SurfSense/docker-compose.yml

version: "3.8"

services:
  db:
    image: ankane/pgvector:latest
    ports:
      - "${POSTGRES_PORT:-5432}:5432"
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - ./scripts/docker/postgresql.conf:/etc/postgresql/postgresql.conf:ro
      - ./scripts/docker/init-electric-user.sh:/docker-entrypoint-initdb.d/init-electric-user.sh:ro
    environment:
      - POSTGRES_USER=${POSTGRES_USER:-postgres}
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-postgres}
      - POSTGRES_DB=${POSTGRES_DB:-surfsense}
      - ELECTRIC_DB_USER=${ELECTRIC_DB_USER:-electric}
      - ELECTRIC_DB_PASSWORD=${ELECTRIC_DB_PASSWORD:-electric_password}
    command: postgres -c config_file=/etc/postgresql/postgresql.conf

  pgadmin:
    image: dpage/pgadmin4
    ports:
      - "${PGADMIN_PORT:-5050}:80"
    environment:
      - PGADMIN_DEFAULT_EMAIL=${PGADMIN_DEFAULT_EMAIL:-admin@surfsense.com}
      - PGADMIN_DEFAULT_PASSWORD=${PGADMIN_DEFAULT_PASSWORD:-surfsense}
    volumes:
      - pgadmin_data:/var/lib/pgadmin
    depends_on:
      - db

  redis:
    image: redis:7-alpine
    ports:
      - "${REDIS_PORT:-6379}:6379"
    volumes:
      - redis_data:/data
    command: redis-server --appendonly yes

  backend:
    build: ./surfsense_backend
    # image: ghcr.io/modsetter/surfsense_backend:latest
    ports:
      - "${BACKEND_PORT:-8000}:8000"
    volumes:
      - ./surfsense_backend/app:/app/app
      - shared_temp:/tmp
      # Uncomment and edit the line below to enable Obsidian vault indexing
      # - /path/to/your/obsidian/vault:/obsidian-vault:ro
    env_file:
      - ./surfsense_backend/.env
    environment:
      - DATABASE_URL=postgresql+asyncpg://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@db:5432/${POSTGRES_DB:-surfsense}
      - CELERY_BROKER_URL=redis://redis:${REDIS_PORT:-6379}/0
      - CELERY_RESULT_BACKEND=redis://redis:${REDIS_PORT:-6379}/0
      - REDIS_APP_URL=redis://redis:${REDIS_PORT:-6379}/0
      # Queue name isolation - prevents task collision if Redis is shared with other apps
      - CELERY_TASK_DEFAULT_QUEUE=surfsense
      - PYTHONPATH=/app
      - UVICORN_LOOP=asyncio
      - UNSTRUCTURED_HAS_PATCHED_LOOP=1
      - LANGCHAIN_TRACING_V2=false
      - LANGSMITH_TRACING=false
      - ELECTRIC_DB_USER=${ELECTRIC_DB_USER:-electric}
      - ELECTRIC_DB_PASSWORD=${ELECTRIC_DB_PASSWORD:-electric_password}
      - AUTH_TYPE=${AUTH_TYPE:-LOCAL}
      - NEXT_FRONTEND_URL=${NEXT_FRONTEND_URL:-http://localhost:3000}
      # Microsandbox – uncomment when microsandbox service is enabled
      # - MICROSANDBOX_ENABLED=TRUE
      # - MICROSANDBOX_SERVER_URL=http://microsandbox:5555
      # - MICROSANDBOX_API_KEY=${MICROSANDBOX_API_KEY:-}
    depends_on:
      - db
      - redis
      # - microsandbox

  # Run these services separately in production
  # celery_worker:
  #   build: ./surfsense_backend
  #   # image: ghcr.io/modsetter/surfsense_backend:latest
  #   command: celery -A app.celery_app worker --loglevel=info --concurrency=1 --pool=solo
  #   volumes:
  #     - ./surfsense_backend:/app
  #     - shared_temp:/tmp
  #   env_file:
  #     - ./surfsense_backend/.env
  #   environment:
  #     - DATABASE_URL=postgresql+asyncpg://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@db:5432/${POSTGRES_DB:-surfsense}
  #     - CELERY_BROKER_URL=redis://redis:${REDIS_PORT:-6379}/0
  #     - CELERY_RESULT_BACKEND=redis://redis:${REDIS_PORT:-6379}/0
  #     - PYTHONPATH=/app
  #   depends_on:
  #     - db
  #     - redis
  #     - backend

  # celery_beat:
  #   build: ./surfsense_backend
  #   # image: ghcr.io/modsetter/surfsense_backend:latest
  #   command: celery -A app.celery_app beat --loglevel=info
  #   volumes:
  #     - ./surfsense_backend:/app
  #     - shared_temp:/tmp
  #   env_file:
  #     - ./surfsense_backend/.env
  #   environment:
  #     - DATABASE_URL=postgresql+asyncpg://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@db:5432/${POSTGRES_DB:-surfsense}
  #     - CELERY_BROKER_URL=redis://redis:${REDIS_PORT:-6379}/0
  #     - CELERY_RESULT_BACKEND=redis://redis:${REDIS_PORT:-6379}/0
  #     - PYTHONPATH=/app
  #   depends_on:
  #     - db
  #     - redis
  #     - celery_worker

  # flower:
  #   build: ./surfsense_backend
  #   # image: ghcr.io/modsetter/surfsense_backend:latest
  #   command: celery -A app.celery_app flower --port=5555
  #   ports:
  #     - "${FLOWER_PORT:-5555}:5555"
  #   env_file:
  #     - ./surfsense_backend/.env
  #   environment:
  #     - CELERY_BROKER_URL=redis://redis:${REDIS_PORT:-6379}/0
  #     - CELERY_RESULT_BACKEND=redis://redis:${REDIS_PORT:-6379}/0
  #     - PYTHONPATH=/app
  #   depends_on:
  #     - redis
  #     - celery_worker

  # ============================================================
  # Microsandbox (optional - secure code execution for deep agent)
  # ============================================================
  # Requires a Linux host with KVM support (/dev/kvm).
  # To enable:
  #   1. Uncomment this service
  #   2. Set MICROSANDBOX_ENABLED=TRUE in surfsense_backend/.env
  #   3. Run with: docker compose up -d
  # The first sandbox creation will pull the OCI image (e.g. microsandbox/python),
  # so the initial run takes a bit longer.
  #
  microsandbox:
    image: ubuntu:22.04
    ports:
      - "${MICROSANDBOX_PORT:-5555}:5555"
    volumes:
      - microsandbox_data:/root/.microsandbox
    privileged: true
    devices:
      - /dev/kvm:/dev/kvm
    entrypoint: ["/bin/bash", "-c"]
    command:
      - |
        set -e
        export PATH="$$HOME/.local/bin:$$PATH"
        if ! command -v msb &>/dev/null; then
          apt-get update && apt-get install -y --no-install-recommends curl ca-certificates libdigest-sha-perl
          curl -sSL https://get.microsandbox.dev | sh
        fi
        exec msb server start --dev
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:5555/health"]
      interval: 10s
      timeout: 5s
      retries: 5

  electric:
    image: electricsql/electric:latest
    ports:
      - "${ELECTRIC_PORT:-5133}:3000"
    environment:
      - DATABASE_URL=${ELECTRIC_DATABASE_URL:-postgresql://${ELECTRIC_DB_USER:-electric}:${ELECTRIC_DB_PASSWORD:-electric_password}@${POSTGRES_HOST:-db}:${POSTGRES_PORT:-5432}/${POSTGRES_DB:-surfsense}?sslmode=disable}
      - ELECTRIC_INSECURE=true
      - ELECTRIC_WRITE_TO_PG_MODE=direct
    restart: unless-stopped
    # depends_on:
    #   - db
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:3000/v1/health"]
      interval: 10s
      timeout: 5s
      retries: 5

  frontend:
    build:
      context: ./surfsense_web
      # image: ghcr.io/modsetter/surfsense_ui:latest
      args:
        NEXT_PUBLIC_FASTAPI_BACKEND_URL: ${NEXT_PUBLIC_FASTAPI_BACKEND_URL:-http://localhost:8000}
        NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE: ${NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE:-LOCAL}
        NEXT_PUBLIC_ETL_SERVICE: ${NEXT_PUBLIC_ETL_SERVICE:-DOCLING}
    ports:
      - "${FRONTEND_PORT:-3000}:3000"
    env_file:
      - ./surfsense_web/.env
    environment:
      - NEXT_PUBLIC_ELECTRIC_URL=${NEXT_PUBLIC_ELECTRIC_URL:-http://localhost:5133}
      - NEXT_PUBLIC_ELECTRIC_AUTH_MODE=insecure
    depends_on:
      - backend
      - electric

volumes:
  postgres_data:
  pgadmin_data:
  redis_data:
  shared_temp:
  microsandbox_data: