- Forward WITH_REASONING from the host environment to the document-parser build args so `WITH_REASONING=true docker compose up --build` produces the reasoning-enabled local image without editing the compose file. - Mount a named hf_cache volume at /home/appuser/.cache/huggingface so Docling / HF model checkpoints survive container restarts and the first conversion does not re-download every cold start.
139 lines
5 KiB
YAML
139 lines
5 KiB
YAML
# =============================================================================
|
|
# Docling Studio — local development / quick-start compose.
|
|
#
|
|
# DEV DEFAULTS — NOT PRODUCTION-READY.
|
|
# This file ships sensible defaults for `docker compose up` to "just work" on
|
|
# a developer laptop. It is NOT a production deployment template:
|
|
# - Neo4j boots with `NEO4J_PASSWORD=changeme` if the env var is unset.
|
|
# - OpenSearch runs single-node with `DISABLE_SECURITY_PLUGIN=true`
|
|
# (no TLS, no auth). Fine for local indexing experiments, never for
|
|
# anything reachable from outside `localhost`.
|
|
# - No HTTPS termination, no reverse-proxy hardening, no rate limit on
|
|
# the embedding/OpenSearch services, ports bound to all interfaces.
|
|
#
|
|
# Operators running their own Docling Studio instance MUST:
|
|
# 1. Override `NEO4J_PASSWORD` (and rotate it) — see `.env.example`.
|
|
# 2. Re-enable the OpenSearch security plugin and configure TLS/users —
|
|
# see https://opensearch.org/docs/latest/security/.
|
|
# 3. Bind sensitive services to internal networks only, terminate TLS at
|
|
# a reverse proxy, and align CORS_ORIGINS / RATE_LIMIT_RPM with the
|
|
# deployment surface.
|
|
#
|
|
# The audit pipeline expects this file to flag the dev defaults as such —
|
|
# don't silently strengthen them here without also updating the dev DX.
|
|
# =============================================================================
|
|
|
|
services:
|
|
# --- Neo4j (graph-native document structure) ---
|
|
# Dev-only auth: NEO4J_PASSWORD defaults to "changeme". Override in
|
|
# `.env` (or any orchestrator secret store) before exposing this stack.
|
|
neo4j:
|
|
profiles: ["ingestion"]
|
|
image: neo4j:5.15-community
|
|
environment:
|
|
NEO4J_AUTH: ${NEO4J_USER:-neo4j}/${NEO4J_PASSWORD:-changeme}
|
|
NEO4J_server_memory_heap_initial__size: 512m
|
|
NEO4J_server_memory_heap_max__size: 1g
|
|
volumes:
|
|
- neo4j_data:/data
|
|
- neo4j_logs:/logs
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "cypher-shell -u $${NEO4J_USER:-neo4j} -p $${NEO4J_PASSWORD:-changeme} 'RETURN 1' || exit 1"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 10
|
|
start_period: 30s
|
|
|
|
# --- OpenSearch (single-node, security DISABLED — DEV ONLY) ---
|
|
# `DISABLE_SECURITY_PLUGIN: "true"` removes auth, TLS, and audit logging.
|
|
# This is fine for a local dev cluster bound to 127.0.0.1; it is NOT safe
|
|
# for anything reachable from another host. For production, drop this
|
|
# var, switch to a hardened image, and configure users + TLS:
|
|
# https://opensearch.org/docs/latest/security/configuration/
|
|
opensearch:
|
|
profiles: ["ingestion"]
|
|
image: opensearchproject/opensearch:2
|
|
environment:
|
|
discovery.type: single-node
|
|
DISABLE_SECURITY_PLUGIN: "true"
|
|
OPENSEARCH_JAVA_OPTS: "-Xms512m -Xmx512m"
|
|
volumes:
|
|
- opensearch_data:/usr/share/opensearch/data
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "curl -sf http://localhost:9200/_cluster/health || exit 1"]
|
|
interval: 10s
|
|
timeout: 5s
|
|
retries: 10
|
|
|
|
# --- Embedding service (sentence-transformers) ---
|
|
embedding:
|
|
profiles: ["ingestion"]
|
|
build:
|
|
context: ./embedding-service
|
|
environment:
|
|
EMBEDDING_MODEL: ${EMBEDDING_MODEL:-all-MiniLM-L6-v2}
|
|
EMBEDDING_BATCH_SIZE: ${EMBEDDING_BATCH_SIZE:-64}
|
|
healthcheck:
|
|
test: ["CMD-SHELL", "curl -sf http://localhost:8001/health || exit 1"]
|
|
interval: 15s
|
|
timeout: 10s
|
|
retries: 20
|
|
start_period: 120s
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
memory: 2g
|
|
|
|
# --- Backend (FastAPI) ---
|
|
document-parser:
|
|
build:
|
|
context: ./document-parser
|
|
target: ${CONVERSION_MODE:-local}
|
|
args:
|
|
# Opt in to the R&D reasoning-trace deps (docling-agent + mellea).
|
|
# Off by default — keeps the standard `local` image lean. See
|
|
# docs/design/254-optim-taille-image-latest-local.md.
|
|
WITH_REASONING: ${WITH_REASONING:-false}
|
|
expose:
|
|
- "8000"
|
|
volumes:
|
|
- uploads_data:/app/uploads
|
|
- db_data:/app/data
|
|
# Persists Docling / HF model checkpoints across container restarts so
|
|
# the first conversion does not re-download every cold start.
|
|
- hf_cache:/home/appuser/.cache/huggingface
|
|
environment:
|
|
CORS_ORIGINS: ${CORS_ORIGINS:-http://localhost:3000,http://localhost:5173}
|
|
DOCLING_SERVE_URL: ${DOCLING_SERVE_URL:-}
|
|
DOCLING_SERVE_API_KEY: ${DOCLING_SERVE_API_KEY:-}
|
|
RATE_LIMIT_RPM: ${RATE_LIMIT_RPM:-100}
|
|
MAX_FILE_SIZE_MB: ${MAX_FILE_SIZE_MB:-50}
|
|
BATCH_PAGE_SIZE: ${BATCH_PAGE_SIZE:-10}
|
|
OPENSEARCH_URL: ${OPENSEARCH_URL:-}
|
|
EMBEDDING_URL: ${EMBEDDING_URL:-}
|
|
NEO4J_URI: ${NEO4J_URI:-}
|
|
NEO4J_USER: ${NEO4J_USER:-neo4j}
|
|
NEO4J_PASSWORD: ${NEO4J_PASSWORD:-changeme}
|
|
deploy:
|
|
resources:
|
|
limits:
|
|
memory: 4g
|
|
|
|
# --- Frontend (nginx) ---
|
|
frontend:
|
|
build:
|
|
context: ./frontend
|
|
ports:
|
|
- "3000:80"
|
|
environment:
|
|
NGINX_MAX_BODY_SIZE: ${NGINX_MAX_BODY_SIZE:-200M}
|
|
depends_on:
|
|
- document-parser
|
|
|
|
volumes:
|
|
opensearch_data:
|
|
neo4j_data:
|
|
neo4j_logs:
|
|
uploads_data:
|
|
db_data:
|
|
hf_cache:
|