letsbe-sysadmin/docker-compose.yml


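# Development Compose file for the LetsBe agent.
#
# Security posture, as configured below: the container runs as root, with the
# default seccomp profile disabled, and with the host Docker socket mounted.
# Together these make the agent container equivalent to root on the host, so a
# compromise of the agent (or of the orchestrator that drives it) should be
# treated as a compromise of the host. Each setting carries its own note below.
version: "3.8"

services:
  agent:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: letsbe-agent
    environment:
      # Required: Orchestrator connection
      # NOTE(review): the default is plain http:// to the Docker host, which
      # suits local development. The registration token and agent credentials
      # are presumably sent to this URL; use an https:// endpoint for anything
      # that is not on the same machine.
      - ORCHESTRATOR_URL=${ORCHESTRATOR_URL:-http://host.docker.internal:8000}
      # Registration token for first-time registration (multi-use tokens recommended)
      # After registration, credentials are persisted and token is no longer needed
      # Environment values are readable through `docker inspect` by anyone with
      # Docker API access, so unset the token once registration has succeeded.
      - REGISTRATION_TOKEN=${REGISTRATION_TOKEN:-}
      # Credentials path - must match the volume mount for persistence across restarts
      # Agent runs as root, so ~ expands to /root, but volume is at /home/agent/.letsbe-agent
      - CREDENTIALS_PATH=/home/agent/.letsbe-agent/credentials.json
      # Legacy auth (deprecated - use REGISTRATION_TOKEN instead)
      - AGENT_TOKEN=${AGENT_TOKEN:-}
      # Tenant assignment (set automatically after registration via token)
      - TENANT_ID=${TENANT_ID:-}
      # Timing (seconds)
      - HEARTBEAT_INTERVAL=${HEARTBEAT_INTERVAL:-30}
      - POLL_INTERVAL=${POLL_INTERVAL:-5}
      # Logging
      # NOTE(review): DEBUG is the default here. Confirm that debug output never
      # includes tokens or credentials, or set LOG_LEVEL=INFO outside development.
      - LOG_LEVEL=${LOG_LEVEL:-DEBUG}
      - LOG_JSON=${LOG_JSON:-false}
      # Resilience
      - MAX_CONCURRENT_TASKS=${MAX_CONCURRENT_TASKS:-3}
      - BACKOFF_BASE=${BACKOFF_BASE:-1.0}
      - BACKOFF_MAX=${BACKOFF_MAX:-60.0}
      - CIRCUIT_BREAKER_THRESHOLD=${CIRCUIT_BREAKER_THRESHOLD:-5}
      - CIRCUIT_BREAKER_COOLDOWN=${CIRCUIT_BREAKER_COOLDOWN:-30}
      # Security
      # These limits are presumably enforced by the agent's own code (not
      # visible in this file). They do not restrict what is reachable through
      # the Docker socket mounted under `volumes`.
      - ALLOWED_FILE_ROOT=${ALLOWED_FILE_ROOT:-/opt/letsbe}
      - MAX_FILE_SIZE=${MAX_FILE_SIZE:-10485760}
      - SHELL_TIMEOUT=${SHELL_TIMEOUT:-60}
      # Playwright browser automation
      - PLAYWRIGHT_ARTIFACTS_DIR=${PLAYWRIGHT_ARTIFACTS_DIR:-/opt/letsbe/playwright-artifacts}
      - PLAYWRIGHT_DEFAULT_TIMEOUT_MS=${PLAYWRIGHT_DEFAULT_TIMEOUT_MS:-60000}
      - PLAYWRIGHT_NAVIGATION_TIMEOUT_MS=${PLAYWRIGHT_NAVIGATION_TIMEOUT_MS:-120000}
    volumes:
      # Docker socket for docker executor
      # Access to this socket is equivalent to root on the host: the Docker API
      # can start privileged containers and bind-mount any host path. Where the
      # executor needs only a few API calls, a socket proxy that allows just
      # those endpoints narrows the exposure.
      - /var/run/docker.sock:/var/run/docker.sock
      # Hot reload in development
      - ./app:/app/app:ro
      - ./tests:/app/tests:ro
      - ./pytest.ini:/app/pytest.ini:ro
      # Host directory mounts for real infrastructure access
      # These are mounted read-write, so the agent can change env files, stack
      # definitions and nginx configuration on the host. Append :ro to any
      # path the agent only needs to read.
      - /opt/letsbe/env:/opt/letsbe/env
      - /opt/letsbe/stacks:/opt/letsbe/stacks
      - /opt/letsbe/nginx:/opt/letsbe/nginx
      # Credentials and pending results persistence
      - agent_home:/home/agent/.letsbe-agent
      # Playwright artifacts storage
      - playwright_artifacts:/opt/letsbe/playwright-artifacts
    # Security options for Chromium sandboxing
    # seccomp=unconfined turns off Docker's default syscall filter for every
    # process in the container, not only Chromium. A custom seccomp profile
    # that adds just the syscalls Chromium's sandbox needs is the narrower
    # alternative.
    security_opt:
      - seccomp=unconfined
    # Run as root for Docker socket access in dev
    # In production, use Docker group membership instead
    # Docker group membership removes root inside the container, but a process
    # in that group still has root-equivalent control of the host through the
    # socket, so it does not reduce the host-level exposure.
    user: root
    restart: unless-stopped
    # Resource limits (increased for Playwright browser automation)
    deploy:
      resources:
        limits:
          cpus: '1.5'
          memory: 1G
        reservations:
          cpus: '0.25'
          memory: 256M

volumes:
  agent_home:
    name: letsbe-agent-home
  playwright_artifacts:
    name: letsbe-playwright-artifacts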