yml up -d
#
# =============================================================================
# Anchor migration notes:
# - *postgres-connection -> ${STELLAOPS_POSTGRES_CONNECTION}
# - *postgres-authority-connection -> ${STELLAOPS_POSTGRES_AUTHORITY_CONNECTION}
# - *cert-volume -> ${STELLAOPS_CERT_VOLUME}
# - *ca-bundle -> ${STELLAOPS_CA_BUNDLE_VOLUME}
# - *depends-infra -> removed (services have connection retry logic)
# - All structural anchors (router-defaults, resources, GC, healthchecks)
# are redefined locally in this file.
# =============================================================================
x-release-labels: &release-labels
com.stellaops.release.version: "2025.10.0"
com.stellaops.release.channel: "stable"
com.stellaops.profile: "default"
x-kestrel-cert: &kestrel-cert
Kestrel__Certificates__Default__Path: "/app/etc/certs/kestrel-dev.pfx"
Kestrel__Certificates__Default__Password: "devpass"
x-plugin-tmpfs: &plugin-tmpfs
/app/plugins:
mode: "1777"
x-router-microservice-defaults: &router-microservice-defaults
Router__Region: "local"
Router__Gateways__0__Host: "router.stella-ops.local"
Router__Gateways__0__Port: "9100"
Router__Gateways__0__TransportType: "Messaging"
Router__OnMissingAuthorization: "${ROUTER_ON_MISSING_AUTHORIZATION:-WarnAndAllow}"
Router__TransportPlugins__Directory: "/app/plugins/router/transports"
Router__TransportPlugins__SearchPattern: "StellaOps.Router.Transport.*.dll"
Router__Messaging__Transport: "valkey"
Router__Messaging__PluginDirectory: "/app/plugins/messaging"
Router__Messaging__SearchPattern: "StellaOps.Messaging.Transport.*.dll"
Router__Messaging__RequestQueueTemplate: "router:requests:{service}"
Router__Messaging__ResponseQueueName: "router:responses"
Router__Messaging__RequestTimeout: "30s"
Router__Messaging__LeaseDuration: "5m"
Router__Messaging__BatchSize: "10"
Router__Messaging__HeartbeatInterval: "${ROUTER_MESSAGING_HEARTBEAT_INTERVAL:-30s}"
Router__RegistrationRefreshIntervalSeconds: "${ROUTER_REGISTRATION_REFRESH_INTERVAL_SECONDS:-30}"
Router__Messaging__valkey__ConnectionString: "cache.stella-ops.local:6379"
Router__Messaging__valkey__Database: "0"
Router__Messaging__valkey__QueueWaitTimeoutSeconds: "${VALKEY_QUEUE_WAIT_TIMEOUT:-0}"
# Identity envelope verification (signed by gateway, verified by services)
Router__IdentityEnvelopeSigningKey: "${STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY}"
x-healthcheck-tcp: &healthcheck-tcp
interval: ${HEALTHCHECK_INTERVAL:-60s}
timeout: 5s
retries: 3
start_period: 15s
x-healthcheck-worker: &healthcheck-worker
test: ["CMD", "/usr/local/bin/healthcheck.sh"]
interval: ${HEALTHCHECK_INTERVAL:-60s}
timeout: 5s
start_period: 30s
retries: 3
# ---------------------------------------------------------------------------
# Resource limit tiers (Workstream 1: CPU optimization)
# ---------------------------------------------------------------------------
x-resources-heavy: &resources-heavy
deploy:
resources:
limits:
cpus: "1.0"
memory: 2G
x-resources-medium: &resources-medium
deploy:
resources:
limits:
cpus: "0.50"
memory: 1G
x-resources-light: &resources-light
deploy:
resources:
limits:
cpus: "0.25"
memory: 512M
# ---------------------------------------------------------------------------
# .NET GC tuning tiers (Workstream 6: GC configuration)
# ---------------------------------------------------------------------------
x-gc-heavy: &gc-heavy
DOTNET_gcServer: "1"
DOTNET_GCConserveMemory: "5"
DOTNET_GCDynamicAdaptationMode: "1"
x-gc-medium: &gc-medium
DOTNET_gcServer: "1"
DOTNET_GCConserveMemory: "7"
DOTNET_GCDynamicAdaptationMode: "1"
x-gc-light: &gc-light
DOTNET_gcServer: "0"
DOTNET_GCConserveMemory: "9"
DOTNET_GCDynamicAdaptationMode: "1"
networks:
stellaops:
external: true
name: stellaops
frontdoor:
external: true
name: ${FRONTDOOR_NETWORK:-stellaops_frontdoor}
volumes:
concelier-jobs:
scanner-surface-cache:
scanner-cache-data:
console-dist:
advisory-ai-queue:
advisory-ai-plans:
advisory-ai-outputs:
evidence-data:
services:
# ===========================================================================
# APPLICATION SERVICES (ordered by port-registry slot)
# ===========================================================================
# --- Console builder (init container) ---------------------------------------
console-builder:
image: stellaops/console:dev
container_name: stellaops-console-builder
user: "0:0"
entrypoint: ["sh", "-c"]
command: ["cp -r /usr/share/nginx/html/browser/* /output/ 2>/dev/null || cp -r /usr/share/nginx/html/* /output/"]
volumes:
- console-dist:/output
restart: "no"
networks:
- stellaops
# --- Slot 0: Router Gateway (Front Door) -----------------------------------
router-gateway:
<<: *resources-heavy
image: stellaops/router-gateway:dev
container_name: stellaops-router-gateway
restart: unless-stopped
depends_on:
console-builder:
condition: service_completed_successfully
environment:
ASPNETCORE_URLS: "http://0.0.0.0:8080;https://0.0.0.0:443"
<<: [*kestrel-cert, *gc-heavy]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Gateway__Auth__DpopEnabled: "false"
Gateway__Auth__Authority__Issuer: "https://authority.stella-ops.local/"
Gateway__Auth__Authority__RequireHttpsMetadata: "false"
Gateway__Auth__Authority__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
Gateway__Auth__Authority__ClaimsOverridesUrl: "${ROUTER_AUTHORITY_CLAIMS_OVERRIDES_URL:-http://authority.stella-ops.local}"
Gateway__Transports__Messaging__Enabled: "${ROUTER_GATEWAY_MESSAGING_ENABLED:-true}"
Gateway__Transports__Messaging__transport: "valkey"
Gateway__Transports__Messaging__ConnectionString: "cache.stella-ops.local:6379"
Gateway__Transports__Messaging__Database: "0"
Gateway__Transports__Messaging__valkey__ConnectionString: "cache.stella-ops.local:6379"
Gateway__Transports__Messaging__valkey__Database: "0"
Gateway__Transports__Messaging__valkey__QueueWaitTimeoutSeconds: "${VALKEY_QUEUE_WAIT_TIMEOUT:-0}"
Gateway__Transports__Messaging__RequestQueueTemplate: "router:requests:{service}"
Gateway__Transports__Messaging__ResponseQueueName: "router:responses"
Gateway__Transports__Messaging__ConsumerGroup: "router-gateway"
Gateway__Transports__Messaging__RequestTimeout: "30s"
Gateway__Transports__Messaging__LeaseDuration: "5m"
Gateway__Transports__Messaging__BatchSize: "10"
Gateway__Transports__Messaging__HeartbeatInterval: "${ROUTER_MESSAGING_HEARTBEAT_INTERVAL:-30s}"
# Identity envelope signing (gateway -> microservice auth)
Gateway__Auth__IdentityEnvelopeSigningKey: "${STELLAOPS_IDENTITY_ENVELOPE_SIGNING_KEY}"
# Audience validation disabled until authority includes aud in access tokens
# Gateway__Auth__Authority__Audiences__0: "stella-ops-api"
# Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Information"
# Logging__LogLevel__Microsoft.IdentityModel: "Debug"
Logging__LogLevel__Microsoft.IdentityModel: "Information"
# Logging__LogLevel__StellaOps: "Debug"
Logging__LogLevel__StellaOps: "Information"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- console-dist:/app/wwwroot:ro
- ${ROUTER_GATEWAY_CONFIG:-./router-gateway-local.json}:/app/appsettings.local.json:ro
- ./envsettings-override.json:/app/envsettings-override.json:ro
- ./gateway-ca-bundle.crt:/etc/ssl/certs/ca-certificates.crt:ro
ports:
- "127.1.0.1:80:8080"
- "127.1.0.1:443:443"
networks:
stellaops:
aliases:
- router.stella-ops.local
- stella-ops.local
healthcheck:
test: ["CMD-SHELL", "bash -lc 'exec 3<>/dev/tcp/127.0.0.1/8080 && printf \"GET /health/ready HTTP/1.1\\r\\nHost: localhost\\r\\nConnection: close\\r\\n\\r\\n\" >&3 && head -n 1 <&3 | grep -q \"200\"'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 1: Platform ------------------------------------------------------
platform:
<<: *resources-heavy
image: stellaops/platform:dev
container_name: stellaops-platform
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-heavy]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Platform__Authority__Issuer: "https://authority.stella-ops.local/"
Platform__Authority__RequireHttpsMetadata: "false"
Platform__Authority__BypassNetworks__0: "172.0.0.0/8"
Platform__Authority__BypassNetworks__1: "127.0.0.0/8"
Platform__Authority__BypassNetworks__2: "::1/128"
# Logging__LogLevel__StellaOps.Auth: "Debug"
Logging__LogLevel__StellaOps.Auth: "Information"
# Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Information"
# Logging__LogLevel__Microsoft.AspNetCore.Authorization: "Debug"
Logging__LogLevel__Microsoft.AspNetCore.Authorization: "Information"
Platform__Storage__Driver: "postgres"
Platform__Storage__PostgresConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
Platform__EnvironmentSettings__AuthorizeEndpoint: "https://stella-ops.local/connect/authorize"
Platform__EnvironmentSettings__TokenEndpoint: "https://stella-ops.local/connect/token"
Platform__EnvironmentSettings__RedirectUri: "https://stella-ops.local/auth/callback"
Platform__EnvironmentSettings__PostLogoutRedirectUri: "https://stella-ops.local/"
Platform__EnvironmentSettings__Scope: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:tenants.write authority:users.read authority:users.write authority:roles.read authority:roles.write authority:clients.read authority:clients.write authority:tokens.read authority:tokens.revoke authority:branding.read authority:branding.write authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read orch:operate orch:quota analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read release:write release:publish scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate packs.read packs.write packs.run packs.approve registry.admin timeline:read timeline:write trust:read trust:write trust:admin signer:read signer:sign signer:rotate signer:admin"
STELLAOPS_ROUTER_URL: "http://router.stella-ops.local"
STELLAOPS_PLATFORM_URL: "http://platform.stella-ops.local"
STELLAOPS_AUTHORITY_URL: "http://authority.stella-ops.local"
STELLAOPS_GATEWAY_URL: "http://router.stella-ops.local"
STELLAOPS_ATTESTOR_URL: "http://attestor.stella-ops.local"
STELLAOPS_EVIDENCELOCKER_URL: "http://evidencelocker.stella-ops.local"
STELLAOPS_SCANNER_URL: "http://scanner.stella-ops.local"
STELLAOPS_CONCELIER_URL: "http://concelier.stella-ops.local"
STELLAOPS_EXCITITOR_URL: "http://excititor.stella-ops.local"
STELLAOPS_VEXHUB_URL: "http://vexhub.stella-ops.local"
STELLAOPS_VEXLENS_URL: "http://vexlens.stella-ops.local"
STELLAOPS_VULNEXPLORER_URL: "http://findings.stella-ops.local"
STELLAOPS_POLICY_ENGINE_URL: "http://policy-engine.stella-ops.local"
# STELLAOPS_POLICY_GATEWAY_URL removed: gateway merged into policy-engine
STELLAOPS_RISKENGINE_URL: "http://riskengine.stella-ops.local"
# STELLAOPS_JOBENGINE_URL removed: WebService retired; audit/first-signal now served by release-orchestrator
STELLAOPS_RELEASE_ORCHESTRATOR_URL: "http://release-orchestrator.stella-ops.local"
# STELLAOPS_TASKRUNNER_URL removed: TaskRunner service deleted
STELLAOPS_SCHEDULER_URL: "http://scheduler.stella-ops.local"
STELLAOPS_GRAPH_URL: "http://graph.stella-ops.local"
# STELLAOPS_CARTOGRAPHER_URL: merged into graph-api; use STELLAOPS_GRAPH_URL instead
STELLAOPS_CARTOGRAPHER_URL: "http://graph.stella-ops.local"
STELLAOPS_REACHGRAPH_URL: "http://reachgraph.stella-ops.local"
STELLAOPS_TIMELINEINDEXER_URL: "http://timelineindexer.stella-ops.local"
STELLAOPS_TIMELINE_URL: "http://timeline.stella-ops.local"
STELLAOPS_FINDINGS_LEDGER_URL: "http://findings.stella-ops.local"
STELLAOPS_DOCTOR_URL: "http://doctor.stella-ops.local"
STELLAOPS_OPSMEMORY_URL: "http://opsmemory.stella-ops.local"
STELLAOPS_NOTIFIER_URL: "http://notify.stella-ops.local"
STELLAOPS_NOTIFY_URL: "http://notify.stella-ops.local"
STELLAOPS_SIGNER_URL: "http://signer.stella-ops.local"
STELLAOPS_SMREMOTE_URL: "http://smremote.stella-ops.local"
STELLAOPS_AIRGAP_CONTROLLER_URL: "http://airgap-controller.stella-ops.local"
STELLAOPS_AIRGAP_TIME_URL: "http://airgap-time.stella-ops.local"
STELLAOPS_PACKSREGISTRY_URL: "http://packsregistry.stella-ops.local"
STELLAOPS_REGISTRY_TOKENSERVICE_URL: "http://registry-token.stella-ops.local"
STELLAOPS_BINARYINDEX_URL: "http://binaryindex.stella-ops.local"
STELLAOPS_ISSUERDIRECTORY_URL: "http://issuerdirectory.stella-ops.local"
STELLAOPS_SYMBOLS_URL: "http://symbols.stella-ops.local"
STELLAOPS_SBOMSERVICE_URL: "http://sbomservice.stella-ops.local"
STELLAOPS_EXPORTCENTER_URL: "http://exportcenter.stella-ops.local"
STELLAOPS_REPLAY_URL: "http://replay.stella-ops.local"
STELLAOPS_INTEGRATIONS_URL: "http://integrations.stella-ops.local"
STELLAOPS_SIGNALS_URL: "http://signals.stella-ops.local"
STELLAOPS_ADVISORYAI_URL: "http://advisoryai.stella-ops.local"
STELLAOPS_UNKNOWNS_URL: "http://unknowns.stella-ops.local"
Router__Enabled: "${PLATFORM_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "platform"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
ports:
- "127.1.0.3:80:80"
networks:
stellaops:
aliases:
- platform.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 2: Authority -----------------------------------------------------
authority:
<<: *resources-heavy
image: stellaops/authority:dev
container_name: stellaops-authority
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8440"
Kestrel__Certificates__Default__Path: "/app/etc/authority/keys/kestrel-dev.pfx"
Kestrel__Certificates__Default__Password: "devpass"
STELLAOPS_DISABLE_TRANSPORT_SECURITY: "true"
STELLAOPS_AUTHORITY_AUTHORITY__ACCESSTOKENLIFETIME: "00:30:00"
STELLAOPS_AUTHORITY_AUTHORITY__SCHEMAVERSION: "1"
STELLAOPS_AUTHORITY_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER:-http://authority.stella-ops.local}"
STELLAOPS_AUTHORITY_AUTHORITY__STORAGE__CONNECTIONSTRING: "${STELLAOPS_POSTGRES_AUTHORITY_CONNECTION}"
STELLAOPS_AUTHORITY_AUTHORITY__CACHE__REDIS__CONNECTIONSTRING: "cache.stella-ops.local:6379"
STELLAOPS_AUTHORITY_AUTHORITY__SIGNING__ACTIVEKEYID: "dev-signing-key-1"
STELLAOPS_AUTHORITY_AUTHORITY__SIGNING__KEYPATH: "/app/etc/authority/keys/signing-dev.pem"
STELLAOPS_AUTHORITY_AUTHORITY__NOTIFICATIONS__ACKTOKENS__ACTIVEKEYID: "dev-ack-key-1"
STELLAOPS_AUTHORITY_AUTHORITY__NOTIFICATIONS__ACKTOKENS__KEYPATH: "/app/etc/authority/keys/ack-token-dev.pem"
STELLAOPS_AUTHORITY_AUTHORITY__NOTIFICATIONS__WEBHOOKS__ALLOWEDHOSTS__0: "notify.stella-ops.local"
STELLAOPS_AUTHORITY_AUTHORITY__NOTIFICATIONS__ESCALATION__SCOPE: "notify.escalate"
STELLAOPS_AUTHORITY_AUTHORITY__BOOTSTRAP__ENABLED: "${AUTHORITY_BOOTSTRAP_ENABLED:-true}"
STELLAOPS_AUTHORITY_AUTHORITY__BOOTSTRAP__APIKEY: "${AUTHORITY_BOOTSTRAP_APIKEY:-stellaops-dev-bootstrap-key}"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINDIRECTORIES__0: "/app"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority/plugins"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__Type: "standard"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__AssemblyName: "StellaOps.Authority.Plugin.Standard"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__Enabled: "true"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__TenantId: "demo-prod"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Username: "admin"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Password: "Admin@Stella2026!"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapUser__Roles__0: "admin"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__ClientId: "stella-ops-ui"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__DisplayName: "Stella Ops Console"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__AllowedGrantTypes: "authorization_code refresh_token"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__AllowedScopes: "openid profile email offline_access ui.read ui.admin ui.preferences.read ui.preferences.write authority:tenants.read authority:tenants.write authority:users.read authority:users.write authority:roles.read authority:roles.write authority:clients.read authority:clients.write authority:tokens.read authority:tokens.revoke authority:branding.read authority:branding.write authority.audit.read graph:read sbom:read scanner:read policy:read policy:simulate policy:author policy:review policy:approve policy:run policy:activate policy:audit policy:edit policy:operate policy:publish airgap:seal airgap:status:read orch:read orch:operate orch:quota analytics.read advisory:read advisory-ai:view advisory-ai:operate vex:read vexhub:read exceptions:read exceptions:approve aoc:verify findings:read release:read release:write release:publish scheduler:read scheduler:operate notify.viewer notify.operator notify.admin notify.escalate evidence:read export.viewer export.operator export.admin vuln:view vuln:investigate vuln:operate vuln:audit platform.context.read platform.context.write doctor:run doctor:admin ops.health integration:read integration:write integration:operate packs.read packs.write packs.run packs.approve registry.admin timeline:read timeline:write trust:read trust:write trust:admin signer:read signer:sign signer:rotate signer:admin"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__RedirectUris: "https://stella-ops.local/auth/callback https://stella-ops.local/auth/silent-refresh https://127.1.0.1/auth/callback https://127.1.0.1/auth/silent-refresh"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__PostLogoutRedirectUris: "https://stella-ops.local/ https://127.1.0.1/"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__RequirePkce: "true"
STELLAOPS_AUTHORITY_AUTHORITY__PLUGINS__DESCRIPTORS__standard__BootstrapClients__0__AllowPlainTextPkce: "false"
STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__ID: "demo-prod"
STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__DISPLAYNAME: "Demo Production"
STELLAOPS_AUTHORITY_AUTHORITY__TENANTS__0__STATUS: "active"
<<: [*router-microservice-defaults, *gc-heavy]
Router__Enabled: "${AUTHORITY_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "authority"
volumes:
- ../../etc/authority:/app/etc/authority:ro
- ../../etc/certificates/trust-roots:/etc/ssl/certs/stellaops:ro
ports:
- "127.1.0.4:80:80"
networks:
stellaops:
aliases:
- authority.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 3: (removed -- Gateway consolidated into Router Gateway, slot 0) ---
# --- Slot 4: Attestor ------------------------------------------------------
attestor:
<<: *resources-light
image: stellaops/attestor:dev
container_name: stellaops-attestor
restart: unless-stopped
depends_on:
- signer
environment:
ASPNETCORE_URLS: "http://+:8442"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ATTESTOR_ATTESTOR__SIGNER__BASEURL: "http://signer.stella-ops.local"
ATTESTOR_ATTESTOR__POSTGRES__CONNECTIONSTRING: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
Router__Enabled: "${ATTESTOR_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "attestor"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
ports:
- "127.1.0.6:80:80"
networks:
stellaops:
aliases:
- attestor.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 5: Attestor TileProxy --------------------------------------------
attestor-tileproxy:
<<: *resources-light
image: stellaops/attestor-tileproxy:dev
container_name: stellaops-attestor-tileproxy
restart: unless-stopped
depends_on:
- attestor
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *gc-light]
TILE_PROXY__tile_proxy__UpstreamUrl: "https://rekor.sigstore.dev"
TILE_PROXY__tile_proxy__Origin: "stellaops-tileproxy"
TILE_PROXY__tile_proxy__Cache__BasePath: "/var/cache/stellaops/tiles"
TILE_PROXY__tile_proxy__Cache__MaxSizeGb: "1"
volumes:
- ${STELLAOPS_CERT_VOLUME}
tmpfs:
- /var/cache/stellaops/tiles:mode=1777
networks:
stellaops:
aliases:
- attestor-tileproxy.stella-ops.local
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/8080'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 6: Evidence Locker ------------------------------------------------
evidence-locker-web:
<<: *resources-light
image: stellaops/evidence-locker-web:dev
container_name: stellaops-evidence-locker-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
EvidenceLocker__Database__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
EvidenceLocker__Database__ApplyMigrationsAtStartup: "true"
EvidenceLocker__ObjectStore__Kind: "FileSystem"
EvidenceLocker__ObjectStore__FileSystem__RootPath: "/data/evidence"
EvidenceLocker__ObjectStore__EnforceWriteOnce: "false"
EvidenceLocker__Signing__Enabled: "false"
EvidenceLocker__Signing__Algorithm: "ES256"
EvidenceLocker__Signing__KeyId: "dev-evidence-key"
EvidenceLocker__Quotas__MaxMaterialCount: "128"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
EvidenceLocker__Authority__BaseUrl: "https://authority.stella-ops.local"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
Authority__ResourceServer__BypassNetworks__2: "::1/128"
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
Authority__ResourceServer__BypassNetworks__4: "::/0"
Router__Enabled: "${EVIDENCELOCKER_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "evidencelocker"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
- evidence-data:/data/evidence
ports:
- "127.1.0.7:80:80"
networks:
stellaops:
aliases:
- evidencelocker.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
evidence-locker-worker:
<<: *resources-light
image: stellaops/evidence-locker-worker:dev
container_name: stellaops-evidence-locker-worker
restart: unless-stopped
environment:
<<: [*kestrel-cert, *gc-light]
EvidenceLocker__Database__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
EvidenceLocker__Database__ApplyMigrationsAtStartup: "true"
EvidenceLocker__ObjectStore__Kind: "FileSystem"
EvidenceLocker__ObjectStore__FileSystem__RootPath: "/data/evidence"
EvidenceLocker__ObjectStore__EnforceWriteOnce: "false"
EvidenceLocker__Signing__Enabled: "false"
EvidenceLocker__Signing__Algorithm: "ES256"
EvidenceLocker__Signing__KeyId: "dev-evidence-key"
EvidenceLocker__Quotas__MaxMaterialCount: "128"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- evidence-data:/data/evidence
networks:
stellaops:
aliases:
- evidence-locker-worker.stella-ops.local
healthcheck:
<<: *healthcheck-worker
labels: *release-labels
# --- Slot 8: Scanner -------------------------------------------------------
scanner-cache-init:
image: stellaops/scanner-worker:dev
container_name: stellaops-scanner-cache-init
restart: "no"
user: "0:0"
entrypoint:
- /bin/sh
- -lc
- |
mkdir -p /var/lib/stellaops/cache/scanner/layers /var/lib/stellaops/cache/scanner/cas &&
chown -R 10001:10001 /var/lib/stellaops/cache/scanner &&
chmod -R u+rwX,go-rwx /var/lib/stellaops/cache/scanner
volumes:
- scanner-cache-data:/var/lib/stellaops/cache/scanner
networks:
stellaops: {}
labels: *release-labels
scanner-web:
<<: *resources-heavy
image: stellaops/scanner-web:dev
container_name: stellaops-scanner-web
restart: unless-stopped
depends_on:
scanner-cache-init:
condition: service_completed_successfully
environment:
ASPNETCORE_URLS: "http://+:8444"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-heavy]
SCANNER_SCANNER__PLUGINS__BASEDIRECTORY: "/tmp/stellaops"
SCANNER_SCANNER__STORAGE__DRIVER: "postgres"
SCANNER_SCANNER__STORAGE__DSN: "${STELLAOPS_POSTGRES_CONNECTION}"
SCANNER_SCANNER__STORAGE__COMMANDTIMEOUTSECONDS: "30"
SCANNER_SCANNER__STORAGE__HEALTHCHECKTIMEOUTSECONDS: "5"
SCANNER_SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
SCANNER_SCANNER__ARTIFACTSTORE__ENDPOINT: "http://s3.stella-ops.local:8333"
SCANNER_SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
SCANNER_SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
SCANNER_SCANNER__QUEUE__DRIVER: "redis"
SCANNER_SCANNER__QUEUE__DSN: "cache.stella-ops.local:6379"
SCANNER_SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-false}"
SCANNER_SCANNER__EVENTS__DRIVER: "redis"
SCANNER_SCANNER__EVENTS__DSN: "cache.stella-ops.local:6379"
SCANNER_SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
SCANNER_SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
SCANNER_SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
SCANNER_SCANNER__CACHE__ROOTPATH: "/var/lib/stellaops/cache/scanner"
SCANNER_SCANNER__OFFLINEKIT__ENABLED: "${SCANNER_OFFLINEKIT_ENABLED:-false}"
SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://s3.stella-ops.local:8333}"
SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}"
SCANNER_SURFACE_CACHE_ROOT: "${SCANNER_SURFACE_CACHE_ROOT:-/var/lib/stellaops/surface}"
SCANNER_SURFACE_CACHE_QUOTA_MB: "${SCANNER_SURFACE_CACHE_QUOTA_MB:-4096}"
SCANNER_SURFACE_PREFETCH_ENABLED: "${SCANNER_SURFACE_PREFETCH_ENABLED:-false}"
SCANNER_SURFACE_TENANT: "${SCANNER_SURFACE_TENANT:-default}"
SCANNER_SURFACE_FEATURES: "${SCANNER_SURFACE_FEATURES:-}"
SCANNER_SURFACE_SECRETS_PROVIDER: "${SCANNER_SURFACE_SECRETS_PROVIDER:-file}"
SCANNER_SURFACE_SECRETS_NAMESPACE: "${SCANNER_SURFACE_SECRETS_NAMESPACE:-}"
SCANNER_SURFACE_SECRETS_ROOT: "${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}"
SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER: "${SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER:-}"
SCANNER_SURFACE_SECRETS_ALLOW_INLINE: "${SCANNER_SURFACE_SECRETS_ALLOW_INLINE:-false}"
Router__Enabled: "${SCANNER_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "scanner"
volumes:
- ../../etc/scanner:/app/etc/scanner:ro
- ../../etc/certificates/trust-roots:/etc/ssl/certs/stellaops:ro
- ${SURFACE_SECRETS_HOST_PATH:-./offline/surface-secrets}:${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}:ro
- ${SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH:-./offline/trust-roots}:${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}:ro
- ${SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH:-./offline/rekor-snapshot}:${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}:ro
- ${STELLAOPS_CERT_VOLUME}
- scanner-cache-data:/var/lib/stellaops/cache/scanner
tmpfs:
- /var/lib/stellaops/surface:mode=1777
ports:
- "127.1.0.8:80:80"
networks:
stellaops:
aliases:
- scanner.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
scanner-worker:
<<: *resources-heavy
image: stellaops/scanner-worker:dev
container_name: stellaops-scanner-worker
restart: unless-stopped
depends_on:
scanner-cache-init:
condition: service_completed_successfully
environment:
<<: [*kestrel-cert, *gc-heavy]
# Scanner worker options
Scanner__Worker__Authority__Enabled: "false"
BinaryIndex__Enabled: "false"
# Scanner storage (Postgres + S3/RustFS object store)
ScannerStorage__Postgres__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
ScannerStorage__Postgres__SchemaName: "scanner"
ScannerStorage__ObjectStore__Driver: "rustfs"
ScannerStorage__ObjectStore__BucketName: "scanner-artifacts"
ScannerStorage__ObjectStore__RustFs__BaseUrl: "http://s3.stella-ops.local:8333"
# Surface environment (read via Environment.GetEnvironmentVariable)
SCANNER_SURFACE_FS_ENDPOINT: "http://s3.stella-ops.local:8333"
SURFACE_FS_ENDPOINT: "http://s3.stella-ops.local:8333"
SCANNER_SURFACE_SECRETS_NAMESPACE: "stellaops"
SCANNER_SURFACE_SECRETS_PROVIDER: "file"
SCANNER_SURFACE_SECRETS_ROOT: "/var/lib/stellaops/surface"
SCANNER_SURFACE_VALIDATION_DISABLED: "true"
SCANNER_SCANNER__CACHE__ROOTPATH: "/var/lib/stellaops/cache/scanner"
# EPSS bundle source path (EpssBundleSource constructor)
EPSS_BUNDLE_PATH: "/app/epss"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- scanner-cache-data:/var/lib/stellaops/cache/scanner
tmpfs:
- /var/lib/stellaops/surface:mode=1777
- /app/epss:mode=1777
networks:
stellaops:
aliases:
- scanner-worker.stella-ops.local
healthcheck:
<<: *healthcheck-worker
labels: *release-labels
# --- Slot 9: Concelier -----------------------------------------------------
concelier:
<<: *resources-medium
image: stellaops/concelier:dev
container_name: stellaops-concelier
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
CONCELIER_PLUGINS__BASEDIRECTORY: "/tmp/stellaops"
CONCELIER_POSTGRESSTORAGE__CONNECTIONSTRING: "${STELLAOPS_POSTGRES_CONNECTION}"
CONCELIER_POSTGRESSTORAGE__ENABLED: "true"
CONCELIER_MIRROR__ENABLED: "true"
CONCELIER_MIRROR__EXPORTROOT: "/var/lib/concelier/jobs/mirror-exports"
CONCELIER_MIRROR__ACTIVEEXPORTID: "latest"
CONCELIER_S3__ENDPOINT: "http://s3.stella-ops.local:8333"
CONCELIER_AUTHORITY__ENABLED: "true"
CONCELIER_AUTHORITY__ISSUER: "https://authority.stella-ops.local/"
CONCELIER_AUTHORITY__REQUIREHTTPSMETADATA: "false"
CONCELIER_AUTHORITY__METADATAADDRESS: "https://authority.stella-ops.local/.well-known/openid-configuration"
CONCELIER_AUTHORITY__BYPASSNETWORKS__0: "172.19.0.0/16"
CONCELIER_AUTHORITY__BYPASSNETWORKS__1: "172.20.0.0/16"
CONCELIER_AUTHORITY__BYPASSNETWORKS__2: "0.0.0.0/0"
CONCELIER_AUTHORITY__AUDIENCES__0: "stellaops"
CONCELIER_AUTHORITY__BASEURL: "https://authority.stella-ops.local"
CONCELIER_AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
CONCELIER_AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
Router__Enabled: "${CONCELIER_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "concelier"
CONCELIER_IMPORT__STAGINGROOT: "/var/lib/concelier/import"
volumes:
- concelier-jobs:/var/lib/concelier/jobs
- ${STELLAOPS_AIRGAP_IMPORT_DIR:-./airgap-import}:/var/lib/concelier/import:ro
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
ports:
- "127.1.0.9:80:80"
networks:
stellaops:
aliases:
- concelier.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 10: Excititor ----------------------------------------------------
excititor-web:
<<: *resources-medium
image: stellaops/excititor-web:dev
container_name: stellaops-excititor-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
# Postgres options (section: Postgres:Excititor)
Postgres__Excititor__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
Postgres__Excititor__SchemaName: "vex"
Excititor__Concelier__BaseUrl: "http://concelier.stella-ops.local"
Excititor__Storage__Driver: "postgres"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
# TenantAuthorityOptionsValidator requires BaseUrls dict with at least one entry
Excititor__Authority__BaseUrls__default: "https://authority.stella-ops.local"
# IssuerDirectoryClientOptions.Validate() requires BaseAddress
IssuerDirectory__Client__BaseAddress: "http://issuerdirectory.stella-ops.local"
Router__Enabled: "${EXCITITOR_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "excititor"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
ports:
- "127.1.0.10:80:80"
networks:
stellaops:
aliases:
- excititor.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
excititor-worker:
<<: *resources-medium
image: stellaops/excititor-worker:dev
container_name: stellaops-excititor-worker
restart: unless-stopped
environment:
<<: [*kestrel-cert, *gc-medium]
# Postgres options (section: Postgres:Excititor)
Postgres__Excititor__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
Postgres__Excititor__SchemaName: "vex"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Excititor__Concelier__BaseUrl: "http://concelier.stella-ops.local"
Excititor__Storage__Driver: "postgres"
Excititor__Worker__DisableConsensus: "true"
# TenantAuthorityOptionsValidator requires BaseUrls dict with at least one entry
Excititor__Authority__BaseUrls__default: "https://authority.stella-ops.local"
# IssuerDirectoryClientOptions.Validate() requires BaseAddress
IssuerDirectory__Client__BaseAddress: "http://issuerdirectory.stella-ops.local"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
networks:
stellaops:
aliases:
- excititor-worker.stella-ops.local
healthcheck:
<<: *healthcheck-worker
labels: *release-labels
# --- Slot 11: VexHub -------------------------------------------------------
vexhub-web:
<<: *resources-light
image: stellaops/vexhub-web:dev
container_name: stellaops-vexhub-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Postgres__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
Postgres__SchemaName: "vexhub"
Router__Enabled: "${VEXHUB_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "vexhub"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.11:80:80"
networks:
stellaops:
aliases:
- vexhub.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 12: VexLens ------------------------------------------------------
vexlens-web:
<<: *resources-light
image: stellaops/vexlens-web:dev
container_name: stellaops-vexlens-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Router__Enabled: "${VEXLENS_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "vexlens"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.12:80:80"
networks:
stellaops:
aliases:
- vexlens.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 13: VulnExplorer (api) - MERGED into findings-ledger-web (SPRINT_20260408_002) ---
# VulnExplorer endpoints are now served by the Findings Ledger WebService.
# api:
# <<: *resources-light
# image: stellaops/api:dev
# container_name: stellaops-api
# restart: unless-stopped
# environment:
# ASPNETCORE_URLS: "http://+:8080"
# <<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
# ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
# ConnectionStrings__Redis: "cache.stella-ops.local:6379"
# Router__Enabled: "${VULNEXPLORER_ROUTER_ENABLED:-true}"
# Router__Messaging__ConsumerGroup: "vulnexplorer"
# volumes:
# - ${STELLAOPS_CERT_VOLUME}
# ports:
# - "127.1.0.13:80:80"
# networks:
# stellaops:
# aliases:
# - vulnexplorer.stella-ops.local
# frontdoor: {}
# healthcheck:
# test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
# <<: *healthcheck-tcp
# labels: *release-labels
# --- Slot 14: Policy Engine ------------------------------------------------
policy-engine:
<<: *resources-medium
image: stellaops/policy-engine:dev
container_name: stellaops-policy-engine
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
STELLAOPS_POLICY_ENGINE_Postgres__Policy__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
STELLAOPS_POLICY_ENGINE_ConnectionStrings__Redis: "cache.stella-ops.local:6379"
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__Authority: "https://authority.stella-ops.local/"
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__RequireHttpsMetadata: "false"
# UI tokens in local compose currently carry scopes but no aud claim.
# Keep this empty and let Program.cs explicitly clear default audience lists.
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__Audiences__0: ""
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__RequiredScopes__0: "policy:read"
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
STELLAOPS_POLICY_ENGINE_PolicyEngine__ResourceServer__BypassNetworks__2: "::1/128"
PolicyEngine__ResourceServer__Authority: "https://authority.stella-ops.local/"
PolicyEngine__ResourceServer__RequireHttpsMetadata: "false"
PolicyEngine__ResourceServer__Audiences__0: ""
PolicyEngine__ResourceServer__RequiredScopes__0: "policy:read"
PolicyEngine__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
PolicyEngine__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
PolicyEngine__ResourceServer__BypassNetworks__2: "::1/128"
# Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Information"
# Logging__LogLevel__Microsoft.IdentityModel: "Debug"
Logging__LogLevel__Microsoft.IdentityModel: "Information"
Router__Enabled: "${POLICY_ENGINE_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "policy-engine"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
ports:
- "127.1.0.14:80:80"
networks:
stellaops:
aliases:
- policy-engine.stella-ops.local
- policy-gateway.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 15: Policy Gateway (DEPRECATED - merged into policy-engine above)
# Kept commented out for reference; remove in next compose cleanup.
# policy:
# <<: *resources-medium
# image: stellaops/policy:dev
# container_name: stellaops-policy
# ... (merged into policy-engine service above)
# --- Slot 16: RiskEngine [src/Findings/StellaOps.RiskEngine.*] ---------------
riskengine-web:
<<: *resources-medium
image: stellaops/riskengine-web:dev
container_name: stellaops-riskengine-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
RISKENGINE__STORAGE__DRIVER: "postgres"
RISKENGINE__STORAGE__POSTGRES__CONNECTIONSTRING: "${STELLAOPS_POSTGRES_CONNECTION}"
Router__Enabled: "${RISKENGINE_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "riskengine"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.16:80:80"
networks:
stellaops:
aliases:
- riskengine.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
riskengine-worker:
<<: *resources-medium
image: stellaops/riskengine-worker:dev
container_name: stellaops-riskengine-worker
restart: unless-stopped
environment:
<<: [*kestrel-cert, *gc-medium]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- ${STELLAOPS_CERT_VOLUME}
healthcheck:
<<: *healthcheck-worker
networks:
stellaops:
aliases:
- riskengine-worker.stella-ops.local
labels: *release-labels
# --- Slot 48: Release Orchestrator ------------------------------------------
release-orchestrator:
<<: *resources-medium
image: stellaops/release-orchestrator:dev
container_name: stellaops-release-orchestrator
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
Authority__ResourceServer__BypassNetworks__2: "::1/128"
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
Authority__ResourceServer__BypassNetworks__4: "::/0"
# Scripts schema (moved from scheduler to release-orchestrator)
Scripts__Postgres__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
Scripts__Postgres__SchemaName: "scripts"
Router__Enabled: "${RELEASE_ORCHESTRATOR_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "release-orchestrator"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
ports:
- "127.1.0.47:80:8080"
networks:
stellaops:
aliases:
- release-orchestrator.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/8080'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 17: Orchestrator (DECOMPOSED) -------------------------------------
# jobengine and jobengine-worker removed.
# Release endpoints -> release-orchestrator service (Slot 47)
# Workflow orchestration -> workflow service (Slot 46)
# Scheduler remains in Slot 14 (scheduler-web / scheduler-worker)
# --- Slot 18: TaskRunner (REMOVED) ------------------------------------------
# taskrunner-web and taskrunner-worker deleted; task_runner_id DB columns left as nullable legacy
# --- Slot 19: Scheduler ----------------------------------------------------
scheduler-web:
<<: *resources-medium
image: stellaops/scheduler-web:dev
container_name: stellaops-scheduler-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Scheduler__Authority__Enabled: "false"
# Worker options are validated even in web mode
scheduler__queue__Kind: "Redis"
scheduler__queue__Redis__ConnectionString: "cache.stella-ops.local:6379"
Scheduler__Storage__Postgres__Scheduler__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
Scheduler__Storage__Postgres__Scheduler__SchemaName: "scheduler"
Scheduler__Worker__Runner__Scanner__BaseAddress: "http://scanner.stella-ops.local"
Scheduler__Worker__Graph__Cartographer__BaseAddress: "http://graph.stella-ops.local"
Scheduler__Worker__Graph__SchedulerApi__BaseAddress: "http://scheduler.stella-ops.local"
Scheduler__Worker__Policy__Api__BaseAddress: "http://policy.stella-ops.local"
Router__Enabled: "${SCHEDULER_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "scheduler"
volumes:
- ${STELLAOPS_CERT_VOLUME}
tmpfs:
- /plugins:mode=1777
ports:
- "127.1.0.19:80:80"
networks:
stellaops:
aliases:
- scheduler.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
scheduler-worker:
<<: *resources-medium
image: stellaops/scheduler-worker:dev
container_name: stellaops-scheduler-worker
restart: unless-stopped
environment:
<<: [*kestrel-cert, *gc-medium]
# Queue config (Redis transport)
scheduler__queue__Kind: "Redis"
scheduler__queue__Redis__ConnectionString: "cache.stella-ops.local:6379"
# Persistence config (section: Scheduler:Storage, subsection: Postgres:Scheduler)
Scheduler__Storage__Postgres__Scheduler__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
Scheduler__Storage__Postgres__Scheduler__SchemaName: "scheduler"
# Worker config
Scheduler__Worker__Runner__Scanner__BaseAddress: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner.stella-ops.local}"
Scheduler__Worker__Graph__Cartographer__BaseAddress: "http://graph.stella-ops.local"
Scheduler__Worker__Graph__SchedulerApi__BaseAddress: "http://scheduler.stella-ops.local"
Scheduler__Worker__Policy__Api__BaseAddress: "http://policy.stella-ops.local"
# Surface environment
SURFACE_FS_ENDPOINT: "http://s3.stella-ops.local:8333"
volumes:
- ${STELLAOPS_CERT_VOLUME}
tmpfs:
- /var/lib/stellaops/surface:mode=1777
networks:
stellaops:
aliases:
- scheduler-worker.stella-ops.local
healthcheck:
<<: *healthcheck-worker
labels: *release-labels
# --- Slot 20: Graph API ----------------------------------------------------
graph-api:
<<: *resources-medium
image: stellaops/graph-api:dev
container_name: stellaops-graph-api
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Router__Enabled: "${GRAPH_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "graph"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.20:80:80"
networks:
stellaops:
aliases:
- graph.stella-ops.local
# Backwards-compat: absorb Cartographer traffic (Slot 21 merged into graph-api)
- cartographer.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 21: Cartographer (RETIRED -- merged into graph-api Slot 20) ------
# cartographer:
# <<: *resources-light
# image: stellaops/cartographer:dev
# container_name: stellaops-cartographer
# restart: unless-stopped
# environment:
# ASPNETCORE_URLS: "http://+:8080"
# <<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
# ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
# ConnectionStrings__Redis: "cache.stella-ops.local:6379"
# Router__Enabled: "${CARTOGRAPHER_ROUTER_ENABLED:-true}"
# Router__Messaging__ConsumerGroup: "cartographer"
# volumes:
# - ${STELLAOPS_CERT_VOLUME}
# ports:
# - "127.1.0.21:80:80"
# networks:
# stellaops:
# aliases:
# - cartographer.stella-ops.local
# frontdoor: {}
# healthcheck:
# test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
# <<: *healthcheck-tcp
# labels: *release-labels
# --- Slot 22: ReachGraph ---------------------------------------------------
reachgraph-web:
<<: *resources-light
image: stellaops/reachgraph-web:dev
container_name: stellaops-reachgraph-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Router__Enabled: "${REACHGRAPH_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "reachgraph"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.22:80:80"
networks:
stellaops:
aliases:
- reachgraph.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 23: Timeline Indexer (MERGED into timeline-web in Slot 24) --------
# timeline-indexer-web and timeline-indexer-worker have been merged into
# timeline-web. The indexer endpoints, DI services, and background ingestion
# worker now run inside the unified timeline-web container.
# Network alias timelineindexer.stella-ops.local is preserved on timeline-web
# for backwards compatibility.
# timeline-indexer-web:
# <<: *resources-light
# image: stellaops/timeline-indexer-web:dev
# container_name: stellaops-timeline-indexer-web
# ...
# timeline-indexer-worker:
# <<: *resources-light
# image: stellaops/timeline-indexer-worker:dev
# container_name: stellaops-timeline-indexer-worker
# ...
# --- Slot 24: Timeline (unified: includes merged timeline-indexer) ----------
timeline-web:
<<: *resources-light
image: stellaops/timeline-web:dev
container_name: stellaops-timeline-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "http://authority.stella-ops.local/"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "172.20.0.0/16"
TIMELINE_Postgres__Timeline__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
Router__Enabled: "${TIMELINE_SERVICE_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "timeline"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.24:80:80"
networks:
stellaops:
aliases:
- timeline.stella-ops.local
- timelineindexer.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 25: Findings Ledger ----------------------------------------------
findings-ledger-web:
<<: *resources-medium
image: stellaops/findings-ledger-web:dev
container_name: stellaops-findings-ledger-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__FindingsLedger: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
findings__ledger__Database__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
findings__ledger__Authority__Issuer: "https://authority.stella-ops.local/"
findings__ledger__Authority__RequireHttpsMetadata: "false"
# Local compose UI tokens may omit aud; keep audience validation relaxed.
findings__ledger__Authority__Audiences__0: ""
findings__ledger__Authority__RequiredScopes__0: "findings:read"
findings__ledger__Authority__BypassNetworks__0: "172.19.0.0/16"
# Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Debug"
Logging__LogLevel__Microsoft.AspNetCore.Authentication: "Information"
# Logging__LogLevel__Microsoft.IdentityModel: "Debug"
Logging__LogLevel__Microsoft.IdentityModel: "Information"
findings__ledger__Attachments__EncryptionKey: "IiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiIiI="
findings__ledger__Attachments__SignedUrlBase: "http://findings.stella-ops.local/attachments"
findings__ledger__Attachments__SignedUrlSecret: "dev-signed-url-secret"
findings__ledger__Attachments__SignedUrlLifetime: "00:15:00"
findings__ledger__Attachments__RequireConsoleCsrf: "false"
Router__Enabled: "${FINDINGS_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "findings-ledger"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
ports:
- "127.1.0.25:80:80"
networks:
stellaops:
aliases:
- findings.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 26: Doctor -------------------------------------------------------
doctor-web:
<<: *resources-light
image: stellaops/doctor-web:dev
container_name: stellaops-doctor-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Doctor__Authority__Issuer: "https://authority.stella-ops.local/"
Doctor__Authority__RequireHttpsMetadata: "false"
Doctor__Authority__BypassNetworks__0: "172.19.0.0/16"
Router__Enabled: "${DOCTOR_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "doctor"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
ports:
- "127.1.0.26:80:80"
networks:
stellaops:
aliases:
- doctor.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# doctor-scheduler: DEPRECATED -- replaced by DoctorJobPlugin in the Scheduler service.
# Doctor health check scheduling is now handled by scheduler-web via the plugin architecture.
# This service will be removed in a future release. See:
# docs/implplan/SPRINT_20260408_003_JobEngine_scheduler_plugin_architecture.md
#
# doctor-scheduler:
# <<: *resources-light
# image: stellaops/doctor-scheduler:dev
# container_name: stellaops-doctor-scheduler
# restart: unless-stopped
# environment:
# ASPNETCORE_URLS: "http://+:80"
# <<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
# ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
# ConnectionStrings__Redis: "cache.stella-ops.local:6379"
# Router__Enabled: "${DOCTOR_SCHEDULER_ROUTER_ENABLED:-true}"
# Router__Messaging__ConsumerGroup: "doctor-scheduler"
# volumes:
# - ${STELLAOPS_CERT_VOLUME}
# healthcheck:
# test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
# <<: *healthcheck-tcp
# networks:
# stellaops:
# aliases:
# - doctor-scheduler.stella-ops.local
# labels: *release-labels
# --- Slot 27: OpsMemory (src/AdvisoryAI/StellaOps.OpsMemory.WebService) ---
opsmemory-web:
<<: *resources-light
image: stellaops/opsmemory-web:dev
container_name: stellaops-opsmemory-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Router__Enabled: "${OPSMEMORY_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "opsmemory"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.27:80:80"
networks:
stellaops:
aliases:
- opsmemory.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 28: Notifier (MERGED into notify-web — kept commented for rollback) ---
# notifier-web:
# <<: *resources-medium
# image: stellaops/notifier-web:dev
# container_name: stellaops-notifier-web
# restart: unless-stopped
# environment:
# ASPNETCORE_URLS: "http://+:8080"
# <<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
# ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
# ConnectionStrings__Redis: "cache.stella-ops.local:6379"
# Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
# Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
# Authority__ResourceServer__RequireHttpsMetadata: "false"
# Authority__ResourceServer__Audiences__0: ""
# Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
# Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
# Authority__ResourceServer__BypassNetworks__2: "::1/128"
# Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
# Authority__ResourceServer__BypassNetworks__4: "::/0"
# Router__Enabled: "${NOTIFIER_ROUTER_ENABLED:-true}"
# Router__Messaging__ConsumerGroup: "notifier"
# volumes:
# - ${STELLAOPS_CERT_VOLUME}
# - ${STELLAOPS_CA_BUNDLE_VOLUME}
# ports:
# - "127.1.0.28:80:80"
# networks:
# stellaops:
# aliases:
# - notifier.stella-ops.local
# frontdoor: {}
# healthcheck:
# test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
# <<: *healthcheck-tcp
# labels: *release-labels
notifier-worker:
<<: *resources-light
image: stellaops/notifier-worker:dev
container_name: stellaops-notifier-worker
restart: unless-stopped
environment:
<<: [*kestrel-cert, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
notifier__queue__Transport: "redis"
notifier__queue__Redis__ConnectionString: "cache.stella-ops.local:6379"
notifier__storage__postgres__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
volumes:
- ${STELLAOPS_CERT_VOLUME}
healthcheck:
<<: *healthcheck-worker
networks:
stellaops:
aliases:
- notifier-worker.stella-ops.local
labels: *release-labels
# --- Slot 29: Notify ------------------------------------------------------
notify-web:
<<: *resources-medium
image: stellaops/notify-web:dev
container_name: stellaops-notify-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
DOTNET_ENVIRONMENT: Production
NOTIFY_NOTIFY__STORAGE__DRIVER: "postgres"
NOTIFY_NOTIFY__STORAGE__CONNECTIONSTRING: "${STELLAOPS_POSTGRES_CONNECTION}"
NOTIFY_NOTIFY__STORAGE__DATABASE: "notify"
NOTIFY_NOTIFY__PLUGINS__BASEDIRECTORY: "/tmp/stellaops"
NOTIFY_NOTIFY__AUTHORITY__ENABLED: "false"
NOTIFY_NOTIFY__AUTHORITY__ALLOWANONYMOUSFALLBACK: "true"
NOTIFY_NOTIFY__AUTHORITY__DEVELOPMENTSIGNINGKEY: "StellaOps-Development-Key-NotifyService-2026!!"
NOTIFY_Postgres__Notify__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
Postgres__Notify__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
Router__Enabled: "${NOTIFY_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "notify"
volumes:
- ../../etc/notify:/app/etc/notify:ro
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.29:80:80"
networks:
stellaops:
aliases:
- notify.stella-ops.local
- notifier.stella-ops.local # merged from notifier-web
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 30: Signer ------------------------------------------------------
signer:
<<: *resources-light
image: stellaops/signer:dev
container_name: stellaops-signer
restart: unless-stopped
depends_on:
- authority
environment:
ASPNETCORE_URLS: "http://+:8441"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__KeyManagement: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
Router__Enabled: "${SIGNER_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "signer"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.30:80:80"
networks:
stellaops:
aliases:
- signer.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 31: SmRemote (moved to docker-compose.crypto-provider.smremote.yml) ---
# --- Slot 32: AirGap Controller --------------------------------------------
airgap-controller:
<<: *resources-light
image: stellaops/airgap-controller:dev
container_name: stellaops-airgap-controller
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Router__Enabled: "${AIRGAP_CONTROLLER_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "airgap-controller"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.32:80:80"
networks:
stellaops:
aliases:
- airgap-controller.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 33: AirGap Time -------------------------------------------------
airgap-time:
<<: *resources-light
image: stellaops/airgap-time:dev
container_name: stellaops-airgap-time
restart: unless-stopped
profiles: ["airgap"] # Requires time anchor file - air-gap specific
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
Router__Enabled: "${AIRGAP_TIME_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "airgap-time"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.33:80:80"
networks:
stellaops:
aliases:
- airgap-time.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 34: PacksRegistry -----------------------------------------------
packsregistry-web:
<<: *resources-light
image: stellaops/packsregistry-web:dev
container_name: stellaops-packsregistry-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
PACKSREGISTRY__STORAGE__DRIVER: "postgres"
PACKSREGISTRY__STORAGE__POSTGRES__CONNECTIONSTRING: "${STELLAOPS_POSTGRES_CONNECTION}"
PACKSREGISTRY__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
PACKSREGISTRY__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/app/data/packs"
Router__Enabled: "${PACKSREGISTRY_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "packsregistry"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.34:80:80"
networks:
stellaops:
aliases:
- packsregistry.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
packsregistry-worker:
<<: *resources-light
image: stellaops/packsregistry-worker:dev
container_name: stellaops-packsregistry-worker
restart: unless-stopped
environment:
<<: [*kestrel-cert, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
volumes:
- ${STELLAOPS_CERT_VOLUME}
healthcheck:
<<: *healthcheck-worker
networks:
stellaops:
aliases:
- packsregistry-worker.stella-ops.local
labels: *release-labels
# --- Slot 35: Registry Token -----------------------------------------------
registry-token:
<<: *resources-light
image: stellaops/registry-token:dev
container_name: stellaops-registry-token
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
RegistryTokenService__Signing__Issuer: "http://registry-token.stella-ops.local"
RegistryTokenService__Signing__KeyPath: "/app/etc/certs/kestrel-dev.pfx"
RegistryTokenService__Signing__Lifetime: "00:05:00"
RegistryTokenService__Registry__Realm: "http://registry.stella-ops.local"
RegistryTokenService__Authority__Issuer: "https://authority.stella-ops.local/"
RegistryTokenService__Authority__Audience: "api://registry"
RegistryTokenService__Authority__RequireHttpsMetadata: "false"
RegistryTokenService__Plans__0__Name: "default"
RegistryTokenService__Plans__0__Repositories__0__Pattern: "*"
RegistryTokenService__Plans__0__Repositories__0__Actions__0: "pull"
RegistryTokenService__Plans__0__Repositories__0__Actions__1: "push"
Router__Enabled: "${REGISTRY_TOKEN_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "registry-token"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
ports:
- "127.1.0.35:80:80"
networks:
stellaops:
aliases:
- registry-token.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 36: BinaryIndex --------------------------------------------------
binaryindex-web:
<<: *resources-light
image: stellaops/binaryindex-web:dev
container_name: stellaops-binaryindex-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Router__Enabled: "${BINARYINDEX_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "binaryindex"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.36:80:80"
networks:
stellaops:
aliases:
- binaryindex.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 37: Issuer Directory ---------------------------------------------
issuer-directory:
<<: *resources-light
image: stellaops/issuer-directory-web:dev
container_name: stellaops-issuer-directory
restart: unless-stopped
depends_on:
- authority
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ISSUERDIRECTORY__AUTHORITY__ENABLED: "true"
ISSUERDIRECTORY__AUTHORITY__ISSUER: "${AUTHORITY_ISSUER:-http://authority.stella-ops.local}"
ISSUERDIRECTORY__AUTHORITY__AUDIENCES__0: "api://issuer-directory"
ISSUERDIRECTORY__AUTHORITY__REQUIREHTTPSMETADATA: "false"
ISSUERDIRECTORY__PERSISTENCE__PROVIDER: "Postgres"
ISSUERDIRECTORY__PERSISTENCE__POSTGRESCONNECTIONSTRING: "${STELLAOPS_POSTGRES_CONNECTION}"
ISSUERDIRECTORY__SEEDCSAFPUBLISHERS: "false"
Router__Enabled: "${ISSUERDIRECTORY_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "issuerdirectory"
volumes:
- ../../etc/issuer-directory:/app/etc/issuer-directory:ro
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
ports:
- "127.1.0.37:80:80"
networks:
stellaops:
aliases:
- issuerdirectory.stella-ops.local
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 38: Symbols ------------------------------------------------------
symbols:
<<: *resources-light
image: stellaops/symbols:dev
container_name: stellaops-symbols
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Router__Enabled: "${SYMBOLS_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "symbols"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
ports:
- "127.1.0.38:80:80"
networks:
stellaops:
aliases:
- symbols.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 39: SbomService --------------------------------------------------
sbomservice:
<<: *resources-light
image: stellaops/sbomservice:dev
container_name: stellaops-sbomservice
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Router__Enabled: "${SBOMSERVICE_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "sbomservice"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.39:80:80"
networks:
stellaops:
aliases:
- sbomservice.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 40: ExportCenter -------------------------------------------------
export-web:
<<: *resources-light
image: stellaops/export-web:dev
container_name: stellaops-export-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Export__AllowInMemoryRepositories: "true"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
Authority__ResourceServer__BypassNetworks__2: "::1/128"
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
Authority__ResourceServer__BypassNetworks__4: "::/0"
Router__Enabled: "${EXPORTCENTER_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "exportcenter"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
ports:
- "127.1.0.40:80:80"
networks:
stellaops:
aliases:
- exportcenter.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
export-worker:
<<: *resources-light
image: stellaops/export-worker:dev
container_name: stellaops-export-worker
restart: unless-stopped
environment:
<<: [*kestrel-cert, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Export__AllowInMemoryRepositories: "true"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
networks:
stellaops:
aliases:
- export-worker.stella-ops.local
healthcheck:
<<: *healthcheck-worker
labels: *release-labels
# --- Slot 41: Replay -------------------------------------------------------
replay-web:
<<: *resources-light
image: stellaops/replay-web:dev
container_name: stellaops-replay-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
REPLAY__STORAGE__DRIVER: "postgres"
REPLAY__STORAGE__POSTGRES__CONNECTIONSTRING: "${STELLAOPS_POSTGRES_CONNECTION}"
REPLAY__STORAGE__OBJECTSTORE__DRIVER: "seed-fs"
REPLAY__STORAGE__OBJECTSTORE__SEEDFS__ROOTPATH: "/app/data/replay-snapshots"
Router__Enabled: "${REPLAY_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "replay"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.41:80:80"
networks:
stellaops:
aliases:
- replay.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 42: Integrations ------------------------------------------------
integrations-web:
<<: *resources-light
image: stellaops/integrations-web:dev
container_name: stellaops-integrations-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__IntegrationsDb: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
Authority__ResourceServer__BypassNetworks__2: "::1/128"
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
Authority__ResourceServer__BypassNetworks__4: "::/0"
Router__Enabled: "${INTEGRATIONS_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "integrations"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
ports:
- "127.1.0.42:80:80"
networks:
stellaops:
aliases:
- integrations.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 43: Zastava Webhook ----------------------------------------------
zastava-webhook:
<<: *resources-light
image: stellaops/zastava-webhook:dev
container_name: stellaops-zastava-webhook
restart: unless-stopped
depends_on:
- authority
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *gc-light]
# Runtime authority (used by token provider for OIDC discovery)
zastava__runtime__authority__Issuer: "https://authority.stella-ops.local/"
zastava__runtime__authority__allowStaticTokenFallback: "true"
zastava__runtime__authority__staticTokenValue: "dev-bypass-token"
zastava__runtime__tenant: "default"
zastava__runtime__environment: "local"
# Webhook authority
zastava__webhook__authority__Issuer: "https://authority.stella-ops.local/"
zastava__webhook__authority__staticTokenValue: "dev-bypass-token"
# TLS (PFX from cert volume)
zastava__webhook__tls__mode: "Secret"
zastava__webhook__tls__pfxPath: "/app/etc/certs/kestrel-dev.pfx"
zastava__webhook__tls__pfxPassword: "devpass"
# Backend (scanner service)
zastava__webhook__backend__baseAddress: "http://scanner.stella-ops.local"
zastava__webhook__backend__allowInsecureHttp: "true"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
networks:
stellaops:
aliases:
- zastava-webhook.stella-ops.local
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/8080'"]
interval: 30s
timeout: 5s
retries: 3
start_period: 15s
labels: *release-labels
# --- Slot 44: Signals ------------------------------------------------------
signals:
<<: *resources-light
image: stellaops/signals:dev
container_name: stellaops-signals
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Authority__ResourceServer__Authority: "https://authority.stella-ops.local/"
Authority__ResourceServer__MetadataAddress: "https://authority.stella-ops.local/.well-known/openid-configuration"
Authority__ResourceServer__RequireHttpsMetadata: "false"
Authority__ResourceServer__Audiences__0: ""
Authority__ResourceServer__BypassNetworks__0: "172.19.0.0/16"
Authority__ResourceServer__BypassNetworks__1: "127.0.0.1/32"
Authority__ResourceServer__BypassNetworks__2: "::1/128"
Authority__ResourceServer__BypassNetworks__3: "0.0.0.0/0"
Authority__ResourceServer__BypassNetworks__4: "::/0"
Router__Enabled: "${SIGNALS_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "signals"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ${STELLAOPS_CA_BUNDLE_VOLUME}
ports:
- "127.1.0.43:80:80"
networks:
stellaops:
aliases:
- signals.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Slot 45: Advisory AI --------------------------------------------------
advisory-ai-web:
<<: *resources-medium
image: stellaops/advisory-ai-web:dev
container_name: stellaops-advisory-ai-web
restart: unless-stopped
depends_on:
- scanner-web
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
ADVISORYAI__AdvisoryAI__SbomBaseAddress: "${ADVISORY_AI_SBOM_BASEADDRESS:-http://scanner.stella-ops.local}"
ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: "/var/lib/advisory-ai/queue"
ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: "/var/lib/advisory-ai/plans"
ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: "/var/lib/advisory-ai/outputs"
ADVISORYAI__AdvisoryAI__Chat__Enabled: "true"
ADVISORYAI__AdvisoryAI__Adapters__Llm__Enabled: "${ADVISORY_AI_LLM_ADAPTERS_ENABLED:-true}"
ADVISORYAI__AdvisoryAI__LlmProviders__ConfigDirectory: "${ADVISORY_AI_LLM_PROVIDERS_DIRECTORY:-/app/etc/llm-providers}"
ADVISORYAI__AdvisoryAI__Inference__Mode: "${ADVISORY_AI_INFERENCE_MODE:-Local}"
ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: "${ADVISORY_AI_REMOTE_BASEADDRESS:-}"
ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: "${ADVISORY_AI_REMOTE_APIKEY:-}"
ADVISORYAI__KnowledgeSearch__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
ADVISORYAI__KnowledgeSearch__DatabaseApplicationName: "${ADVISORY_AI_KNOWLEDGESEARCH_DB_APPLICATION_NAME:-stellaops-advisory-ai-web/knowledge-search}"
ADVISORYAI__KnowledgeSearch__DatabaseConnectionIdleLifetimeSeconds: "${ADVISORY_AI_KNOWLEDGESEARCH_DB_IDLE_LIFETIME_SECONDS:-900}"
ADVISORYAI__KnowledgeSearch__FindingsAdapterEnabled: "true"
ADVISORYAI__KnowledgeSearch__FindingsAdapterBaseUrl: "http://scanner.stella-ops.local"
ADVISORYAI__KnowledgeSearch__VexAdapterEnabled: "true"
ADVISORYAI__KnowledgeSearch__VexAdapterBaseUrl: "http://concelier.stella-ops.local"
ADVISORYAI__KnowledgeSearch__PolicyAdapterEnabled: "true"
ADVISORYAI__KnowledgeSearch__PolicyAdapterBaseUrl: "http://policy-engine.stella-ops.local"
Router__Enabled: "${ADVISORYAI_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "advisoryai"
ports:
- "127.1.0.44:80:80"
volumes:
- ${STELLAOPS_CERT_VOLUME}
- ../../etc/llm-providers:/app/etc/llm-providers:ro
- advisory-ai-queue:/var/lib/advisory-ai/queue
- advisory-ai-plans:/var/lib/advisory-ai/plans
- advisory-ai-outputs:/var/lib/advisory-ai/outputs
networks:
stellaops:
aliases:
- advisoryai.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
advisory-ai-worker:
<<: *resources-medium
image: stellaops/advisory-ai-worker:dev
container_name: stellaops-advisory-ai-worker
restart: unless-stopped
depends_on:
- scanner-web
environment:
<<: [*kestrel-cert, *gc-medium]
ADVISORYAI__AdvisoryAI__SbomBaseAddress: "${ADVISORY_AI_SBOM_BASEADDRESS:-http://scanner.stella-ops.local}"
ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: "/tmp/advisory-ai/queue"
ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: "/tmp/advisory-ai/plans"
ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: "/tmp/advisory-ai/outputs"
ADVISORYAI__AdvisoryAI__Inference__Mode: "${ADVISORY_AI_INFERENCE_MODE:-Local}"
ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: "${ADVISORY_AI_REMOTE_BASEADDRESS:-}"
ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: "${ADVISORY_AI_REMOTE_APIKEY:-}"
ADVISORYAI__KnowledgeSearch__ConnectionString: "${STELLAOPS_POSTGRES_CONNECTION}"
ADVISORYAI__KnowledgeSearch__FindingsAdapterEnabled: "true"
ADVISORYAI__KnowledgeSearch__FindingsAdapterBaseUrl: "http://scanner.stella-ops.local"
ADVISORYAI__KnowledgeSearch__VexAdapterEnabled: "true"
ADVISORYAI__KnowledgeSearch__VexAdapterBaseUrl: "http://concelier.stella-ops.local"
ADVISORYAI__KnowledgeSearch__PolicyAdapterEnabled: "true"
ADVISORYAI__KnowledgeSearch__PolicyAdapterBaseUrl: "http://policy-engine.stella-ops.local"
volumes:
- ${STELLAOPS_CERT_VOLUME}
networks:
stellaops:
aliases:
- advisory-ai-worker.stella-ops.local
healthcheck:
<<: *healthcheck-worker
labels: *release-labels
# --- Slot 46: Unknowns ----------------------------------------------------
unknowns-web:
<<: *resources-light
image: stellaops/unknowns-web:dev
container_name: stellaops-unknowns-web
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-light]
ConnectionStrings__Default: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__UnknownsDb: "${STELLAOPS_POSTGRES_CONNECTION}"
ConnectionStrings__Redis: "cache.stella-ops.local:6379"
Router__Enabled: "${UNKNOWNS_ROUTER_ENABLED:-true}"
Router__Messaging__ConsumerGroup: "unknowns"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.45:80:80"
networks:
stellaops:
aliases:
- unknowns.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/80'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Workflow Engine --------------------------------------------------------
workflow:
<<: *resources-medium
image: stellaops/workflow-web:dev
container_name: stellaops-workflow
restart: unless-stopped
environment:
ASPNETCORE_URLS: "http://+:8080"
<<: [*kestrel-cert, *router-microservice-defaults, *gc-medium]
ConnectionStrings__WorkflowPostgres: "${STELLAOPS_POSTGRES_CONNECTION}"
WorkflowBackend__Provider: "Postgres"
WorkflowBackend__Postgres__SchemaName: "workflow"
WorkflowBackend__Postgres__ConnectionStringName: "WorkflowPostgres"
WorkflowSignalDriver__Provider: "Native"
Router__Enabled: "true"
Router__Messaging__ConsumerGroup: "workflow"
volumes:
- ${STELLAOPS_CERT_VOLUME}
ports:
- "127.1.0.46:80:8080"
networks:
stellaops:
aliases:
- workflow.stella-ops.local
frontdoor: {}
healthcheck:
test: ["CMD-SHELL", "bash -c 'echo > /dev/tcp/$(hostname)/8080'"]
<<: *healthcheck-tcp
labels: *release-labels
# --- Console (Angular frontend) -------------------------------------------
# web-ui is replaced by router-gateway serving static files from console-dist volume.
# The console-builder init container copies Angular dist to the shared volume.
Reference in New Issue View Git Blame Copy Permalink