Eliminates the ~1.3 GB cold-start download on the first conversion. The new BAKE_MODELS build-arg defaults to true; pass --build-arg BAKE_MODELS=false to skip and keep the smaller 1.9 GB image when the deployment can tolerate a slow first run. Drop the hf_cache volume from compose — a named-volume mount on top of the baked path would mask the prefetched models with an empty volume on first 'docker compose up'. The image is now self-contained. Measured on arm64: - latest-local without bake : 1.89 GB - latest-local WITH bake : 3.19 GB (still -48% vs 6.09 GB baseline)
135 lines
4.8 KiB
YAML
135 lines
4.8 KiB
YAML
# =============================================================================
|
|
# Docling Studio — local development / quick-start compose.
|
|
#
|
|
# DEV DEFAULTS — NOT PRODUCTION-READY.
|
|
# This file ships sensible defaults for `docker compose up` to "just work" on
|
|
# a developer laptop. It is NOT a production deployment template:
|
|
# - Neo4j boots with `NEO4J_PASSWORD=changeme` if the env var is unset.
|
|
# - OpenSearch runs single-node with `DISABLE_SECURITY_PLUGIN=true`
|
|
# (no TLS, no auth). Fine for local indexing experiments, never for
|
|
# anything reachable from outside `localhost`.
|
|
# - No HTTPS termination, no reverse-proxy hardening, no rate limit on
|
|
# the embedding/OpenSearch services, ports bound to all interfaces.
|
|
#
|
|
# Operators running their own Docling Studio instance MUST:
|
|
# 1. Override `NEO4J_PASSWORD` (and rotate it) — see `.env.example`.
|
|
# 2. Re-enable the OpenSearch security plugin and configure TLS/users —
|
|
# see https://opensearch.org/docs/latest/security/.
|
|
# 3. Bind sensitive services to internal networks only, terminate TLS at
|
|
# a reverse proxy, and align CORS_ORIGINS / RATE_LIMIT_RPM with the
|
|
# deployment surface.
|
|
#
|
|
# The audit pipeline expects this file to flag the dev defaults as such —
|
|
# don't silently strengthen them here without also updating the dev DX.
|
|
# =============================================================================
|
|
|
|
services:
|
|
# --- Neo4j (graph-native document structure) ---
|
|
# Dev-only auth: NEO4J_PASSWORD defaults to "changeme". Override in
|
|
# `.env` (or any orchestrator secret store) before exposing this stack.
|
|
neo4j:
|
|
profiles: ["ingestion"]
|
|
image: neo4j:5.15-community
|
|
environment:
|
|
NEO4J_AUTH: ${NEO4J_USER:-neo4j}/${NEO4J_PASSWORD:-changeme}
|
|
NEO4J_server_memory_heap_initial__size: 512m
|
|
NEO4J_server_memory_heap_max__size: 1g
|
|
volumes:
|
|
- neo4j_data:/data
|
|
- neo4j_logs:/logs
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "cypher-shell -u $${NEO4J_USER:-neo4j} -p $${NEO4J_PASSWORD:-changeme} 'RETURN 1' || exit 1"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 10
|
|
start_period: 30s
|
|
|
|
# --- OpenSearch (single-node, security DISABLED — DEV ONLY) ---
|
|
# `DISABLE_SECURITY_PLUGIN: "true"` removes auth, TLS, and audit logging.
|
|
# This is fine for a local dev cluster bound to 127.0.0.1; it is NOT safe
|
|
# for anything reachable from another host. For production, drop this
|
|
# var, switch to a hardened image, and configure users + TLS:
|
|
# https://opensearch.org/docs/latest/security/configuration/
|
|
opensearch:
|
|
profiles: ["ingestion"]
|
|
image: opensearchproject/opensearch:2
|
|
environment:
|
|
discovery.type: single-node
|
|
DISABLE_SECURITY_PLUGIN: "true"
|
|
OPENSEARCH_JAVA_OPTS: "-Xms512m -Xmx512m"
|
|
volumes:
|
|
- opensearch_data:/usr/share/opensearch/data
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "curl -sf http://localhost:9200/_cluster/health || exit 1"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 10
|
|
|
|
# --- Embedding service (sentence-transformers) ---
|
|
embedding:
|
|
profiles: ["ingestion"]
|
|
build:
|
|
context: ./embedding-service
|
|
environment:
|
|
EMBEDDING_MODEL: ${EMBEDDING_MODEL:-all-MiniLM-L6-v2}
|
|
EMBEDDING_BATCH_SIZE: ${EMBEDDING_BATCH_SIZE:-64}
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "curl -sf http://localhost:8001/health || exit 1"]
|
|
interval: 15s
|
|
timeout: 10s
|
|
retries: 20
|
|
start_period: 120s
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
memory: 2g
|
|
|
|
# --- Backend (FastAPI) ---
|
|
document-parser:
|
|
build:
|
|
context: ./document-parser
|
|
target: ${CONVERSION_MODE:-local}
|
|
args:
|
|
# Opt in to the R&D reasoning-trace deps (docling-agent + mellea).
|
|
# Off by default — keeps the standard `local` image lean. See
|
|
# docs/design/254-optim-taille-image-latest-local.md.
|
|
WITH_REASONING: ${WITH_REASONING:-false}
|
|
expose:
|
|
- "8000"
|
|
volumes:
|
|
- uploads_data:/app/uploads
|
|
- db_data:/app/data
|
|
environment:
|
|
CORS_ORIGINS: ${CORS_ORIGINS:-http://localhost:3000,http://localhost:5173}
|
|
DOCLING_SERVE_URL: ${DOCLING_SERVE_URL:-}
|
|
DOCLING_SERVE_API_KEY: ${DOCLING_SERVE_API_KEY:-}
|
|
RATE_LIMIT_RPM: ${RATE_LIMIT_RPM:-100}
|
|
MAX_FILE_SIZE_MB: ${MAX_FILE_SIZE_MB:-50}
|
|
BATCH_PAGE_SIZE: ${BATCH_PAGE_SIZE:-10}
|
|
OPENSEARCH_URL: ${OPENSEARCH_URL:-}
|
|
EMBEDDING_URL: ${EMBEDDING_URL:-}
|
|
NEO4J_URI: ${NEO4J_URI:-}
|
|
NEO4J_USER: ${NEO4J_USER:-neo4j}
|
|
NEO4J_PASSWORD: ${NEO4J_PASSWORD:-changeme}
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
memory: 4g
|
|
|
|
# --- Frontend (nginx) ---
|
|
frontend:
|
|
build:
|
|
context: ./frontend
|
|
ports:
|
|
- "3000:80"
|
|
environment:
|
|
NGINX_MAX_BODY_SIZE: ${NGINX_MAX_BODY_SIZE:-200M}
|
|
depends_on:
|
|
- document-parser
|
|
|
|
volumes:
|
|
opensearch_data:
|
|
neo4j_data:
|
|
neo4j_logs:
|
|
uploads_data:
|
|
db_data:
|