Skip to content

feat: docker-compose.yml full stack definition #148

Open
Open
feat: docker-compose.yml full stack definition#148
@raykao

Description

@raykao
raykao
opened on Mar 25, 2026

feat: docker-compose.yml full stack definition

Overview

Tracked under epic #145.

This issue covers the official docker-compose.yml that brings up the full copilot-bridge stack in a single command: Mattermost, the docker-socket-proxy, and the copilot-bridge admin container - all wired together with correct networking, secret injection, and health dependencies.

Motivation

Without an official compose file, users must manually wire together all the moving parts described in the broader Docker architecture (see #145). A well-structured docker-compose.yml lowers the barrier to a production-grade deployment significantly and serves as the canonical reference for how the stack fits together.

Proposed Solution

Services

mattermost

  • Official Mattermost Team Edition image
  • Healthcheck via GET /api/v4/system/ping
  • Persistent volumes for data, logs, config, and plugins
  • Connected to mattermost-net

docker-socket-proxy

  • tecnativa/docker-socket-proxy image
  • Mounts /var/run/docker.sock from host (read-only)
  • Exposes only the Docker API calls needed by the admin bridge:
    • CONTAINERS=1, NETWORKS=1, IMAGES=1, POST=1
  • Connected to socket-proxy-net (internal only - not reachable by agent containers)

copilot-bridge

Networks

networks:
  mattermost-net:
  socket-proxy-net:
    internal: true

socket-proxy-net is marked internal: true - no external routing, only the admin bridge and proxy can talk on it. Agent containers spawned dynamically are connected to mattermost-net only.

Secrets

secrets:
  op-sa-token:
    external: true

The 1Password service account token is a pre-created Docker secret (created once on the host via echo "ops_..." | docker secret create op-sa-token -). Not stored in the compose file.

Example skeleton

services:
  mattermost:
    image: mattermost/mattermost-team-edition:latest
    networks: [mattermost-net]
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8065/api/v4/system/ping"]
      interval: 10s
      timeout: 5s
      retries: 10
    volumes:
      - mattermost-data:/mattermost/data
      - mattermost-logs:/mattermost/logs
      - mattermost-config:/mattermost/config
      - mattermost-plugins:/mattermost/plugins

  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    environment:
      CONTAINERS: 1
      NETWORKS: 1
      IMAGES: 1
      POST: 1
    networks: [socket-proxy-net]

  copilot-bridge:
    build:
      context: .
      args:
        BRIDGE_VERSION: ${BRIDGE_VERSION:-latest}
    depends_on:
      mattermost:
        condition: service_healthy
    environment:
      DOCKER_HOST: tcp://docker-socket-proxy:2375
    secrets: [op-sa-token]
    volumes:
      - ./config.json.tpl:/config/config.json.tpl:ro
      - ./workspaces:/workspaces
    networks: [mattermost-net, socket-proxy-net]

networks:
  mattermost-net:
  socket-proxy-net:
    internal: true

volumes:
  mattermost-data:
  mattermost-logs:
  mattermost-config:
  mattermost-plugins:

secrets:
  op-sa-token:
    external: true

Deliverables

  • docker-compose.yml in repo root
  • .env.example documenting required environment variables (e.g. BRIDGE_VERSION, Mattermost config)
  • Documentation: quick-start guide for spinning up the full stack
  • Documentation: how to pre-create the op-sa-token Docker secret on first run

Dependencies

Reported By

Agent (automated) - drafted collaboratively with user raykao

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions