# docker-compose.yml — Service MCP + WAF + MinIO
#
# Usage :
# docker compose build
# docker compose up -d # prod (WAF + live-mem, S3 = remote via .env)
# docker compose --profile dev up -d # dev (MinIO + WAF + live-mem, S3 = local)
# docker compose logs -f
#
# Architecture réseau :
# Internet → WAF (port 8080) → live-mem-service (port 8002, interne)
# MinIO S3 (port 9000 interne, console 9001 exposée pour admin) — profil dev uniquement
# Le service MCP n'est PAS exposé directement.
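services:
  # ─────────────────────────────────────────────────────────────
  # MinIO — S3-compatible object storage (local dev)
  # ─────────────────────────────────────────────────────────────
  # Started only with `--profile dev`; production points at a remote
  # S3 configured through .env (see file header).
  minio:
    profiles: [dev]
    # NOTE(review): `latest` is a mutable tag — pin to a release tag or a
    # digest (`minio/minio@sha256:<DIGEST_PLACEHOLDER>`) so image updates
    # are deliberate and reproducible.
    image: minio/minio:latest
    command: server /data --console-address ":9001"
    ports:
      # Web console only — the S3 API (9000) stays on the internal network.
      # Bound to loopback so the admin console, which falls back to the
      # default credentials below, is never reachable from other hosts.
      - "127.0.0.1:9001:9001"
    environment:
      # The minioadmin defaults are a dev-profile convenience only; set
      # S3_ACCESS_KEY_ID / S3_SECRET_ACCESS_KEY in .env.
      MINIO_ROOT_USER: "${S3_ACCESS_KEY_ID:-minioadmin}"
      MINIO_ROOT_PASSWORD: "${S3_SECRET_ACCESS_KEY:-minioadmin}"
      MINIO_DRIVE_MAX_TIMEOUT: 1m
    volumes:
      - minio_data:/data
    restart: unless-stopped
    networks:
      - live-mem-network
    healthcheck:
      test: ["CMD", "mc", "ready", "local"]
      interval: 10s
      timeout: 5s
      start_period: 5s
      retries: 3

  # ─────────────────────────────────────────────────────────────
  # MinIO init — creates the bucket on first run, then exits
  # ─────────────────────────────────────────────────────────────
  minio-init:
    profiles: [dev]
    # NOTE(review): same pinning concern as `minio` above.
    image: minio/mc:latest
    depends_on:
      minio:
        condition: service_healthy
    # `$$` is compose escaping: the container shell receives `${VAR}` and
    # expands it from the environment block below, not from the host .env.
    entrypoint: >
      /bin/sh -c "
      mc alias set local http://minio:9000 $${MINIO_ROOT_USER} $${MINIO_ROOT_PASSWORD};
      mc mb --ignore-existing local/$${BUCKET_NAME};
      echo 'Bucket ready';
      "
    environment:
      MINIO_ROOT_USER: "${S3_ACCESS_KEY_ID:-minioadmin}"
      MINIO_ROOT_PASSWORD: "${S3_SECRET_ACCESS_KEY:-minioadmin}"
      BUCKET_NAME: "${S3_BUCKET_NAME:-live-mem}"
    networks:
      - live-mem-network

  # ─────────────────────────────────────────────────────────────
  # WAF — Caddy + Coraza OWASP CRS + Rate Limiting
  # ─────────────────────────────────────────────────────────────
  # The only publicly exposed entry point.
  # Protects against: injections, XSS, LFI, SSRF, DoS, bots.
  # Handles automatic TLS via Let's Encrypt in production.
  # ─────────────────────────────────────────────────────────────
  waf:
    build: ./waf
    ports:
      - "${WAF_PORT:-8080}:8080"
      # Uncomment in production with Let's Encrypt TLS:
      # - "80:80"
      # - "443:443"
    volumes:
      - ./waf/Caddyfile:/etc/caddy/Caddyfile:ro
      # Uncomment so Let's Encrypt certificates survive container recreation:
      # - caddy_data:/data
      # - caddy_config:/config
    environment:
      # Map form, consistent with the other services.
      SITE_ADDRESS: "${SITE_ADDRESS:-:8080}"
    # Long form (as minio-init → minio): the proxy only comes up once the
    # backend's healthcheck passes, instead of merely after it is created.
    depends_on:
      live-mem-service:
        condition: service_healthy
    # Block privilege escalation via setuid binaries inside the container.
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    networks:
      - live-mem-network

  # ─────────────────────────────────────────────────────────────
  # MCP service — Live Memory
  # ─────────────────────────────────────────────────────────────
  # NOT publicly exposed — reachable only through the WAF.
  # ─────────────────────────────────────────────────────────────
  live-mem-service:
    build: .
    image: live-memory:latest
    # Deliberately no "ports:" — the WAF is the only entry point.
    # .env carries the runtime configuration (remote S3 per the header);
    # keep it out of version control.
    env_file: .env
    # Block privilege escalation via setuid binaries inside the container.
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    networks:
      - live-mem-network
    healthcheck:
      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8002/health', timeout=2)"]
      interval: 30s
      timeout: 5s
      start_period: 10s
      retries: 3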
networks:
  # Private bridge shared by every service above; nothing else joins it,
  # and only the WAF (and the dev-only MinIO console) publishes a host port.
  live-mem-network:
    driver: bridge
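volumes:
  # Explicit empty mapping rather than a bare `minio_data:` (which parses
  # as null) — same meaning to compose, unambiguous to linters.
  # Dev profile only — not created in prod.
  minio_data: {}
  # Uncomment in production (used by the commented-out waf mounts):
  # caddy_data: {}
  # caddy_config: {}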