psyc/docs/deploy.md
m17hr1l 372ee72353 stage-9: consolidate into one compose stack behind nginx-proxy
psyc now runs as a single docker compose stack — cockpit + mock-cert +
(gpu-profile) inference — on the shared external `backend` network, fronted
by nginx-proxy as psyc.neuronetz.ai. Replaces the venv processes + one-off
docker run. MOCK_CERT_BASE and INFERENCE_URL are now env-configurable
(PSYC_MOCK_CERT_URL / PSYC_INFERENCE_URL) so the cockpit reaches the other
services by compose service name. Restart policies + healthchecks. deploy.md
rewritten to match.

Verified: cockpit serves directly and via the proxy; the full
scout→…→courier→ledger chain runs over the compose network.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 22:57:33 +02:00


# psyc — deployment
psyc deploys as a three-service Docker Compose stack, fronted by an existing
`jwilder/nginx-proxy` on the shared external `backend` network and served as
`psyc.neuronetz.ai`.
## Read this before deploying
- **No built-in authentication.** The cockpit exposes cases, the ledger, and
sealed-package metadata to anyone who can reach it. The reverse proxy / network
perimeter **is** the security boundary — keep `psyc.neuronetz.ai` on the
internal network or behind SSO. nginx-proxy can add per-vhost basic auth via a
mounted `htpasswd` file if you need a quick gate. (In-app auth is not built.)
- **The live model is GPU-only.** The `inference` service needs an NVIDIA GPU
and the `psyc-trainer` image (`docker build -f Dockerfile.train`). It is gated
behind the `gpu` compose profile. Without it the Classifier bot falls back to
rules — the platform runs fine.
- **Outbound network.** Scoutline (URLhaus / CISA KEV / Feodo) and Mapline
(ip-api.com) make outbound HTTPS. Behind a company egress proxy, set
`HTTPS_PROXY` / `HTTP_PROXY` on the `cockpit` service.
- **mock-cert is a stand-in** for real destinations — wire real CERT / MISP /
abuse endpoints (and credentials, per `docs/dossier.md` §18) before relying on
routing in production.
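The "quick gate" mentioned above, as an added example that is not part of the psyc repo or of nginx-proxy: it writes the per-vhost `htpasswd` file nginx-proxy expects and then probes that the gate holds, including that the cockpit's direct debug port `:8767` (see the service table) does not bypass it. `HTPASSWD_DIR`, `PROXY_HOST`, `PSYC_CREDS` and the assumption that the psyc stack runs on the proxy host are this example's, not the project's.

```bash
#!/usr/bin/env bash
# Added example for this deploy doc (not part of the psyc repo): gate the psyc vhost
# behind nginx-proxy per-vhost basic auth and verify the gate cannot be bypassed.
# nginx-proxy convention: one file named after the VIRTUAL_HOST under
# /etc/nginx/htpasswd inside the proxy container. HTPASSWD_DIR (the host directory
# mounted there), PROXY_HOST and PSYC_CREDS are assumptions of this example.
set -eu
VHOST="psyc.neuronetz.ai"
HTPASSWD_DIR="${HTPASSWD_DIR:-/opt/nginx-proxy/htpasswd}"   # assumed host-side mount

# nginx-proxy reads exactly one file per vhost: <dir>/<VIRTUAL_HOST>.
htpasswd_file() { printf '%s/%s\n' "$1" "$2"; }

# One htpasswd line "user:$apr1$..." (Apache MD5, accepted by nginx auth_basic).
# The password arrives on stdin so it never appears in argv or shell history.
htpasswd_line() {  # $1 = user; password on stdin
  local user="$1" pw
  IFS= read -r pw || [ -n "$pw" ]
  printf '%s:%s\n' "$user" "$(printf '%s' "$pw" | openssl passwd -apr1 -stdin)"
}

install_gate() {  # $1 = user; prompts for the password on the terminal
  local f; f=$(htpasswd_file "$HTPASSWD_DIR" "$VHOST")
  mkdir -p "$HTPASSWD_DIR"
  printf 'password for %s: ' "$1" >&2
  stty -echo; htpasswd_line "$1" > "$f"; stty echo; echo >&2
  chmod 0640 "$f"
  # nginx-proxy renders its config on container events, so restart the proxy
  # (or `docker compose up -d` the psyc stack) for the gate to take effect.
}

# The gate only holds if every path to the cockpit goes through the proxy. Expected
# from OUTSIDE the backend network: direct :8767 unreachable (curl reports 000 when
# the connection fails), proxy without credentials 401, proxy with credentials 200.
gate_verdict() {  # $1 direct :8767, $2 proxy unauthenticated, $3 proxy authenticated
  local bad=""
  [ "$1" = "000" ] || bad="$bad direct-8767-reachable($1)"
  [ "$2" = "401" ] || bad="$bad proxy-unauthenticated($2)"
  [ "$3" = "200" ] || bad="$bad proxy-authenticated($3)"
  [ -z "$bad" ] && { echo ok; return 0; }
  echo "FAIL:$bad"; return 1
}

code() { curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$@" || true; }
probe() {  # PSYC_CREDS="user:pass"; run from a host outside the backend network
  gate_verdict "$(code "http://$PROXY_HOST:8767/healthz")" \
    "$(code -H "Host: $VHOST" "http://$PROXY_HOST/healthz")" \
    "$(code -H "Host: $VHOST" -u "$PSYC_CREDS" "http://$PROXY_HOST/healthz")"
}
case "${1:-}" in install) install_gate "${2:?user}" ;; probe) probe ;; esac
```

A `FAIL: direct-8767-reachable(200)` verdict means the published debug port is answering from outside and the proxy's basic auth is being bypassed; unpublish the port or firewall it to the host before relying on the gate.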
## Prerequisites
- A Docker host (on Proxmox: a VM running Docker — cleanest; or a privileged LXC).
- The external `backend` network and an `nginx-proxy` on it (the shared
reverse-proxy stack). psyc joins that network; the proxy auto-discovers the
cockpit by its `VIRTUAL_HOST`.
- DNS: point `psyc.neuronetz.ai` at the proxy host.
- For the live model: an NVIDIA GPU + the NVIDIA container runtime, and the
`psyc-trainer` image built.
## Deploy
```bash
git clone ssh://git@gitea.neuronetz.ai:222/m17hr1l/psyc.git
cd psyc
docker compose up -d --build # cockpit + mock-cert
docker compose --profile gpu up -d --build # + the live model (GPU host)
```
| Service | Exposure | Role |
|---|---|---|
| `cockpit` | `psyc.neuronetz.ai` via the proxy (+ `:8767` direct, debug) | operator UI |
| `mock-cert` | internal to `backend` only | stand-in destination receiver |
| `inference` | internal to `backend` only · `gpu` profile | live fine-tuned model |

Data (sqlite db, sealed packages, recipient keys, model adapters) is bind-mounted
from `./data` and persists across restarts and rebuilds.
## First run
The schema is created on cockpit startup; ingest to populate it:
```bash
docker compose exec cockpit psyc fetch-all
docker compose exec cockpit psyc classify-all
docker compose exec cockpit psyc map-all
```
Schedule `fetch-all` (host cron → `docker compose exec`) to keep ingesting.
## Updating
```bash
git pull
docker compose --profile gpu up -d --build
```
## Health
```bash
curl -H 'Host: psyc.neuronetz.ai' http://<proxy-host>/healthz
docker compose ps
```