From 5044a44a17573746b6abcb63d8a2653627fb12bb Mon Sep 17 00:00:00 2001
From: Stephan Kasdorf
Date: Wed, 27 May 2026 20:14:09 +0200
Subject: [PATCH] cleanup, and important settings from the sysetem admin, HELLO
---
 docker-compose.yml | 41 -----------------------------------------
 1 file changed, 41 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index bd2040a..a66028b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,36 +1,3 @@
-# neuronetz-gateway — FULL production stack, hosted behind jwilder-proxy
-# (the same setup used by neuronetz.ai / neuro-landing).
-#
-# Internet ──TLS──▶ nginx-proxy (jwilder) ──HTTP/1.1──▶ gateway
-# │
-# └─▶ postgres / redis / ollama
-# (private network only)
-#
-# Public traffic is terminated by the jwilder/nginx-proxy that already runs on
-# this host. The gateway joins its external `proxy` network and advertises
-# itself with VIRTUAL_HOST / VIRTUAL_PORT; letsencrypt-nginx-proxy-companion
-# obtains and renews the cert for api.neuronetz.ai automatically.
-#
-# ┌─────────────────────────────────────────────────────────────────────────┐
-# │ SECURITY NON-NEGOTIABLE: │
-# │ The `ollama` service has NO `ports:` mapping and MUST NEVER get one. │
-# │ Ollama is reachable only on the internal Docker network via the │
-# │ service name `ollama:11434`. Publishing it would re-open the exact │
-# │ unauthenticated exposure this whole project exists to close. │
-# └─────────────────────────────────────────────────────────────────────────┘
-#
-# Prerequisites on the host:
-# - A jwilder-proxy stack (nginx-proxy + acme-companion) already running and
-# attached to an external Docker network named `proxy`.
-# - DNS A/AAAA record for api.neuronetz.ai pointing at this host.
-#
-# Bring it up:
-# cp .env.example .env # set POSTGRES_PASSWORD and any overrides
-# docker compose up -d --build
-#
-# Users without jwilder-proxy can use the Caddy sidecar example in
-# ops/caddy/Caddyfile.example instead — see docs/DEPLOYMENT.md.
-
 services:
 gateway:
 build:
@@ -48,7 +15,6 @@ services:
 VIRTUAL_PORT: "8080"
 LETSENCRYPT_HOST: ${GATEWAY_VIRTUAL_HOST:-api.neuronetz.ai}
 LETSENCRYPT_EMAIL: ${LETSENCRYPT_EMAIL:-admin@neuronetz.ai}
- # ─── Gateway runtime ──────────────────────────────────────────────
 GATEWAY_BIND_HOST: 0.0.0.0
 GATEWAY_BIND_PORT: "8080"
 GATEWAY_LOG_LEVEL: ${GATEWAY_LOG_LEVEL:-INFO}
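Review bot: Deleting the SECURITY NON-NEGOTIABLE header block here — together with the `# No ports:` line on postgres and the `# Ollama — INTERNAL NETWORK ONLY` / `# !!! NO ports:` lines on the ollama service in the later hunks of this patch — removes the only statement in this file of why `ollama` and `postgres` must not get a `ports:` mapping; nothing in Compose enforces that invariant, so after this change the next editor gets no cue before publishing an unauthenticated service. Keep at least a one-line note on each service, e.g. `ollama:  # internal-only: no ports: mapping — see docs/DEPLOYMENT.md`, or move the rationale into docs/DEPLOYMENT.md in the same patch. The subject line mentions settings from the system admin, but every hunk consists only of comment deletions; if a settings change was intended it does not appear in this patch. The removed header was also the only in-file reference to the `proxy` external network prerequisite and the bring-up steps, so that material should land somewhere discoverable rather than vanish.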
@@ -56,7 +22,6 @@ services:
 GATEWAY_REQUEST_ID_HEADER: ${GATEWAY_REQUEST_ID_HEADER:-X-Request-ID}
 # nginx-proxy forwards from the `proxy` network — trust its IP space.
 GATEWAY_TRUSTED_PROXIES: ${GATEWAY_TRUSTED_PROXIES:-127.0.0.1,nginx-proxy}
- # ─── Internal service addressing ──────────────────────────────────
 DATABASE_URL: postgresql+asyncpg://${POSTGRES_USER:-gateway}:${POSTGRES_PASSWORD:-changeme}@postgres:5432/${POSTGRES_DB:-neuronetz}
 DATABASE_POOL_SIZE: ${DATABASE_POOL_SIZE:-10}
 DATABASE_POOL_OVERFLOW: ${DATABASE_POOL_OVERFLOW:-20}
@@ -117,7 +82,6 @@ services:
 POSTGRES_DB: ${POSTGRES_DB:-neuronetz}
 volumes:
 - postgres_data:/var/lib/postgresql/data
- # No `ports:` — Postgres is internal-only.
 healthcheck:
 test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-gateway} -d ${POSTGRES_DB:-neuronetz}"]
 interval: 5s
@@ -140,15 +104,10 @@ services:
 networks:
 - internal
- # ───────────────────────────────────────────────────────────────────────────
- # Ollama — INTERNAL NETWORK ONLY. DO NOT ADD A `ports:` MAPPING.
- # Reachable only as `http://ollama:11434` from the gateway container.
- # ───────────────────────────────────────────────────────────────────────────
 ollama:
 image: ollama/ollama:latest
 container_name: neuronetz-ollama
 restart: unless-stopped
- # !!! NO `ports:` — never publish Ollama to the host or the internet. !!!
 volumes:
 - ollama_data:/root/.ollama
 networks: