Add CI workflow to verify Docker Compose file integrity

.env

@@ -1,8 +1,14 @@
-# stack identity
+# -------------------------------------------------------------------
+# Project
+# -------------------------------------------------------------------
+
 COMPOSE_PROJECT_NAME=ai-docker-stack
 TZ=America/New_York
 
-# versions / images
+# -------------------------------------------------------------------
+# Images
+# -------------------------------------------------------------------
+
 OLLAMA_IMAGE=ollama/ollama:latest
 OPEN_WEBUI_IMAGE=ghcr.io/open-webui/open-webui:main
 JUPYTER_IMAGE=quay.io/jupyter/pytorch-notebook:latest
@@ -28,59 +34,41 @@ MINIO_IMAGE=minio/minio
 INFINITY_IMAGE=infiniflow/infinity:nightly
 OBSIDIAN_REMOTE_IMAGE=sytone/obsidian-remote:latest
 COUCHDB_IMAGE=couchdb:3.3
+OPENCLAW_IMAGE=ghcr.io/openclaw/openclaw:latest
+
+# -------------------------------------------------------------------
+# Published ports
+# -------------------------------------------------------------------
 
-# ports
 OPEN_WEBUI_PORT=3000
-GITEA_HTTP_PORT=3001
-GITEA_SSH_PORT=222
-N8N_PORT=5678
+JUPYTER_PORT=8888
+OPEN_NOTEBOOKLM_PORT=8502
+OPEN_NOTEBOOKLM_API_PORT=5055
+DIFY_WEB_PORT=80
 FLOWISE_PORT=3003
 OPENHANDS_PORT=3004
+N8N_PORT=5678
+MERCURE_PORT=8084
+GITEA_HTTP_PORT=3001
+GITEA_SSH_PORT=222
 SEARXNG_PORT=8082
 ANYTHINGLLM_PORT=3002
 RAGFLOW_PORT=8083
 UNSTRUCTURED_API_PORT=8021
-MERCURE_PORT=8084
-JUPYTER_PORT=8888
-OPEN_NOTEBOOKLM_PORT=8502
-OPEN_NOTEBOOKLM_API_PORT=5055
-OBSIDIAN_REMOTE_PORT=8081
+MONGODB_PORT=27017
 QDRANT_PORT=6333
 SURREALDB_PORT=8000
-MONGODB_PORT=27017
 MINIO_API_PORT=9000
 MINIO_CONSOLE_PORT=9001
+OBSIDIAN_REMOTE_PORT=8081
 COUCHDB_PORT=5984
-DIFY_WEB_PORT=80
-
-# core credentials
-POSTGRES_USER=admin
-POSTGRES_PASSWORD=change-me
-POSTGRES_DB_N8N=n8n
-POSTGRES_DB_DIFY=dify
-POSTGRES_DB_FLOWISE=flowise
-
-MYSQL_ROOT_PASSWORD=change-me
-MYSQL_DATABASE_RAGFLOW=ragflow
-MYSQL_USER_RAGFLOW=ragflow
-MYSQL_PASSWORD_RAGFLOW=change-me
-
-COUCHDB_USER=admin
-COUCHDB_PASSWORD=change-me
+OPENCLAW_PORT=3400
 
-MINIO_ROOT_USER=minio
-MINIO_ROOT_PASSWORD=change-me
+# -------------------------------------------------------------------
+# Internal hosts
+# -------------------------------------------------------------------
 
-SURREALDB_USER=root
-SURREALDB_PASS=change-me
-
-MERCURE_PUBLISHER_JWT_KEY=change-me-secret
-MERCURE_SUBSCRIBER_JWT_KEY=change-me-secret
-SERVER_NAME=:80
-
-# service hosts
 OLLAMA_HOST=ollama
-OPEN_WEBUI_HOST=open-webui
 POSTGRES_HOST=postgres
 MONGODB_HOST=mongodb
 QDRANT_HOST=qdrant
@@ -95,13 +83,21 @@ N8N_HOST=n8n
 MERCURE_HOST=mercure
 SEARXNG_HOST=searxng
 
-# service internal ports
+# -------------------------------------------------------------------
+# Internal ports
+# -------------------------------------------------------------------
+
 OLLAMA_PORT=11434
 POSTGRES_PORT=5432
 REDIS_PORT=6379
 MYSQL_PORT=3306
+GITEA_PORT=3000
+SEARXNG_INTERNAL_PORT=8080
+
+# -------------------------------------------------------------------
+# Derived internal URLs
+# -------------------------------------------------------------------
 
-# derived internal URLs
 OLLAMA_BASE_URL=http://ollama:11434
 QDRANT_URL=http://qdrant:6333
 QDRANT_ENDPOINT=http://qdrant:6333
@@ -112,11 +108,87 @@ GITEA_BASE_URL=http://gitea:3000
 N8N_BASE_URL=http://n8n:5678
 MERCURE_URL=http://mercure/.well-known/mercure
 SEARXNG_URL=http://searxng:8080
+MONGODB_URL=mongodb://mongodb:27017
 COUCHDB_URL=http://admin:change-me@couchdb:5984
 
-# bootstrap / feature toggles
-OLLAMA_BOOTSTRAP_MODEL=qwen3.5:current
+# -------------------------------------------------------------------
+# Credentials
+# -------------------------------------------------------------------
+
+POSTGRES_USER=admin
+POSTGRES_PASSWORD=change-me
+POSTGRES_DB_N8N=n8n
+POSTGRES_DB_DIFY=dify
+POSTGRES_DB_FLOWISE=flowise
+
+MYSQL_ROOT_PASSWORD=change-me
+MYSQL_DATABASE_RAGFLOW=ragflow
+MYSQL_USER_RAGFLOW=ragflow
+MYSQL_PASSWORD_RAGFLOW=change-me
+
+MINIO_ROOT_USER=minio
+MINIO_ROOT_PASSWORD=change-me
+
+COUCHDB_USER=admin
+COUCHDB_PASSWORD=change-me
+
+SURREALDB_USER=root
+SURREALDB_PASS=change-me
+
+MERCURE_PUBLISHER_JWT_KEY=change-me-secret
+MERCURE_SUBSCRIBER_JWT_KEY=change-me-secret
+SERVER_NAME=:80
+
 JUPYTER_TOKEN=change-me
+
+# Redis has no authentication by default; set a password here to enable it
+REDIS_PASSWORD=
+
+# Generic connection variables used by agent services (e.g. security overlay)
+POSTGRES_DB=n8n
+
+MYSQL_USER=ragflow
+MYSQL_PASSWORD=change-me
+MYSQL_DATABASE=ragflow
+
+# -------------------------------------------------------------------
+# App-specific convenience values
+# -------------------------------------------------------------------
+
+DIFY_DB_USERNAME=${POSTGRES_USER}
+DIFY_DB_PASSWORD=${POSTGRES_PASSWORD}
+DIFY_DB_HOST=${POSTGRES_HOST}
+DIFY_DB_DATABASE=${POSTGRES_DB_DIFY}
+DIFY_REDIS_HOST=${REDIS_HOST}
+DIFY_VECTOR_STORE=qdrant
+DIFY_QDRANT_HOST=${QDRANT_HOST}
+
+FLOWISE_DATABASE_TYPE=postgres
+FLOWISE_DATABASE_HOST=${POSTGRES_HOST}
+FLOWISE_DATABASE_PORT=${POSTGRES_PORT}
+FLOWISE_DATABASE_USER=${POSTGRES_USER}
+FLOWISE_DATABASE_PASSWORD=${POSTGRES_PASSWORD}
+FLOWISE_DATABASE_NAME=${POSTGRES_DB_FLOWISE}
+
+N8N_DB_TYPE=postgresdb
+N8N_DB_POSTGRESDB_HOST=${POSTGRES_HOST}
+N8N_DB_POSTGRESDB_DATABASE=${POSTGRES_DB_N8N}
+N8N_DB_POSTGRESDB_USER=${POSTGRES_USER}
+N8N_DB_POSTGRESDB_PASSWORD=${POSTGRES_PASSWORD}
+
+ANYTHINGLLM_STORAGE_DIR=/app/server/storage
+ANYTHINGLLM_VECTOR_DB=qdrant
+
+RAGFLOW_MYSQL_PASSWORD=${MYSQL_ROOT_PASSWORD}
+
 OBSIDIAN_PUID=1000
 OBSIDIAN_PGID=1000
-OPENHANDS_ENABLE_DOCKER_SOCKET=false
+
+# -------------------------------------------------------------------
+# Bootstrap / features
+# -------------------------------------------------------------------
+
+OLLAMA_BOOTSTRAP_MODEL=qwen3.5:current
+OPENHANDS_ENABLE_DOCKER_SOCKET=false
+OPENCLAW_EGRESS_MODE=allowlist
+OPENCLAW_SANDBOX_MODE=docker-sandbox

.env.example

@@ -109,6 +109,7 @@ N8N_BASE_URL=http://n8n:5678
 MERCURE_URL=http://mercure/.well-known/mercure
 SEARXNG_URL=http://searxng:8080
 MONGODB_URL=mongodb://mongodb:27017
+COUCHDB_URL=http://admin:change-me@couchdb:5984
 
 # -------------------------------------------------------------------
 # Credentials
@@ -140,6 +141,16 @@ SERVER_NAME=:80
 
 JUPYTER_TOKEN=change-me
 
+# Redis has no authentication by default; set a password here to enable it
+REDIS_PASSWORD=
+
+# Generic connection variables used by agent services (e.g. security overlay)
+POSTGRES_DB=n8n
+
+MYSQL_USER=ragflow
+MYSQL_PASSWORD=change-me
+MYSQL_DATABASE=ragflow
+
 # -------------------------------------------------------------------
 # App-specific convenience values
 # -------------------------------------------------------------------

.github/workflows/verify-compose.yml

@@ -0,0 +1,46 @@
+name: Verify Compose Integrity
+
+on:
+  push:
+    paths:
+      - 'compose*.yaml'
+      - 'env/**'
+      - '.env.example'
+      - '.github/workflows/verify-compose.yml'
+  pull_request:
+    paths:
+      - 'compose*.yaml'
+      - 'env/**'
+      - '.env.example'
+      - '.github/workflows/verify-compose.yml'
+
+jobs:
+  verify:
+    name: Validate Docker Compose Files
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up environment
+        run: cp .env.example .env
+
+      - name: Validate base compose
+        run: docker compose -f compose.yaml config --quiet
+
+      - name: Validate apps compose
+        run: docker compose -f compose.yaml -f compose.apps.yaml config --quiet
+
+      - name: Validate dev compose
+        run: docker compose -f compose.yaml -f compose.dev.yaml config --quiet
+
+      - name: Validate openclaw compose
+        run: docker compose -f compose.yaml -f compose.openclaw.yaml config --quiet
+
+      - name: Validate security compose
+        run: docker compose -f compose.yaml -f compose.openclaw.yaml -f compose.security.yaml config --quiet
+
+      - name: Validate agent-access compose
+        run: docker compose -f compose.yaml -f compose.apps.yaml -f compose.openclaw.yaml -f compose.agent-access.yaml config --quiet

compose.apps.yaml

@@ -129,4 +129,13 @@ services:
     container_name: unstructured-api
     restart: always
     ports:
-      - "${UNSTRUCTURED_API_PORT}:8000"
+      - "${UNSTRUCTURED_API_PORT}:8000"
+
+  openhands:
+    image: ${OPENHANDS_IMAGE}
+    container_name: openhands
+    restart: always
+    environment:
+      OPENHANDS_ENABLE_DOCKER_SOCKET: ${OPENHANDS_ENABLE_DOCKER_SOCKET}
+    ports:
+      - "${OPENHANDS_PORT}:3000"

compose.yaml

@@ -59,11 +59,36 @@ services:
       - ./env/base.env
     command: start --user ${SURREALDB_USER} --pass ${SURREALDB_PASS} rocksdb:/mydata/mydatabase.db
 
+  qdrant:
+    image: ${QDRANT_IMAGE}
+    container_name: qdrant
+    restart: always
+    volumes:
+      - qdrant-data:/qdrant/storage
+
+  mongodb:
+    image: ${MONGODB_IMAGE}
+    container_name: mongodb
+    restart: always
+    volumes:
+      - mongodb-data:/data/db
+
+  infinity:
+    image: ${INFINITY_IMAGE}
+    container_name: infinity
+    restart: always
+    volumes:
+      - infinity-data:/var/infinity
+
   mercure:
     image: ${MERCURE_IMAGE}
     container_name: mercure
     restart: always
     env_file:
       - ./env/base.env
     ports:
-      - "${MERCURE_PORT}:80"
+      - "${MERCURE_PORT}:80"
+volumes:
+  qdrant-data:
+  mongodb-data:
+  infinity-data: