psyc/docs/deploy.md
m17hr1l 372ee72353 stage-9: consolidate into one compose stack behind nginx-proxy
psyc now runs as a single docker compose stack — cockpit + mock-cert +
(gpu-profile) inference — on the shared external `backend` network, fronted
by nginx-proxy as psyc.neuronetz.ai. Replaces the venv processes + one-off
docker run. MOCK_CERT_BASE and INFERENCE_URL are now env-configurable
(PSYC_MOCK_CERT_URL / PSYC_INFERENCE_URL) so the cockpit reaches the other
services by compose service name. Restart policies + healthchecks. deploy.md
rewritten to match.

Verified: cockpit serves directly and via the proxy; the full
scout→…→courier→ledger chain runs over the compose network.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 22:57:33 +02:00


psyc — deployment

psyc deploys as a three-service Docker Compose stack, fronted by an existing jwilder/nginx-proxy on the shared external backend network and served as psyc.neuronetz.ai.

Read this before deploying

  • No built-in authentication. The cockpit exposes cases, the ledger, and sealed-package metadata to anyone who can reach it. The reverse proxy / network perimeter is the security boundary — keep psyc.neuronetz.ai on the internal network or behind SSO. nginx-proxy can add per-vhost basic auth via a mounted htpasswd file if you need a quick gate. (In-app auth is not built.)
  • The live model is GPU-only. The inference service needs an NVIDIA GPU and the psyc-trainer image (docker build -f Dockerfile.train). It is gated behind the gpu compose profile. Without it the Classifier bot falls back to rules — the platform runs fine.
  • Outbound network. Scoutline (URLhaus / CISA KEV / Feodo) and Mapline (ip-api.com) make outbound HTTPS. Behind a company egress proxy, set HTTPS_PROXY / HTTP_PROXY on the cockpit service.
  • mock-cert is a stand-in for real destinations — wire real CERT / MISP / abuse endpoints (and credentials, per docs/dossier.md §18) before relying on routing in production.

Prerequisites

  • A Docker host (on Proxmox: a VM running Docker — cleanest; or a privileged LXC).
  • The external backend network and an nginx-proxy on it (the shared reverse-proxy stack). psyc joins that network; the proxy auto-discovers the cockpit by its VIRTUAL_HOST.
  • DNS: point psyc.neuronetz.ai at the proxy host.
  • For the live model: an NVIDIA GPU + the NVIDIA container runtime, and the psyc-trainer image built.

Deploy

git clone ssh://git@gitea.neuronetz.ai:222/m17hr1l/psyc.git
cd psyc

docker compose up -d --build                  # cockpit + mock-cert
docker compose --profile gpu up -d --build     # + the live model (GPU host)

Service     Exposure                                                   Role
cockpit     psyc.neuronetz.ai via the proxy (+ :8767 direct, debug)   operator UI
mock-cert   internal to backend only                                   stand-in destination receiver
inference   internal to backend only · gpu profile                     live fine-tuned model

Data (sqlite db, sealed packages, recipient keys, model adapters) is bind-mounted from ./data and persists across restarts and rebuilds.
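The stack layout this section describes, written out as an added illustrative compose file that is not the project's own docker-compose.yml: the service names, the external backend network, the gpu profile, VIRTUAL_HOST, the :8767 port, the /healthz path and the ./data bind mount come from this page, while the build contexts, the mock-cert and inference container ports (8000, 8001), the in-container paths and curl being available in the cockpit image are assumptions. The debug port is bound to loopback here because the page makes the network perimeter the only security boundary.

```yaml
# Illustrative compose file (added example, not the project's own).
# Assumed: build contexts, ports 8000/8001, container paths, curl in the image.
services:
  cockpit:
    build: .
    restart: unless-stopped
    networks: [backend]
    ports:
      - "127.0.0.1:8767:8767"          # direct/debug access kept on loopback only
    environment:
      VIRTUAL_HOST: psyc.neuronetz.ai  # nginx-proxy discovers the vhost from this
      VIRTUAL_PORT: "8767"
      PSYC_MOCK_CERT_URL: http://mock-cert:8000    # peers reached by service name
      PSYC_INFERENCE_URL: http://inference:8001
      # HTTPS_PROXY / HTTP_PROXY go here behind a corporate egress proxy
    volumes:
      - ./data:/app/data               # sqlite db, sealed packages, keys, adapters
    healthcheck:
      test: ["CMD", "curl", "-fsS", "http://localhost:8767/healthz"]
      interval: 30s
      timeout: 5s
      retries: 3

  mock-cert:
    build:
      context: .
      dockerfile: Dockerfile.mock-cert   # assumed file name
    restart: unless-stopped
    networks: [backend]                  # no `ports:` -> reachable only on backend

  inference:
    profiles: [gpu]                      # started only with --profile gpu
    image: psyc-trainer                  # from: docker build -f Dockerfile.train -t psyc-trainer .
    restart: unless-stopped
    networks: [backend]
    volumes:
      - ./data/adapters:/models          # assumed adapter path
    deploy:
      resources:
        reservations:
          devices:
            - driver: nvidia
              count: 1
              capabilities: [gpu]

networks:
  backend:
    external: true                       # shared network the nginx-proxy already joins
```

Only the cockpit publishes a host port; mock-cert and inference stay reachable solely over the backend network, which is what keeps the unauthenticated stack inside the proxy's perimeter.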

First run

The schema is created on cockpit startup; ingest to populate it:

docker compose exec cockpit psyc fetch-all
docker compose exec cockpit psyc classify-all
docker compose exec cockpit psyc map-all

Schedule fetch-all (host cron → docker compose exec) to keep ingesting.

Updating

git pull
docker compose --profile gpu up -d --build

Health

curl -H 'Host: psyc.neuronetz.ai' http://<proxy-host>/healthz
docker compose ps