automated-setup/script/stacks/sysadmin/docker-compose.yml

version: "3.8"

services:
  agent:
    image: code.letsbe.solutions/letsbe/sysadmin-agent:latest
    container_name: {{ customer }}-agent

    environment:
      # Required: Orchestrator connection
      - ORCHESTRATOR_URL=https://orchestrator.letsbe.biz

      # Registration token (new secure flow)
      # This token is obtained from the orchestrator's registration-tokens API
      # and is only needed for first-time registration. After registration,
      # credentials are persisted to ~/.letsbe-agent/credentials.json
      - REGISTRATION_TOKEN={{ sysadmin_registration_token }}

      # Timing (seconds)
      - HEARTBEAT_INTERVAL=${HEARTBEAT_INTERVAL:-30}
      - POLL_INTERVAL=${POLL_INTERVAL:-5}

      # Logging
      - LOG_LEVEL=${LOG_LEVEL:-INFO}
      - LOG_JSON=${LOG_JSON:-true}

      # Resilience
      - MAX_CONCURRENT_TASKS=${MAX_CONCURRENT_TASKS:-3}
      - BACKOFF_BASE=${BACKOFF_BASE:-1.0}
      - BACKOFF_MAX=${BACKOFF_MAX:-60.0}
      - CIRCUIT_BREAKER_THRESHOLD=${CIRCUIT_BREAKER_THRESHOLD:-5}
      - CIRCUIT_BREAKER_COOLDOWN=${CIRCUIT_BREAKER_COOLDOWN:-300}

      # Security
      - ALLOWED_FILE_ROOT=${ALLOWED_FILE_ROOT:-/opt/letsbe}
      - MAX_FILE_SIZE=${MAX_FILE_SIZE:-10485760}
      - SHELL_TIMEOUT=${SHELL_TIMEOUT:-60}

    volumes:
      # Docker socket for container management
      - /var/run/docker.sock:/var/run/docker.sock

      # Host directory mounts for real infrastructure access
      - /opt/letsbe/env:/opt/letsbe/env
      - /opt/letsbe/stacks:/opt/letsbe/stacks
      - /opt/letsbe/nginx:/opt/letsbe/nginx

      # Credential persistence (survives restarts without re-registration)
      - agent_home:/home/agent/.letsbe-agent

    # Run as root for Docker socket access
    # TODO: Use Docker group membership instead for better security
    user: root

    restart: unless-stopped

    # Resource limits
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 512M
        reservations:
          cpus: '0.1'
          memory: 128M

volumes:
  agent_home:
    name: {{ customer }}-agent-home
Initial commit: LetsBe automated server setup scripts 2025-12-04 01:00:41 +01:00			`version: "3.8"`

			`services:`
			`agent:`
refactor: use Gitea container registry for sysadmin agent Image: code.letsbe.solutions/letsbe/sysadmin-agent:latest 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-08 12:13:11 +01:00			`image: code.letsbe.solutions/letsbe/sysadmin-agent:latest`
Initial commit: LetsBe automated server setup scripts 2025-12-04 01:00:41 +01:00			`container_name: {{ customer }}-agent`

			`environment:`
			`# Required: Orchestrator connection`
			`- ORCHESTRATOR_URL=https://orchestrator.letsbe.biz`
feat: update agent deployment for secure registration - Update docker-compose to use REGISTRATION_TOKEN instead of AGENT_TOKEN - Require SYSADMIN_REGISTRATION_TOKEN env var in env_setup.sh - Add instructions for obtaining registration token from orchestrator - Update credentials.env to document registration token usage The registration token must now be obtained from the orchestrator API: POST /api/v1/tenants/{tenant_id}/registration-tokens 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-07 11:12:23 +01:00
			`# Registration token (new secure flow)`
			`# This token is obtained from the orchestrator's registration-tokens API`
			`# and is only needed for first-time registration. After registration,`
			`# credentials are persisted to ~/.letsbe-agent/credentials.json`
			`- REGISTRATION_TOKEN={{ sysadmin_registration_token }}`

Initial commit: LetsBe automated server setup scripts 2025-12-04 01:00:41 +01:00			`# Timing (seconds)`
			`- HEARTBEAT_INTERVAL=${HEARTBEAT_INTERVAL:-30}`
			`- POLL_INTERVAL=${POLL_INTERVAL:-5}`

			`# Logging`
refactor: use Docker registry image instead of local builds - docker-compose now pulls letsbesolutions/sysadmin-agent:latest - setup.sh pulls image instead of cloning repo and building - Removed dev-only volume mounts - Updated resource limits for production This enables proper CI/CD: push to repo → Gitea builds image → tenant servers pull latest image. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-08 12:08:32 +01:00			`- LOG_LEVEL=${LOG_LEVEL:-INFO}`
			`- LOG_JSON=${LOG_JSON:-true}`
Initial commit: LetsBe automated server setup scripts 2025-12-04 01:00:41 +01:00
			`# Resilience`
			`- MAX_CONCURRENT_TASKS=${MAX_CONCURRENT_TASKS:-3}`
			`- BACKOFF_BASE=${BACKOFF_BASE:-1.0}`
			`- BACKOFF_MAX=${BACKOFF_MAX:-60.0}`
			`- CIRCUIT_BREAKER_THRESHOLD=${CIRCUIT_BREAKER_THRESHOLD:-5}`
			`- CIRCUIT_BREAKER_COOLDOWN=${CIRCUIT_BREAKER_COOLDOWN:-300}`

			`# Security`
			`- ALLOWED_FILE_ROOT=${ALLOWED_FILE_ROOT:-/opt/letsbe}`
			`- MAX_FILE_SIZE=${MAX_FILE_SIZE:-10485760}`
			`- SHELL_TIMEOUT=${SHELL_TIMEOUT:-60}`

			`volumes:`
refactor: use Docker registry image instead of local builds - docker-compose now pulls letsbesolutions/sysadmin-agent:latest - setup.sh pulls image instead of cloning repo and building - Removed dev-only volume mounts - Updated resource limits for production This enables proper CI/CD: push to repo → Gitea builds image → tenant servers pull latest image. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-08 12:08:32 +01:00			`# Docker socket for container management`
Initial commit: LetsBe automated server setup scripts 2025-12-04 01:00:41 +01:00			`- /var/run/docker.sock:/var/run/docker.sock`

			`# Host directory mounts for real infrastructure access`
			`- /opt/letsbe/env:/opt/letsbe/env`
			`- /opt/letsbe/stacks:/opt/letsbe/stacks`
			`- /opt/letsbe/nginx:/opt/letsbe/nginx`

feat: update agent deployment for secure registration - Update docker-compose to use REGISTRATION_TOKEN instead of AGENT_TOKEN - Require SYSADMIN_REGISTRATION_TOKEN env var in env_setup.sh - Add instructions for obtaining registration token from orchestrator - Update credentials.env to document registration token usage The registration token must now be obtained from the orchestrator API: POST /api/v1/tenants/{tenant_id}/registration-tokens 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-07 11:12:23 +01:00			`# Credential persistence (survives restarts without re-registration)`
Initial commit: LetsBe automated server setup scripts 2025-12-04 01:00:41 +01:00			`- agent_home:/home/agent/.letsbe-agent`

refactor: use Docker registry image instead of local builds - docker-compose now pulls letsbesolutions/sysadmin-agent:latest - setup.sh pulls image instead of cloning repo and building - Removed dev-only volume mounts - Updated resource limits for production This enables proper CI/CD: push to repo → Gitea builds image → tenant servers pull latest image. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-08 12:08:32 +01:00			`# Run as root for Docker socket access`
			`# TODO: Use Docker group membership instead for better security`
Initial commit: LetsBe automated server setup scripts 2025-12-04 01:00:41 +01:00			`user: root`

			`restart: unless-stopped`

			`# Resource limits`
			`deploy:`
			`resources:`
			`limits:`
refactor: use Docker registry image instead of local builds - docker-compose now pulls letsbesolutions/sysadmin-agent:latest - setup.sh pulls image instead of cloning repo and building - Removed dev-only volume mounts - Updated resource limits for production This enables proper CI/CD: push to repo → Gitea builds image → tenant servers pull latest image. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-08 12:08:32 +01:00			`cpus: '1.0'`
			`memory: 512M`
Initial commit: LetsBe automated server setup scripts 2025-12-04 01:00:41 +01:00			`reservations:`
			`cpus: '0.1'`
refactor: use Docker registry image instead of local builds - docker-compose now pulls letsbesolutions/sysadmin-agent:latest - setup.sh pulls image instead of cloning repo and building - Removed dev-only volume mounts - Updated resource limits for production This enables proper CI/CD: push to repo → Gitea builds image → tenant servers pull latest image. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-12-08 12:08:32 +01:00			`memory: 128M`
Initial commit: LetsBe automated server setup scripts 2025-12-04 01:00:41 +01:00
			`volumes:`
			`agent_home:`
			`name: {{ customer }}-agent-home`