---
# Swarm stack for the seqthink-wrapper service: three replicas on worker
# nodes, routed by Traefik at seqthink.chorus.services, with the age key
# files supplied as external swarm secrets.
version: '3.8'

services:
  seqthink-wrapper:
    # NOTE(review): `latest` is a mutable tag, so what runs depends on when
    # the stack was deployed. Pin an immutable version tag or an @sha256
    # digest to make rollouts and rollbacks reproducible and auditable.
    image: anthonyrawlins/seqthink-wrapper:latest
    networks:
      - chorus-overlay
    # NOTE(review): this publishes 8443 on the swarm nodes in addition to
    # the Traefik route below. The healthcheck reaches this port over plain
    # HTTP, so direct clients would bypass the TLS that Traefik terminates.
    # If all traffic should go through Traefik, drop the mapping; otherwise
    # restrict it at the host firewall.
    # A published port also attaches tasks to the ingress network; confirm
    # Traefik is pinned to chorus-overlay (e.g. the traefik.docker.network
    # label in Traefik v2).
    ports:
      - '8443:8443'
    environment:
      # Logging
      LOG_LEVEL: info

      # Upstream MCP server, addressed over loopback inside the container
      MCP_LOCAL: http://127.0.0.1:8000

      # Listener port; must match the published port, the Traefik
      # loadbalancer port and the healthcheck URL below
      PORT: '8443'

      # Request body limit (MB, per the variable name)
      MAX_BODY_MB: '4'

      # age key files, read from the swarm secrets mounted in /run/secrets.
      # The identity file is the private key: keep it out of the image,
      # the environment and version control.
      AGE_IDENT_PATH: /run/secrets/seqthink_age_identity
      AGE_RECIPS_PATH: /run/secrets/seqthink_age_recipients

      # KACHING JWT policy: JWKS endpoint (HTTPS) and the scope name.
      # NOTE(review): enforcement lives in the wrapper, not in this file;
      # verify that a missing or unreachable JWKS fails closed.
      KACHING_JWKS_URL: https://auth.kaching.services/jwks
      REQUIRED_SCOPE: sequentialthinking.run
    secrets:
      - seqthink_age_identity
      - seqthink_age_recipients
    deploy:
      mode: replicated
      replicas: 3
      placement:
        # Worker nodes only, spread across hostnames
        constraints:
          - node.role == worker
        preferences:
          - spread: node.hostname
      resources:
        limits:
          cpus: '1.0'
          memory: 512M
        reservations:
          cpus: '0.5'
          memory: 256M
      restart_policy:
        condition: on-failure
        delay: 5s
        max_attempts: 3
        window: 120s
      # Rolling update, one task at a time; roll back automatically when
      # the failure ratio during the 30s monitor window exceeds 0.3
      update_config:
        parallelism: 1
        delay: 10s
        failure_action: rollback
        monitor: 30s
        max_failure_ratio: 0.3
      # A failed rollback pauses instead of retrying
      rollback_config:
        parallelism: 1
        delay: 5s
        failure_action: pause
        monitor: 30s
      # Traefik: HTTPS router on the websecure entrypoint with a
      # Let's Encrypt certificate, forwarding to container port 8443
      labels:
        - 'traefik.enable=true'
        - 'traefik.http.routers.seqthink.rule=Host(`seqthink.chorus.services`)'
        - 'traefik.http.routers.seqthink.entrypoints=websecure'
        - 'traefik.http.routers.seqthink.tls=true'
        - 'traefik.http.routers.seqthink.tls.certresolver=letsencrypt'
        - 'traefik.http.services.seqthink.loadbalancer.server.port=8443'
        - 'traefik.http.services.seqthink.loadbalancer.healthcheck.path=/health'
        - 'traefik.http.services.seqthink.loadbalancer.healthcheck.interval=30s'
    # Container-level health probe; -f makes curl exit non-zero on HTTP
    # error responses. Assumes curl exists in the image - TODO confirm.
    healthcheck:
      test:
        - CMD
        - curl
        - '-f'
        - http://localhost:8443/health
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
    # Bound local log growth: at most 3 files of 10m per container
    logging:
      driver: json-file
      options:
        max-size: '10m'
        max-file: '3'

# The overlay network and both secrets are created outside this stack and
# must exist before it is deployed.
networks:
  chorus-overlay:
    external: true

secrets:
  seqthink_age_identity:
    external: true
  seqthink_age_recipients:
    external: true