OPS - GATEWAY: bind Synology service to NAS address

.env.synology.example

@@ -1,13 +1,14 @@
 NODE_ENV=production
 HOST=0.0.0.0
 PORT=4100
+HOST_BIND=172.22.0.222
 HOST_PORT=18190
 LOG_LEVEL=info
 
 NODEDC_AGENT_GATEWAY_PUBLIC_URL=https://ops-agents.nodedc.ru
 NODEDC_AGENT_GATEWAY_INTERNAL_TOKEN=replace-with-strong-gateway-internal-token
-NODEDC_LAUNCHER_INTERNAL_URL=http://127.0.0.1:18080
-NODEDC_TASKER_INTERNAL_URL=http://127.0.0.1:18090
+NODEDC_LAUNCHER_INTERNAL_URL=http://172.22.0.222:18080
+NODEDC_TASKER_INTERNAL_URL=http://172.22.0.222:18090
 NODEDC_INTERNAL_ACCESS_TOKEN=replace-with-platform-internal-access-token
 
 POSTGRES_DB=nodedc_agent_gateway

README.md

@@ -45,7 +45,7 @@ docker compose --env-file .env -f docker-compose.local.yml up -d --build
 curl http://127.0.0.1:4100/readyz
 ```
 
-The `agent-gateway` container waits for local Postgres, runs migrations on startup, and exposes the same `:4100` internal endpoint used by Tasker (`PLANE_NODEDC_AGENT_GATEWAY_URL=http://host.docker.internal:4100`). `HOST_PORT` controls the host-side port for reverse proxy deployments; Synology should use `docker-compose.synology.yml` with `127.0.0.1:18190:4100` because `18090` is reserved for Tasker. The user-facing setup packet uses `NODEDC_AGENT_GATEWAY_PUBLIC_URL`; product defaults point to `https://ops-agents.nodedc.ru`, not localhost.
+The `agent-gateway` container waits for local Postgres, runs migrations on startup, and exposes the same `:4100` internal endpoint used by Tasker (`PLANE_NODEDC_AGENT_GATEWAY_URL=http://host.docker.internal:4100` in local development). `HOST_BIND` and `HOST_PORT` control the host-side port for reverse proxy deployments; Synology should use `docker-compose.synology.yml` with `172.22.0.222:18190:4100` because `18090` is reserved for Tasker. The user-facing setup packet uses `NODEDC_AGENT_GATEWAY_PUBLIC_URL`; product defaults point to `https://ops-agents.nodedc.ru`, not localhost.
 
 Synology deployment notes live in `docs/SYNOLOGY_DEPLOY.md`.
 

docker-compose.synology.yml

@@ -25,14 +25,14 @@ services:
       DATABASE_URL: postgres://${POSTGRES_USER:-nodedc_agent_gateway}:${POSTGRES_PASSWORD:-replace-with-strong-postgres-password}@postgres:5432/${POSTGRES_DB:-nodedc_agent_gateway}
       NODEDC_AGENT_GATEWAY_PUBLIC_URL: ${NODEDC_AGENT_GATEWAY_PUBLIC_URL:-https://ops-agents.nodedc.ru}
       NODEDC_AGENT_GATEWAY_INTERNAL_TOKEN: ${NODEDC_AGENT_GATEWAY_INTERNAL_TOKEN}
-      NODEDC_LAUNCHER_INTERNAL_URL: ${NODEDC_LAUNCHER_INTERNAL_URL:-http://127.0.0.1:18080}
-      NODEDC_TASKER_INTERNAL_URL: ${NODEDC_TASKER_INTERNAL_URL:-http://127.0.0.1:18090}
+      NODEDC_LAUNCHER_INTERNAL_URL: ${NODEDC_LAUNCHER_INTERNAL_URL:-http://172.22.0.222:18080}
+      NODEDC_TASKER_INTERNAL_URL: ${NODEDC_TASKER_INTERNAL_URL:-http://172.22.0.222:18090}
       NODEDC_INTERNAL_ACCESS_TOKEN: ${NODEDC_INTERNAL_ACCESS_TOKEN}
     depends_on:
       postgres:
         condition: service_healthy
     ports:
-      - "127.0.0.1:${HOST_PORT:-18190}:${PORT:-4100}"
+      - "${HOST_BIND:-172.22.0.222}:${HOST_PORT:-18190}:${PORT:-4100}"
     healthcheck:
       test:
         [

docs/SYNOLOGY_DEPLOY.md

@@ -5,8 +5,9 @@ This service is the NODE.DC Operational Agents Gateway for Tasker/Operational Co
 ## Network model
 
 - Public URL: `https://ops-agents.nodedc.ru`.
-- Synology reverse proxy: `HTTPS 443` → `HTTP 127.0.0.1:18190`.
+- Synology reverse proxy: `HTTPS 443` → `HTTP 172.22.0.222:18190`.
 - Container app port stays `4100`.
+- Docker host bind address is controlled by `HOST_BIND=172.22.0.222`.
 - Docker host port is controlled by `HOST_PORT=18190`.
 - Do not use `18090` for this module: that host port is reserved by Tasker / Operational Core.
 - No router changes are required if `443` already reaches Synology and Synology owns the reverse proxy rule.
@@ -19,13 +20,14 @@ Create `.env` from `.env.synology.example` and replace every `replace-with-*` va
 NODE_ENV=production
 HOST=0.0.0.0
 PORT=4100
+HOST_BIND=172.22.0.222
 HOST_PORT=18190
 LOG_LEVEL=info
 
 NODEDC_AGENT_GATEWAY_PUBLIC_URL=https://ops-agents.nodedc.ru
 NODEDC_AGENT_GATEWAY_INTERNAL_TOKEN=<strong-random-secret>
-NODEDC_LAUNCHER_INTERNAL_URL=<launcher-url-reachable-from-synology>
-NODEDC_TASKER_INTERNAL_URL=<tasker-url-reachable-from-synology>
+NODEDC_LAUNCHER_INTERNAL_URL=http://172.22.0.222:18080
+NODEDC_TASKER_INTERNAL_URL=http://172.22.0.222:18090
 NODEDC_INTERNAL_ACCESS_TOKEN=<tasker-internal-access-token>
 
 POSTGRES_DB=nodedc_agent_gateway
@@ -66,16 +68,16 @@ docker compose --env-file .env -f docker-compose.synology.yml pull
 docker compose --env-file .env -f docker-compose.synology.yml up -d --build
 ```
 
-If the repository is deployed from source and not from a registry image, `up -d --build` is enough. The production compose does not publish Postgres and binds the gateway to `127.0.0.1:18190`; DSM reverse proxy should target that local address.
+If the repository is deployed from source and not from a registry image, `up -d --build` is enough. The production compose does not publish Postgres and binds the gateway to `${HOST_BIND}:${HOST_PORT}`; DSM reverse proxy must target the same address.
 
 ## Verification
 
 Local host checks:
 
 ```bash
-curl -fsS http://127.0.0.1:18190/healthz
-curl -fsS http://127.0.0.1:18190/readyz
-curl -fsS -i http://127.0.0.1:18190/mcp | head
+curl -fsS http://172.22.0.222:18190/healthz
+curl -fsS http://172.22.0.222:18190/readyz
+curl -fsS -i http://172.22.0.222:18190/mcp | head
 ```
 
 Public checks after DNS/reverse proxy:
@@ -98,7 +100,7 @@ Expected behavior:
 Tasker must call the gateway by internal URL:
 
 ```env
-PLANE_NODEDC_AGENT_GATEWAY_URL=http://<synology-or-gateway-host>:18190
+PLANE_NODEDC_AGENT_GATEWAY_URL=http://172.22.0.222:18190
 PLANE_NODEDC_AGENT_GATEWAY_TOKEN=<same value as NODEDC_AGENT_GATEWAY_INTERNAL_TOKEN>
 ```