stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity
Files
a743bb9a1d52b453227de5aab07a2d58b5e5bcd0
git.stella-ops.org/devops/compose
History
master a743bb9a1d devops folders consolidate
2026-01-25 23:39:14 +02:00
..
env
devops folders consolidate
2026-01-25 23:39:14 +02:00
scripts
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.bsim.yml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.cas.yaml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.compliance-china.yml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.compliance-eu.yml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.compliance-russia.yml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.corpus.yml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.crypto-sim.yml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.cryptopro.yml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.dev.yml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.gpu.yaml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.sealed-ci.yml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.sm-remote.yml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.stella-ops.yml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.telemetry-offline.yml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.telemetry.yml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.testing.yml
devops folders consolidate
2026-01-25 23:39:14 +02:00
docker-compose.tile-proxy.yml
devops folders consolidate
2026-01-25 23:39:14 +02:00
README.md
devops folders consolidate
2026-01-25 23:39:14 +02:00

README.md

Stella Ops Docker Compose Profiles

Consolidated Docker Compose configuration for the StellaOps platform. All profiles use immutable image digests from deploy/releases/*.yaml and are validated via docker compose config in CI.

Quick Reference

I want to... Command
Run the full platform docker compose -f docker-compose.stella-ops.yml up -d
Add observability docker compose -f docker-compose.stella-ops.yml -f docker-compose.telemetry.yml up -d
Run CI/testing infrastructure docker compose -f docker-compose.testing.yml --profile ci up -d
Deploy with China compliance See China Compliance
Deploy with Russia compliance See Russia Compliance
Deploy with EU compliance See EU Compliance

File Structure

Core Stack Files

File Purpose
docker-compose.stella-ops.yml Main stack: PostgreSQL 18.1, Valkey 9.0.1, RustFS, Rekor v2, all StellaOps services
docker-compose.telemetry.yml Observability: OpenTelemetry collector, Prometheus, Tempo, Loki
docker-compose.testing.yml CI/Testing: Test databases, mock services, Gitea for integration tests
docker-compose.dev.yml Minimal dev infrastructure: PostgreSQL, Valkey, RustFS only

Specialized Infrastructure

File Purpose
docker-compose.bsim.yml BSim analysis: PostgreSQL for Ghidra binary similarity corpus
docker-compose.corpus.yml Function corpus: PostgreSQL for function behavior database
docker-compose.sealed-ci.yml Air-gapped CI: Sealed testing environment with authority, signer, attestor
docker-compose.telemetry-offline.yml Offline observability: Air-gapped Loki, Promtail, OTEL collector, Tempo, Prometheus

Regional Compliance Overlays

File Purpose Jurisdiction
docker-compose.compliance-china.yml SM2/SM3/SM4 ShangMi crypto configuration China (OSCCA)
docker-compose.compliance-russia.yml GOST R 34.10-2012 crypto configuration Russia (FSB)
docker-compose.compliance-eu.yml eIDAS qualified trust services configuration EU

Crypto Provider Overlays

File Purpose Use Case
docker-compose.crypto-sim.yml Universal crypto simulation Testing without licensed crypto
docker-compose.cryptopro.yml CryptoPro CSP (real GOST) Production Russia deployments
docker-compose.sm-remote.yml SM Remote service (real SM2) Production China deployments

Additional Overlays

File Purpose Use Case
docker-compose.gpu.yaml NVIDIA GPU acceleration Advisory AI inference with GPU
docker-compose.cas.yaml Content Addressable Storage Dedicated CAS with retention policies
docker-compose.tile-proxy.yml Rekor tile caching proxy Air-gapped Sigstore deployments

Supporting Files

Path Purpose
env/*.env.example Environment variable templates per profile
scripts/backup.sh Create deterministic volume snapshots
scripts/reset.sh Stop stack and remove volumes (with confirmation)

Usage Patterns

Basic Development

# Copy environment template
cp env/stellaops.env.example .env

# Validate configuration
docker compose -f docker-compose.stella-ops.yml config

# Start the platform
docker compose -f docker-compose.stella-ops.yml up -d

# View logs
docker compose -f docker-compose.stella-ops.yml logs -f scanner-web

With Observability

# Generate TLS certificates for telemetry
./ops/devops/telemetry/generate_dev_tls.sh

# Start platform with telemetry
docker compose -f docker-compose.stella-ops.yml \
  -f docker-compose.telemetry.yml up -d

CI/Testing Infrastructure

# Start CI infrastructure only (different ports to avoid conflicts)
docker compose -f docker-compose.testing.yml --profile ci up -d

# Start mock services for integration testing
docker compose -f docker-compose.testing.yml --profile mock up -d

# Start Gitea for SCM integration tests
docker compose -f docker-compose.testing.yml --profile gitea up -d

# Start everything
docker compose -f docker-compose.testing.yml --profile all up -d

Test Infrastructure Ports:

Service Port Purpose
postgres-test 5433 PostgreSQL 18 for tests
valkey-test 6380 Valkey for cache/queue tests
rustfs-test 8180 S3-compatible storage
mock-registry 5001 Container registry mock
gitea 3000 Git hosting for SCM tests

Regional Compliance Deployments

China Compliance (SM2/SM3/SM4)

For Testing (simulation):

docker compose -f docker-compose.stella-ops.yml \
  -f docker-compose.compliance-china.yml \
  -f docker-compose.crypto-sim.yml up -d

For Production (real SM crypto):

docker compose -f docker-compose.stella-ops.yml \
  -f docker-compose.compliance-china.yml \
  -f docker-compose.sm-remote.yml up -d

With OSCCA-certified HSM:

# Set HSM connection details in environment
export SM_REMOTE_HSM_URL="https://sm-hsm.example.com:8900"
export SM_REMOTE_HSM_API_KEY="your-api-key"

docker compose -f docker-compose.stella-ops.yml \
  -f docker-compose.compliance-china.yml \
  -f docker-compose.sm-remote.yml up -d

Algorithms:

  • SM2: Public key cryptography (GM/T 0003-2012)
  • SM3: Hash function, 256-bit (GM/T 0004-2012)
  • SM4: Block cipher, 128-bit (GM/T 0002-2012)

Russia Compliance (GOST)

For Testing (simulation):

docker compose -f docker-compose.stella-ops.yml \
  -f docker-compose.compliance-russia.yml \
  -f docker-compose.crypto-sim.yml up -d

For Production (CryptoPro CSP):

# CryptoPro requires EULA acceptance
CRYPTOPRO_ACCEPT_EULA=1 docker compose -f docker-compose.stella-ops.yml \
  -f docker-compose.compliance-russia.yml \
  -f docker-compose.cryptopro.yml up -d

Requirements for CryptoPro:

  • CryptoPro CSP license files in opt/cryptopro/downloads/
  • CRYPTOPRO_ACCEPT_EULA=1 environment variable
  • Valid CryptoPro container images

Algorithms:

  • GOST R 34.10-2012: Digital signature (256/512-bit)
  • GOST R 34.11-2012: Hash function (Streebog, 256/512-bit)
  • GOST R 34.12-2015: Block cipher (Kuznyechik, Magma)

EU Compliance (eIDAS)

For Testing (simulation):

docker compose -f docker-compose.stella-ops.yml \
  -f docker-compose.compliance-eu.yml \
  -f docker-compose.crypto-sim.yml up -d

For Production: EU eIDAS deployments typically integrate with external Qualified Trust Service Providers (QTSPs) rather than hosting crypto locally. Configure your QTSP integration in the application settings.

docker compose -f docker-compose.stella-ops.yml \
  -f docker-compose.compliance-eu.yml up -d

Standards:

  • ETSI TS 119 312 compliant algorithms
  • Qualified electronic signatures
  • QTSP integration for qualified trust services

Crypto Simulation Details

The docker-compose.crypto-sim.yml overlay provides a unified simulation service for all sovereign crypto profiles:

Algorithm ID Simulation Use Case
SM2, sm.sim HMAC-SHA256 China testing
GOST12-256, GOST12-512 HMAC-SHA256 Russia testing
ru.magma.sim, ru.kuznyechik.sim HMAC-SHA256 Russia testing
DILITHIUM3, FALCON512, pq.sim HMAC-SHA256 Post-quantum testing
fips.sim, eidas.sim, kcmvp.sim ECDSA P-256 FIPS/EU/Korea testing

Important: Simulation is for testing only. Uses deterministic HMAC or static ECDSA keys—not suitable for production or compliance certification.

Configuration Reference

Infrastructure Services

Service Default Port Purpose
PostgreSQL 5432 Primary database
Valkey 6379 Cache, queues, events
RustFS 8080 S3-compatible artifact storage
Rekor v2 (internal) Sigstore transparency log

Application Services

Service Default Port Purpose
Authority 8440 OAuth2/OIDC identity provider
Signer 8441 Cryptographic signing
Attestor 8442 SLSA attestation
Scanner Web 8444 SBOM/vulnerability scanning API
Concelier 8445 Advisory aggregation
Notify Web 8446 Notification service
Issuer Directory 8447 CSAF publisher registry
Advisory AI Web 8448 AI-powered advisory analysis
Web UI 8443 Angular frontend

Environment Variables

Key variables (see env/*.env.example for complete list):

# Database
POSTGRES_USER=stellaops
POSTGRES_PASSWORD=<secret>
POSTGRES_DB=stellaops_platform

# Authority
AUTHORITY_ISSUER=https://authority.example.com

# Scanner
SCANNER_EVENTS_ENABLED=false
SCANNER_OFFLINEKIT_ENABLED=false

# Crypto (for compliance overlays)
STELLAOPS_CRYPTO_PROFILE=default  # or: china, russia, eu
STELLAOPS_CRYPTO_ENABLE_SIM=0     # set to 1 for simulation

# CryptoPro (Russia only)
CRYPTOPRO_ACCEPT_EULA=0  # must be 1 to use CryptoPro

# SM Remote (China only)
SM_SOFT_ALLOWED=1  # software-only SM2
SM_REMOTE_HSM_URL= # optional: OSCCA-certified HSM

Networking

All profiles use a shared stellaops Docker network. Production deployments can attach a frontdoor network for reverse proxy integration:

# Create external network for load balancer
docker network create stellaops_frontdoor

# Set in environment
export FRONTDOOR_NETWORK=stellaops_frontdoor

Only externally-reachable services (Authority, Signer, Attestor, Concelier, Scanner Web, Notify Web, UI) attach to the frontdoor network. Infrastructure services (PostgreSQL, Valkey, RustFS) remain on the private network.

Sigstore Tools

Enable Sigstore CLI tools (rekor-cli, cosign) with the sigstore profile:

docker compose -f docker-compose.stella-ops.yml --profile sigstore up -d

GPU Support for Advisory AI

GPU is disabled by default. To enable NVIDIA GPU inference:

docker compose -f docker-compose.stella-ops.yml \
  -f docker-compose.gpu.yaml up -d

Requirements:

  • NVIDIA GPU with CUDA support
  • nvidia-container-toolkit installed
  • Docker configured with nvidia runtime

Content Addressable Storage (CAS)

The CAS overlay provides dedicated RustFS instances with retention policies for different artifact types:

# Standalone CAS infrastructure
docker compose -f docker-compose.cas.yaml up -d

# Combined with main stack
docker compose -f docker-compose.stella-ops.yml \
  -f docker-compose.cas.yaml up -d

CAS Services:

Service Port Purpose
rustfs-cas 8180 Runtime facts, signals, replay artifacts
rustfs-evidence 8181 Merkle roots, hash chains, evidence bundles (immutable)
rustfs-attestation 8182 DSSE envelopes, in-toto attestations (immutable)

Retention Policies (configurable via env/cas.env.example):

  • Vulnerability DB: 7 days
  • SBOM artifacts: 365 days
  • Scan results: 90 days
  • Evidence bundles: Indefinite (immutable)
  • Attestations: Indefinite (immutable)

Tile Proxy (Air-Gapped Sigstore)

For air-gapped deployments, the tile-proxy caches Rekor transparency log tiles locally from public Sigstore:

docker compose -f docker-compose.stella-ops.yml \
  -f docker-compose.tile-proxy.yml up -d

Tile Proxy vs Rekor v2:

  • Use --profile sigstore when running your own Rekor transparency log locally
  • Use docker-compose.tile-proxy.yml when caching tiles from public Sigstore (rekor.sigstore.dev)

Configuration:

Variable Default Purpose
REKOR_SERVER_URL https://rekor.sigstore.dev Upstream Rekor to proxy
TILE_PROXY_SYNC_ENABLED true Enable periodic tile sync
TILE_PROXY_SYNC_SCHEDULE 0 */6 * * * Sync every 6 hours
TILE_PROXY_CACHE_MAX_SIZE_GB 10 Local cache size limit

The proxy syncs tiles on schedule and serves them to internal services for offline verification.

Maintenance

Backup

./scripts/backup.sh  # Creates timestamped tar.gz of volumes

Reset

./scripts/reset.sh  # Stops stack, removes volumes (requires confirmation)

Validate Configuration

docker compose -f docker-compose.stella-ops.yml config

Update to New Release

  1. Import new manifest to deploy/releases/
  2. Update image digests in compose files
  3. Run docker compose config to validate
  4. Run deploy/tools/validate-profiles.sh for audit

Troubleshooting

Port Conflicts

Override ports in your .env file:

POSTGRES_PORT=5433
VALKEY_PORT=6380
SCANNER_WEB_PORT=8544

Service Dependencies

Services declare depends_on with health checks. If a service fails to start, check its dependencies:

docker compose -f docker-compose.stella-ops.yml ps
docker compose -f docker-compose.stella-ops.yml logs postgres
docker compose -f docker-compose.stella-ops.yml logs valkey

Crypto Provider Issues

For crypto simulation issues:

# Check sim-crypto service
docker compose logs sim-crypto
curl http://localhost:18090/keys

For CryptoPro issues:

# Verify EULA acceptance
echo $CRYPTOPRO_ACCEPT_EULA  # must be 1

# Check CryptoPro service
docker compose logs cryptopro-csp

Related Documentation