kua-deploy/docker-compose.yml


# kua-deploy — extracted from coder-core/services/kua-services/docker-compose.yml on 2026-05-21.
# Run as its own compose project on Bruno, decoupled from coder-core's deploy lifecycle.
#
# Network attachments:
# - kua-services: reach kua-vault, kua-db, kua-mcp-core, etc.
# - production_proxy: reach forgejo (git operations) + Caddy edge labels
#
# Registry: ENGINE-OWNED at /app/data/registry.json (on the kua-deploy-data volume),
# mutated only via the authenticated API (PUT/PATCH/DELETE /api/v1/apps/:app). The old
# git bind-mount was removed 2026-05-26 — git is no longer in the registry path. On a
# fresh volume the engine seeds from KUA_REGISTRY_SEED (default /app/deploy-registry.json)
# if present; the cutover pre-seeds /app/data/registry.json from the live registry first.
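# Compose project for the kua-deploy engine. Nesting restored: the flattened
# listing parsed as one mapping with duplicate `volumes`/`networks`/`name` keys.
services:
  kua-deploy:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: kua-deploy
    restart: always
    environment:
      - HOSTNAME=bruno
      - NODE_ENV=production
      # Plain HTTP to vault and db: confidentiality of these calls rests on
      # the kua-services network only carrying trusted containers.
      - KUA_VAULT_URL=http://kua-vault:3000
      - KUA_DB_URL=http://kua-db:3100
      # NOTE(review): `${VAR:-}` substitutes an empty string when the variable
      # is unset, so the container starts with a blank token/secret instead of
      # failing. Confirm the engine rejects empty values; if these are
      # mandatory, `${VAR:?message}` makes `docker compose up` abort instead.
      # NOTE(review): the DB admin token and the deploy admin token are both
      # fed from KUA_ADMIN_TOKEN, so one leaked value covers both roles.
      - KUA_DB_ADMIN_TOKEN=${KUA_ADMIN_TOKEN:-}
      - KUA_ALLOWED_NODES=${KUA_ALLOWED_NODES:-gal,bruno,genesis}
      - KUA_DEPLOY_WEBHOOK_SECRET=${KUA_DEPLOY_WEBHOOK_SECRET:-}
      - KUA_DEPLOY_ADMIN_TOKEN=${KUA_ADMIN_TOKEN:-}
    ports:
      # Published on one host address only, not on 0.0.0.0. Quoted so the
      # colon-separated value is always read as a string.
      - "100.74.17.6:3200:3200"
    volumes:
      # `:ro` on a Unix socket only protects the socket file itself; a process
      # that can connect can still issue any API request. Mounting docker.sock
      # therefore gives this container control of the host's Docker daemon
      # (root-equivalent on the host). If the engine needs only a subset of
      # the API, put a filtering socket proxy in between.
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - kua-deploy-data:/app/data
      # Host root's SSH directory is readable inside the container. A
      # dedicated deploy key with restricted scope would limit what a
      # compromise of this service exposes.
      - /root/.ssh:/root/.ssh:ro
      # Read-write: the container can modify everything under /root/apps.
      - /root/apps:/root/apps
      - /usr/local/bin/kua-vault:/usr/local/bin/kua-vault:ro
      - /root/.config/kua-vault:/root/.config/kua-vault:ro
    networks:
      - kua-services
      - production_proxy
    labels:
      # NOTE(review): besides the host-bound port above, these labels publish
      # the service as deploy.kua.cl through the Caddy proxy. Confirm who can
      # reach that hostname and that every route served there is
      # authenticated, given the host access this container holds.
      - "caddy=deploy.kua.cl"
      - "caddy.reverse_proxy={{upstreams 3200}}"
    healthcheck:
      # Requires curl in the image; -f turns HTTP error statuses into a
      # non-zero exit so the container is marked unhealthy.
      test: ["CMD", "curl", "-sf", "http://localhost:3200/health"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 10s

# External resources: compose neither creates nor removes them, so they must
# already exist on the host before this project is started.
volumes:
  kua-deploy-data:
    name: kua-services_kua-deploy-data
    external: true

networks:
  kua-services:
    name: kua-services
    external: true
  production_proxy:
    name: production_proxy
    external: true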