This compose stack runs one journal with gateway, explorer, workbench, router, and the file-system SMB service.
- Docker
- Docker Compose
- SECRET (required): authentication secret for restricted journal/gateway operations
- PORT (default 8192): host HTTP port exposed by router
- HTTPS_PORT (default 443): host TLS port exposed by router
- PERIOD (default 2): journal periodicity exponent
- WINDOW (default 1024): retained historical state window
- TLS_CERT_HOST_PATH (default ./tls/tls.crt): host certificate file mounted into router
- TLS_KEY_HOST_PATH (default ./tls/tls.key): host key file mounted into router
- ACME_WEBROOT_HOST_PATH (default ./acme-challenge): host directory mounted at /var/www/acme-challenge for HTTP-01 challenge files
- TLS_CERT_FILE (default /etc/nginx/certs/tls.crt): in-container certificate path used by router
- TLS_KEY_FILE (default /etc/nginx/certs/tls.key): in-container key path used by router
- SMB_PORT (default 445): host port exposed by the file-system service
- FILE_SYSTEM_IMAGE (default ghcr.io/sandialabs/sync-services/file-system:1.1.0): image used by the optional file-system service
- SYNC_FS_Backend (default http-journal-stage): file-system backend override
- SYNC_FS_JournalJsonUrl (default http://journal/interface/json): direct journal JSON endpoint used by the default file-system backend
- SYNC_FS_GatewayBaseUrl (default http://gateway/api/v1): gateway endpoint used only when gateway-backed file-system modes are selected
Gateway note:
- ALLOW_ADMIN_ROUTES is enabled by default in compose/general/docker-compose.yml.
- Public/client-facing API traffic should go to gateway under /api/v1/general/* and /api/v1/root/*.
- The raw /interface endpoint is still present for direct journal transport use and bridge-oriented internals.
- The journal's periodic scheduler uses the raw root-step call (*step* "<secret>"), which depends on the merged sync-records root-step pipeline.
This stack uses one compose file. Router auto-selects mode at startup:
- HTTP mode: if TLS cert/key files are not present
- TLS mode: if both TLS_CERT_FILE and TLS_KEY_FILE exist
./tests/local-compose.sh runs in normal HTTP mode by default unless valid TLS files are present at the configured paths.
./tests/local-compose.sh now forces HTTP mode by default (LOCAL_COMPOSE_FORCE_HTTP=1) for predictable local smoke runs.
Set LOCAL_COMPOSE_FORCE_HTTP=0 if you explicitly want TLS behavior during local-compose execution.
In TLS mode, router serves:
- 80 for ACME HTTP-01 challenge path and HTTPS redirects
- 443 for proxied application routes
This is certificate-provider agnostic. Only file paths are required.
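Because the router picks HTTP mode whenever the cert/key pair is incomplete, a mistyped or unreadable key path yields a plain-HTTP deployment rather than a startup failure. A host-side preflight for that case, as an added example that is not part of this repository: `predict_router_mode` is a hypothetical name, it inspects the host paths on the assumption that they are mounted unchanged at TLS_CERT_FILE/TLS_KEY_FILE, and rejecting a world-readable key is this example's own policy.

```shell
#!/bin/sh
# Added example (not from the repository). Host-side preflight for the router's
# documented rule: TLS mode only if BOTH cert and key exist, otherwise HTTP.
# Prints the expected mode; returns 1 if the TLS inputs are unsafe or inconsistent.
# Usage: mode=$(predict_router_mode) || exit 1
predict_router_mode() {
    cert=${1:-${TLS_CERT_HOST_PATH:-./tls/tls.crt}}
    key=${2:-${TLS_KEY_HOST_PATH:-./tls/tls.key}}

    # -f requires a regular file, so a missing path or a directory counts as absent.
    if [ ! -f "$cert" ] && [ ! -f "$key" ]; then
        echo http; return 0            # intentional HTTP-only deployment
    fi
    if [ ! -f "$cert" ] || [ ! -f "$key" ]; then
        echo "preflight: only one of cert/key present, router would use HTTP mode" >&2
        echo http; return 1
    fi

    echo tls
    # Policy choice of this example: the private key must not be world-readable.
    if [ -n "$(find -L "$key" -perm -004 2>/dev/null)" ]; then
        echo "preflight: $key is world-readable" >&2; return 1
    fi
    # Remaining checks need openssl; skip them if it is not installed.
    command -v openssl >/dev/null 2>&1 || return 0
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "preflight: $cert is expired or not a readable certificate" >&2; return 1
    fi
    # Compare public keys; with a fullchain file, x509 reads the first (leaf) cert.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || key_pub=""
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "preflight: $key does not match the leaf certificate in $cert" >&2; return 1
    fi
    return 0
}
```

Run it before `docker compose ... up -d` and stop the deployment when it returns non-zero or prints `http` where TLS was intended.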
HTTP-only deployment (no TLS files configured):
SECRET=password PORT=8192 \
docker compose -f compose/general/docker-compose.yml up -d

The default compose stack now mounts ACME webroot to /var/www/acme-challenge.
Use ACME_WEBROOT_HOST_PATH to override where challenge files come from on the host.
Example:
TLS_CERT_HOST_PATH=/absolute/path/to/fullchain.pem \
TLS_KEY_HOST_PATH=/absolute/path/to/privkey.pem \
SECRET=password PORT=8192 \
HTTPS_PORT=443 \
docker compose -f compose/general/docker-compose.yml up -d

Use the local helper from repository root:
# Interactive run
./tests/local-compose.sh up
# Smoke test
./tests/local-compose.sh smoke

The local compose helper enables the SMB file-system service by default:
./tests/local-compose.sh up
./tests/local-compose.sh smoke

To override the published file-system image during local development:
FILE_SYSTEM_IMAGE=sync-services/file-system:dev ./tests/local-compose.sh up
FILE_SYSTEM_IMAGE=sync-services/file-system:dev ./tests/local-compose.sh smoke

If LOCAL_LISP_DIRECTORY is set, the runner serves that directory over a temporary local HTTP server and builds compose/general with LISP_REPOSITORY pointing at that local server.
LOCAL_LISP_DIRECTORY=/absolute/path/to/lisp ./tests/local-compose.sh up
LOCAL_LISP_DIRECTORY=/absolute/path/to/lisp ./tests/local-compose.sh smoke

LOCAL_LISP_DIRECTORY must contain:
- root.scm
- standard.scm
- log-chain.scm
- linear-chain.scm
- tree.scm
- ledger.scm
- interface.scm
docker compose -f compose/general/docker-compose.yml down -v