psyc/docs/deploy.md
m17hr1l e54242178f stage-8: deployable platform — Dockerfile + compose for company-network deploy
Lean python:3.12-slim platform image (cockpit + CLI + workers, 214 MB — no GPU,
no model). docker-compose.yml runs cockpit + mock-cert on a persistent
psyc-data volume. DATA_DIR is now overridable via PSYC_DATA_DIR so the
container's data path is explicit. docs/deploy.md covers Proxmox hosting,
first-run ingestion, and the honest caveats — no built-in auth (deploy behind
the perimeter), the GPU model server is separate, egress-proxy config.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 21:53:03 +02:00


# psyc — deployment

Deploying the psyc platform (cockpit + workers) as Docker containers — e.g. on a Proxmox-hosted VM in the company network.

## Read this before deploying

- **No built-in authentication.** The cockpit exposes cases, the ledger, and sealed-package metadata to anyone who can reach port 8767. Deploy it behind the company reverse proxy / SSO / VPN, or firewall the ports to the SOC subnet. Do not expose 8767 to the open network. (If you want in-app auth instead of relying on the perimeter, that's a feature to add — not present today.)
- **The live model is separate.** This image has no GPU and no torch. The fine-tuned-model bot needs `serve_model.py` running in the CUDA container on a GPU host (Proxmox GPU passthrough to a VM). Without it the Classifier bot falls back to rules — the platform works fine, just rules-only.
- **Outbound network.** Scoutline (URLhaus / CISA KEV / Feodo) and Mapline (ip-api.com) make outbound HTTPS. Behind a company egress proxy, set `HTTPS_PROXY` / `HTTP_PROXY` in the container environment (see the commented block in `docker-compose.yml`).
- **mock-cert is a stand-in.** It accepts submissions for testing — it is not a real destination. Wire real CERT / MISP / abuse endpoints (and their credentials, per `docs/dossier.md` §18) before relying on routing in production.

## Proxmox

Docker is not native to Proxmox. Run it inside a Proxmox VM (recommended — clean isolation, simplest Docker support) or a privileged LXC. Install Docker + the Compose plugin in that guest, give it outbound network for the feeds, then deploy as below. The GPU inference server, if used, needs a separate VM with GPU passthrough.

## Deploy

```sh
git clone ssh://git@gitea.neuronetz.ai:222/m17hr1l/psyc.git
cd psyc
docker compose up -d --build
```

Starts two containers from one `psyc:latest` image:

| Service   | Port | Role                                    |
| --------- | ---- | --------------------------------------- |
| cockpit   | 8767 | operator UI                             |
| mock-cert | 8770 | stand-in destination receiver (testing) |

The sqlite db, sealed packages, and recipient keys persist in the psyc-data named volume — they survive container restarts and rebuilds.

## First run

The schema is created on cockpit startup, but there are no cases until you ingest. Run inside the container:

```sh
docker compose exec cockpit psyc fetch-all
docker compose exec cockpit psyc classify-all
docker compose exec cockpit psyc map-all
```

Keep it ingesting by scheduling `fetch-all` — a host cron entry calling `docker compose exec cockpit psyc fetch-all`, e.g. hourly. Run it from the repo checkout (the compose project directory) so compose can find the `cockpit` service.

## Updating

```sh
git pull
docker compose up -d --build
```

The psyc-data volume is preserved across updates.

## Health

```sh
curl http://<host>:8767/healthz      # cockpit
curl http://<host>:8770/healthz      # mock-cert
```
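A post-deploy check for the no-built-in-auth caveat above, added here as an example and not part of the psyc repo: it reads the host's `ss -Hltn` listing and flags any psyc port that docker-proxy has published on a wildcard address, which is what a plain `8767:8767` compose mapping produces. The function names are hypothetical; the ports are the two documented on this page.

```sh
#!/bin/sh
# Post-deploy exposure check (added example, not part of the psyc repo).
# A plain "8767:8767" mapping makes docker-proxy listen on 0.0.0.0 and [::],
# i.e. the cockpit is reachable from every interface of the VM. This script
# reads the host's listening sockets and flags psyc ports bound that way.
# Helper names are hypothetical; the ports are the ones documented above.
PSYC_PORTS="${PSYC_PORTS:-8767 8770}"

# psyc_wildcard_listeners: read `ss -Hltn` lines on stdin and print each
# local address that publishes a psyc port on a wildcard address.
psyc_wildcard_listeners() {
    awk -v ports="$PSYC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        {
            addr = $4                           # "Local Address:Port" column
            port = addr; sub(/.*:/, "", port)   # text after the last colon
            host = addr; sub(/:[0-9]+$/, "", host)
            if ((port in want) && (host == "0.0.0.0" || host == "[::]" || host == "*"))
                print addr
        }'
}

# psyc_check_exposure: audit the live socket table on the Docker host.
# Returns 1 and lists offenders when a psyc port is reachable from any
# interface; returns 0 when every psyc port is bound to a specific address.
psyc_check_exposure() {
    command -v ss >/dev/null 2>&1 || { echo "ss not found on this host" >&2; return 2; }
    bad=$(ss -Hltn | psyc_wildcard_listeners)
    if [ -n "$bad" ]; then
        printf 'EXPOSED on all interfaces: %s\n' $bad >&2
        return 1
    fi
    echo "ok: psyc ports are bound to specific addresses only"
}

# Usage on the host VM after `docker compose up -d`:  sh psyc-exposure-check.sh audit
case "${1:-}" in
    audit) psyc_check_exposure ;;
esac
```

If the check flags a port, bind the compose mapping to a specific address instead, e.g. `127.0.0.1:8767:8767` when the reverse proxy runs on the same VM, and re-run the check.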