# psyc — deployment

psyc deploys as a three-service Docker Compose stack, fronted by an existing `jwilder/nginx-proxy` on the shared external `backend` network and served as `psyc.neuronetz.ai`.

## Read this before deploying

- **No built-in authentication.** The cockpit exposes cases, the ledger, and sealed-package metadata to anyone who can reach it. The reverse proxy / network perimeter **is** the security boundary — keep `psyc.neuronetz.ai` on the internal network or behind SSO. nginx-proxy can add per-vhost basic auth via a mounted `htpasswd` file if you need a quick gate. (In-app auth is not built.)
- **The live model is GPU-only.** The `inference` service needs an NVIDIA GPU and the `psyc-trainer` image (`docker build -f Dockerfile.train`). It is gated behind the `gpu` compose profile. Without it the Classifier bot falls back to rules — the platform runs fine.
- **Outbound network.** Scoutline (URLhaus / CISA KEV / Feodo) and Mapline (ip-api.com) make outbound HTTPS. Behind a company egress proxy, set `HTTPS_PROXY` / `HTTP_PROXY` on the `cockpit` service.
- **mock-cert is a stand-in** for real destinations — wire real CERT / MISP / abuse endpoints (and credentials, per `docs/dossier.md` §18) before relying on routing in production.

## Prerequisites

- A Docker host (on Proxmox: a VM running Docker — cleanest; or a privileged LXC).
- The external `backend` network and an `nginx-proxy` on it (the shared reverse-proxy stack). psyc joins that network; the proxy auto-discovers the cockpit by its `VIRTUAL_HOST`.
- DNS: point `psyc.neuronetz.ai` at the proxy host.
- For the live model: an NVIDIA GPU + the NVIDIA container runtime, and the `psyc-trainer` image built.
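Because the cockpit has no authentication of its own, the `htpasswd` gate mentioned above is the one control between the network perimeter and the data. The script below is an added example, not part of the psyc repository: it creates the per-vhost password file that nginx-proxy reads from its `/etc/nginx/htpasswd/<VIRTUAL_HOST>` path and then checks that the file contains only hashed entries. It assumes `htpasswd` from `apache2-utils` is installed on the host and that the nginx-proxy container has a host directory (`HTPASSWD_DIR`, a placeholder) bind-mounted at `/etc/nginx/htpasswd`; the `psyc-ops` user name is constructed for illustration.

```shell
#!/bin/sh
# Added example (not psyc's own code): per-vhost basic auth for the cockpit
# through nginx-proxy's htpasswd directory.
# Assumptions: HTPASSWD_DIR is bind-mounted into the nginx-proxy container at
# /etc/nginx/htpasswd (placeholder path), and htpasswd(1) is on the host.
set -eu

VHOST="psyc.neuronetz.ai"
HTPASSWD_DIR="${HTPASSWD_DIR:-./htpasswd}"

# Add (or update) one user in the file nginx-proxy looks up by VIRTUAL_HOST.
# -B selects bcrypt; -c is only passed when the file does not exist yet, so
# later calls append instead of truncating existing accounts.
add_user() {
  user="$1"
  f="$HTPASSWD_DIR/$VHOST"
  mkdir -p "$HTPASSWD_DIR"
  if [ -f "$f" ]; then
    htpasswd -B "$f" "$user"        # prompts for the password
  else
    htpasswd -B -c "$f" "$user"
  fi
  chmod 640 "$f"
}

# Sanity check before reloading the proxy: the file must be non-empty and
# every line must be "user:<hash>" using bcrypt ($2a/$2b/$2y) or MD5-crypt
# ($apr1$). A plaintext or {SHA} entry fails the check.
check_htpasswd() {
  f="$1"
  [ -s "$f" ] || return 1
  # grep -v lists lines that do NOT match the allowed schemes; succeed only
  # when there are none.
  if grep -qvE '^[^:]+:(\$2[aby]\$|\$apr1\$)' "$f"; then
    return 1
  fi
  return 0
}

# Typical use on the proxy host (the user name is a constructed example):
#   HTPASSWD_DIR=/srv/nginx-proxy/htpasswd ./gate.sh
#   add_user psyc-ops && check_htpasswd "$HTPASSWD_DIR/$VHOST"
#   docker exec nginx-proxy nginx -s reload
```

nginx-proxy applies the gate only when the file name matches the `VIRTUAL_HOST` exactly, so keep `VHOST` in sync with the cockpit's compose environment, and treat the gate as a stopgap: it protects the proxied name, not the direct `:8767` debug port, which should stay firewalled on the Docker host.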
## Deploy

```bash
git clone ssh://git@gitea.neuronetz.ai:222/m17hr1l/psyc.git
cd psyc
docker compose up -d --build                 # cockpit + mock-cert
docker compose --profile gpu up -d --build   # + the live model (GPU host)
```

| Service | Exposure | Role |
|---|---|---|
| `cockpit` | `psyc.neuronetz.ai` via the proxy (+ `:8767` direct, debug) | operator UI |
| `mock-cert` | internal to `backend` only | stand-in destination receiver |
| `inference` | internal to `backend` only · `gpu` profile | live fine-tuned model |

Data (SQLite db, sealed packages, recipient keys, model adapters) is bind-mounted from `./data` and persists across restarts and rebuilds.

## First run

The schema is created on cockpit startup; ingest to populate it:

```bash
docker compose exec cockpit psyc fetch-all
docker compose exec cockpit psyc classify-all
docker compose exec cockpit psyc map-all
```

Schedule `fetch-all` (host cron → `docker compose exec`) to keep ingesting.

## Updating

```bash
git pull
docker compose --profile gpu up -d --build
```

## Health

```bash
curl -H 'Host: psyc.neuronetz.ai' http:///healthz
docker compose ps
```