feat(chorus): run chorus-agent (replace deprecated wrapper); deterministic council role-claim shuffle; compose: WHOOSH UI env + Traefik label fixes + rotated JWT secret

This commit is contained in:
anthonyrawlins
2025-10-08 23:52:06 +11:00
parent 9f480986fa
commit 7381137db5
3 changed files with 482 additions and 19 deletions


@@ -29,8 +29,8 @@ services:
- CHORUS_MAX_CONCURRENT_DHT=16 # Limit concurrent DHT queries
# Election stability windows (Medium-risk fix 2.1)
- CHORUS_ELECTION_MIN_TERM=30s # Minimum time between elections to prevent churn
- CHORUS_LEADER_MIN_TERM=45s # Minimum time before challenging healthy leader
- CHORUS_ELECTION_MIN_TERM=120s # Minimum time between elections to prevent churn
- CHORUS_LEADER_MIN_TERM=240s # Minimum time before challenging healthy leader
# Assignment system for runtime configuration (Medium-risk fix 2.2)
- ASSIGN_URL=${ASSIGN_URL:-} # Optional: WHOOSH assignment endpoint
@@ -61,7 +61,7 @@ services:
- CHORUS_LIGHTRAG_ENABLED=${CHORUS_LIGHTRAG_ENABLED:-false}
- CHORUS_LIGHTRAG_BASE_URL=${CHORUS_LIGHTRAG_BASE_URL:-http://lightrag:9621}
- CHORUS_LIGHTRAG_TIMEOUT=${CHORUS_LIGHTRAG_TIMEOUT:-30s}
- CHORUS_LIGHTRAG_API_KEY=${CHORUS_LIGHTRAG_API_KEY:-}
- CHORUS_LIGHTRAG_API_KEY=${CHORUS_LIGHTRAG_API_KEY:-your-secure-api-key-here}
- CHORUS_LIGHTRAG_DEFAULT_MODE=${CHORUS_LIGHTRAG_DEFAULT_MODE:-hybrid}
# Logging configuration
@@ -102,7 +102,7 @@ services:
# Container resource limits
deploy:
mode: replicated
replicas: ${CHORUS_REPLICAS:-9}
replicas: ${CHORUS_REPLICAS:-20}
update_config:
parallelism: 1
delay: 10s
@@ -173,6 +173,8 @@ services:
WHOOSH_SERVER_READ_TIMEOUT: "30s"
WHOOSH_SERVER_WRITE_TIMEOUT: "30s"
WHOOSH_SERVER_SHUTDOWN_TIMEOUT: "30s"
# UI static directory (served at site root by WHOOSH)
WHOOSH_UI_DIR: "/app/ui"
# GITEA configuration
WHOOSH_GITEA_BASE_URL: https://gitea.chorus.services
@@ -217,7 +219,8 @@ services:
- jwt_secret
- service_tokens
- redis_password
# volumes:
volumes:
- whoosh_ui:/app/ui:ro
# - /var/run/docker.sock:/var/run/docker.sock # Disabled for agent assignment architecture
deploy:
replicas: 2
@@ -254,11 +257,11 @@ services:
- traefik.enable=true
- traefik.docker.network=tengig
- traefik.http.routers.whoosh.rule=Host(`whoosh.chorus.services`)
- traefik.http.routers.whoosh.entrypoints=web,web-secured
- traefik.http.routers.whoosh.tls=true
- traefik.http.routers.whoosh.tls.certresolver=letsencryptresolver
- traefik.http.routers.photoprism.entrypoints=web,web-secured
- traefik.http.services.whoosh.loadbalancer.server.port=8080
- traefik.http.services.photoprism.loadbalancer.passhostheader=true
- traefik.http.services.whoosh.loadbalancer.passhostheader=true
- traefik.http.middlewares.whoosh-auth.basicauth.users=admin:$2y$10$example_hash
networks:
- tengig
@@ -414,7 +417,7 @@ services:
# REQ: BACKBEAT-REQ-001 - Single BeatFrame publisher per cluster
# REQ: BACKBEAT-OPS-001 - One replica prefers leadership
backbeat-pulse:
image: anthonyrawlins/backbeat-pulse:v1.0.5
image: anthonyrawlins/backbeat-pulse:v1.0.6
command: >
./pulse
-cluster=chorus-production
@@ -581,6 +584,14 @@ services:
max-file: "3"
tag: "nats/{{.Name}}/{{.ID}}"
watchtower:
image: containrrr/watchtower
volumes:
- /var/run/docker.sock:/var/run/docker.sock
command: --interval 300 --cleanup --revive-stopped --include-stopped
restart: always
# KACHING services are deployed separately in their own stack
# License validation will access https://kaching.chorus.services/api
@@ -618,6 +629,12 @@ volumes:
type: none
o: bind
device: /rust/containers/WHOOSH/redis
whoosh_ui:
driver: local
driver_opts:
type: none
o: bind
device: /rust/containers/WHOOSH/ui
# Networks for CHORUS communication
@@ -652,7 +669,7 @@ secrets:
name: whoosh_webhook_token
jwt_secret:
external: true
name: whoosh_jwt_secret
name: whoosh_jwt_secret_v4
service_tokens:
external: true
name: whoosh_service_tokens
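Review bot: The new default in the LightRAG block, `- CHORUS_LIGHTRAG_API_KEY=${CHORUS_LIGHTRAG_API_KEY:-your-secure-api-key-here}`, turns an unset variable into a working, guessable credential instead of an empty one, so a deployment that forgot to set the key authenticates with a public placeholder rather than failing. The previous `${CHORUS_LIGHTRAG_API_KEY:-}` was the safer default; if the key must be present whenever `CHORUS_LIGHTRAG_ENABLED` is true, prefer sourcing it from a Swarm secret like the `jwt_secret`/`service_tokens` entries at the bottom of the file, or use `${CHORUS_LIGHTRAG_API_KEY:?CHORUS_LIGHTRAG_API_KEY must be set}` so compose aborts instead of substituting a placeholder. In the watchtower stanza, `image: containrrr/watchtower` is the only untagged image in this file (compare `backbeat-pulse:v1.0.6`) and it is handed `/var/run/docker.sock`, a mount the commented-out line in the whoosh service shows was deliberately withheld elsewhere; pin a tag or digest and add a comment stating why daemon-socket access is acceptable for this one service. The unchanged `whoosh-auth.basicauth.users=admin:$2y$10$example_hash` label still carries a placeholder hash and, with unescaped `$`, may be altered by compose variable interpolation, so it is worth a follow-up if that middleware is meant to be live.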