# psyc — deployment

Deploying the psyc platform (cockpit + workers) as Docker containers — e.g. on a Proxmox-hosted VM in the company network.

## Read this before deploying

- **No built-in authentication.** The cockpit exposes cases, the ledger, and sealed-package metadata to anyone who can reach port 8767. Deploy it **behind the company reverse proxy / SSO / VPN**, or firewall the ports to the SOC subnet. Do not expose 8767 to the open network. (If you want in-app auth instead of relying on the perimeter, that's a feature to add — not present today.)
- **The live model is separate.** This image has no GPU and no torch. The fine-tuned-model bot needs `serve_model.py` running in the CUDA container on a GPU host (Proxmox GPU passthrough to a VM). Without it the Classifier bot falls back to rules — the platform works fine, just rules-only.
- **Outbound network.** Scoutline (URLhaus / CISA KEV / Feodo) and Mapline (ip-api.com) make outbound HTTPS. Behind a company egress proxy, set `HTTPS_PROXY` / `HTTP_PROXY` in the container environment (see the commented block in `docker-compose.yml`).
- **mock-cert is a stand-in.** It accepts submissions for testing — it is not a real destination. Wire real CERT / MISP / abuse endpoints (and their credentials, per `docs/dossier.md` §18) before relying on routing in production.

## Proxmox

Docker is not native to Proxmox. Run it inside a Proxmox **VM** (recommended — clean isolation, simplest Docker support) or a privileged LXC. Install Docker + the Compose plugin in that guest, give it outbound network for the feeds, then deploy as below. The GPU inference server, if used, needs a separate VM with GPU passthrough.

## Deploy

```bash
git clone ssh://git@gitea.neuronetz.ai:222/m17hr1l/psyc.git
cd psyc
docker compose up -d --build
```

Starts two containers from one `psyc:latest` image:

| Service | Port | Role |
|---|---|---|
| `cockpit` | 8767 | operator UI |
| `mock-cert` | 8770 | stand-in destination receiver (testing) |

The sqlite db, sealed packages, and recipient keys persist in the `psyc-data` named volume — they survive container restarts and rebuilds.

## First run

The schema is created on cockpit startup, but there are no cases until you ingest. Run inside the container:

```bash
docker compose exec cockpit psyc fetch-all
docker compose exec cockpit psyc classify-all
docker compose exec cockpit psyc map-all
```

Keep it ingesting by scheduling `fetch-all` — a host cron entry calling `docker compose exec cockpit psyc fetch-all`, e.g. hourly.

## Updating

```bash
git pull
docker compose up -d --build
```

The `psyc-data` volume is preserved across updates.

## Health

```bash
curl http://:8767/healthz   # cockpit
curl http://:8770/healthz   # mock-cert
```
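## Fronting the cockpit (example)

One way to satisfy the "no built-in authentication" note above: put the cockpit behind a reverse proxy that restricts by source subnet and adds authentication. This is an added example, not configuration from the psyc repo; it assumes the cockpit's port mapping in `docker-compose.yml` has been changed to `127.0.0.1:8767:8767` (so only the proxy on the VM can reach it), and uses `10.20.0.0/24`, `psyc.example.internal` and the certificate paths as placeholders.

```nginx
# Added example, not part of the psyc repo. Assumes docker-compose.yml
# publishes the cockpit as "127.0.0.1:8767:8767" and mock-cert likewise on
# loopback, so neither container port is reachable from the network directly.
# 10.20.0.0/24 is a placeholder for the SOC subnet; adjust to your network.
server {
    listen 443 ssl;
    server_name psyc.example.internal;            # placeholder hostname

    ssl_certificate     /etc/nginx/tls/psyc.crt;  # company-issued certificate
    ssl_certificate_key /etc/nginx/tls/psyc.key;

    # Perimeter: only the SOC subnet may talk to the cockpit at all.
    allow 10.20.0.0/24;
    deny  all;

    # Identity: the app has no auth of its own, so the proxy supplies it.
    # Swap basic auth for the company SSO module (e.g. auth_request) if available.
    auth_basic           "psyc cockpit";
    auth_basic_user_file /etc/nginx/psyc.htpasswd;

    location / {
        proxy_pass         http://127.0.0.1:8767;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }

    # Liveness probe for monitoring: no credentials, but still subnet-restricted.
    location = /healthz {
        auth_basic off;
        proxy_pass http://127.0.0.1:8767/healthz;
    }
}

# Redirect plain HTTP to TLS so credentials never travel in the clear.
server {
    listen 80;
    server_name psyc.example.internal;
    return 301 https://$host$request_uri;
}
```

mock-cert (8770) is deliberately not proxied here; it is a test receiver and should stay reachable only from the VM itself.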