docker-compose.yml
yaml
sha256:ef10830ce231e0a20efcb0e2586cb879471247e916616e6fdd0d51df459e2595
fix: typing audit — 0 violations, 0 untyped defs across all…
Sonnet 4.6
minor
⚠ breaking
21 days ago
| 1 | networks: |
| 2 | musehub-internal: |
| 3 | driver: bridge |
| 4 | |
| 5 | services: |
| 6 | musehub: |
| 7 | build: |
| 8 | context: .. |
| 9 | dockerfile: musehub/Dockerfile |
| 10 | image: musehub/musehub |
| 11 | container_name: musehub |
| 12 | ports: |
| 13 | - "127.0.0.1:1337:1337" |
| 14 | env_file: .env |
| 15 | environment: |
| 16 | DATABASE_URL: "postgresql+asyncpg://musehub:${DB_PASSWORD:-musehub}@postgres:5432/musehub" |
| 17 | volumes: |
| 18 | - musehub_data:/data |
| 19 | # /tmp writable for uvicorn temp files; root filesystem is read-only. |
| 20 | - type: tmpfs |
| 21 | target: /tmp |
| 22 | # TLS cert for local HTTPS — enables HTTP/2 without a reverse proxy. |
| 23 | # Certs live outside the repo at ~/.config/musehub/local-tls/ so they |
| 24 | # survive repo cleans, checkouts, and directory recreations. |
| 25 | # First-time setup: mkcert localhost 127.0.0.1 ::1 (run in that dir). |
| 26 | - ${HOME}/.config/musehub/local-tls:/tls:ro |
| 27 | depends_on: |
| 28 | postgres: |
| 29 | condition: service_healthy |
| 30 | networks: |
| 31 | - musehub-internal |
| 32 | restart: unless-stopped |
| 33 | # Read-only root filesystem — prevents code injection and log-file exfiltration. |
| 34 | # Explicit writable mounts: /data (object store, named volume) and /tmp (tmpfs). |
| 35 | read_only: true |
| 36 | deploy: |
| 37 | resources: |
| 38 | limits: |
| 39 | # 1 vCPU cap prevents a runaway request from starving nginx/postgres. |
| 40 | cpus: "1.0" |
| 41 | # 2 GiB covers large mpack unpack operations (1000+ commits, 10k+ blobs). |
| 42 | memory: 2048M |
| 43 | reservations: |
| 44 | cpus: "0.25" |
| 45 | memory: 256M |
| 46 | |
| 47 | worker: |
| 48 | build: |
| 49 | context: .. |
| 50 | dockerfile: musehub/Dockerfile |
| 51 | image: musehub/musehub |
| 52 | container_name: musehub_worker |
| 53 | command: ["python", "-m", "musehub.worker"] |
| 54 | env_file: .env |
| 55 | environment: |
| 56 | DATABASE_URL: "postgresql+asyncpg://musehub:${DB_PASSWORD:-musehub}@postgres:5432/musehub" |
| 57 | WORKER_POLL_INTERVAL: "1.0" |
| 58 | volumes: |
| 59 | - musehub_data:/data |
| 60 | - type: tmpfs |
| 61 | target: /tmp |
| 62 | depends_on: |
| 63 | postgres: |
| 64 | condition: service_healthy |
| 65 | healthcheck: |
| 66 | test: ["CMD-SHELL", "kill -0 1 2>/dev/null || exit 1"] |
| 67 | interval: 30s |
| 68 | timeout: 5s |
| 69 | start_period: 15s |
| 70 | retries: 3 |
| 71 | networks: |
| 72 | - musehub-internal |
| 73 | restart: unless-stopped |
| 74 | read_only: true |
| 75 | deploy: |
| 76 | resources: |
| 77 | limits: |
| 78 | # Worker may use more memory than the web process — symbol indexing |
| 79 | # loads commit graphs into memory. 2 GiB covers the largest repos. |
| 80 | cpus: "1.0" |
| 81 | memory: 2048M |
| 82 | reservations: |
| 83 | cpus: "0.1" |
| 84 | memory: 128M |
| 85 | |
| 86 | postgres: |
| 87 | image: postgres:16-alpine |
| 88 | container_name: musehub_postgres |
| 89 | environment: |
| 90 | POSTGRES_DB: musehub |
| 91 | POSTGRES_USER: musehub |
| 92 | POSTGRES_PASSWORD: "${DB_PASSWORD:-musehub}" |
| 93 | volumes: |
| 94 | - postgres_data:/var/lib/postgresql/data |
| 95 | healthcheck: |
| 96 | test: ["CMD-SHELL", "pg_isready -U musehub -d musehub"] |
| 97 | interval: 5s |
| 98 | timeout: 5s |
| 99 | retries: 10 |
| 100 | networks: |
| 101 | - musehub-internal |
| 102 | restart: unless-stopped |
| 103 | # Expose on 5434 (not 5432/5433) to avoid colliding with a locally-installed |
| 104 | # Postgres or another project's container (e.g. agentception uses 5433). |
| 105 | # This lets the local test suite and Alembic CLI reach the DB directly: |
| 106 | # DATABASE_URL=postgresql+asyncpg://musehub:musehub@localhost:5434/musehub |
| 107 | # make test (the Makefile sets this automatically) |
| 108 | # alembic upgrade head |
| 109 | ports: |
| 110 | - "127.0.0.1:5434:5432" |
| 111 | deploy: |
| 112 | resources: |
| 113 | limits: |
| 114 | cpus: "0.5" |
| 115 | memory: 256M |
| 116 | reservations: |
| 117 | cpus: "0.1" |
| 118 | memory: 64M |
| 119 | |
| 120 | musehub-runner: |
| 121 | image: docker:24-dind |
| 122 | container_name: musehub_runner |
| 123 | privileged: true |
| 124 | env_file: .env |
| 125 | environment: |
| 126 | RUNNER_TOKEN: "${RUNNER_TOKEN:-}" |
| 127 | MUSEHUB_URL: "http://musehub:1337" |
| 128 | volumes: |
| 129 | - type: tmpfs |
| 130 | target: /tmp |
| 131 | depends_on: |
| 132 | - musehub |
| 133 | networks: |
| 134 | - musehub-internal |
| 135 | restart: unless-stopped |
| 136 | deploy: |
| 137 | resources: |
| 138 | limits: |
| 139 | cpus: "2.0" |
| 140 | memory: 1024M |
| 141 | reservations: |
| 142 | cpus: "0.25" |
| 143 | memory: 256M |
| 144 | |
| 145 | volumes: |
| 146 | musehub_data: |
| 147 | postgres_data: |
File History
1 commit
sha256:ef10830ce231e0a20efcb0e2586cb879471247e916616e6fdd0d51df459e2595
fix: typing audit — 0 violations, 0 untyped defs across all…
Sonnet 4.6
minor
⚠
21 days ago