cleanup, and important settings from the sysetem admin, HELLO

docker-compose.yml

@@ -1,36 +1,3 @@
-# neuronetz-gateway — FULL production stack, hosted behind jwilder-proxy
-# (the same setup used by neuronetz.ai / neuro-landing).
-#
-#   Internet ──TLS──▶ nginx-proxy (jwilder) ──HTTP/1.1──▶ gateway
-#                                                        │
-#                                                        └─▶ postgres / redis / ollama
-#                                                            (private network only)
-#
-# Public traffic is terminated by the jwilder/nginx-proxy that already runs on
-# this host. The gateway joins its external `proxy` network and advertises
-# itself with VIRTUAL_HOST / VIRTUAL_PORT; letsencrypt-nginx-proxy-companion
-# obtains and renews the cert for api.neuronetz.ai automatically.
-#
-#  ┌─────────────────────────────────────────────────────────────────────────┐
-#  │ SECURITY NON-NEGOTIABLE:                                                  │
-#  │   The `ollama` service has NO `ports:` mapping and MUST NEVER get one.    │
-#  │   Ollama is reachable only on the internal Docker network via the         │
-#  │   service name `ollama:11434`. Publishing it would re-open the exact      │
-#  │   unauthenticated exposure this whole project exists to close.            │
-#  └─────────────────────────────────────────────────────────────────────────┘
-#
-# Prerequisites on the host:
-#   - A jwilder-proxy stack (nginx-proxy + acme-companion) already running and
-#     attached to an external Docker network named `proxy`.
-#   - DNS A/AAAA record for api.neuronetz.ai pointing at this host.
-#
-# Bring it up:
-#   cp .env.example .env       # set POSTGRES_PASSWORD and any overrides
-#   docker compose up -d --build
-#
-# Users without jwilder-proxy can use the Caddy sidecar example in
-# ops/caddy/Caddyfile.example instead — see docs/DEPLOYMENT.md.
-
 services:
   gateway:
     build:
@@ -48,7 +15,6 @@ services:
       VIRTUAL_PORT: "8080"
       LETSENCRYPT_HOST: ${GATEWAY_VIRTUAL_HOST:-api.neuronetz.ai}
       LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL:-admin@neuronetz.ai}
-      # ─── Gateway runtime ──────────────────────────────────────────────
       GATEWAY_BIND_HOST: 0.0.0.0
       GATEWAY_BIND_PORT: "8080"
       GATEWAY_LOG_LEVEL: ${GATEWAY_LOG_LEVEL:-INFO}
@@ -56,7 +22,6 @@ services:
       GATEWAY_REQUEST_ID_HEADER: ${GATEWAY_REQUEST_ID_HEADER:-X-Request-ID}
       # nginx-proxy forwards from the `proxy` network — trust its IP space.
       GATEWAY_TRUSTED_PROXIES: ${GATEWAY_TRUSTED_PROXIES:-127.0.0.1,nginx-proxy}
-      # ─── Internal service addressing ──────────────────────────────────
       DATABASE_URL: postgresql+asyncpg://${POSTGRES_USER:-gateway}:${POSTGRES_PASSWORD:-changeme}@postgres:5432/${POSTGRES_DB:-neuronetz}
       DATABASE_POOL_SIZE: ${DATABASE_POOL_SIZE:-10}
       DATABASE_POOL_OVERFLOW: ${DATABASE_POOL_OVERFLOW:-20}
@@ -117,7 +82,6 @@ services:
       POSTGRES_DB: ${POSTGRES_DB:-neuronetz}
     volumes:
       - postgres_data:/var/lib/postgresql/data
-    # No `ports:` — Postgres is internal-only.
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-gateway} -d ${POSTGRES_DB:-neuronetz}"]
       interval: 5s
@@ -140,15 +104,10 @@ services:
     networks:
       - internal
 
-  # ───────────────────────────────────────────────────────────────────────────
-  # Ollama — INTERNAL NETWORK ONLY. DO NOT ADD A `ports:` MAPPING.
-  # Reachable only as `http://ollama:11434` from the gateway container.
-  # ───────────────────────────────────────────────────────────────────────────
   ollama:
     image: ollama/ollama:latest
     container_name: neuronetz-ollama
     restart: unless-stopped
-    # !!! NO `ports:` — never publish Ollama to the host or the internet. !!!
     volumes:
       - ollama_data:/root/.ollama
     networks: