bcc432a524
Replace all .. with proper relative paths: - Build context: Use '.' (current directory = project root when using --project-directory) - Volume mounts: Use './data/...' instead of '../data/...' - Config mounts: Use './configs/...' instead of '../configs/...' The '..' fallback was incorrect - when --project-directory is set to repo root, '..' would point to parent of repo instead of repo itself. Using '.' or './path' correctly resolves relative to project root. Environment variables for data directories (SMOKE_TEST_DATA_DIR, PROD_DATA_DIR, HOMELAB_DATA_DIR, LOCAL_DATA_DIR) are preserved for runtime customization.
157 lines
4.9 KiB
YAML
157 lines
4.9 KiB
YAML
# Secure Homelab Docker Compose Configuration
|
|
# Use with: docker-compose -f docker-compose.yml -f docker-compose.homelab-secure.yml up -d
|
|
|
|
services:
|
|
api-server:
|
|
build:
|
|
context: .
|
|
dockerfile: ./build/docker/simple.Dockerfile
|
|
container_name: ml-experiments-api
|
|
ports:
|
|
- "9101:9101"
|
|
- "9100:9100" # Prometheus metrics endpoint
|
|
volumes:
|
|
- ${HOMELAB_DATA_DIR:-./data/homelab}/experiments:/data/experiments
|
|
- ${HOMELAB_DATA_DIR:-./data/homelab}/active:/data/active
|
|
- ${HOMELAB_DATA_DIR:-./data/homelab}/logs:/logs
|
|
- ./ssl:/app/ssl:ro
|
|
- ./configs/api/homelab-secure.yaml:/app/configs/api/prod.yaml:ro
|
|
- ${FETCHML_REPO_ROOT:-..}/.env.secure:/app/.env.secure:ro
|
|
depends_on:
|
|
redis:
|
|
condition: service_healthy
|
|
restart: unless-stopped
|
|
environment:
|
|
- LOG_LEVEL=info
|
|
# Load secure environment variables
|
|
- JWT_SECRET_FILE=/app/.env.secure
|
|
healthcheck:
|
|
test: ["CMD", "curl", "-f", "http://localhost:9101/health"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
start_period: 40s
|
|
labels:
|
|
logging: "promtail"
|
|
job: "api-server"
|
|
command: ["/bin/sh", "-c", "mkdir -p /data/active/datasets /data/active/snapshots && exec /usr/local/bin/api-server -config /app/configs/api/prod.yaml"]
|
|
networks:
|
|
- ml-experiments-network
|
|
# Add internal network for secure communication
|
|
- ml-backend-network
|
|
|
|
minio:
|
|
image: minio/minio:latest
|
|
container_name: ml-experiments-minio
|
|
ports:
|
|
- "9000:9000"
|
|
- "9001:9001"
|
|
volumes:
|
|
- ${HOMELAB_DATA_DIR:-./data/homelab}/minio:/data
|
|
environment:
|
|
- MINIO_ROOT_USER=${MINIO_ROOT_USER:-minioadmin}
|
|
- MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD:-minioadmin123}
|
|
command: ["server", "/data", "--console-address", ":9001"]
|
|
restart: unless-stopped
|
|
networks:
|
|
- ml-backend-network
|
|
|
|
minio-init:
|
|
image: alpine:3.19
|
|
container_name: ml-experiments-minio-init
|
|
depends_on:
|
|
- minio
|
|
entrypoint: ["/bin/sh", "-c"]
|
|
command:
|
|
- |
|
|
apk add --no-cache ca-certificates curl >/dev/null
|
|
curl -fsSL -o /usr/local/bin/mc https://dl.min.io/client/mc/release/linux-amd64/mc
|
|
chmod +x /usr/local/bin/mc
|
|
mc alias set local http://minio:9000 ${MINIO_ROOT_USER:-minioadmin} ${MINIO_ROOT_PASSWORD:-minioadmin123}
|
|
# Skip if bucket already exists
|
|
if mc ls local/fetchml-snapshots 2>/dev/null; then
|
|
echo "Bucket fetchml-snapshots already exists, skipping init"
|
|
exit 0
|
|
fi
|
|
mc mb -p local/fetchml-snapshots || true
|
|
restart: "no"
|
|
networks:
|
|
- ml-backend-network
|
|
|
|
worker:
|
|
build:
|
|
context: .
|
|
dockerfile: ./build/docker/simple.Dockerfile
|
|
container_name: ml-experiments-worker
|
|
volumes:
|
|
- ${HOMELAB_DATA_DIR:-./data/homelab}/experiments:/app/data/experiments
|
|
- ${HOMELAB_DATA_DIR:-./data/homelab}/active:/data/active
|
|
- ${HOMELAB_DATA_DIR:-./data/homelab}/logs:/logs
|
|
- ./configs/workers/homelab-secure.yaml:/app/configs/worker.yaml
|
|
depends_on:
|
|
redis:
|
|
condition: service_healthy
|
|
api-server:
|
|
condition: service_healthy
|
|
minio-init:
|
|
condition: service_started
|
|
restart: unless-stopped
|
|
environment:
|
|
- LOG_LEVEL=info
|
|
- MINIO_ROOT_USER=${MINIO_ROOT_USER:-minioadmin}
|
|
- MINIO_ROOT_PASSWORD=${MINIO_ROOT_PASSWORD:-minioadmin123}
|
|
- REDIS_PASSWORD=${REDIS_PASSWORD}
|
|
privileged: true
|
|
command: ["/usr/local/bin/worker", "-config", "/app/configs/worker.yaml"]
|
|
networks:
|
|
- ml-backend-network
|
|
|
|
caddy:
|
|
image: caddy:2-alpine
|
|
container_name: ml-experiments-caddy
|
|
restart: unless-stopped
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
volumes:
|
|
- ./deployments/Caddyfile.homelab-secure:/etc/caddy/Caddyfile:ro
|
|
- ./ssl:/etc/caddy/ssl:ro
|
|
- ${HOMELAB_DATA_DIR:-./data/homelab}/caddy/data:/data
|
|
- ${HOMELAB_DATA_DIR:-./data/homelab}/caddy/config:/config
|
|
environment:
|
|
- FETCHML_DOMAIN=${FETCHML_DOMAIN:-ml.local}
|
|
depends_on:
|
|
api-server:
|
|
condition: service_healthy
|
|
networks:
|
|
- ml-experiments-network
|
|
|
|
# Redis with authentication
|
|
redis:
|
|
image: redis:7-alpine
|
|
container_name: ml-experiments-redis
|
|
user: "999:999"
|
|
ports:
|
|
- "127.0.0.1:6379:6379" # Bind to localhost only
|
|
volumes:
|
|
- ${HOMELAB_DATA_DIR:-./data/homelab}/redis:/data
|
|
- ./redis/redis-secure.conf:/usr/local/etc/redis/redis.conf:ro
|
|
restart: unless-stopped
|
|
command: redis-server /usr/local/etc/redis/redis.conf --requirepass ${REDIS_PASSWORD}
|
|
healthcheck:
|
|
test: ["CMD", "redis-cli", "--no-auth-warning", "-a", "${REDIS_PASSWORD}", "ping"]
|
|
interval: 30s
|
|
timeout: 10s
|
|
retries: 3
|
|
networks:
|
|
- ml-backend-network
|
|
environment:
|
|
- REDIS_PASSWORD=${REDIS_PASSWORD}
|
|
|
|
volumes: {}
|
|
|
|
networks:
|
|
ml-experiments-network:
|
|
driver: bridge
|
|
ml-backend-network:
|
|
driver: bridge
|