crashlabs/huskies
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 26 Wiki Activity
Files
v0.9.0
huskies/docker/docker-compose.yml
T
Timmy 2d8ccb3eb6 huskies: rename project from storkit to huskies 
Rename all references from storkit to huskies across the codebase:
- .storkit/ directory → .huskies/
- Binary name, Cargo package name, Docker image references
- Server code, frontend code, config files, scripts
- Fix script/test to build frontend before cargo clippy/test
  so merge worktrees have frontend/dist available for RustEmbed

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 16:12:52 +01:00

125 lines
4.5 KiB
YAML
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Huskies single-container deployment
#
# Usage:
# # Set your API key and project path, then:
# ANTHROPIC_API_KEY=sk-ant-... PROJECT_PATH=/path/to/your/repo \
# docker compose -f docker/docker-compose.yml up
#
# OrbStack users: just install OrbStack and use `docker compose` normally.
# OrbStack's VirtioFS bind mount driver is significantly faster than
# Docker Desktop's default (see spike findings).
services:
huskies:
build:
context: ..
dockerfile: docker/Dockerfile
container_name: huskies
ports:
# Bind to localhost only — not exposed on all interfaces.
- "127.0.0.1:3001:3001"
environment:
# Optional: Anthropic API key. If unset, Claude Code falls back to
# OAuth credentials from `claude login` (e.g. Max subscription).
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
# Required: git identity for agent commits
- GIT_USER_NAME=${GIT_USER_NAME:?Set GIT_USER_NAME}
- GIT_USER_EMAIL=${GIT_USER_EMAIL:?Set GIT_USER_EMAIL}
# Optional: override the server port (default 3001)
- HUSKIES_PORT=3001
# Bind to all interfaces so Docker port forwarding works.
- HUSKIES_HOST=0.0.0.0
# Optional: Matrix bot credentials (if using Matrix integration)
- MATRIX_HOMESERVER=${MATRIX_HOMESERVER:-}
- MATRIX_USER=${MATRIX_USER:-}
- MATRIX_PASSWORD=${MATRIX_PASSWORD:-}
# Optional: Slack webhook (if using Slack integration)
- SLACK_BOT_TOKEN=${SLACK_BOT_TOKEN:-}
- SLACK_APP_TOKEN=${SLACK_APP_TOKEN:-}
volumes:
# The target project repo bind-mounted from host.
# Changes made by agents inside the container are immediately
# visible on the host (and vice versa).
- ${PROJECT_PATH:?Set PROJECT_PATH}:/workspace
# Cargo registry cache persists downloaded crates across
# container restarts so `cargo build` doesn't re-download.
- cargo-registry:/usr/local/cargo/registry
# Cargo git checkouts persists git-based dependencies.
- cargo-git:/usr/local/cargo/git
# Claude Code state persists session history, projects config,
# and conversation transcripts so --resume works across restarts.
- claude-state:/home/huskies/.claude
# Huskies source tree for rebuild_and_restart.
# The binary has CARGO_MANIFEST_DIR baked in at compile time
# pointing to /app/server, so the source must be at /app.
# This is COPY'd in the Dockerfile; mounting over it allows
# live source updates without rebuilding the image.
# Mount host source so rebuild_and_restart picks up live changes:
- ./..:/app
# Keep cargo build artifacts off the bind mount.
# Bind-mount directory traversal is ~23x slower than Docker volumes
# (confirmed in spike 329). Cargo stat-checks every file in target/
# on incremental builds — leaving it on the bind mount makes builds
# catastrophically slow (~12s just to traverse the tree).
- workspace-target:/workspace/target
- huskies-target:/app/target
# ── Security hardening ──────────────────────────────────────────
# Read-only root filesystem. Only explicitly mounted volumes and
# tmpfs paths are writable.
read_only: true
tmpfs:
- /tmp:size=512M,exec
- /home/huskies:size=512M,uid=999,gid=999,exec
# Drop all Linux capabilities, then add back only what's needed.
# SETUID/SETGID needed by Claude Code's PTY allocation (openpty).
cap_drop:
- ALL
cap_add:
- SETUID
- SETGID
# Prevent child processes from gaining new privileges via setuid,
# setgid, or other mechanisms.
security_opt:
- no-new-privileges:true
# Resource limits cap the whole system.
deploy:
resources:
limits:
cpus: "8"
memory: 24G
reservations:
cpus: "2"
memory: 4G
# Health check verify the MCP endpoint responds
healthcheck:
test: ["CMD", "curl", "-sf", "http://localhost:3001/health"]
interval: 30s
timeout: 5s
retries: 3
start_period: 10s
# Use tini as PID 1 to reap zombie child processes.
# Without this, grandchild processes (esbuild, cargo, etc.) spawned by
# npm/cargo during worktree setup and gate checks become zombies.
init: true
# Restart policy restart on crash but not on manual stop
restart: unless-stopped
volumes:
cargo-registry:
cargo-git:
claude-state:
workspace-target:
huskies-target:
Reference in New Issue View Git Blame Copy Permalink