Dirk Riemann
c7dc40c51e
The shared postgis container is bound to 127.0.0.1 on the host (security hardening, infrastructure §T12). Ollama is similarly LAN-hardened. The previous `host.docker.internal + extra_hosts: host-gateway` approach points at the bridge gateway IP, not loopback, so the container couldn't reach either service. Switch to `network_mode: host` (same pattern goldstein uses) and update the default IX_POSTGRES_URL / IX_OLLAMA_URL to 127.0.0.1. Keep the GPU reservation block; drop the now-meaningless ports: declaration (host mode publishes directly). AppConfig defaults + .env.example + test_config assertions + inline docstring examples all follow. Caught on fourth deploy attempt. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
31 lines
968 B
YAML
31 lines
968 B
YAML
# InfoXtractor Docker Compose stack.
|
|
#
|
|
# Single service. Uses host networking so the container can reach:
|
|
# - Ollama at 127.0.0.1:11434
|
|
# - postgis at 127.0.0.1:5431 (bound to loopback only; security hardening)
|
|
# Both services are LAN-hardened on the host and never exposed publicly,
|
|
# so host-network access stays on-prem. This matches the `goldstein`
|
|
# container pattern on the same server.
|
|
#
|
|
# The GPU reservation block matches immich-ml / the shape Docker Compose
|
|
# expects for GPU allocation on this host.
|
|
|
|
services:
|
|
infoxtractor:
|
|
build: .
|
|
container_name: infoxtractor
|
|
network_mode: host
|
|
restart: always
|
|
env_file: .env
|
|
deploy:
|
|
resources:
|
|
reservations:
|
|
devices:
|
|
- driver: nvidia
|
|
count: 1
|
|
capabilities: [gpu]
|
|
labels:
|
|
infrastructure.web_url: "http://192.168.68.42:8994"
|
|
backup.enable: "true"
|
|
backup.type: "postgres"
|
|
backup.name: "infoxtractor"
|