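# Self-hosted single-host deployment: Postgres, Redis, the API and a Caddy
# reverse proxy on one bridge network.
# Values written as ${VAR:-default} are interpolated by Compose from the
# shell environment or the project .env file. Every default reproduces the
# previous hard-coded value, so existing deployments keep working unchanged.
services:
  postgres:
    image: postgres:15-alpine
    container_name: mcpworks-postgres
    restart: unless-stopped
    environment:
      POSTGRES_DB: mcpworks
      POSTGRES_USER: mcpworks
      # Set POSTGRES_PASSWORD in .env to replace the built-in default, which is
      # only meant for local/self-hosted trials. Whatever credential the API
      # reads from its own .env must agree with this value (not visible here).
      POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-mcpworks_selfhost}" # pragma: allowlist secret
    volumes:
      - postgres-data:/var/lib/postgresql/data
    networks:
      - mcpworks-net
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U mcpworks"]
      interval: 10s
      timeout: 5s
      retries: 5

  redis:
    image: redis:7-alpine
    container_name: mcpworks-redis
    restart: unless-stopped
    volumes:
      - redis-data:/data
    networks:
      - mcpworks-net
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
      interval: 10s
      timeout: 5s
      retries: 5

  api:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: mcpworks-api
    restart: unless-stopped
    env_file: .env
    # `expose` does not publish the port on the host; 8000 is reachable only
    # from other containers on mcpworks-net (i.e. caddy).
    expose:
      - "8000"
    volumes:
      - sandbox-tmp:/tmp/sandbox
      - scratchpad-data:/opt/mcpworks/scratchpad
      # Docker socket: required for agent runtime (container lifecycle management).
      # Anything that can talk to this socket is effectively root on the host, so
      # this mount puts the API container inside the host's trust boundary.
      # Remove this mount if you do not use the agent runtime feature.
      - /var/run/docker.sock:/var/run/docker.sock
    # Privileged mode + capabilities: required for nsjail sandbox isolation.
    # nsjail creates Linux namespaces (user, pid, net, mount) which require
    # CAP_SYS_ADMIN. User code runs inside nsjail with dropped privileges.
    # NOTE(review): `privileged: true` already grants every capability and turns
    # off the default seccomp/AppArmor profiles, so under Docker the security_opt
    # and cap_add entries below add nothing. They are kept as documentation of
    # the minimum nsjail is expected to need should privileged mode ever be
    # dropped -- that configuration is untested here; verify before relying on it.
    privileged: true
    security_opt:
      - seccomp:unconfined
    cap_add:
      - SYS_ADMIN
      - SYS_PTRACE
      - NET_ADMIN
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
    networks:
      - mcpworks-net
      # Presumably shared with agent containers created through the Docker
      # socket; confirm against the agent runtime code.
      - mcpworks-agents
    healthcheck:
      test: ["CMD", "python", "-c", "import httpx; httpx.get('http://localhost:8000/v1/health').raise_for_status()"]
      interval: 30s
      timeout: 10s
      retries: 3
      # Build + app startup can be slow; failures during this window are ignored.
      start_period: 60s

  caddy:
    image: caddy:2-alpine
    container_name: mcpworks-caddy
    restart: unless-stopped
    # Loads the same .env as the API, so every variable in that file (including
    # any credentials) is also visible inside this container.
    env_file: .env
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Read-only mount of the site configuration.
      - ./Caddyfile.self-hosted:/etc/caddy/Caddyfile:ro
      - caddy-data:/data
      - caddy-config:/config
    depends_on:
      api:
        condition: service_healthy
    networks:
      - mcpworks-net

volumes:
  postgres-data:
  redis-data:
  sandbox-tmp:
  scratchpad-data:
  caddy-data:
  caddy-config:

networks:
  mcpworks-net:
    driver: bridge
  mcpworks-agents:
    driver: bridge
    # Fixed name so the network is addressable outside this Compose project.
    name: mcpworks-agents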