88805a3c24
Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21. Switch package management from apt to apk (--no-cache, no cleanup layer). Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use squid user (Alpine convention) and /var/cache/squid cache path. Fix proxy/Dockerfile COPY path now that context is proxy/. Move webui-entrypoint.sh into claude/ to match its build context. Fix docker-compose.yml webui context to claude/, update proxy tmpfs path.
97 lines
3.2 KiB
YAML
97 lines
3.2 KiB
YAML
services:
|
|
# ─── Proxy sidecar ─────────────────────────────────────────────────────────
|
|
# Bridges the isolated internal network to the internet.
|
|
# Enforces an egress allowlist — see proxy/squid.conf.
|
|
proxy:
|
|
build:
|
|
context: proxy
|
|
dockerfile: Dockerfile
|
|
networks:
|
|
- claude-internal # reachable by claude and webui containers
|
|
- proxy-external # has outbound internet access
|
|
restart: unless-stopped
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
cap_drop:
|
|
- ALL
|
|
read_only: true
|
|
tmpfs:
|
|
- /tmp
|
|
- /var/cache/squid
|
|
- /var/log/squid
|
|
|
|
# ─── Claude Code CLI container ─────────────────────────────────────────────
|
|
# No direct internet access. All egress routes through the proxy sidecar.
|
|
# Run via "docker compose run --rm claude" (managed by claude.sh).
|
|
claude:
|
|
build:
|
|
context: claude/
|
|
dockerfile: Dockerfile
|
|
depends_on:
|
|
proxy:
|
|
condition: service_healthy
|
|
networks:
|
|
- claude-internal # only — no route to the internet
|
|
environment:
|
|
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
|
|
- HTTP_PROXY=http://proxy:3128
|
|
- HTTPS_PROXY=http://proxy:3128
|
|
- ALL_PROXY=http://proxy:3128
|
|
- NO_PROXY=localhost,127.0.0.1
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
cap_drop:
|
|
- ALL
|
|
stdin_open: true
|
|
tty: true
|
|
# Workspace is injected by claude.sh via --volume flag at run time.
|
|
# Default: named Docker volume. Override: set WORKSPACE_DIR on the host.
|
|
|
|
# ─── Claude Code web interface ─────────────────────────────────────────────
|
|
# Serves Claude Code as a browser terminal via ttyd (port 7681).
|
|
# Protected by HTTP basic auth — set WEBUI_USER / WEBUI_PASSWORD in .env.
|
|
# Network isolation is identical to the CLI container.
|
|
webui:
|
|
build:
|
|
context: claude/
|
|
dockerfile: Dockerfile
|
|
entrypoint: ["/usr/local/bin/webui-entrypoint.sh"]
|
|
depends_on:
|
|
proxy:
|
|
condition: service_healthy
|
|
networks:
|
|
- claude-internal # only — no route to the internet
|
|
environment:
|
|
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
|
|
- HTTP_PROXY=http://proxy:3128
|
|
- HTTPS_PROXY=http://proxy:3128
|
|
- ALL_PROXY=http://proxy:3128
|
|
- NO_PROXY=localhost,127.0.0.1
|
|
- WEBUI_USER=${WEBUI_USER:-claude}
|
|
- WEBUI_PASSWORD=${WEBUI_PASSWORD:-}
|
|
- WEBUI_PORT=7681
|
|
ports:
|
|
- "0.0.0.0:7681:7681"
|
|
volumes:
|
|
- claude-web-workspace:/workspace
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
cap_drop:
|
|
- ALL
|
|
stdin_open: true
|
|
tty: true
|
|
restart: unless-stopped
|
|
|
|
networks:
|
|
# Internal-only: Docker adds no default gateway → no direct internet route
|
|
claude-internal:
|
|
driver: bridge
|
|
internal: true
|
|
|
|
# External: standard bridge with internet access (proxy only)
|
|
proxy-external:
|
|
driver: bridge
|
|
|
|
volumes:
|
|
# Persistent workspace for the web interface
|
|
claude-web-workspace:
|