cleanup and remote only

deploy/unraid/docker-compose.yml

@@ -0,0 +1,82 @@
+# MemPalace Unraid Compose
+# -----------------------------------------------------------------------------
+# Two-container stack: mempalace (MCP-over-SSE on 8765 + HTTP ingest on 8766,
+# both bound to localhost only) plus a Caddy sidecar that terminates TLS,
+# enforces a bearer token, and reverse-proxies both endpoints on :8443.
+#
+# Use this with the Unraid Compose Manager plugin. Build context is the
+# repo root (../..); on Unraid, sync the repo to /mnt/user/<somewhere>/mempalace
+# and from this directory run:
+#
+#     # 1. Generate a token (do this once, keep it secret):
+#     openssl rand -hex 32 > .env.token
+#     echo "MEMPAL_TOKEN=$(cat .env.token)" > .env
+#     rm .env.token
+#
+#     # 2. Build and start:
+#     docker compose up -d --build
+#
+# Endpoints (after start):
+#     https://<unraid-ip>:8443/sse           — MCP for AI clients
+#     https://<unraid-ip>:8443/ingest/...    — transcript uploads from hooks
+#     https://<unraid-ip>:8443/healthz       — liveness, no auth
+#
+# Caddy uses a self-signed cert (`tls internal`); clients must accept it,
+# typically via a `--insecure`-style flag or by trusting the Caddy root CA.
+# -----------------------------------------------------------------------------
+
+services:
+  mempalace:
+    build:
+      context: ../..
+      dockerfile: Dockerfile
+    image: mempalace-server:latest
+    container_name: mempalace
+    restart: unless-stopped
+    # Not published on the host — only Caddy reaches these ports over the
+    # internal compose network. This is the auth boundary.
+    expose:
+      - "8765"
+      - "8766"
+    volumes:
+      - /mnt/user/appdata/mempalace:/data
+    environment:
+      MEMPALACE_PALACE_PATH: /data/palace
+      MEMPALACE_INGEST_PORT: "8766"
+      MEMPALACE_INGEST_HOST: "0.0.0.0"
+      # Defense-in-depth — Caddy is the primary gate, but if it's bypassed
+      # (e.g. someone exec'd into the container's network), the ingest
+      # server still requires the token.
+      MEMPALACE_INGEST_TOKEN: "${MEMPAL_TOKEN}"
+      # Languages for entity detection (comma-separated):
+      # MEMPALACE_ENTITY_LANGUAGES: en
+    user: "99:100"
+    networks:
+      - mempal
+    # Override the image CMD: bind mcp-proxy to all interfaces inside the
+    # container network so Caddy can reach it. The ingest server thread
+    # spawns from MEMPALACE_INGEST_PORT.
+    command: >
+      mcp-proxy --sse-host 0.0.0.0 --sse-port 8765
+      --pass-environment -- mempalace-mcp
+
+  caddy:
+    image: caddy:2-alpine
+    container_name: mempalace-caddy
+    restart: unless-stopped
+    depends_on:
+      - mempalace
+    ports:
+      - "8443:8443"
+    volumes:
+      - ./Caddyfile:/etc/caddy/Caddyfile:ro
+      - /mnt/user/appdata/mempalace-caddy/data:/data
+      - /mnt/user/appdata/mempalace-caddy/config:/config
+    environment:
+      MEMPAL_TOKEN: "${MEMPAL_TOKEN}"
+    networks:
+      - mempal
+
+networks:
+  mempal:
+    driver: bridge