Add langfuse

docker/langfuse/compose.yaml

@@ -0,0 +1,218 @@
+# Langfuse – production stack for langfuse.ld50.xyz
+# Deployed on Unraid behind SWAG (linuxserver/swag) via Dockhand.
+#
+# Network layout:
+#   - All services share the internal `default` bridge network.
+#   - langfuse-web is also attached to the external `swag` network so SWAG
+#     can resolve it by container name on port 3000. Its host port binding
+#     is removed; all public access goes through SWAG.
+#   - minio is bound to 127.0.0.1 only; it is not reachable from the LAN.
+#     If you want browser-accessible media previews, expose MinIO via a
+#     second SWAG subdomain and update LANGFUSE_S3_MEDIA_UPLOAD_ENDPOINT.
+#   - All other services (postgres, redis, clickhouse) are loopback-only.
+#
+# Secrets: copy .env.example to .env and fill in every CHANGEME value.
+services:
+    langfuse-worker:
+        image: docker.io/langfuse/langfuse-worker:3
+        restart: always
+        depends_on: &langfuse-depends-on
+            postgres:
+                condition: service_healthy
+            minio:
+                condition: service_healthy
+            redis:
+                condition: service_healthy
+            clickhouse:
+                condition: service_healthy
+        environment: &langfuse-worker-env
+            NEXTAUTH_URL: ${NEXTAUTH_URL:-http://localhost:3000}
+            DATABASE_URL: ${DATABASE_URL:-postgresql://postgres:postgres@postgres:5432/postgres} # CHANGEME
+            SALT: ${SALT:-mysalt} # CHANGEME
+            ENCRYPTION_KEY: ${ENCRYPTION_KEY:-0000000000000000000000000000000000000000000000000000000000000000} # CHANGEME: generate via `openssl rand -hex 32`
+            TELEMETRY_ENABLED: ${TELEMETRY_ENABLED:-true}
+            LANGFUSE_ENABLE_EXPERIMENTAL_FEATURES: ${LANGFUSE_ENABLE_EXPERIMENTAL_FEATURES:-false}
+            CLICKHOUSE_MIGRATION_URL: ${CLICKHOUSE_MIGRATION_URL:-clickhouse://clickhouse:9000}
+            CLICKHOUSE_URL: ${CLICKHOUSE_URL:-http://clickhouse:8123}
+            CLICKHOUSE_USER: ${CLICKHOUSE_USER:-clickhouse}
+            CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD:-clickhouse} # CHANGEME
+            CLICKHOUSE_CLUSTER_ENABLED: ${CLICKHOUSE_CLUSTER_ENABLED:-false}
+            LANGFUSE_USE_AZURE_BLOB: ${LANGFUSE_USE_AZURE_BLOB:-false}
+            LANGFUSE_USE_OCI_NATIVE_OBJECT_STORAGE: ${LANGFUSE_USE_OCI_NATIVE_OBJECT_STORAGE:-false}
+            LANGFUSE_OCI_AUTH_TYPE: ${LANGFUSE_OCI_AUTH_TYPE:-workload_identity}
+            LANGFUSE_S3_EVENT_UPLOAD_BUCKET: ${LANGFUSE_S3_EVENT_UPLOAD_BUCKET:-langfuse}
+            LANGFUSE_S3_EVENT_UPLOAD_REGION: ${LANGFUSE_S3_EVENT_UPLOAD_REGION:-auto}
+            LANGFUSE_S3_EVENT_UPLOAD_ACCESS_KEY_ID: ${LANGFUSE_S3_EVENT_UPLOAD_ACCESS_KEY_ID:-minio}
+            LANGFUSE_S3_EVENT_UPLOAD_SECRET_ACCESS_KEY: ${LANGFUSE_S3_EVENT_UPLOAD_SECRET_ACCESS_KEY:-miniosecret} # CHANGEME
+            LANGFUSE_S3_EVENT_UPLOAD_ENDPOINT: ${LANGFUSE_S3_EVENT_UPLOAD_ENDPOINT:-http://minio:9000}
+            LANGFUSE_S3_EVENT_UPLOAD_FORCE_PATH_STYLE: ${LANGFUSE_S3_EVENT_UPLOAD_FORCE_PATH_STYLE:-true}
+            LANGFUSE_S3_EVENT_UPLOAD_PREFIX: ${LANGFUSE_S3_EVENT_UPLOAD_PREFIX:-events/}
+            LANGFUSE_S3_MEDIA_UPLOAD_BUCKET: ${LANGFUSE_S3_MEDIA_UPLOAD_BUCKET:-langfuse}
+            LANGFUSE_S3_MEDIA_UPLOAD_REGION: ${LANGFUSE_S3_MEDIA_UPLOAD_REGION:-auto}
+            LANGFUSE_S3_MEDIA_UPLOAD_ACCESS_KEY_ID: ${LANGFUSE_S3_MEDIA_UPLOAD_ACCESS_KEY_ID:-minio}
+            LANGFUSE_S3_MEDIA_UPLOAD_SECRET_ACCESS_KEY: ${LANGFUSE_S3_MEDIA_UPLOAD_SECRET_ACCESS_KEY:-miniosecret} # CHANGEME
+            LANGFUSE_S3_MEDIA_UPLOAD_ENDPOINT: ${LANGFUSE_S3_MEDIA_UPLOAD_ENDPOINT:-http://localhost:9090}
+            LANGFUSE_S3_MEDIA_UPLOAD_FORCE_PATH_STYLE: ${LANGFUSE_S3_MEDIA_UPLOAD_FORCE_PATH_STYLE:-true}
+            LANGFUSE_S3_MEDIA_UPLOAD_PREFIX: ${LANGFUSE_S3_MEDIA_UPLOAD_PREFIX:-media/}
+            LANGFUSE_S3_BATCH_EXPORT_ENABLED: ${LANGFUSE_S3_BATCH_EXPORT_ENABLED:-false}
+            LANGFUSE_S3_BATCH_EXPORT_BUCKET: ${LANGFUSE_S3_BATCH_EXPORT_BUCKET:-langfuse}
+            LANGFUSE_S3_BATCH_EXPORT_PREFIX: ${LANGFUSE_S3_BATCH_EXPORT_PREFIX:-exports/}
+            LANGFUSE_S3_BATCH_EXPORT_REGION: ${LANGFUSE_S3_BATCH_EXPORT_REGION:-auto}
+            LANGFUSE_S3_BATCH_EXPORT_ENDPOINT: ${LANGFUSE_S3_BATCH_EXPORT_ENDPOINT:-http://minio:9000}
+            LANGFUSE_S3_BATCH_EXPORT_EXTERNAL_ENDPOINT: ${LANGFUSE_S3_BATCH_EXPORT_EXTERNAL_ENDPOINT:-http://localhost:9090}
+            LANGFUSE_S3_BATCH_EXPORT_ACCESS_KEY_ID: ${LANGFUSE_S3_BATCH_EXPORT_ACCESS_KEY_ID:-minio}
+            LANGFUSE_S3_BATCH_EXPORT_SECRET_ACCESS_KEY: ${LANGFUSE_S3_BATCH_EXPORT_SECRET_ACCESS_KEY:-miniosecret} # CHANGEME
+            LANGFUSE_S3_BATCH_EXPORT_FORCE_PATH_STYLE: ${LANGFUSE_S3_BATCH_EXPORT_FORCE_PATH_STYLE:-true}
+            LANGFUSE_INGESTION_QUEUE_DELAY_MS: ${LANGFUSE_INGESTION_QUEUE_DELAY_MS:-}
+            LANGFUSE_INGESTION_CLICKHOUSE_WRITE_INTERVAL_MS: ${LANGFUSE_INGESTION_CLICKHOUSE_WRITE_INTERVAL_MS:-}
+            REDIS_HOST: ${REDIS_HOST:-redis}
+            REDIS_PORT: ${REDIS_PORT:-6379}
+            REDIS_AUTH: ${REDIS_AUTH:-myredissecret} # CHANGEME
+            REDIS_TLS_ENABLED: ${REDIS_TLS_ENABLED:-false}
+            REDIS_TLS_CA: ${REDIS_TLS_CA:-/certs/ca.crt}
+            REDIS_TLS_CERT: ${REDIS_TLS_CERT:-/certs/redis.crt}
+            REDIS_TLS_KEY: ${REDIS_TLS_KEY:-/certs/redis.key}
+            EMAIL_FROM_ADDRESS: ${EMAIL_FROM_ADDRESS:-}
+            SMTP_CONNECTION_URL: ${SMTP_CONNECTION_URL:-}
+
+            # OpenTelemetry — export Langfuse's own traces to the otel-lgtm pipeline
+            OTEL_EXPORTER_OTLP_ENDPOINT: ${OTEL_EXPORTER_OTLP_ENDPOINT:-http://lgtm:4318}
+            OTEL_EXPORTER_OTLP_PROTOCOL: ${OTEL_EXPORTER_OTLP_PROTOCOL:-http/protobuf}
+            OTEL_SERVICE_NAME: ${OTEL_SERVICE_NAME:-langfuse}
+            OTEL_RESOURCE_ATTRIBUTES: ${OTEL_RESOURCE_ATTRIBUTES:-deployment.environment=production}
+        networks:
+            - langfuse
+            - pipeline
+
+    langfuse-web:
+        image: docker.io/langfuse/langfuse:3
+        restart: always
+        depends_on: *langfuse-depends-on
+        # Port 3000 is not published to the host; SWAG reaches it via the
+        # shared `swag` Docker network using the container name `langfuse-web`.
+        networks:
+            langfuse: {}
+            swag:
+                aliases:
+                    - langfuse-web
+            pipeline:
+                aliases:
+                    - langfuse-web
+        environment:
+            <<: *langfuse-worker-env
+            # Next.js uses HOSTNAME to decide what interface to bind to.
+            # Docker auto-sets this to the container ID, which resolves to the
+            # internal langfuse network only. Force 0.0.0.0 so SWAG can reach
+            # port 3000 over the swag network as well.
+            HOSTNAME: 0.0.0.0
+            NEXTAUTH_SECRET: ${NEXTAUTH_SECRET:-mysecret} # CHANGEME
+            LANGFUSE_INIT_ORG_ID: ${LANGFUSE_INIT_ORG_ID:-}
+            LANGFUSE_INIT_ORG_NAME: ${LANGFUSE_INIT_ORG_NAME:-}
+            LANGFUSE_INIT_PROJECT_ID: ${LANGFUSE_INIT_PROJECT_ID:-}
+            LANGFUSE_INIT_PROJECT_NAME: ${LANGFUSE_INIT_PROJECT_NAME:-}
+            LANGFUSE_INIT_PROJECT_PUBLIC_KEY: ${LANGFUSE_INIT_PROJECT_PUBLIC_KEY:-}
+            LANGFUSE_INIT_PROJECT_SECRET_KEY: ${LANGFUSE_INIT_PROJECT_SECRET_KEY:-}
+            LANGFUSE_INIT_USER_EMAIL: ${LANGFUSE_INIT_USER_EMAIL:-}
+            LANGFUSE_INIT_USER_NAME: ${LANGFUSE_INIT_USER_NAME:-}
+            LANGFUSE_INIT_USER_PASSWORD: ${LANGFUSE_INIT_USER_PASSWORD:-}
+
+    clickhouse:
+        image: docker.io/clickhouse/clickhouse-server
+        restart: always
+        user: "101:101"
+        environment:
+            CLICKHOUSE_DB: default
+            CLICKHOUSE_USER: ${CLICKHOUSE_USER:-clickhouse}
+            CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD:-clickhouse} # CHANGEME
+        volumes:
+            - langfuse_clickhouse_data:/var/lib/clickhouse
+            - langfuse_clickhouse_logs:/var/log/clickhouse-server
+        healthcheck:
+            test: wget --no-verbose --tries=1 --spider http://localhost:8123/ping || exit 1
+            interval: 5s
+            timeout: 5s
+            retries: 10
+            start_period: 1s
+        networks:
+            - langfuse
+
+    minio:
+        image: cgr.dev/chainguard/minio
+        restart: always
+        entrypoint: sh
+        # create the 'langfuse' bucket before starting the service
+        command: -c 'mkdir -p /data/langfuse && minio server --address ":9000" --console-address ":9001" /data'
+        environment:
+            MINIO_ROOT_USER: ${MINIO_ROOT_USER:-minio}
+            MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD:-miniosecret} # CHANGEME
+        volumes:
+            - langfuse_minio_data:/data
+        healthcheck:
+            test: ["CMD", "mc", "ready", "local"]
+            interval: 1s
+            timeout: 5s
+            retries: 5
+            start_period: 1s
+        networks:
+            - langfuse
+
+    redis:
+        image: docker.io/redis:7
+        restart: always
+        # CHANGEME: row below to secure redis password
+        command: >
+            --requirepass ${REDIS_AUTH:-myredissecret}
+            --maxmemory-policy noeviction
+        volumes:
+            - langfuse_redis_data:/data
+        healthcheck:
+            test: ["CMD", "redis-cli", "ping"]
+            interval: 3s
+            timeout: 10s
+            retries: 10
+        networks:
+            - langfuse
+
+    postgres:
+        image: docker.io/postgres:${POSTGRES_VERSION:-17}
+        restart: always
+        healthcheck:
+            test: ["CMD-SHELL", "pg_isready -U postgres"]
+            interval: 3s
+            timeout: 3s
+            retries: 10
+        environment:
+            POSTGRES_USER: ${POSTGRES_USER:-postgres}
+            POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres} # CHANGEME
+            POSTGRES_DB: ${POSTGRES_DB:-postgres}
+            TZ: UTC
+            PGTZ: UTC
+        volumes:
+            - langfuse_postgres_data:/var/lib/postgresql/data
+        networks:
+            - langfuse
+volumes:
+    langfuse_postgres_data:
+        driver: local
+    langfuse_clickhouse_data:
+        driver: local
+    langfuse_clickhouse_logs:
+        driver: local
+    langfuse_minio_data:
+        driver: local
+    langfuse_redis_data:
+        driver: local
+
+networks:
+    # `default` is the internal-only bridge network (auto-created by Compose).
+    # All services are on it. No declaration needed; listed here for clarity.
+    langfuse: {}
+    pipeline:
+        name: pipeline
+        external: true
+
+    # `swag` is the pre-existing external network created by the SWAG container.
+    # Only langfuse-web joins it so SWAG can proxy to port 3000.
+    swag:
+        external: true
+