kiwi/compose.cloud.yml

# Kiwi — cloud managed instance
# Project: kiwi-cloud  (docker compose -f compose.cloud.yml -p kiwi-cloud ...)
# Web:     http://127.0.0.1:8515 → menagerie.circuitforge.tech/kiwi (via Caddy + JWT auth)
# API:     internal only on kiwi-cloud-net (nginx proxies /api/ → api:8512)

services:
  api:
    build:
      context: ..
      dockerfile: kiwi/Dockerfile
    restart: unless-stopped
    env_file: .env
    environment:
      CLOUD_MODE: "true"
      CLOUD_DATA_ROOT: /devl/kiwi-cloud-data
      # DIRECTUS_JWT_SECRET, HEIMDALL_URL, HEIMDALL_ADMIN_TOKEN — set in .env
      # DEV ONLY: comma-separated IPs that bypass JWT auth (LAN testing without Caddy).
      # Production deployments must NOT set this. Leave blank or omit entirely.
      CLOUD_AUTH_BYPASS_IPS: ${CLOUD_AUTH_BYPASS_IPS:-}
    volumes:
      - /devl/kiwi-cloud-data:/devl/kiwi-cloud-data
      # LLM config — shared with other CF products; read-only in container
      - ${HOME}/.config/circuitforge:/root/.config/circuitforge:ro
    networks:
      - kiwi-cloud-net

  web:
    build:
      context: .
      dockerfile: docker/web/Dockerfile
      args:
        VITE_BASE_URL: /kiwi
        VITE_API_BASE: /kiwi
    restart: unless-stopped
    ports:
      - "8515:80"
    volumes:
      - ./docker/web/nginx.cloud.conf:/etc/nginx/conf.d/default.conf:ro
    networks:
      - kiwi-cloud-net
    depends_on:
      - api

networks:
  kiwi-cloud-net:
    driver: bridge