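# Runs on the Lightsail instance at /opt/vault-cortex/docker-compose.yml
#
# Two services sharing the vault volume:
# 1. obsidian-sync: keeps /vault in sync with Obsidian Sync (bidirectional)
# 2. vault-mcp: MCP server with FTS5 search, listens on :8000
#
# API Gateway handles TLS + auth upstream. vault-mcp ALSO validates
# the bearer token in-process (Express middleware) as defense in
# depth — see src/vault-mcp/server.ts. Port 8000 is publicly bound
# but unauthenticated requests are rejected at the application layer.
#
# Required variables (compose refuses to start if any is unset or empty):
#   OBSIDIAN_AUTH_TOKEN, VAULT_NAME, GHCR_USER, MCP_AUTH_TOKEN, PUBLIC_URL
# Every image below is pulled by a mutable tag (:latest). Pin each one to
# an immutable digest (image: <repo>@sha256:<digest>) for reproducible,
# reviewable deploys; a tag can be re-pointed upstream without notice.
name: vault-cortex

services:
  # Workaround: the upstream Dockerfile creates /home/obsidian/.config as
  # root (mkdir runs as root before chown). Docker named volumes inherit
  # this root ownership, so the obsidian user (UID 1000) can't write sync
  # state. This init container chowns the volume before obsidian-sync starts.
  # Remove when upstream fixes: github.com/Belphemur/obsidian-headless-sync-docker
  init-config-perms:
    image: alpine:latest
    command: sh -c "chown -R ${PUID:-1000}:${PGID:-1000} /config"
    volumes:
      - obsidian_config:/config
    # Quoted: a bare `no` is a YAML 1.1 boolean, not the string compose expects.
    restart: "no"

  obsidian-sync:
    image: ghcr.io/belphemur/obsidian-headless-sync-docker:latest
    container_name: obsidian-sync
    restart: unless-stopped
    depends_on:
      init-config-perms:
        # Wait for the chown above to finish, not merely for the container to start.
        condition: service_completed_successfully
    environment:
      # `:?` aborts `docker compose up` with the given message when the variable
      # is unset or empty, instead of silently passing an empty credential through
      # (compose would only print a warning for a bare ${VAR}).
      OBSIDIAN_AUTH_TOKEN: ${OBSIDIAN_AUTH_TOKEN:?OBSIDIAN_AUTH_TOKEN required}
      VAULT_NAME: ${VAULT_NAME:?VAULT_NAME required}
      # Optional; passed through as empty when not set.
      VAULT_PASSWORD: ${VAULT_PASSWORD:-}
      # Must match the UID/GID used by init-config-perms above.
      PUID: ${PUID:-1000}
      PGID: ${PGID:-1000}
      DEVICE_NAME: ${DEVICE_NAME:-vault-cortex-lightsail}
      CONFLICT_STRATEGY: ${CONFLICT_STRATEGY:-merge}
      SYNC_MODE: ${SYNC_MODE:-bidirectional}
      TZ: ${TZ:-UTC}
    volumes:
      - vault_data:/vault
      - obsidian_config:/home/obsidian/.config
    healthcheck:
      # Healthy when the vault mount exists and the sync process is running.
      test: ["CMD-SHELL", "test -d /vault && pgrep -f 'ob sync' >/dev/null"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 60s
    logging:
      driver: json-file
      options: { max-size: "10m", max-file: "3" }

  vault-mcp:
    image: ghcr.io/${GHCR_USER:?GHCR_USER required}/vault-mcp:latest
    container_name: vault-mcp
    restart: unless-stopped
    # This container terminates traffic from the public port below; forbid
    # privilege escalation via setuid/setgid binaries inside it.
    security_opt:
      - no-new-privileges:true
    depends_on:
      obsidian-sync:
        # service_started (not service_healthy): vault-mcp comes up as soon as
        # the sync container is running, without waiting for its healthcheck.
        condition: service_started
    environment:
      NODE_ENV: production
      PORT: "8000"
      HOST: "0.0.0.0"
      VAULT_PATH: /vault
      INDEX_DB_PATH: /data/index.db
      MCP_AUTH_TOKEN: ${MCP_AUTH_TOKEN:?MCP_AUTH_TOKEN required for in-process auth}
      PUBLIC_URL: ${PUBLIC_URL:?PUBLIC_URL required for OAuth metadata}
      LOG_LEVEL: ${LOG_LEVEL:-info}
      LOG_DIR: /data/logs
      LOG_RETENTION_DAYS: ${LOG_RETENTION_DAYS:-30}
      TZ: ${TZ:-UTC}
      MEMORY_DIR: ${MEMORY_DIR:-About Me}
      # Left empty = the server applies smart defaults
      # (<MEMORY_DIR> below is the resolved MEMORY_DIR value, default "About Me"):
      # PROTECTED_PATHS default: "<MEMORY_DIR>, Daily Notes"
      # ORPHAN_EXCLUDE_FOLDERS default: "Daily Notes, Templates, <MEMORY_DIR>"
      # SERVICE_DOCUMENTATION_URL default: https://github.com/aliasunder/vault-cortex
      PROTECTED_PATHS: ${PROTECTED_PATHS:-}
      ORPHAN_EXCLUDE_FOLDERS: ${ORPHAN_EXCLUDE_FOLDERS:-}
      SERVICE_DOCUMENTATION_URL: ${SERVICE_DOCUMENTATION_URL:-}
    volumes:
      - vault_data:/vault:rw
      - mcp_index_data:/data
    ports:
      # Bound on all interfaces on purpose (see header). If the API Gateway
      # ever runs on this same host, narrow this to "127.0.0.1:8000:8000".
      - "0.0.0.0:8000:8000"
    healthcheck:
      # Exec-form probe against the local /healthz endpoint; exit 0 only on 2xx.
      test:
        - "CMD"
        - "node"
        - "-e"
        - "fetch('http://127.0.0.1:8000/healthz').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"
      interval: 15s
      timeout: 5s
      retries: 3
      start_period: 20s
    logging:
      driver: json-file
      options: { max-size: "10m", max-file: "3" }

volumes:
  # Explicit names so the volumes survive a project rename and are greppable on the host.
  vault_data: { name: vault-cortex_vault_data }
  mcp_index_data: { name: vault-cortex_mcp_index_data }
  obsidian_config: { name: vault-cortex_obsidian_config }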