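# devbox container stack — agent + proxy sidecar.
#
# PROJECT_PATH and PROJECT_HASH are set by the devbox CLI before invoking
# docker compose. Do not run this file directly.
#
# Topology: the agent is attached only to the internal `sandbox` network, so
# every outbound connection it makes has to go through the proxy, which is the
# only service that also joins the `external` network.
services:
  agent:
    image: devbox-agent:latest
    build:
      context: .
      dockerfile: Dockerfile
    depends_on:
      # Start only once the proxy healthcheck passes, so the proxy variables
      # below point at a listening socket from the agent's first request.
      proxy:
        condition: service_healthy
    environment:
      # Both upper- and lower-case spellings are set: tools differ in which
      # one they honour.
      HTTP_PROXY: http://proxy:8080
      HTTPS_PROXY: http://proxy:8080
      http_proxy: http://proxy:8080
      https_proxy: http://proxy:8080
      NO_PROXY: localhost,127.0.0.1,proxy
      no_proxy: localhost,127.0.0.1,proxy
      # Node-based tools trust the proxy CA from this path; the entrypoint
      # writes the cert there (see the ca-certificates tmpfs below).
      NODE_EXTRA_CA_CERTS: /usr/local/share/ca-certificates/mitmproxy-ca.crt
      DEVBOX_PROJECT: ${DEVBOX_PROJECT_NAME:-workspace}
      CLAUDE_CONFIG_DIR: /home/devbox/.claude
      DEVBOX_CMUX_PROXY_PORT: ${DEVBOX_CMUX_PROXY_PORT:-}
    env_file:
      # Global secrets, then per-project overrides, then phantom overrides.
      # When credential injection is active, .phantom.env replaces real API
      # keys with placeholder tokens (real keys live only in the proxy).
      # Later files override earlier ones in Docker Compose.
      - ${DEVBOX_SECRETS_FILE:?DEVBOX_SECRETS_FILE must be set by devbox CLI}
      - ${DEVBOX_PROJECT_SECRETS_FILE:?DEVBOX_PROJECT_SECRETS_FILE must be set by devbox CLI}
      - ${DEVBOX_PHANTOM_FILE:-/dev/null}
    volumes:
      - "${PROJECT_PATH:-.}:/workspace:rw"
      - "${DEVBOX_CONFIG:?DEVBOX_CONFIG must be set by devbox CLI}:/devbox:ro"
      - "${DEVBOX_PRIVATE_DIR:?DEVBOX_PRIVATE_DIR must be set by devbox CLI}:/devbox/.private:ro"
      - "${DEVBOX_HISTORY_DIR:-./history}:/data/history"
      # Required like the other CLI-provided paths: an unset value would leave
      # the host side of this mount spec empty instead of failing loudly.
      - "${DEVBOX_CLAUDE_DIR:?DEVBOX_CLAUDE_DIR must be set by devbox CLI}:/home/devbox/.claude:rw"
      - "${DEVBOX_MEMORY_DIR:-./memory}:/home/devbox/.opencode-mem/project"
      - devbox-shared-memory:/home/devbox/.opencode-mem/shared
      # Read-only copy of the proxy's CA certificate (the private key stays in
      # the proxy-only keypair volume).
      - proxy-ca-cert:/run/proxy-ca:ro
    networks:
      - sandbox
    # Immutable rootfs; every writable location is an explicit tmpfs or mount.
    read_only: true
    cap_drop:
      - ALL
    # NET_ADMIN is needed for the iptables egress rules the healthcheck
    # verifies; the SET* caps let the entrypoint drop to the unprivileged
    # user. no-new-privileges keeps setuid binaries from regaining them.
    cap_add:
      - NET_ADMIN
      - SETUID
      - SETGID
      - SETPCAP
    security_opt:
      - no-new-privileges:true
    tmpfs:
      - /tmp:size=256M
      # User home is tmpfs — populated from /etc/skel by user-setup.sh at startup.
      # Oh My Zsh lives on the read-only rootfs at /opt/oh-my-zsh.
      - /home/devbox:size=512M,uid=1000,gid=1000
      # Entrypoint writes CA cert and runs update-ca-certificates here.
      - /usr/local/share/ca-certificates:size=1M
      # NOTE(review): this tmpfs shadows the image's bundle, so the system trust
      # store is only what the entrypoint regenerates at startup — confirm.
      - /etc/ssl/certs:size=2M
      # Runtime directories that need write access.
      - /run:size=16M
      - /var/log:size=16M
    healthcheck:
      # Verify firewall is active by checking a specific rule exists.
      test: ["CMD", "bash", "-c", "iptables -C OUTPUT -d 127.0.0.11 -p udp --dport 53 -j ACCEPT 2>/dev/null"]
      interval: 10s
      timeout: 5s
      retries: 6
      start_period: 30s
    deploy:
      resources:
        limits:
          memory: ${DEVBOX_MEMORY:-8G}
          # Quoted to match the proxy's cpus value and keep it a string.
          cpus: '${DEVBOX_CPUS:-4.0}'
          pids: 4096
    stdin_open: true
    tty: true
    restart: unless-stopped

  proxy:
    image: devbox-proxy:latest
    build:
      context: ./proxy
      dockerfile: Dockerfile
    environment:
      DEVBOX_CMUX_PROXY_PORT: ${DEVBOX_CMUX_PROXY_PORT:-}
      # Bound to the cmux workspace the user was in at `devbox start` time.
      # Used by notifier.py to tag outgoing cmux commands with the session's
      # workspace — not the (possibly stale) workspace the host proxy knows.
      CMUX_WORKSPACE_ID: ${CMUX_WORKSPACE_ID:-}
    # Gives the proxy a route to the host; the agent has no such mapping.
    extra_hosts:
      - "host.docker.internal:host-gateway"
    env_file:
      # Proxy-only credentials for injection (DEVBOX_INJECT_* variables).
      # Generated by container.sh from the user's secrets files.
      # Empty when credential injection is not active.
      - ${DEVBOX_PROXY_SECRETS_FILE:-/dev/null}
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    # NOTE(review): unlike the agent this service is not read_only; confirm
    # whether the proxy image writes anywhere other than /ca, /data and /tmp
    # before tightening it.
    tmpfs:
      - /tmp:size=64M
    volumes:
      - "${DEVBOX_POLICY_FILE:-./templates/policy.yml}:/proxy/policy.yml:ro"
      - "${DEVBOX_LOG_DIR:-./logs}:/data"
      # Private key lives only here; the agent never mounts this volume.
      - proxy-ca-keypair:/ca
      - proxy-ca-cert:/ca-cert
    networks:
      - sandbox
      - external
    deploy:
      resources:
        limits:
          memory: 1G
          cpus: '1.0'
          pids: 128
    healthcheck:
      # Verify proxy is accepting connections. Addon loading is validated at startup.
      test: ["CMD", "python3", "-c", "import socket; s=socket.create_connection(('localhost', 8080), timeout=2); s.close()"]
      interval: 5s
      timeout: 3s
      retries: 10
      start_period: 15s
    restart: unless-stopped

volumes:
  # CA keypair: proxy-only volume for private key persistence across restarts.
  proxy-ca-keypair:
  # CA public cert: shared read-only with agent for TLS trust.
  proxy-ca-cert:
  # Mounted writable by the agent at /home/devbox/.opencode-mem/shared; it is
  # not bound to a project directory, so it persists across projects.
  devbox-shared-memory:

networks:
  # Internal network — agent can only reach proxy, not the internet directly.
  sandbox:
    driver: bridge
    internal: true
  # External network — only the proxy joins this, for internet access.
  external:
    driver: bridge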