Expand compute worker documentation to explain NATS authentication using either a credentials file or raw credentials string, including Synadia Cloud integration steps. Update environment variable examples and server connection logic to support both `NATS_CREDS_FILE` and `NATS_CREDS`. Add `.creds` to .gitignore to avoid accidental credential leaks. This improves deployment flexibility for cloud and on-prem environments by supporting multiple authentication methods for NATS JetStream.
3.6 KiB
title: Compute Worker (NATS JetStream)
Use this guide for COMPUTE_MODE=worker deployments where heavy compute runs outside the Next.js app server.
Overview
The compute worker handles:
- Whisper word alignment (
/align/whisper/jobs) - PDF layout parsing (
/layout/pdf/jobs)
The app server enqueues jobs and polls status. Queue durability and retries are backed by NATS JetStream WorkQueue consumers and NATS KV.
Published image
- App server image:
ghcr.io/richardr1126/openreader - Compute worker image:
ghcr.io/richardr1126/openreader-compute-worker
Worker environment variables
Required:
COMPUTE_WORKER_TOKEN: bearer token expected by worker routesNATS_URL: NATS server connection string (JetStream enabled)S3_BUCKETS3_REGIONS3_ACCESS_KEY_IDS3_SECRET_ACCESS_KEY
Important
S3 credentials cannot be left blank/empty when running in worker mode. While the main Next.js server can generate random, dynamic S3 keys on-the-fly when
USE_EMBEDDED_WEED_MINI=trueandS3_*vars are blank, the compute worker runs in a separate process and cannot connect to SeaweedFS using those dynamically generated keys. To use the compute worker with the embedded SeaweedFS, you must configure identical, stable S3 credentials (e.g.S3_ACCESS_KEY_IDandS3_SECRET_ACCESS_KEY) in both the root.envand the compute worker.envfiles.
Common optional:
NATS_CREDS: raw user credentials file content (JWT + private key), ideal for cloud container environments where mounting files is difficult.NATS_CREDS_FILE: path to a.credsfile on the server.S3_ENDPOINT(for non-AWS S3-compatible storage)S3_FORCE_PATH_STYLE=true(for many S3-compatible providers)S3_PREFIX=openreaderCOMPUTE_WORKER_HOST=0.0.0.0COMPUTE_WORKER_PORT=8081COMPUTE_LOG_FORMAT=pretty(default) orjsonCOMPUTE_PREWARM_MODELS=true
App server environment variables (worker mode)
Set on the Next.js app server:
COMPUTE_MODE=worker
COMPUTE_WORKER_URL=http://<worker-host>:8081
COMPUTE_WORKER_TOKEN=<same-token-as-worker>
COMPUTE_MODE=worker has no local fallback. If worker is unavailable, affected requests fail.
Production notes
- Worker mode assumes shared object storage is reachable by both app server and worker.
- Non-exposed embedded
weed miniis not supported with external worker mode. - Protect
COMPUTE_WORKER_TOKENand avoid exposing worker routes publicly without auth.
Health endpoints
GET /health/liveGET /health/ready
Authenticating with Synadia Cloud (NGS)
If you are using a free Synadia Cloud account to back your compute queue in production:
- Obtain your credentials file: When creating a user or a service account on Synadia Cloud, download your credentials file (usually named
<something>.creds). - Configure NATS URL: Synadia Cloud's server address is
tls://connect.ngs.global:4222. Set this as yourNATS_URL. - Configure Authentication:
- Using a local file path: Set
NATS_CREDS_FILEto the path of your.credsfile:NATS_URL=tls://connect.ngs.global:4222 NATS_CREDS_FILE=/app/secrets/NGS-Default-compute-worker.creds - Using raw content (Recommended for Railway, Fly.io, etc.): Set
NATS_CREDSto the exact content of your.credsfile (including the begin/end banners for JWT and NKEY seed). Since.credscontains newlines, wrap the entire value in quotes or paste it directly into your cloud provider's Secrets/Environment settings:NATS_URL=tls://connect.ngs.global:4222 NATS_CREDS="-----BEGIN NATS USER JWT-----\neyJ0...------END USER NKEY SEED------"
- Using a local file path: Set