OPS - GATEWAY: bind Synology service to NAS address

2026-05-15 10:21:16 +03:00 · 2026-05-15 10:21:16 +03:00 · 19d5f18bf5
parent 9677c455b3
commit 19d5f18bf5
4 changed files with 17 additions and 14 deletions
--- a/.env.synology.example
+++ b/.env.synology.example
@ -1,13 +1,14 @@
 NODE_ENV=production
 HOST=0.0.0.0
 PORT=4100
 HOST_BIND=172.22.0.222
 HOST_PORT=18190
 LOG_LEVEL=info
 NODEDC_AGENT_GATEWAY_PUBLIC_URL=https://ops-agents.nodedc.ru
 NODEDC_AGENT_GATEWAY_INTERNAL_TOKEN=replace-with-strong-gateway-internal-token
-NODEDC_LAUNCHER_INTERNAL_URL=http://127.0.0.1:18080
+NODEDC_LAUNCHER_INTERNAL_URL=http://172.22.0.222:18080
-NODEDC_TASKER_INTERNAL_URL=http://127.0.0.1:18090
+NODEDC_TASKER_INTERNAL_URL=http://172.22.0.222:18090
 NODEDC_INTERNAL_ACCESS_TOKEN=replace-with-platform-internal-access-token
 POSTGRES_DB=nodedc_agent_gateway
--- a/README.md
+++ b/README.md
@ -45,7 +45,7 @@ docker compose --env-file .env -f docker-compose.local.yml up -d --build
 curl http://127.0.0.1:4100/readyz
 ```
-The `agent-gateway` container waits for local Postgres, runs migrations on startup, and exposes the same `:4100` internal endpoint used by Tasker (`PLANE_NODEDC_AGENT_GATEWAY_URL=http://host.docker.internal:4100`). `HOST_PORT` controls the host-side port for reverse proxy deployments; Synology should use `docker-compose.synology.yml` with `127.0.0.1:18190:4100` because `18090` is reserved for Tasker. The user-facing setup packet uses `NODEDC_AGENT_GATEWAY_PUBLIC_URL`; product defaults point to `https://ops-agents.nodedc.ru`, not localhost.
+The `agent-gateway` container waits for local Postgres, runs migrations on startup, and exposes the same `:4100` internal endpoint used by Tasker (`PLANE_NODEDC_AGENT_GATEWAY_URL=http://host.docker.internal:4100` in local development). `HOST_BIND` and `HOST_PORT` control the host-side port for reverse proxy deployments; Synology should use `docker-compose.synology.yml` with `172.22.0.222:18190:4100` because `18090` is reserved for Tasker. The user-facing setup packet uses `NODEDC_AGENT_GATEWAY_PUBLIC_URL`; product defaults point to `https://ops-agents.nodedc.ru`, not localhost.
 Synology deployment notes live in `docs/SYNOLOGY_DEPLOY.md`.
--- a/docker-compose.synology.yml
+++ b/docker-compose.synology.yml
@ -25,14 +25,14 @@ services:
      DATABASE_URL: postgres://${POSTGRES_USER:-nodedc_agent_gateway}:${POSTGRES_PASSWORD:-replace-with-strong-postgres-password}@postgres:5432/${POSTGRES_DB:-nodedc_agent_gateway}
      NODEDC_AGENT_GATEWAY_PUBLIC_URL: ${NODEDC_AGENT_GATEWAY_PUBLIC_URL:-https://ops-agents.nodedc.ru}
      NODEDC_AGENT_GATEWAY_INTERNAL_TOKEN: ${NODEDC_AGENT_GATEWAY_INTERNAL_TOKEN}
-      NODEDC_LAUNCHER_INTERNAL_URL: ${NODEDC_LAUNCHER_INTERNAL_URL:-http://127.0.0.1:18080}
+      NODEDC_LAUNCHER_INTERNAL_URL: ${NODEDC_LAUNCHER_INTERNAL_URL:-http://172.22.0.222:18080}
-      NODEDC_TASKER_INTERNAL_URL: ${NODEDC_TASKER_INTERNAL_URL:-http://127.0.0.1:18090}
+      NODEDC_TASKER_INTERNAL_URL: ${NODEDC_TASKER_INTERNAL_URL:-http://172.22.0.222:18090}
      NODEDC_INTERNAL_ACCESS_TOKEN: ${NODEDC_INTERNAL_ACCESS_TOKEN}
    depends_on:
      postgres:
        condition: service_healthy
    ports:
-      - "127.0.0.1:${HOST_PORT:-18190}:${PORT:-4100}"
+      - "${HOST_BIND:-172.22.0.222}:${HOST_PORT:-18190}:${PORT:-4100}"
    healthcheck:
      test:
        [
--- a/docs/SYNOLOGY_DEPLOY.md
+++ b/docs/SYNOLOGY_DEPLOY.md
@ -5,8 +5,9 @@ This service is the NODE.DC Operational Agents Gateway for Tasker/Operational Co
 ## Network model
 - Public URL: `https://ops-agents.nodedc.ru`.
- Synology reverse proxy: `HTTPS 443` → `HTTP 127.0.0.1:18190`.
+- Synology reverse proxy: `HTTPS 443` → `HTTP 172.22.0.222:18190`.
 - Container app port stays `4100`.
 - Docker host bind address is controlled by `HOST_BIND=172.22.0.222`.
 - Docker host port is controlled by `HOST_PORT=18190`.
 - Do not use `18090` for this module: that host port is reserved by Tasker / Operational Core.
 - No router changes are required if `443` already reaches Synology and Synology owns the reverse proxy rule.
@ -19,13 +20,14 @@ Create `.env` from `.env.synology.example` and replace every `replace-with-*` va
 NODE_ENV=production
 HOST=0.0.0.0
 PORT=4100
 HOST_BIND=172.22.0.222
 HOST_PORT=18190
 LOG_LEVEL=info
 NODEDC_AGENT_GATEWAY_PUBLIC_URL=https://ops-agents.nodedc.ru
 NODEDC_AGENT_GATEWAY_INTERNAL_TOKEN=<strong-random-secret>
-NODEDC_LAUNCHER_INTERNAL_URL=<launcher-url-reachable-from-synology>
+NODEDC_LAUNCHER_INTERNAL_URL=http://172.22.0.222:18080
-NODEDC_TASKER_INTERNAL_URL=<tasker-url-reachable-from-synology>
+NODEDC_TASKER_INTERNAL_URL=http://172.22.0.222:18090
 NODEDC_INTERNAL_ACCESS_TOKEN=<tasker-internal-access-token>
 POSTGRES_DB=nodedc_agent_gateway
@ -66,16 +68,16 @@ docker compose --env-file .env -f docker-compose.synology.yml pull
 docker compose --env-file .env -f docker-compose.synology.yml up -d --build
 ```
-If the repository is deployed from source and not from a registry image, `up -d --build` is enough. The production compose does not publish Postgres and binds the gateway to `127.0.0.1:18190`; DSM reverse proxy should target that local address.
+If the repository is deployed from source and not from a registry image, `up -d --build` is enough. The production compose does not publish Postgres and binds the gateway to `${HOST_BIND}:${HOST_PORT}`; DSM reverse proxy must target the same address.
 ## Verification
 Local host checks:
 ```bash
-curl -fsS http://127.0.0.1:18190/healthz
+curl -fsS http://172.22.0.222:18190/healthz
-curl -fsS http://127.0.0.1:18190/readyz
+curl -fsS http://172.22.0.222:18190/readyz
-curl -fsS -i http://127.0.0.1:18190/mcp | head
+curl -fsS -i http://172.22.0.222:18190/mcp | head
 ```
 Public checks after DNS/reverse proxy:
@ -98,7 +100,7 @@ Expected behavior:
 Tasker must call the gateway by internal URL:
 ```env
-PLANE_NODEDC_AGENT_GATEWAY_URL=http://<synology-or-gateway-host>:18190
+PLANE_NODEDC_AGENT_GATEWAY_URL=http://172.22.0.222:18190
 PLANE_NODEDC_AGENT_GATEWAY_TOKEN=<same value as NODEDC_AGENT_GATEWAY_INTERNAL_TOKEN>
 ```