218 lines
10 KiB
YAML
218 lines
10 KiB
YAML
# Langfuse – production stack for langfuse.ld50.xyz
|
||
# Deployed on Unraid behind SWAG (linuxserver/swag) via Dockhand.
|
||
#
|
||
# Network layout:
|
||
# - All services share the internal `default` bridge network.
|
||
# - langfuse-web is also attached to the external `swag` network so SWAG
|
||
# can resolve it by container name on port 3000. Its host port binding
|
||
# is removed; all public access goes through SWAG.
|
||
# - minio is bound to 127.0.0.1 only; it is not reachable from the LAN.
|
||
# If you want browser-accessible media previews, expose MinIO via a
|
||
# second SWAG subdomain and update LANGFUSE_S3_MEDIA_UPLOAD_ENDPOINT.
|
||
# - All other services (postgres, redis, clickhouse) are loopback-only.
|
||
#
|
||
# Secrets: copy .env.example to .env and fill in every CHANGEME value.
|
||
services:
|
||
langfuse-worker:
|
||
image: docker.io/langfuse/langfuse-worker:3
|
||
restart: always
|
||
depends_on: &langfuse-depends-on
|
||
postgres:
|
||
condition: service_healthy
|
||
minio:
|
||
condition: service_healthy
|
||
redis:
|
||
condition: service_healthy
|
||
clickhouse:
|
||
condition: service_healthy
|
||
environment: &langfuse-worker-env
|
||
NEXTAUTH_URL: ${NEXTAUTH_URL:-http://localhost:3000}
|
||
DATABASE_URL: ${DATABASE_URL:-postgresql://postgres:postgres@postgres:5432/postgres} # CHANGEME
|
||
SALT: ${SALT:-mysalt} # CHANGEME
|
||
ENCRYPTION_KEY: ${ENCRYPTION_KEY:-0000000000000000000000000000000000000000000000000000000000000000} # CHANGEME: generate via `openssl rand -hex 32`
|
||
TELEMETRY_ENABLED: ${TELEMETRY_ENABLED:-true}
|
||
LANGFUSE_ENABLE_EXPERIMENTAL_FEATURES: ${LANGFUSE_ENABLE_EXPERIMENTAL_FEATURES:-false}
|
||
CLICKHOUSE_MIGRATION_URL: ${CLICKHOUSE_MIGRATION_URL:-clickhouse://clickhouse:9000}
|
||
CLICKHOUSE_URL: ${CLICKHOUSE_URL:-http://clickhouse:8123}
|
||
CLICKHOUSE_USER: ${CLICKHOUSE_USER:-clickhouse}
|
||
CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD:-clickhouse} # CHANGEME
|
||
CLICKHOUSE_CLUSTER_ENABLED: ${CLICKHOUSE_CLUSTER_ENABLED:-false}
|
||
LANGFUSE_USE_AZURE_BLOB: ${LANGFUSE_USE_AZURE_BLOB:-false}
|
||
LANGFUSE_USE_OCI_NATIVE_OBJECT_STORAGE: ${LANGFUSE_USE_OCI_NATIVE_OBJECT_STORAGE:-false}
|
||
LANGFUSE_OCI_AUTH_TYPE: ${LANGFUSE_OCI_AUTH_TYPE:-workload_identity}
|
||
LANGFUSE_S3_EVENT_UPLOAD_BUCKET: ${LANGFUSE_S3_EVENT_UPLOAD_BUCKET:-langfuse}
|
||
LANGFUSE_S3_EVENT_UPLOAD_REGION: ${LANGFUSE_S3_EVENT_UPLOAD_REGION:-auto}
|
||
LANGFUSE_S3_EVENT_UPLOAD_ACCESS_KEY_ID: ${LANGFUSE_S3_EVENT_UPLOAD_ACCESS_KEY_ID:-minio}
|
||
LANGFUSE_S3_EVENT_UPLOAD_SECRET_ACCESS_KEY: ${LANGFUSE_S3_EVENT_UPLOAD_SECRET_ACCESS_KEY:-miniosecret} # CHANGEME
|
||
LANGFUSE_S3_EVENT_UPLOAD_ENDPOINT: ${LANGFUSE_S3_EVENT_UPLOAD_ENDPOINT:-http://minio:9000}
|
||
LANGFUSE_S3_EVENT_UPLOAD_FORCE_PATH_STYLE: ${LANGFUSE_S3_EVENT_UPLOAD_FORCE_PATH_STYLE:-true}
|
||
LANGFUSE_S3_EVENT_UPLOAD_PREFIX: ${LANGFUSE_S3_EVENT_UPLOAD_PREFIX:-events/}
|
||
LANGFUSE_S3_MEDIA_UPLOAD_BUCKET: ${LANGFUSE_S3_MEDIA_UPLOAD_BUCKET:-langfuse}
|
||
LANGFUSE_S3_MEDIA_UPLOAD_REGION: ${LANGFUSE_S3_MEDIA_UPLOAD_REGION:-auto}
|
||
LANGFUSE_S3_MEDIA_UPLOAD_ACCESS_KEY_ID: ${LANGFUSE_S3_MEDIA_UPLOAD_ACCESS_KEY_ID:-minio}
|
||
LANGFUSE_S3_MEDIA_UPLOAD_SECRET_ACCESS_KEY: ${LANGFUSE_S3_MEDIA_UPLOAD_SECRET_ACCESS_KEY:-miniosecret} # CHANGEME
|
||
LANGFUSE_S3_MEDIA_UPLOAD_ENDPOINT: ${LANGFUSE_S3_MEDIA_UPLOAD_ENDPOINT:-http://localhost:9090}
|
||
LANGFUSE_S3_MEDIA_UPLOAD_FORCE_PATH_STYLE: ${LANGFUSE_S3_MEDIA_UPLOAD_FORCE_PATH_STYLE:-true}
|
||
LANGFUSE_S3_MEDIA_UPLOAD_PREFIX: ${LANGFUSE_S3_MEDIA_UPLOAD_PREFIX:-media/}
|
||
LANGFUSE_S3_BATCH_EXPORT_ENABLED: ${LANGFUSE_S3_BATCH_EXPORT_ENABLED:-false}
|
||
LANGFUSE_S3_BATCH_EXPORT_BUCKET: ${LANGFUSE_S3_BATCH_EXPORT_BUCKET:-langfuse}
|
||
LANGFUSE_S3_BATCH_EXPORT_PREFIX: ${LANGFUSE_S3_BATCH_EXPORT_PREFIX:-exports/}
|
||
LANGFUSE_S3_BATCH_EXPORT_REGION: ${LANGFUSE_S3_BATCH_EXPORT_REGION:-auto}
|
||
LANGFUSE_S3_BATCH_EXPORT_ENDPOINT: ${LANGFUSE_S3_BATCH_EXPORT_ENDPOINT:-http://minio:9000}
|
||
LANGFUSE_S3_BATCH_EXPORT_EXTERNAL_ENDPOINT: ${LANGFUSE_S3_BATCH_EXPORT_EXTERNAL_ENDPOINT:-http://localhost:9090}
|
||
LANGFUSE_S3_BATCH_EXPORT_ACCESS_KEY_ID: ${LANGFUSE_S3_BATCH_EXPORT_ACCESS_KEY_ID:-minio}
|
||
LANGFUSE_S3_BATCH_EXPORT_SECRET_ACCESS_KEY: ${LANGFUSE_S3_BATCH_EXPORT_SECRET_ACCESS_KEY:-miniosecret} # CHANGEME
|
||
LANGFUSE_S3_BATCH_EXPORT_FORCE_PATH_STYLE: ${LANGFUSE_S3_BATCH_EXPORT_FORCE_PATH_STYLE:-true}
|
||
LANGFUSE_INGESTION_QUEUE_DELAY_MS: ${LANGFUSE_INGESTION_QUEUE_DELAY_MS:-}
|
||
LANGFUSE_INGESTION_CLICKHOUSE_WRITE_INTERVAL_MS: ${LANGFUSE_INGESTION_CLICKHOUSE_WRITE_INTERVAL_MS:-}
|
||
REDIS_HOST: ${REDIS_HOST:-redis}
|
||
REDIS_PORT: ${REDIS_PORT:-6379}
|
||
REDIS_AUTH: ${REDIS_AUTH:-myredissecret} # CHANGEME
|
||
REDIS_TLS_ENABLED: ${REDIS_TLS_ENABLED:-false}
|
||
REDIS_TLS_CA: ${REDIS_TLS_CA:-/certs/ca.crt}
|
||
REDIS_TLS_CERT: ${REDIS_TLS_CERT:-/certs/redis.crt}
|
||
REDIS_TLS_KEY: ${REDIS_TLS_KEY:-/certs/redis.key}
|
||
EMAIL_FROM_ADDRESS: ${EMAIL_FROM_ADDRESS:-}
|
||
SMTP_CONNECTION_URL: ${SMTP_CONNECTION_URL:-}
|
||
|
||
# OpenTelemetry — export Langfuse's own traces to the otel-lgtm pipeline
|
||
OTEL_EXPORTER_OTLP_ENDPOINT: ${OTEL_EXPORTER_OTLP_ENDPOINT:-http://lgtm:4318}
|
||
OTEL_EXPORTER_OTLP_PROTOCOL: ${OTEL_EXPORTER_OTLP_PROTOCOL:-http/protobuf}
|
||
OTEL_SERVICE_NAME: ${OTEL_SERVICE_NAME:-langfuse}
|
||
OTEL_RESOURCE_ATTRIBUTES: ${OTEL_RESOURCE_ATTRIBUTES:-deployment.environment=production}
|
||
networks:
|
||
- langfuse
|
||
- pipeline
|
||
|
||
langfuse-web:
|
||
image: docker.io/langfuse/langfuse:3
|
||
restart: always
|
||
depends_on: *langfuse-depends-on
|
||
# Port 3000 is not published to the host; SWAG reaches it via the
|
||
# shared `swag` Docker network using the container name `langfuse-web`.
|
||
networks:
|
||
langfuse: {}
|
||
swag:
|
||
aliases:
|
||
- langfuse-web
|
||
pipeline:
|
||
aliases:
|
||
- langfuse-web
|
||
environment:
|
||
<<: *langfuse-worker-env
|
||
# Next.js uses HOSTNAME to decide what interface to bind to.
|
||
# Docker auto-sets this to the container ID, which resolves to the
|
||
# internal langfuse network only. Force 0.0.0.0 so SWAG can reach
|
||
# port 3000 over the swag network as well.
|
||
HOSTNAME: 0.0.0.0
|
||
NEXTAUTH_SECRET: ${NEXTAUTH_SECRET:-mysecret} # CHANGEME
|
||
LANGFUSE_INIT_ORG_ID: ${LANGFUSE_INIT_ORG_ID:-}
|
||
LANGFUSE_INIT_ORG_NAME: ${LANGFUSE_INIT_ORG_NAME:-}
|
||
LANGFUSE_INIT_PROJECT_ID: ${LANGFUSE_INIT_PROJECT_ID:-}
|
||
LANGFUSE_INIT_PROJECT_NAME: ${LANGFUSE_INIT_PROJECT_NAME:-}
|
||
LANGFUSE_INIT_PROJECT_PUBLIC_KEY: ${LANGFUSE_INIT_PROJECT_PUBLIC_KEY:-}
|
||
LANGFUSE_INIT_PROJECT_SECRET_KEY: ${LANGFUSE_INIT_PROJECT_SECRET_KEY:-}
|
||
LANGFUSE_INIT_USER_EMAIL: ${LANGFUSE_INIT_USER_EMAIL:-}
|
||
LANGFUSE_INIT_USER_NAME: ${LANGFUSE_INIT_USER_NAME:-}
|
||
LANGFUSE_INIT_USER_PASSWORD: ${LANGFUSE_INIT_USER_PASSWORD:-}
|
||
|
||
clickhouse:
|
||
image: docker.io/clickhouse/clickhouse-server
|
||
restart: always
|
||
user: "101:101"
|
||
environment:
|
||
CLICKHOUSE_DB: default
|
||
CLICKHOUSE_USER: ${CLICKHOUSE_USER:-clickhouse}
|
||
CLICKHOUSE_PASSWORD: ${CLICKHOUSE_PASSWORD:-clickhouse} # CHANGEME
|
||
volumes:
|
||
- langfuse_clickhouse_data:/var/lib/clickhouse
|
||
- langfuse_clickhouse_logs:/var/log/clickhouse-server
|
||
healthcheck:
|
||
test: wget --no-verbose --tries=1 --spider http://localhost:8123/ping || exit 1
|
||
interval: 5s
|
||
timeout: 5s
|
||
retries: 10
|
||
start_period: 1s
|
||
networks:
|
||
- langfuse
|
||
|
||
minio:
|
||
image: cgr.dev/chainguard/minio
|
||
restart: always
|
||
entrypoint: sh
|
||
# create the 'langfuse' bucket before starting the service
|
||
command: -c 'mkdir -p /data/langfuse && minio server --address ":9000" --console-address ":9001" /data'
|
||
environment:
|
||
MINIO_ROOT_USER: ${MINIO_ROOT_USER:-minio}
|
||
MINIO_ROOT_PASSWORD: ${MINIO_ROOT_PASSWORD:-miniosecret} # CHANGEME
|
||
volumes:
|
||
- langfuse_minio_data:/data
|
||
healthcheck:
|
||
test: ["CMD", "mc", "ready", "local"]
|
||
interval: 1s
|
||
timeout: 5s
|
||
retries: 5
|
||
start_period: 1s
|
||
networks:
|
||
- langfuse
|
||
|
||
redis:
|
||
image: docker.io/redis:7
|
||
restart: always
|
||
# CHANGEME: row below to secure redis password
|
||
command: >
|
||
--requirepass ${REDIS_AUTH:-myredissecret}
|
||
--maxmemory-policy noeviction
|
||
volumes:
|
||
- langfuse_redis_data:/data
|
||
healthcheck:
|
||
test: ["CMD", "redis-cli", "ping"]
|
||
interval: 3s
|
||
timeout: 10s
|
||
retries: 10
|
||
networks:
|
||
- langfuse
|
||
|
||
postgres:
|
||
image: docker.io/postgres:${POSTGRES_VERSION:-17}
|
||
restart: always
|
||
healthcheck:
|
||
test: ["CMD-SHELL", "pg_isready -U postgres"]
|
||
interval: 3s
|
||
timeout: 3s
|
||
retries: 10
|
||
environment:
|
||
POSTGRES_USER: ${POSTGRES_USER:-postgres}
|
||
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres} # CHANGEME
|
||
POSTGRES_DB: ${POSTGRES_DB:-postgres}
|
||
TZ: UTC
|
||
PGTZ: UTC
|
||
volumes:
|
||
- langfuse_postgres_data:/var/lib/postgresql/data
|
||
networks:
|
||
- langfuse
|
||
volumes:
|
||
langfuse_postgres_data:
|
||
driver: local
|
||
langfuse_clickhouse_data:
|
||
driver: local
|
||
langfuse_clickhouse_logs:
|
||
driver: local
|
||
langfuse_minio_data:
|
||
driver: local
|
||
langfuse_redis_data:
|
||
driver: local
|
||
|
||
networks:
|
||
# `default` is the internal-only bridge network (auto-created by Compose).
|
||
# All services are on it. No declaration needed; listed here for clarity.
|
||
langfuse: {}
|
||
pipeline:
|
||
name: pipeline
|
||
external: true
|
||
|
||
# `swag` is the pre-existing external network created by the SWAG container.
|
||
# Only langfuse-web joins it so SWAG can proxy to port 3000.
|
||
swag:
|
||
external: true
|
||
|