deploy/unraid/docker-compose.yml

# MemPalace Unraid Compose
# -----------------------------------------------------------------------------
# Two-container stack: mempalace (MCP-over-SSE on 8765 + HTTP ingest on 8766,
# both bound to localhost only) plus a Caddy sidecar that terminates TLS,
# enforces a bearer token, and reverse-proxies both endpoints on :8443.
#
# Use this with the Unraid Compose Manager plugin. Build context is the
# repo root (../..); on Unraid, sync the repo to /mnt/user/<somewhere>/mempalace
# and from this directory run:
#
#     # 1. Generate a token (do this once, keep it secret):
#     openssl rand -hex 32 > .env.token
#     echo "MEMPAL_TOKEN=$(cat .env.token)" > .env
#     rm .env.token
#
#     # 2. Build and start:
#     docker compose up -d --build
#
# Endpoints (after start):
#     https://<unraid-ip>:8443/sse           — MCP for AI clients
#     https://<unraid-ip>:8443/ingest/...    — transcript uploads from hooks
#     https://<unraid-ip>:8443/healthz       — liveness, no auth
#
# Caddy uses a self-signed cert (`tls internal`); clients must accept it,
# typically via a `--insecure`-style flag or by trusting the Caddy root CA.
# -----------------------------------------------------------------------------

services:
  mempalace:
    build:
      context: ../..
      dockerfile: Dockerfile
    image: mempalace-server:latest
    container_name: mempalace
    restart: unless-stopped
    # Not published on the host — only Caddy reaches these ports over the
    # internal compose network. This is the auth boundary.
    expose:
      - "8765"
      - "8766"
    volumes:
      - /mnt/user/appdata/mempalace:/data
    environment:
      MEMPALACE_PALACE_PATH: /data/palace
      MEMPALACE_INGEST_PORT: "8766"
      MEMPALACE_INGEST_HOST: "0.0.0.0"
      # Defense-in-depth — Caddy is the primary gate, but if it's bypassed
      # (e.g. someone exec'd into the container's network), the ingest
      # server still requires the token.
      MEMPALACE_INGEST_TOKEN: "${MEMPAL_TOKEN}"
      # Languages for entity detection (comma-separated):
      # MEMPALACE_ENTITY_LANGUAGES: en
    user: "99:100"
    networks:
      - mempal
    # Override the image CMD: bind mcp-proxy to all interfaces inside the
    # container network so Caddy can reach it. The ingest server thread
    # spawns from MEMPALACE_INGEST_PORT.
    command: >
      mcp-proxy --sse-host 0.0.0.0 --sse-port 8765
      --pass-environment -- mempalace-mcp

  caddy:
    image: caddy:2-alpine
    container_name: mempalace-caddy
    restart: unless-stopped
    depends_on:
      - mempalace
    ports:
      - "8443:8443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - /mnt/user/appdata/mempalace-caddy/data:/data
      - /mnt/user/appdata/mempalace-caddy/config:/config
    environment:
      MEMPAL_TOKEN: "${MEMPAL_TOKEN}"
    networks:
      - mempal

networks:
  mempal:
    driver: bridge
cleanup and remote only 2026-05-09 10:52:25 -05:00			`# MemPalace Unraid Compose`
			`# -----------------------------------------------------------------------------`
			`# Two-container stack: mempalace (MCP-over-SSE on 8765 + HTTP ingest on 8766,`
			`# both bound to localhost only) plus a Caddy sidecar that terminates TLS,`
			`# enforces a bearer token, and reverse-proxies both endpoints on :8443.`
			`#`
			`# Use this with the Unraid Compose Manager plugin. Build context is the`
			`# repo root (../..); on Unraid, sync the repo to /mnt/user/<somewhere>/mempalace`
			`# and from this directory run:`
			`#`
			`# # 1. Generate a token (do this once, keep it secret):`
			`# openssl rand -hex 32 > .env.token`
			`# echo "MEMPAL_TOKEN=$(cat .env.token)" > .env`
			`# rm .env.token`
			`#`
			`# # 2. Build and start:`
			`# docker compose up -d --build`
			`#`
			`# Endpoints (after start):`
			`# https://<unraid-ip>:8443/sse — MCP for AI clients`
			`# https://<unraid-ip>:8443/ingest/... — transcript uploads from hooks`
			`# https://<unraid-ip>:8443/healthz — liveness, no auth`
			`#`
			# Caddy uses a self-signed cert (`tls internal`); clients must accept it,
			# typically via a `--insecure`-style flag or by trusting the Caddy root CA.
			`# -----------------------------------------------------------------------------`

			`services:`
			`mempalace:`
			`build:`
			`context: ../..`
			`dockerfile: Dockerfile`
			`image: mempalace-server:latest`
			`container_name: mempalace`
			`restart: unless-stopped`
			`# Not published on the host — only Caddy reaches these ports over the`
			`# internal compose network. This is the auth boundary.`
			`expose:`
			`- "8765"`
			`- "8766"`
			`volumes:`
			`- /mnt/user/appdata/mempalace:/data`
			`environment:`
			`MEMPALACE_PALACE_PATH: /data/palace`
			`MEMPALACE_INGEST_PORT: "8766"`
			`MEMPALACE_INGEST_HOST: "0.0.0.0"`
			`# Defense-in-depth — Caddy is the primary gate, but if it's bypassed`
			`# (e.g. someone exec'd into the container's network), the ingest`
			`# server still requires the token.`
			`MEMPALACE_INGEST_TOKEN: "${MEMPAL_TOKEN}"`
			`# Languages for entity detection (comma-separated):`
			`# MEMPALACE_ENTITY_LANGUAGES: en`
			`user: "99:100"`
			`networks:`
			`- mempal`
			`# Override the image CMD: bind mcp-proxy to all interfaces inside the`
			`# container network so Caddy can reach it. The ingest server thread`
			`# spawns from MEMPALACE_INGEST_PORT.`
			`command: >`
			`mcp-proxy --sse-host 0.0.0.0 --sse-port 8765`
			`--pass-environment -- mempalace-mcp`

			`caddy:`
			`image: caddy:2-alpine`
			`container_name: mempalace-caddy`
			`restart: unless-stopped`
			`depends_on:`
			`- mempalace`
			`ports:`
			`- "8443:8443"`
			`volumes:`
			`- ./Caddyfile:/etc/caddy/Caddyfile:ro`
			`- /mnt/user/appdata/mempalace-caddy/data:/data`
			`- /mnt/user/appdata/mempalace-caddy/config:/config`
			`environment:`
			`MEMPAL_TOKEN: "${MEMPAL_TOKEN}"`
			`networks:`
			`- mempal`

			`networks:`
			`mempal:`
			`driver: bridge`