# =============================================================================
# STELLA OPS - MAIN STACK
# =============================================================================
# Consolidated Docker Compose for the complete StellaOps platform.
# Infrastructure: PostgreSQL 18.1, Valkey 9.0.1, RustFS, Rekor v2
#
# Usage:
#   docker compose -f devops/compose/docker-compose.stella-ops.yml up -d
#
# With Sigstore tools:
#   docker compose -f devops/compose/docker-compose.stella-ops.yml --profile sigstore up -d
#
# With Telemetry:
#   docker compose -f devops/compose/docker-compose.stella-ops.yml \
#     -f devops/compose/docker-compose.telemetry.yml up -d
#
# With Compliance overlay (e.g., China):
#   docker compose -f devops/compose/docker-compose.stella-ops.yml \
#     -f devops/compose/docker-compose.compliance-china.yml up -d
#
# =============================================================================

# Release metadata labels; services attach them through the *release-labels
# alias (rekor-v2 merges them with "<<" and adds a component label).
x-release-labels: &release-labels
  com.stellaops.release.version: "2025.10.0"
  com.stellaops.release.channel: "stable"
  com.stellaops.profile: "default"

# Connection string shared by every service that references
# *postgres-connection; all of them connect with the same database account.
# NOTE(review): when POSTGRES_PASSWORD is unset the password falls back to the
# literal "stellaops" (the postgres service uses the same fallback). Set
# POSTGRES_PASSWORD explicitly for anything beyond local development.
x-postgres-connection: &postgres-connection
  "Host=postgres;Port=5432;Database=${POSTGRES_DB:-stellaops_platform};Username=${POSTGRES_USER:-stellaops};Password=${POSTGRES_PASSWORD:-stellaops}"

networks:
  # Bridge network created by this stack; every service below joins it.
  stellaops:
    driver: bridge
    name: stellaops
  # Declared external, so Compose expects the network to exist already and does
  # not create it. Only the services that list "frontdoor" are attached to it.
  frontdoor:
    external: true
    name: ${FRONTDOOR_NETWORK:-stellaops_frontdoor}

# Named volumes mounted by the services below (default driver, no options).
volumes:
  postgres-data:
  valkey-data:
  rustfs-data:
  rekor-tiles-data:
  concelier-jobs:
  scanner-surface-cache:
  advisory-ai-queue:
  advisory-ai-plans:
  advisory-ai-outputs:

services:
  # ===========================================================================
  # INFRASTRUCTURE SERVICES
  # ===========================================================================

  # ---------------------------------------------------------------------------
  # PostgreSQL 18.1 - Primary database
  # ---------------------------------------------------------------------------
  postgres:
    image: docker.io/library/postgres:18.1
    container_name: stellaops-postgres
    restart: unless-stopped
    environment:
      POSTGRES_USER: "${POSTGRES_USER:-stellaops}"
      # NOTE(review): falls back to the literal "stellaops" when
      # POSTGRES_PASSWORD is unset; set it explicitly outside local development.
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-stellaops}"
      POSTGRES_DB: "${POSTGRES_DB:-stellaops_platform}"
      PGDATA: /var/lib/postgresql/data/pgdata
    volumes:
      - postgres-data:/var/lib/postgresql/data
      # Init scripts are mounted read-only.
      - ./postgres-init:/docker-entrypoint-initdb.d:ro
    ports:
      # NOTE(review): no host IP in the mapping, so by default Docker publishes
      # the port on every host interface. The services in this file reach the
      # database as postgres:5432 over the stellaops network and do not depend
      # on this mapping.
      - "${POSTGRES_PORT:-5432}:5432"
    networks:
      - stellaops
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-stellaops} -d ${POSTGRES_DB:-stellaops_platform}"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Valkey 9.0.1 - Cache and message queue (Redis-compatible)
  # ---------------------------------------------------------------------------
  valkey:
    image: docker.io/valkey/valkey:9.0.1
    container_name: stellaops-valkey
    restart: unless-stopped
    # NOTE(review): only append-only persistence is enabled here; no
    # authentication option (such as --requirepass or an ACL file) is passed,
    # and the clients below connect to "valkey:6379" without credentials.
    command: ["valkey-server", "--appendonly", "yes"]
    volumes:
      - valkey-data:/data
    ports:
      # NOTE(review): published on the host without a bind address. Combined
      # with the missing authentication above, anything that can reach this
      # port can read and write the cache and queue data.
      - "${VALKEY_PORT:-6379}:6379"
    networks:
      - stellaops
    healthcheck:
      test: ["CMD", "valkey-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # RustFS - S3-compatible object storage
  # ---------------------------------------------------------------------------
  rustfs:
    # NOTE(review): referenced by tag, while several application images below
    # are pinned by sha256 digest.
    image: registry.stella-ops.org/stellaops/rustfs:2025.09.2
    container_name: stellaops-rustfs
    command: ["serve", "--listen", "0.0.0.0:8080", "--root", "/data"]
    restart: unless-stopped
    environment:
      RUSTFS__LOG__LEVEL: info
      RUSTFS__STORAGE__PATH: /data
    volumes:
      - rustfs-data:/data
    ports:
      # NOTE(review): no credentials are configured in this block and clients
      # below use plain http://rustfs:8080; confirm how RustFS authenticates
      # requests before relying on this host-published port.
      - "${RUSTFS_HTTP_PORT:-8080}:8080"
    networks:
      - stellaops
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Rekor v2 (tiles) - Sigstore transparency log
  # ---------------------------------------------------------------------------
  rekor-v2:
    # NOTE(review): the default is the mutable ":latest" tag, so the image
    # behind the transparency log can change between pulls. Set
    # REKOR_TILES_IMAGE to a version- or digest-pinned reference.
    image: ${REKOR_TILES_IMAGE:-ghcr.io/sigstore/rekor-tiles:latest}
    container_name: stellaops-rekor
    restart: unless-stopped
    volumes:
      - rekor-tiles-data:/var/lib/rekor-tiles
    networks:
      - stellaops
    # Started only when the "sigstore" profile is enabled.
    profiles: ["sigstore"]
    labels:
      <<: *release-labels
      com.stellaops.component: "rekor-v2"

  # ---------------------------------------------------------------------------
  # Sigstore CLI tools (on-demand)
  # ---------------------------------------------------------------------------
  # Both tools are pinned by version tag, not by digest, and run only with the
  # "sigstore" profile; the default command just prints the version.
  rekor-cli:
    image: ghcr.io/sigstore/rekor-cli:v1.4.3
    entrypoint: ["rekor-cli"]
    command: ["version"]
    profiles: ["sigstore"]
    networks:
      - stellaops
    labels: *release-labels

  cosign:
    image: ghcr.io/sigstore/cosign:v3.0.4
    entrypoint: ["cosign"]
    command: ["version"]
    profiles: ["sigstore"]
    networks:
      - stellaops
    labels: *release-labels

  # ===========================================================================
  # APPLICATION SERVICES
  # ===========================================================================

  # ---------------------------------------------------------------------------
  # Authority - OAuth2/OIDC identity provider
  # ---------------------------------------------------------------------------
  authority:
    # Pinned by sha256 digest.
    image: registry.stella-ops.org/stellaops/authority@sha256:b0348bad1d0b401cc3c71cb40ba034c8043b6c8874546f90d4783c9dbfcc0bf5
    container_name: stellaops-authority
    restart: unless-stopped
    # Waits for the postgres and valkey healthchecks to pass before starting.
    depends_on:
      postgres:
        condition: service_healthy
      valkey:
        condition: service_healthy
    environment:
      # NOTE(review): AUTHORITY_ISSUER has no default; Compose substitutes an
      # empty string when it is unset. The "${AUTHORITY_ISSUER:?message}" form
      # would make the stack fail fast instead.
      STELLAOPS_AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
      STELLAOPS_AUTHORITY__STORAGE__DRIVER: "postgres"
      STELLAOPS_AUTHORITY__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      STELLAOPS_AUTHORITY__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      STELLAOPS_AUTHORITY__PLUGINDIRECTORIES__0: "/app/plugins"
      STELLAOPS_AUTHORITY__PLUGINS__CONFIGURATIONDIRECTORY: "/app/etc/authority/plugins"
    volumes:
      # Configuration and trust roots are mounted read-only.
      - ../../etc/authority:/app/etc/authority:ro
      - ../../etc/certificates/trust-roots:/etc/ssl/certs/stellaops:ro
    ports:
      - "${AUTHORITY_PORT:-8440}:8440"
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Signer - Cryptographic signing service
  # ---------------------------------------------------------------------------
  signer:
    image: registry.stella-ops.org/stellaops/signer@sha256:8ad574e61f3a9e9bda8a58eb2700ae46813284e35a150b1137bc7c2b92ac0f2e
    container_name: stellaops-signer
    restart: unless-stopped
    # Short-form depends_on: waits for the containers to start, not for a
    # passing healthcheck (authority above uses condition: service_healthy).
    depends_on:
      - authority
      - valkey
    environment:
      SIGNER__AUTHORITY__BASEURL: "https://authority:8440"
      # NOTE(review): SIGNER_POE_INTROSPECT_URL has no default and becomes an
      # empty string when unset; confirm the signer rejects an empty URL.
      SIGNER__POE__INTROSPECTURL: "${SIGNER_POE_INTROSPECT_URL}"
      SIGNER__STORAGE__DRIVER: "postgres"
      SIGNER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      SIGNER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
    ports:
      # NOTE(review): the signing API is published on the host and attached to
      # the frontdoor network; confirm it needs to be reachable from outside
      # the stellaops network.
      - "${SIGNER_PORT:-8441}:8441"
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Attestor - SLSA attestation service
  # ---------------------------------------------------------------------------
  attestor:
    image: registry.stella-ops.org/stellaops/attestor@sha256:0534985f978b0b5d220d73c96fddd962cd9135f616811cbe3bff4666c5af568f
    container_name: stellaops-attestor
    restart: unless-stopped
    depends_on:
      - signer
    environment:
      ATTESTOR__SIGNER__BASEURL: "https://signer:8441"
      ATTESTOR__STORAGE__DRIVER: "postgres"
      ATTESTOR__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      ATTESTOR__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
    ports:
      - "${ATTESTOR_PORT:-8442}:8442"
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Issuer Directory - CSAF publisher registry
  # ---------------------------------------------------------------------------
  issuer-directory:
    # NOTE(review): referenced by tag rather than by digest, unlike authority,
    # signer and attestor above.
    image: registry.stella-ops.org/stellaops/issuer-directory-web:2025.10.0
    container_name: stellaops-issuer-directory
    restart: unless-stopped
    depends_on:
      - postgres
      - authority
    environment:
      ISSUERDIRECTORY__CONFIG: "/app/etc/issuer-directory/issuer-directory.yaml"
      # AUTHORITY_ISSUER has no default; an unset variable yields "".
      ISSUERDIRECTORY__AUTHORITY__ISSUER: "${AUTHORITY_ISSUER}"
      ISSUERDIRECTORY__AUTHORITY__BASEURL: "https://authority:8440"
      ISSUERDIRECTORY__STORAGE__DRIVER: "postgres"
      ISSUERDIRECTORY__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      ISSUERDIRECTORY__SEEDCSAFPUBLISHERS: "${ISSUER_DIRECTORY_SEED_CSAF:-true}"
    volumes:
      - ../../etc/issuer-directory:/app/etc/issuer-directory:ro
    ports:
      # Host port 8447 (by default) maps to container port 8080.
      - "${ISSUER_DIRECTORY_PORT:-8447}:8080"
    networks:
      - stellaops
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Concelier - Advisory aggregation service
  # ---------------------------------------------------------------------------
  concelier:
    image: registry.stella-ops.org/stellaops/concelier@sha256:c58cdcaee1d266d68d498e41110a589dd204b487d37381096bd61ab345a867c5
    container_name: stellaops-concelier
    restart: unless-stopped
    depends_on:
      - postgres
      - valkey
      - rustfs
    environment:
      CONCELIER__STORAGE__DRIVER: "postgres"
      CONCELIER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      CONCELIER__STORAGE__S3__ENDPOINT: "http://rustfs:8080"
      CONCELIER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      CONCELIER__AUTHORITY__BASEURL: "https://authority:8440"
      # NOTE(review): presumably lets Concelier keep using cached Authority
      # data while the Authority is unreachable, for up to the tolerance below
      # (default 00:30:00); confirm that window is acceptable for revocations.
      CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
      CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "${AUTHORITY_OFFLINE_CACHE_TOLERANCE:-00:30:00}"
    volumes:
      - concelier-jobs:/var/lib/concelier/jobs
    ports:
      - "${CONCELIER_PORT:-8445}:8445"
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Scanner Web - SBOM/vulnerability scanning API
  # ---------------------------------------------------------------------------
  scanner-web:
    image: registry.stella-ops.org/stellaops/scanner-web@sha256:14b23448c3f9586a9156370b3e8c1991b61907efa666ca37dd3aaed1e79fe3b7
    container_name: stellaops-scanner-web
    restart: unless-stopped
    depends_on:
      - postgres
      - valkey
      - concelier
      - rustfs
    environment:
      SCANNER__STORAGE__DRIVER: "postgres"
      SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      SCANNER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
      # Queue configuration - Valkey only
      SCANNER__QUEUE__BROKER: "valkey://valkey:6379"
      # Event streaming
      SCANNER__EVENTS__ENABLED: "${SCANNER_EVENTS_ENABLED:-false}"
      SCANNER__EVENTS__DRIVER: "valkey"
      SCANNER__EVENTS__DSN: "valkey:6379"
      SCANNER__EVENTS__STREAM: "${SCANNER_EVENTS_STREAM:-stella.events}"
      SCANNER__EVENTS__PUBLISHTIMEOUTSECONDS: "${SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS:-5}"
      SCANNER__EVENTS__MAXSTREAMLENGTH: "${SCANNER_EVENTS_MAX_STREAM_LENGTH:-10000}"
      # Offline kit
      # Disabled by default; the verification-related switches (REQUIREDSSE,
      # REKOROFFLINEMODE) default to "true" when the kit is turned on.
      SCANNER__OFFLINEKIT__ENABLED: "${SCANNER_OFFLINEKIT_ENABLED:-false}"
      SCANNER__OFFLINEKIT__REQUIREDSSE: "${SCANNER_OFFLINEKIT_REQUIREDSSE:-true}"
      SCANNER__OFFLINEKIT__REKOROFFLINEMODE: "${SCANNER_OFFLINEKIT_REKOROFFLINEMODE:-true}"
      SCANNER__OFFLINEKIT__TRUSTROOTDIRECTORY: "${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}"
      SCANNER__OFFLINEKIT__REKORSNAPSHOTDIRECTORY: "${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}"
      # Surface cache
      SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://rustfs:8080}"
      SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}"
      SCANNER_SURFACE_CACHE_ROOT: "${SCANNER_SURFACE_CACHE_ROOT:-/var/lib/stellaops/surface}"
      SCANNER_SURFACE_CACHE_QUOTA_MB: "${SCANNER_SURFACE_CACHE_QUOTA_MB:-4096}"
      SCANNER_SURFACE_PREFETCH_ENABLED: "${SCANNER_SURFACE_PREFETCH_ENABLED:-false}"
      SCANNER_SURFACE_TENANT: "${SCANNER_SURFACE_TENANT:-default}"
      SCANNER_SURFACE_FEATURES: "${SCANNER_SURFACE_FEATURES:-}"
      # Secrets come from files under SCANNER_SURFACE_SECRETS_ROOT by default;
      # inline secrets stay disabled unless ALLOW_INLINE is overridden.
      SCANNER_SURFACE_SECRETS_PROVIDER: "${SCANNER_SURFACE_SECRETS_PROVIDER:-file}"
      SCANNER_SURFACE_SECRETS_NAMESPACE: "${SCANNER_SURFACE_SECRETS_NAMESPACE:-}"
      SCANNER_SURFACE_SECRETS_ROOT: "${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}"
      SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER: "${SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER:-}"
      SCANNER_SURFACE_SECRETS_ALLOW_INLINE: "${SCANNER_SURFACE_SECRETS_ALLOW_INLINE:-false}"
    volumes:
      # Configuration, trust roots, secrets and the Rekor snapshot are all
      # mounted read-only; only the surface cache volume is writable.
      - ../../etc/scanner:/app/etc/scanner:ro
      - ../../etc/certificates/trust-roots:/etc/ssl/certs/stellaops:ro
      - scanner-surface-cache:/var/lib/stellaops/surface
      - ${SURFACE_SECRETS_HOST_PATH:-./offline/surface-secrets}:${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}:ro
      - ${SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH:-./offline/trust-roots}:${SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY:-/etc/stellaops/trust-roots}:ro
      - ${SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH:-./offline/rekor-snapshot}:${SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY:-/var/lib/stellaops/rekor-snapshot}:ro
    ports:
      - "${SCANNER_WEB_PORT:-8444}:8444"
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Scanner Worker - Background scanning jobs
  # ---------------------------------------------------------------------------
  # No ports are published and the worker joins only the stellaops network.
  scanner-worker:
    image: registry.stella-ops.org/stellaops/scanner-worker@sha256:32e25e76386eb9ea8bee0a1ad546775db9a2df989fab61ac877e351881960dab
    container_name: stellaops-scanner-worker
    restart: unless-stopped
    depends_on:
      - scanner-web
      - valkey
      - rustfs
    environment:
      SCANNER__STORAGE__DRIVER: "postgres"
      SCANNER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      SCANNER__CACHE__REDIS__CONNECTIONSTRING: "valkey:6379"
      SCANNER__ARTIFACTSTORE__DRIVER: "rustfs"
      SCANNER__ARTIFACTSTORE__ENDPOINT: "http://rustfs:8080/api/v1"
      SCANNER__ARTIFACTSTORE__BUCKET: "scanner-artifacts"
      SCANNER__ARTIFACTSTORE__TIMEOUTSECONDS: "30"
      # Queue configuration - Valkey only
      SCANNER__QUEUE__BROKER: "valkey://valkey:6379"
      # Surface cache
      SCANNER_SURFACE_FS_ENDPOINT: "${SCANNER_SURFACE_FS_ENDPOINT:-http://rustfs:8080}"
      SCANNER_SURFACE_FS_BUCKET: "${SCANNER_SURFACE_FS_BUCKET:-surface-cache}"
      SCANNER_SURFACE_CACHE_ROOT: "${SCANNER_SURFACE_CACHE_ROOT:-/var/lib/stellaops/surface}"
      SCANNER_SURFACE_CACHE_QUOTA_MB: "${SCANNER_SURFACE_CACHE_QUOTA_MB:-4096}"
      SCANNER_SURFACE_PREFETCH_ENABLED: "${SCANNER_SURFACE_PREFETCH_ENABLED:-false}"
      SCANNER_SURFACE_TENANT: "${SCANNER_SURFACE_TENANT:-default}"
      SCANNER_SURFACE_FEATURES: "${SCANNER_SURFACE_FEATURES:-}"
      SCANNER_SURFACE_SECRETS_PROVIDER: "${SCANNER_SURFACE_SECRETS_PROVIDER:-file}"
      SCANNER_SURFACE_SECRETS_NAMESPACE: "${SCANNER_SURFACE_SECRETS_NAMESPACE:-}"
      SCANNER_SURFACE_SECRETS_ROOT: "${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}"
      SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER: "${SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER:-}"
      SCANNER_SURFACE_SECRETS_ALLOW_INLINE: "${SCANNER_SURFACE_SECRETS_ALLOW_INLINE:-false}"
    volumes:
      # Shares the surface cache volume with scanner-web; secrets are read-only.
      - scanner-surface-cache:/var/lib/stellaops/surface
      - ${SURFACE_SECRETS_HOST_PATH:-./offline/surface-secrets}:${SCANNER_SURFACE_SECRETS_ROOT:-/etc/stellaops/secrets}:ro
    networks:
      - stellaops
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Scheduler Worker - Background job scheduling
  # ---------------------------------------------------------------------------
  scheduler-worker:
    # NOTE(review): referenced by tag rather than by digest.
    image: registry.stella-ops.org/stellaops/scheduler-worker:2025.10.0
    container_name: stellaops-scheduler-worker
    restart: unless-stopped
    depends_on:
      - postgres
      - valkey
      - scanner-web
    command:
      - "dotnet"
      - "StellaOps.Scheduler.Worker.Host.dll"
    environment:
      SCHEDULER__STORAGE__DRIVER: "postgres"
      SCHEDULER__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      # Queue configuration - Valkey only
      SCHEDULER__QUEUE__KIND: "Valkey"
      SCHEDULER__QUEUE__VALKEY__URL: "valkey:6379"
      # NOTE(review): the default addresses scanner-web:8444 over http, while
      # web-ui addresses the same host and port over https; confirm which
      # scheme scanner-web actually serves.
      SCHEDULER__WORKER__RUNNER__SCANNER__BASEADDRESS: "${SCHEDULER_SCANNER_BASEADDRESS:-http://scanner-web:8444}"
    networks:
      - stellaops
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Notify Web - Notification service
  # ---------------------------------------------------------------------------
  notify-web:
    # NOTE(review): overridable through NOTIFY_WEB_IMAGE; the default is a tag
    # reference rather than a digest.
    image: ${NOTIFY_WEB_IMAGE:-registry.stella-ops.org/stellaops/notify-web:2025.10.0}
    container_name: stellaops-notify-web
    restart: unless-stopped
    depends_on:
      - postgres
      - authority
      - valkey
    environment:
      DOTNET_ENVIRONMENT: Production
      NOTIFY__STORAGE__DRIVER: "postgres"
      NOTIFY__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
      # Queue configuration - Valkey only
      NOTIFY__QUEUE__DRIVER: "valkey"
      NOTIFY__QUEUE__VALKEY__URL: "valkey:6379"
    volumes:
      - ../../etc/notify:/app/etc/notify:ro
    ports:
      - "${NOTIFY_WEB_PORT:-8446}:8446"
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Excititor - VEX generation service
  # ---------------------------------------------------------------------------
  # No ports are published and the service joins only the stellaops network.
  excititor:
    image: registry.stella-ops.org/stellaops/excititor@sha256:59022e2016aebcef5c856d163ae705755d3f81949d41195256e935ef40a627fa
    container_name: stellaops-excititor
    restart: unless-stopped
    depends_on:
      - postgres
      - concelier
    environment:
      EXCITITOR__CONCELIER__BASEURL: "https://concelier:8445"
      EXCITITOR__STORAGE__DRIVER: "postgres"
      EXCITITOR__STORAGE__POSTGRES__CONNECTIONSTRING: *postgres-connection
    networks:
      - stellaops
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Advisory AI Web - AI-powered advisory analysis API
  # ---------------------------------------------------------------------------
  advisory-ai-web:
    # NOTE(review): referenced by tag rather than by digest.
    image: registry.stella-ops.org/stellaops/advisory-ai-web:2025.10.0
    container_name: stellaops-advisory-ai-web
    restart: unless-stopped
    depends_on:
      - scanner-web
    environment:
      ADVISORYAI__AdvisoryAI__SbomBaseAddress: "${ADVISORY_AI_SBOM_BASEADDRESS:-http://scanner-web:8444}"
      ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: "/var/lib/advisory-ai/queue"
      ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: "/var/lib/advisory-ai/plans"
      ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: "/var/lib/advisory-ai/outputs"
      # Inference runs locally by default; the remote address and key are empty
      # unless overridden.
      ADVISORYAI__AdvisoryAI__Inference__Mode: "${ADVISORY_AI_INFERENCE_MODE:-Local}"
      ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: "${ADVISORY_AI_REMOTE_BASEADDRESS:-}"
      # NOTE(review): the remote API key is passed as a plain environment
      # variable, so it shows up in the container's inspect output; a Compose
      # secret or a read-only mounted file would keep it out of that metadata.
      ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: "${ADVISORY_AI_REMOTE_APIKEY:-}"
    ports:
      - "${ADVISORY_AI_WEB_PORT:-8448}:8448"
    volumes:
      - ../../etc/llm-providers:/app/etc/llm-providers:ro
      - advisory-ai-queue:/var/lib/advisory-ai/queue
      - advisory-ai-plans:/var/lib/advisory-ai/plans
      - advisory-ai-outputs:/var/lib/advisory-ai/outputs
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Advisory AI Worker - Background AI processing
  # ---------------------------------------------------------------------------
  # Shares the queue, plan and output volumes with advisory-ai-web; no ports
  # are published.
  advisory-ai-worker:
    # NOTE(review): referenced by tag rather than by digest.
    image: registry.stella-ops.org/stellaops/advisory-ai-worker:2025.10.0
    container_name: stellaops-advisory-ai-worker
    restart: unless-stopped
    depends_on:
      - advisory-ai-web
    environment:
      ADVISORYAI__AdvisoryAI__SbomBaseAddress: "${ADVISORY_AI_SBOM_BASEADDRESS:-http://scanner-web:8444}"
      ADVISORYAI__AdvisoryAI__Queue__DirectoryPath: "/var/lib/advisory-ai/queue"
      ADVISORYAI__AdvisoryAI__Storage__PlanCacheDirectory: "/var/lib/advisory-ai/plans"
      ADVISORYAI__AdvisoryAI__Storage__OutputDirectory: "/var/lib/advisory-ai/outputs"
      ADVISORYAI__AdvisoryAI__Inference__Mode: "${ADVISORY_AI_INFERENCE_MODE:-Local}"
      ADVISORYAI__AdvisoryAI__Inference__Remote__BaseAddress: "${ADVISORY_AI_REMOTE_BASEADDRESS:-}"
      # NOTE(review): same plain-environment API key as advisory-ai-web.
      ADVISORYAI__AdvisoryAI__Inference__Remote__ApiKey: "${ADVISORY_AI_REMOTE_APIKEY:-}"
    volumes:
      - ../../etc/llm-providers:/app/etc/llm-providers:ro
      - advisory-ai-queue:/var/lib/advisory-ai/queue
      - advisory-ai-plans:/var/lib/advisory-ai/plans
      - advisory-ai-outputs:/var/lib/advisory-ai/outputs
    networks:
      - stellaops
    labels: *release-labels

  # ---------------------------------------------------------------------------
  # Web UI - Angular frontend
  # ---------------------------------------------------------------------------
  web-ui:
    image: registry.stella-ops.org/stellaops/web-ui@sha256:10d924808c48e4353e3a241da62eb7aefe727a1d6dc830eb23a8e181013b3a23
    container_name: stellaops-web-ui
    restart: unless-stopped
    depends_on:
      - scanner-web
    environment:
      # NOTE(review): https here, while scheduler-worker and the advisory-ai
      # services default to http for the same scanner-web:8444 endpoint.
      STELLAOPS_UI__BACKEND__BASEURL: "https://scanner-web:8444"
    ports:
      - "${UI_PORT:-8443}:8443"
    networks:
      - stellaops
      - frontdoor
    labels: *release-labels