# ============================================================================= # Docling Studio — local development / quick-start compose. # # DEV DEFAULTS — NOT PRODUCTION-READY. # This file ships sensible defaults for `docker compose up` to "just work" on # a developer laptop. It is NOT a production deployment template: # - Neo4j boots with `NEO4J_PASSWORD=changeme` if the env var is unset. # - OpenSearch runs single-node with `DISABLE_SECURITY_PLUGIN=true` # (no TLS, no auth). Fine for local indexing experiments, never for # anything reachable from outside `localhost`. # - No HTTPS termination, no reverse-proxy hardening, no rate limit on # the embedding/OpenSearch services, ports bound to all interfaces. # # Operators running their own Docling Studio instance MUST: # 1. Override `NEO4J_PASSWORD` (and rotate it) — see `.env.example`. # 2. Re-enable the OpenSearch security plugin and configure TLS/users — # see https://opensearch.org/docs/latest/security/. # 3. Bind sensitive services to internal networks only, terminate TLS at # a reverse proxy, and align CORS_ORIGINS / RATE_LIMIT_RPM with the # deployment surface. # # The audit pipeline expects this file to flag the dev defaults as such — # don't silently strengthen them here without also updating the dev DX. # ============================================================================= services: # --- Neo4j (graph-native document structure) --- # Dev-only auth: NEO4J_PASSWORD defaults to "changeme". Override in # `.env` (or any orchestrator secret store) before exposing this stack. neo4j: profiles: ["ingestion"] image: neo4j:5.15-community environment: NEO4J_AUTH: ${NEO4J_USER:-neo4j}/${NEO4J_PASSWORD:-changeme} NEO4J_server_memory_heap_initial__size: 512m NEO4J_server_memory_heap_max__size: 1g volumes: - neo4j_data:/data - neo4j_logs:/logs healthcheck: test: ["CMD-SHELL", "cypher-shell -u $${NEO4J_USER:-neo4j} -p $${NEO4J_PASSWORD:-changeme} 'RETURN 1' || exit 1"] interval: 10s timeout: 5s retries: 10 start_period: 30s # --- OpenSearch (single-node, security DISABLED — DEV ONLY) --- # `DISABLE_SECURITY_PLUGIN: "true"` removes auth, TLS, and audit logging. # This is fine for a local dev cluster bound to 127.0.0.1; it is NOT safe # for anything reachable from another host. For production, drop this # var, switch to a hardened image, and configure users + TLS: # https://opensearch.org/docs/latest/security/configuration/ opensearch: profiles: ["ingestion"] image: opensearchproject/opensearch:2 environment: discovery.type: single-node DISABLE_SECURITY_PLUGIN: "true" OPENSEARCH_JAVA_OPTS: "-Xms512m -Xmx512m" volumes: - opensearch_data:/usr/share/opensearch/data healthcheck: test: ["CMD-SHELL", "curl -sf http://localhost:9200/_cluster/health || exit 1"] interval: 10s timeout: 5s retries: 10 # --- Embedding service (sentence-transformers) --- embedding: profiles: ["ingestion"] build: context: ./embedding-service environment: EMBEDDING_MODEL: ${EMBEDDING_MODEL:-all-MiniLM-L6-v2} EMBEDDING_BATCH_SIZE: ${EMBEDDING_BATCH_SIZE:-64} healthcheck: test: ["CMD-SHELL", "curl -sf http://localhost:8001/health || exit 1"] interval: 15s timeout: 10s retries: 20 start_period: 120s deploy: resources: limits: memory: 2g # --- Backend (FastAPI) --- document-parser: build: context: ./document-parser target: ${CONVERSION_MODE:-local} expose: - "8000" volumes: - uploads_data:/app/uploads - db_data:/app/data environment: CORS_ORIGINS: ${CORS_ORIGINS:-http://localhost:3000,http://localhost:5173} DOCLING_SERVE_URL: ${DOCLING_SERVE_URL:-} DOCLING_SERVE_API_KEY: ${DOCLING_SERVE_API_KEY:-} RATE_LIMIT_RPM: ${RATE_LIMIT_RPM:-100} MAX_FILE_SIZE_MB: ${MAX_FILE_SIZE_MB:-50} BATCH_PAGE_SIZE: ${BATCH_PAGE_SIZE:-10} OPENSEARCH_URL: ${OPENSEARCH_URL:-} EMBEDDING_URL: ${EMBEDDING_URL:-} NEO4J_URI: ${NEO4J_URI:-} NEO4J_USER: ${NEO4J_USER:-neo4j} NEO4J_PASSWORD: ${NEO4J_PASSWORD:-changeme} deploy: resources: limits: memory: 4g # --- Frontend (nginx) --- frontend: build: context: ./frontend ports: - "3000:80" environment: NGINX_MAX_BODY_SIZE: ${NGINX_MAX_BODY_SIZE:-200M} depends_on: - document-parser volumes: opensearch_data: neo4j_data: neo4j_logs: uploads_data: db_data: