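# Docker Compose template for the per-customer sysadmin agent.
# The {{ ... }} placeholders are filled in by a template engine before Compose
# reads the file; the ${VAR:-default} forms are resolved by Compose itself.
version: "3.8"

services:
  agent:
    # NOTE(review): ":latest" is a mutable tag. This container runs as root with
    # the Docker socket mounted, so pin a fixed version tag or image digest to
    # keep an upstream push from silently changing what runs on the host.
    image: code.letsbe.solutions/letsbe/sysadmin-agent:latest
    # Quoted so the value is a string even when parsed as YAML before rendering
    # (an unquoted leading "{{" reads as a flow mapping).
    container_name: "{{ customer }}-agent"
    environment:
      # Required: Orchestrator connection
      - ORCHESTRATOR_URL=https://orchestrator.letsbe.biz

      # Registration token (new secure flow)
      # This token is obtained from the orchestrator's registration-tokens API
      # and is only needed for first-time registration. After registration,
      # credentials are persisted to ~/.letsbe-agent/credentials.json
      #
      # The rendered file holds the token in plain text: restrict read access
      # to the rendered file and drop the token once registration succeeds.
      # Quoted so a token containing " #" or ": " cannot be cut or re-typed.
      - "REGISTRATION_TOKEN={{ sysadmin_registration_token }}"

      # Timing (seconds)
      - HEARTBEAT_INTERVAL=${HEARTBEAT_INTERVAL:-30}
      - POLL_INTERVAL=${POLL_INTERVAL:-5}

      # Logging
      - LOG_LEVEL=${LOG_LEVEL:-INFO}
      - LOG_JSON=${LOG_JSON:-true}

      # Resilience
      - MAX_CONCURRENT_TASKS=${MAX_CONCURRENT_TASKS:-3}
      - BACKOFF_BASE=${BACKOFF_BASE:-1.0}
      - BACKOFF_MAX=${BACKOFF_MAX:-60.0}
      - CIRCUIT_BREAKER_THRESHOLD=${CIRCUIT_BREAKER_THRESHOLD:-5}
      - CIRCUIT_BREAKER_COOLDOWN=${CIRCUIT_BREAKER_COOLDOWN:-300}

      # Security
      # NOTE(review): these presumably bound the agent's own file and shell
      # operations; they do not limit what can be done through the Docker
      # socket mounted below.
      - ALLOWED_FILE_ROOT=${ALLOWED_FILE_ROOT:-/opt/letsbe}
      - MAX_FILE_SIZE=${MAX_FILE_SIZE:-10485760}
      - SHELL_TIMEOUT=${SHELL_TIMEOUT:-60}

    volumes:
      # Docker socket for container management
      # Access to this socket is control of the host's Docker daemon, which is
      # effectively root on the host; treat the agent and its orchestrator
      # channel as host-privileged.
      - /var/run/docker.sock:/var/run/docker.sock

      # Host directory mounts for real infrastructure access
      # Mounted read-write (no ":ro"), so the agent can modify env files,
      # stack definitions and nginx configuration on the host.
      - /opt/letsbe/env:/opt/letsbe/env
      - /opt/letsbe/stacks:/opt/letsbe/stacks
      - /opt/letsbe/nginx:/opt/letsbe/nginx

      # Credential persistence (survives restarts without re-registration)
      - agent_home:/home/agent/.letsbe-agent

    # Run as root for Docker socket access
    # TODO: Use Docker group membership instead for better security
    # NOTE(review): with "user: root", "~" may resolve to /root rather than
    # /home/agent; confirm credentials.json actually lands on the agent_home
    # volume, otherwise it is lost when the container is recreated.
    user: root

    restart: unless-stopped

    # Resource limits
    # NOTE(review): whether "deploy.resources" is enforced outside Swarm
    # depends on the Compose version in use; verify the limits are applied.
    deploy:
      resources:
        limits:
          cpus: '1.0'
          memory: 512M
        reservations:
          cpus: '0.1'
          memory: 128M

volumes:
  agent_home:
    name: "{{ customer }}-agent-home"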