diff --git a/.env.synology.example b/.env.synology.example index f1505ef..774982c 100644 --- a/.env.synology.example +++ b/.env.synology.example @@ -1,13 +1,14 @@ NODE_ENV=production HOST=0.0.0.0 PORT=4100 +HOST_BIND=172.22.0.222 HOST_PORT=18190 LOG_LEVEL=info NODEDC_AGENT_GATEWAY_PUBLIC_URL=https://ops-agents.nodedc.ru NODEDC_AGENT_GATEWAY_INTERNAL_TOKEN=replace-with-strong-gateway-internal-token -NODEDC_LAUNCHER_INTERNAL_URL=http://127.0.0.1:18080 -NODEDC_TASKER_INTERNAL_URL=http://127.0.0.1:18090 +NODEDC_LAUNCHER_INTERNAL_URL=http://172.22.0.222:18080 +NODEDC_TASKER_INTERNAL_URL=http://172.22.0.222:18090 NODEDC_INTERNAL_ACCESS_TOKEN=replace-with-platform-internal-access-token POSTGRES_DB=nodedc_agent_gateway diff --git a/README.md b/README.md index 7e99321..747b6c6 100644 --- a/README.md +++ b/README.md 
@@ -45,7 +45,7 @@ docker compose --env-file .env -f docker-compose.local.yml up -d --build curl http://127.0.0.1:4100/readyz ``` -The `agent-gateway` container waits for local Postgres, runs migrations on startup, and exposes the same `:4100` internal endpoint used by Tasker (`PLANE_NODEDC_AGENT_GATEWAY_URL=http://host.docker.internal:4100`). `HOST_PORT` controls the host-side port for reverse proxy deployments; Synology should use `docker-compose.synology.yml` with `127.0.0.1:18190:4100` because `18090` is reserved for Tasker. The user-facing setup packet uses `NODEDC_AGENT_GATEWAY_PUBLIC_URL`; product defaults point to `https://ops-agents.nodedc.ru`, not localhost. +The `agent-gateway` container waits for local Postgres, runs migrations on startup, and exposes the same `:4100` internal endpoint used by Tasker (`PLANE_NODEDC_AGENT_GATEWAY_URL=http://host.docker.internal:4100` in local development). `HOST_BIND` and `HOST_PORT` control the host-side port for reverse proxy deployments; Synology should use `docker-compose.synology.yml` with `172.22.0.222:18190:4100` because `18090` is reserved for Tasker. The user-facing setup packet uses `NODEDC_AGENT_GATEWAY_PUBLIC_URL`; product defaults point to `https://ops-agents.nodedc.ru`, not localhost. Synology deployment notes live in `docs/SYNOLOGY_DEPLOY.md`. diff --git a/docker-compose.synology.yml b/docker-compose.synology.yml index e2d7631..cec703d 100644 --- a/docker-compose.synology.yml +++ b/docker-compose.synology.yml 
@@ -25,14 +25,14 @@ services: DATABASE_URL: postgres://${POSTGRES_USER:-nodedc_agent_gateway}:${POSTGRES_PASSWORD:-replace-with-strong-postgres-password}@postgres:5432/${POSTGRES_DB:-nodedc_agent_gateway} NODEDC_AGENT_GATEWAY_PUBLIC_URL: ${NODEDC_AGENT_GATEWAY_PUBLIC_URL:-https://ops-agents.nodedc.ru} NODEDC_AGENT_GATEWAY_INTERNAL_TOKEN: ${NODEDC_AGENT_GATEWAY_INTERNAL_TOKEN} - NODEDC_LAUNCHER_INTERNAL_URL: ${NODEDC_LAUNCHER_INTERNAL_URL:-http://127.0.0.1:18080} - NODEDC_TASKER_INTERNAL_URL: ${NODEDC_TASKER_INTERNAL_URL:-http://127.0.0.1:18090} + NODEDC_LAUNCHER_INTERNAL_URL: ${NODEDC_LAUNCHER_INTERNAL_URL:-http://172.22.0.222:18080} + NODEDC_TASKER_INTERNAL_URL: ${NODEDC_TASKER_INTERNAL_URL:-http://172.22.0.222:18090} NODEDC_INTERNAL_ACCESS_TOKEN: ${NODEDC_INTERNAL_ACCESS_TOKEN} depends_on: postgres: condition: service_healthy ports: - - "127.0.0.1:${HOST_PORT:-18190}:${PORT:-4100}" + - "${HOST_BIND:-172.22.0.222}:${HOST_PORT:-18190}:${PORT:-4100}" healthcheck: test: [ diff --git a/docs/SYNOLOGY_DEPLOY.md b/docs/SYNOLOGY_DEPLOY.md index 9e7b648..df1c0d2 100644 --- a/docs/SYNOLOGY_DEPLOY.md +++ b/docs/SYNOLOGY_DEPLOY.md @@ -5,8 +5,9 @@ This service is the NODE.DC Operational Agents Gateway for Tasker/Operational Co ## Network model - Public URL: `https://ops-agents.nodedc.ru`. -- Synology reverse proxy: `HTTPS 443` → `HTTP 127.0.0.1:18190`. +- Synology reverse proxy: `HTTPS 443` → `HTTP 172.22.0.222:18190`. - Container app port stays `4100`. +- Docker host bind address is controlled by `HOST_BIND=172.22.0.222`. - Docker host port is controlled by `HOST_PORT=18190`. - Do not use `18090` for this module: that host port is reserved by Tasker / Operational Core. - No router changes are required if `443` already reaches Synology and Synology owns the reverse proxy rule. 
@@ -19,13 +20,14 @@ Create `.env` from `.env.synology.example` and replace every `replace-with-*` va NODE_ENV=production HOST=0.0.0.0 PORT=4100 +HOST_BIND=172.22.0.222 HOST_PORT=18190 LOG_LEVEL=info NODEDC_AGENT_GATEWAY_PUBLIC_URL=https://ops-agents.nodedc.ru NODEDC_AGENT_GATEWAY_INTERNAL_TOKEN= -NODEDC_LAUNCHER_INTERNAL_URL= -NODEDC_TASKER_INTERNAL_URL= +NODEDC_LAUNCHER_INTERNAL_URL=http://172.22.0.222:18080 +NODEDC_TASKER_INTERNAL_URL=http://172.22.0.222:18090 NODEDC_INTERNAL_ACCESS_TOKEN= POSTGRES_DB=nodedc_agent_gateway @@ -66,16 +68,16 @@ docker compose --env-file .env -f docker-compose.synology.yml pull docker compose --env-file .env -f docker-compose.synology.yml up -d --build ``` -If the repository is deployed from source and not from a registry image, `up -d --build` is enough. The production compose does not publish Postgres and binds the gateway to `127.0.0.1:18190`; DSM reverse proxy should target that local address. +If the repository is deployed from source and not from a registry image, `up -d --build` is enough. The production compose does not publish Postgres and binds the gateway to `${HOST_BIND}:${HOST_PORT}`; DSM reverse proxy must target the same address. ## Verification Local host checks: ```bash -curl -fsS http://127.0.0.1:18190/healthz -curl -fsS http://127.0.0.1:18190/readyz -curl -fsS -i http://127.0.0.1:18190/mcp | head +curl -fsS http://172.22.0.222:18190/healthz +curl -fsS http://172.22.0.222:18190/readyz +curl -fsS -i http://172.22.0.222:18190/mcp | head ``` Public checks after DNS/reverse proxy: @@ -98,7 +100,7 @@ Expected behavior: Tasker must call the gateway by internal URL: ```env -PLANE_NODEDC_AGENT_GATEWAY_URL=http://:18190 +PLANE_NODEDC_AGENT_GATEWAY_URL=http://172.22.0.222:18190 PLANE_NODEDC_AGENT_GATEWAY_TOKEN= ```
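Review bot: In `.env.synology.example`, the added `HOST_BIND=172.22.0.222` line and the two rewritten `NODEDC_*_INTERNAL_URL` values put one site's address into a file that is meant to be copied, with nothing marking it as deployment-specific. The token lines in the same hunk use `replace-with-...` placeholders. Suggest giving the address the same treatment, or adding a `#` comment above `HOST_BIND` saying it must be an address that exists on the Docker host and should be reachable only by the reverse proxy and Tasker.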
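Review bot: In `README.md`, the rewritten sentence says `HOST_BIND` and `HOST_PORT` "control the host-side port", but `HOST_BIND` selects the bind address, not the port. Suggest "control the host-side bind address and port". The sentence also replaces the loopback binding `127.0.0.1:18190:4100` with `172.22.0.222:18190:4100` without giving a reason, so a reader cannot tell whether the wider exposure is intended. A short clause stating why would fix that.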
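Review bot: In `docker-compose.synology.yml`, the `ports` entry now falls back to `${HOST_BIND:-172.22.0.222}` where it was previously fixed to `127.0.0.1`, so a deployment with `HOST_BIND` unset publishes the gateway's plain-HTTP port on a non-loopback address by default, and fails to start on any host that does not own that address. Suggest keeping the safe default with `${HOST_BIND:-127.0.0.1}`, or making the value mandatory with `${HOST_BIND:?set HOST_BIND}` so the exposure is always an explicit choice. The same applies to the `NODEDC_LAUNCHER_INTERNAL_URL` and `NODEDC_TASKER_INTERNAL_URL` fallbacks, which now embed the same address.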
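Review bot: In `docs/SYNOLOGY_DEPLOY.md`, the "Network model" list now sends the reverse proxy to `HTTP 172.22.0.222:18190` but does not say which hosts are expected to reach that address. With the loopback bind gone, anything that can route to `172.22.0.222` can talk to the gateway directly over HTTP and skip the `HTTPS 443` front end. Suggest adding a bullet that names the intended callers (DSM reverse proxy, Tasker) and states that access to `18190` on that interface must be restricted to them by the host firewall.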
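Review bot: In the "Verification" hunk of `docs/SYNOLOGY_DEPLOY.md`, the three `curl` lines hard-code `172.22.0.222:18190` while the paragraph just above them was changed to say the gateway binds to `${HOST_BIND}:${HOST_PORT}`. An operator who overrides `HOST_BIND` will run checks against the wrong address. Suggest writing the commands against the variables, for example `curl -fsS "http://${HOST_BIND}:${HOST_PORT}/healthz"`. The "Local host checks" label above the block also no longer fits an address that is not loopback.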
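Review bot: In the last hunk of `docs/SYNOLOGY_DEPLOY.md`, `PLANE_NODEDC_AGENT_GATEWAY_URL=http://172.22.0.222:18190` fixes the Tasker side to one address with no mention that it must track `HOST_BIND` and `HOST_PORT` on the gateway side. Suggest a sentence above the `env` block saying the host and port must match those two values. Because `PLANE_NODEDC_AGENT_GATEWAY_TOKEN` sits on the next line and the URL scheme is `http`, the text should also say that this path is expected to stay on a trusted internal network.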