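name: axon

# App containers (workers + web).
# Infrastructure (postgres, redis, rabbitmq, qdrant, chrome) lives in
# docker-compose.services.yaml — start it first.

# Shared defaults pulled into each service with `<<: *common-service`.
# The merge is shallow: a service that declares one of these keys itself
# replaces the whole value rather than extending it.
x-common-service: &common-service
  # Every variable in .env is injected into every container that merges this
  # block, so keep .env out of version control and limited to what the
  # containers actually need.
  env_file:
    - .env
  networks:
    - axon
  restart: unless-stopped
  # Lets containers resolve the Docker host as host.docker.internal.
  extra_hosts:
    - "host.docker.internal:host-gateway"
  ulimits:
    nofile:
      soft: 65535
      hard: 65535
  # Bounded json-file logging: at most 3 rotated files of 10 MB each.
  logging:
    driver: "json-file"
    options:
      max-size: "10m"
      max-file: "3"
      compress: "true"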
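services:
  # Worker container: runs the crawl/extract/embed/ingest (and optional graph)
  # workers plus the web-server service under s6, per the healthcheck below.
  axon-workers:
    <<: *common-service
    container_name: axon-workers
    build:
      context: .
      dockerfile: docker/Dockerfile
      args:
        AXON_GIT_SHA: ${AXON_GIT_SHA:-dev}
      additional_contexts:
        spider-agent: ../spider/spider_agent
        spider-agent-types: ../spider/spider_agent_types
        spider-agent-html: ../spider/spider_agent_html
    environment:
      RUST_LOG: "info"
      HOME: /home/axon
      AXON_DATA_DIR: /data
      AXON_OUTPUT_DIR: /data/axon/output
      AXON_MCP_ARTIFACT_DIR: /data/axon/artifacts
      AXON_CHROME_DIAGNOSTICS_DIR: /data/axon/chrome-diagnostics
      AXON_ENFORCE_IMAGE_SHA: ${AXON_ENFORCE_IMAGE_SHA:-false}
      AXON_GRAPH_LLM_URL: ${AXON_GRAPH_LLM_URL:-http://axon-ollama:11434}
    # Short-form mappings without a host IP publish on every host interface.
    # Prefix with 127.0.0.1: (e.g. "127.0.0.1:8001:8001") when only local
    # clients need access.
    # NOTE(review): whether these endpoints authenticate callers is not visible
    # in this file — confirm before exposing them beyond localhost.
    ports:
      - "49000:49000"  # axon serve (HTTP + WebSocket)
      - "8001:8001"  # MCP HTTP transport
    deploy:
      resources:
        limits:
          cpus: '4.0'
          memory: 4G
        reservations:
          cpus: '1.0'
          memory: 512M
    # Healthy only when the /run/sha-guard-failed marker is absent and
    # s6-svstat succeeds for each service; graph-worker is checked only when
    # AXON_NEO4J_URL is non-empty.
    # ${AXON_NEO4J_URL:-} is substituted by Compose when this file is loaded
    # (from the shell environment or the project .env), not by the container's
    # shell; write $${...} to defer it to the container.
    # NOTE(review): s6-svstat -u reports the up/down state on stdout, which is
    # discarded here — confirm its exit status alone distinguishes "up" from
    # "down" for the s6 version in the image.
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "[ ! -f /run/sha-guard-failed ] && /command/s6-svstat -u /run/service/crawl-worker >/dev/null && /command/s6-svstat -u /run/service/extract-worker >/dev/null && /command/s6-svstat -u /run/service/embed-worker >/dev/null && /command/s6-svstat -u /run/service/ingest-worker >/dev/null && ( [ -z \"${AXON_NEO4J_URL:-}\" ] || /command/s6-svstat -u /run/service/graph-worker >/dev/null ) && /command/s6-svstat -u /run/service/web-server >/dev/null",
        ]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s
    volumes:
      # Read-only, but this is the whole project directory, so the .env used
      # by env_file is readable inside the container at /repo/.env.
      - ./:/repo:ro
      - ${AXON_DATA_DIR:-./data}/axon/output:/data/axon/output
      - ${AXON_DATA_DIR:-./data}/axon/artifacts:/data/axon/artifacts
      - ${AXON_DATA_DIR:-./data}/axon/logs:/app/logs
      - ${AXON_DATA_DIR:-./data}/axon/chrome-diagnostics:/data/axon/chrome-diagnostics
      # Session history mounts — required for `axon sessions` ingest worker.
      # Set HOST_HOME in .env to your home directory (e.g. /home/yourname).
      # NOTE(review): these three mounts are read-write and the last one is the
      # entire ~/.gemini directory. If the ingest worker only reads session
      # history, append :ro and narrow the path — confirm against the worker.
      - ${HOST_HOME:-${HOME}}/.claude/projects:/home/axon/.claude/projects
      - ${HOST_HOME:-${HOME}}/.codex/sessions:/home/axon/.codex/sessions
      - ${HOST_HOME:-${HOME}}/.gemini:/home/axon/.gemini
      # ACP adapter auth/config mounts — required for pulse_chat adapter handshake.
      # The files are mounted read-only at staging paths; 17-materialize-claude-credentials
      # copies them into /home/axon/.claude/ owned by axon so the adapter can read and refresh
      # tokens without touching the host files' ownership or permissions.
      - ${HOST_HOME:-${HOME}}/.claude.json:/run/host-claude/claude.json:ro
      - ${HOST_HOME:-${HOME}}/.claude/.credentials.json:/run/host-claude/.credentials.json:ro
      - ${HOST_HOME:-${HOME}}/.codex/auth.json:/run/host-codex/auth.json:ro
      - ${HOST_HOME:-${HOME}}/.codex/config.toml:/run/host-codex/config.toml:ro
      - ${HOST_HOME:-${HOME}}/.codex/models_cache.json:/run/host-codex/models_cache.json:ro

  # Web UI container; starts only after axon-workers reports healthy.
  axon-web:
    <<: *common-service
    container_name: axon-web
    build:
      context: apps/web
      dockerfile: ../../docker/web/Dockerfile
      args:
        AXON_GIT_SHA: ${AXON_GIT_SHA:-dev}
      additional_contexts:
        web-s6: docker/web/s6-rc.d
        web-cont-init: docker/web/cont-init.d
    # Published on every host interface, and AXON_WEB_APP_MODE defaults to
    # dev below. Bind to 127.0.0.1 ("127.0.0.1:49010:49010") unless remote
    # access is intended.
    ports:
      - "49010:49010"
    environment:
      HOST: "0.0.0.0"
      HOME: /home/node
      PORT: "49010"
      AXON_WEB_APP_MODE: ${AXON_WEB_APP_MODE:-dev}
      AXON_ENFORCE_IMAGE_SHA: ${AXON_ENFORCE_IMAGE_SHA:-false}
      AXON_BACKEND_URL: "http://axon-workers:49000"
      NEXT_PUBLIC_AXON_PORT: "49000"
      AXON_WORKSPACE: /workspace
      AXON_DATA_DIR: /data
      AXON_OUTPUT_DIR: /data/axon/output
      AXON_WEB_ENABLE_DOCKER_SOCKET_LOGS: "false"  # opt-in: set to "true" to enable docker log streaming
      AXON_WEB_DOCKER_SOCKET_PATH: /var/run/docker.sock
      AXON_BIN: ${AXON_BIN:-}  # override binary path for /api/cortex/* routes (see .env.example)
      # Set WATCHPACK_POLLING=true in .env if file-watch events don't propagate
    volumes:
      # Read-only, but this is the whole project directory, so the .env used
      # by env_file is readable inside the container at /repo/.env.
      - ./:/repo:ro
      - ./apps/web:/app  # bind-mount source for hot reload
      - /app/node_modules  # anonymous vol: preserves container's node_modules
      - /app/.next  # anonymous vol: preserves Next.js build cache
      - ${AXON_DATA_DIR:-./data}/axon/output:/data/axon/output:ro
      - ${AXON_DATA_DIR:-./data}/axon/claude:/home/node/.claude
      # NOTE(review): this auth file is mounted read-write straight into the
      # home directory, while axon-workers stages the same host file read-only
      # under /run/host-claude. Confirm the web container needs to write to the
      # host copy; otherwise stage it :ro as well.
      - ${HOST_HOME:-${HOME}}/.claude.json:/home/node/.claude.json  # auth file — separate from config dir
      # ACP adapter credential staging — mounted read-only at staging paths;
      # 16-materialize-agent-credentials copies them into /home/node/{.claude,.codex}/
      # owned by node so `claude agents` and codex CLI can read/refresh OAuth tokens.
      - ${HOST_HOME:-${HOME}}/.claude/.credentials.json:/run/host-claude/.credentials.json:ro
      - ${HOST_HOME:-${HOME}}/.codex/auth.json:/run/host-codex/auth.json:ro
      - ${HOST_HOME:-${HOME}}/.codex/config.toml:/run/host-codex/config.toml:ro
      - ${HOST_HOME:-${HOME}}/.codex/models_cache.json:/run/host-codex/models_cache.json:ro
      # Uncomment to mount host SSH keys (opt-in — exposes keys to the container):
      # - ${HOST_HOME:-${HOME}}/.ssh:/home/node/.ssh:ro
      - ${AXON_WORKSPACE:-${HOME}/workspace}:/workspace
      # SECURITY: :ro applies to the bind mount only. It does not restrict the
      # requests a process can send over the socket, so any process in this
      # container with the docker group (see group_add) has full Docker API
      # access, which is equivalent to root on the host. The socket is attached
      # even though AXON_WEB_ENABLE_DOCKER_SOCKET_LOGS is "false" above. Remove
      # this mount and group_add when log streaming is not used, or put a
      # filtering socket proxy that allows only the read endpoints in front.
      - /var/run/docker.sock:/var/run/docker.sock:ro
    group_add:
      # Host-specific value: check the real GID with `getent group docker`.
      - "981"  # host docker group GID — grants node user access to /var/run/docker.sock
    depends_on:
      axon-workers:
        condition: service_healthy
    # Healthy when the /run/sha-guard-failed marker is absent and the local
    # /evaluate route answers successfully within 4 seconds.
    healthcheck:
      test:
        [
          "CMD-SHELL",
          "[ ! -f /run/sha-guard-failed ] && curl -fsSL --max-time 4 http://127.0.0.1:49010/evaluate > /dev/null",
        ]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 30s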
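# Network the services join through the x-common-service defaults.
# external: true means Compose will not create it; it must already exist
# before `up` (presumably created by docker-compose.services.yaml — confirm).
networks:
  axon:
    external: true
    name: axon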