deploy.example.env
# Deployment settings — copy to deploy.env (gitignored) and fill in.
# Sourced by scripts/deploy-local.sh + deploy-remote.sh + teardown-remote.sh, and
# used for compose ${VAR} interpolation in the reverse-proxy overlay.
# This file is for REMOTE deploys (scripts/deploy-remote.sh). For a local box use
# deploy.local.env (see deploy.local.example.env) — keeping them separate stops
# remote-only settings (host Redis, split dispatch, SSH host) leaking into a
# single-host local run.
# --- Deployment shape (which services run) ---------------------------------
# Preset: full = the whole stack (default); light = web + one SAQ worker
# (+ redis/qdrant per the toggles below). The deploy script turns this into
# COMPOSE_PROFILES. Override per-run with --preset / --profiles.
AGENTFORGE_PRESET=full
# Raw profile list — overrides the preset mapping when set. Known profiles:
# redis qdrant api sidecar dashboard full (split is added automatically for
# split dispatch). e.g., AGENTFORGE_PROFILES=full,qdrant
# AGENTFORGE_PROFILES=
# Dependency reuse — container = start the bundled service; host = reuse a
# service already running on the host; off (Qdrant only) = neither, let RAG/
# memory degrade. Reusing a host service simply omits its compose profile.
# host Redis is the remote default (matches the old --scale redis=0 behavior;
# the containers reach it via REMOTE_REDIS_URL below).
AGENTFORGE_REDIS=host # container | host
AGENTFORGE_QDRANT=container # container | host | off
HOST_QDRANT_HOST=host.docker.internal
HOST_QDRANT_PORT=6333
# --- Remote host (where the stack's containers run) ------------------------
REMOTE_SSH_HOST=my-server # ssh alias/host for the deploy target
REMOTE_DIR=/opt/agentforge # directory on the remote to deploy into
# IP or hostname the NATIVE LOCAL worker uses to reach the remote's
# Redis / Qdrant / Ollama / web (must be reachable from your machine).
REMOTE_HOST=192.168.1.10
# --- Reverse proxy (Traefik) — for the overlay -----------------------------
PUBLIC_DOMAIN=agent.example.com # Host rule for the web service (:8200, agent WS + REST)
API_DOMAIN=agent-web.example.com # Host rule for the RAG API / indexer (:8100, LAN-only by default)
QDRANT_DOMAIN=qdrant.example.com # Host rule for the Qdrant dashboard
SAQ_DOMAIN=saq.example.com # Host rule for the SAQ dashboard
PROXY_NETWORK=proxy # external Docker network Traefik watches
# --- Redis on the remote ---------------------------------------------------
# The deployed containers use this when AGENTFORGE_REDIS=host (the remote
# default). Which Redis runs is now controlled by AGENTFORGE_REDIS above (host
# omits the bundled redis profile; container starts it) — there is no more
# --scale redis=0. For a fully bundled remote stack, set AGENTFORGE_REDIS=container.
REMOTE_REDIS_URL=redis://host.docker.internal:6379
# --- Tool dispatch ---------------------------------------------------------
# split — multi-host: host-access tools (shell/SSH/Docker) run on a native
# "local" worker on your machine; the box runs the rest. Needs the
# native worker (scripts/setup-local-worker.sh). Adds the tools-worker
# container automatically.
# in_process — everything runs on the deployed box; no native worker needed.
# Leave unset to derive from the preset (full -> split, light -> in_process).
# Set explicitly to force a single-box remote onto in_process.
# AGENTFORGE_DISPATCH_MODE=split
# --- Browser sidecar -------------------------------------------------------
# Shared secret the web/workers send as X-Sidecar-Token; the sidecar rejects
# extraction requests without it. Empty = auth disabled (only safe when the
# sidecar port stays off the LAN). Generate one: `openssl rand -hex 32`.
SIDECAR_AUTH_TOKEN=
# Set to 1 only if you need the sidecar to extract from internal/LAN URLs
# (otherwise it refuses private/link-local/loopback targets as an SSRF guard).
SIDECAR_ALLOW_PRIVATE_URLS=
# --- API authentication ----------------------------------------------------
# Comma-separated API keys required on the HTTP/WebSocket surface. STRONGLY
# recommended for any internet-exposed deploy (the agent can run shell/SSH/
# Docker/SQL). Wins over config.yaml security.api_keys.
AGENTFORGE_API_KEYS=
# Set to 1 to make the app REFUSE to boot without API keys — use on public
# deploys so an unauthenticated surface can never start by accident. (The app
# already fails closed when the Docker socket is mounted with no keys.)
AGENTFORGE_REQUIRE_AUTH=
# Escape hatch: set to 1 to boot OPEN even when the socket is mounted /
# REQUIRE_AUTH is set and no keys exist. Use ONLY on a trusted network during a
# transition (e.g., before all clients send keys). Remove once keys are set.
AGENTFORGE_ALLOW_INSECURE=
# --- Internal worker<->web callbacks ---------------------------------------
# Shared secret the SAQ workers send as X-Internal-Token; the web service
# rejects /internal/* requests without it. Defence-in-depth on top of Traefik's
# path-exclusion. Empty = disabled (relies on network isolation only).
# Generate one: `openssl rand -hex 32`. Must be set in the shared env so both
# the web and worker containers see the same value.
AGENTFORGE_INTERNAL_TOKEN=
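
The auth settings above ship empty, so a copied deploy.env is open until they are filled in. The preflight lint below is an added example, not one of the project's scripts: `env_get` and `lint_deploy_env` are hypothetical names, and the FAIL/WARN severities are this example's own policy for an internet-exposed deploy, assuming unquoted values as in this file.

```shell
#!/bin/sh
# Added example (not from the project): preflight lint for deploy.env.
# Severity policy is this example's assumption for an internet-exposed deploy.
# env_get FILE KEY: print KEY's value without sourcing (executing) the file.
# Skips commented-out lines, strips inline " # comment"; last assignment wins.
env_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//'
}
# lint_deploy_env FILE: print findings; exit status 1 if any FAIL was printed.
lint_deploy_env() (
  f=$1; rc=0
  fail() { echo "FAIL $1"; rc=1; }
  keys=$(env_get "$f" AGENTFORGE_API_KEYS)
  sidecar=$(env_get "$f" SIDECAR_AUTH_TOKEN)
  internal=$(env_get "$f" AGENTFORGE_INTERNAL_TOKEN)
  if [ "$(env_get "$f" AGENTFORGE_ALLOW_INSECURE)" = 1 ]; then
    fail "AGENTFORGE_ALLOW_INSECURE=1: app may boot open with no keys"
  fi
  if [ -z "$keys" ]; then
    fail "AGENTFORGE_API_KEYS empty: HTTP/WebSocket surface unauthenticated"
  elif [ "$(env_get "$f" AGENTFORGE_REQUIRE_AUTH)" != 1 ]; then
    echo "WARN AGENTFORGE_REQUIRE_AUTH not 1: boot is not blocked if keys go missing"
  fi
  if [ -z "$sidecar" ]; then
    if [ "$(env_get "$f" SIDECAR_ALLOW_PRIVATE_URLS)" = 1 ]; then
      fail "sidecar has no token and the private-URL SSRF guard is off"
    else
      echo "WARN SIDECAR_AUTH_TOKEN empty: keep the sidecar port off the LAN"
    fi
  fi
  if [ -z "$internal" ]; then
    echo "WARN AGENTFORGE_INTERNAL_TOKEN empty: /internal/* relies on network isolation"
  fi
  # Tokens from `openssl rand -hex 32` are 64 chars; flag anything under 32.
  for t in "$sidecar" "$internal"; do
    if [ -n "$t" ] && [ "${#t}" -lt 32 ]; then fail "shared secret shorter than 32 chars"; fi
  done
  [ "$rc" -eq 0 ]
)
# Constructed sample: the auth settings exactly as this example file ships them.
sample=$(mktemp)
printf '%s\n' 'AGENTFORGE_API_KEYS=' 'AGENTFORGE_REQUIRE_AUTH=' \
  'SIDECAR_AUTH_TOKEN=' 'AGENTFORGE_INTERNAL_TOKEN=' >"$sample"
lint_deploy_env "$sample" || echo "preflight failed: fix FAIL items before deploying"
rm -f "$sample"
```

The file is parsed with sed rather than sourced, so linting an untrusted or half-edited deploy.env never executes anything in it.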