Include full contents of all nested repositories

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

letsbe-ansible-runner/stacks/sysadmin/docker-compose.yml

@@ -0,0 +1,158 @@
+services:
+  agent:
+    image: code.letsbe.solutions/letsbe/sysadmin-agent:latest
+    container_name: {{ customer }}-agent
+
+    # Join orchestrator network for container-to-container communication
+    networks:
+      - {{ customer }}-orchestrator
+
+    # Enable host.docker.internal on Linux (for accessing host services)
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+
+    environment:
+      # Required: Orchestrator connection
+      # In LOCAL_MODE, connect via shared Docker network
+      - ORCHESTRATOR_URL=http://{{ customer }}-orchestrator-api:8000
+
+      # ============================================================
+      # AUTHENTICATION - Supports two modes (choose one)
+      # ============================================================
+
+      # LOCAL_MODE: Single-tenant local deployment
+      # When LOCAL_MODE=true, agent uses LOCAL_AGENT_KEY to register
+      # via the /register-local endpoint (Phase 2 secure flow)
+      - LOCAL_MODE=true
+      - LOCAL_AGENT_KEY={{ local_agent_key }}
+
+      # Multi-tenant mode: Registration token from orchestrator
+      # When LOCAL_MODE=false (default), agent uses REGISTRATION_TOKEN
+      # to register via the standard /register endpoint
+      # This token is obtained from the orchestrator's registration-tokens API
+      - REGISTRATION_TOKEN={{ sysadmin_registration_token }}
+
+      # Note: After first registration, credentials are persisted to
+      # ~/.letsbe-agent/credentials.json and tokens are no longer needed
+      # ============================================================
+
+      # Timing (seconds)
+      - HEARTBEAT_INTERVAL=${HEARTBEAT_INTERVAL:-30}
+      - POLL_INTERVAL=${POLL_INTERVAL:-5}
+
+      # Logging
+      - LOG_LEVEL=${LOG_LEVEL:-INFO}
+      - LOG_JSON=${LOG_JSON:-true}
+
+      # Resilience
+      - MAX_CONCURRENT_TASKS=${MAX_CONCURRENT_TASKS:-3}
+      - BACKOFF_BASE=${BACKOFF_BASE:-1.0}
+      - BACKOFF_MAX=${BACKOFF_MAX:-60.0}
+      - CIRCUIT_BREAKER_THRESHOLD=${CIRCUIT_BREAKER_THRESHOLD:-5}
+      - CIRCUIT_BREAKER_COOLDOWN=${CIRCUIT_BREAKER_COOLDOWN:-300}
+
+      # Security
+      - ALLOWED_FILE_ROOT=${ALLOWED_FILE_ROOT:-/opt/letsbe}
+      - MAX_FILE_SIZE=${MAX_FILE_SIZE:-10485760}
+      - SHELL_TIMEOUT=${SHELL_TIMEOUT:-60}
+
+      # Playwright browser automation
+      - PLAYWRIGHT_ARTIFACTS_DIR=/opt/letsbe/playwright-artifacts
+      - PLAYWRIGHT_DEFAULT_TIMEOUT_MS=60000
+      - PLAYWRIGHT_NAVIGATION_TIMEOUT_MS=120000
+
+      # MCP Browser Sidecar connection (for LLM-driven browser control)
+      - MCP_BROWSER_URL=http://mcp-browser:8931
+      - MCP_BROWSER_API_KEY={{ mcp_browser_api_key }}
+
+    volumes:
+      # Docker socket for container management
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+
+      # Host directory mounts for real infrastructure access
+      - /opt/letsbe/env:/opt/letsbe/env
+      - /opt/letsbe/stacks:/opt/letsbe/stacks
+      - /opt/letsbe/nginx:/opt/letsbe/nginx
+
+      # Credential persistence (survives restarts without re-registration)
+      - agent_home:/home/agent/.letsbe-agent
+
+      # Playwright artifacts storage
+      - playwright_artifacts:/opt/letsbe/playwright-artifacts
+
+    # Security options for Chromium sandboxing
+    security_opt:
+      - seccomp=./chromium-seccomp.json
+
+    # Run as root for Docker socket access
+    # TODO: Use Docker group membership instead for better security
+    user: root
+
+    restart: unless-stopped
+
+    # Resource limits (increased for Playwright browser automation)
+    deploy:
+      resources:
+        limits:
+          cpus: '1.5'
+          memory: 1G
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+
+  mcp-browser:
+    image: code.letsbe.solutions/letsbe/mcp-browser:latest
+    container_name: {{ customer }}-mcp-browser
+
+    # Join orchestrator network (shared with agent)
+    networks:
+      - {{ customer }}-orchestrator
+
+    environment:
+      # Session limits
+      - MAX_SESSIONS=${MAX_SESSIONS:-3}
+      - IDLE_TIMEOUT_SECONDS=${IDLE_TIMEOUT_SECONDS:-300}
+      - MAX_SESSION_LIFETIME_SECONDS=${MAX_SESSION_LIFETIME_SECONDS:-1800}
+      - MAX_ACTIONS_PER_SESSION=${MAX_ACTIONS_PER_SESSION:-50}
+
+      # Logging
+      - LOG_LEVEL=${LOG_LEVEL:-INFO}
+      - LOG_JSON=${LOG_JSON:-true}
+
+      # Screenshots
+      - SCREENSHOTS_DIR=/screenshots
+
+      # Authentication
+      - API_KEY={{ mcp_browser_api_key }}
+
+    volumes:
+      # Screenshots storage
+      - mcp_screenshots:/screenshots
+
+    # Security options for Chromium sandboxing
+    security_opt:
+      - seccomp=./chromium-seccomp.json
+
+    restart: unless-stopped
+
+    # Resource limits for browser automation
+    deploy:
+      resources:
+        limits:
+          cpus: '1.5'
+          memory: 1G
+        reservations:
+          cpus: '0.25'
+          memory: 256M
+
+volumes:
+  agent_home:
+    name: {{ customer }}-agent-home
+  playwright_artifacts:
+    name: {{ customer }}-playwright-artifacts
+  mcp_screenshots:
+    name: {{ customer }}-mcp-screenshots
+
+networks:
+  {{ customer }}-orchestrator:
+    external: true