Skyvern/docker-compose.yml
Suchintan 720d47d754
SKY-11678 Add local credential vault persistence to OSS Docker (#7003)
Co-authored-by: Codex <codex@openai.com>
2026-07-02 21:24:17 +00:00

243 lines
10 KiB
YAML

services:
postgres:
image: postgres:14-alpine
restart: always
# comment out if you want to externally connect DB
# ports:
# - 5432:5432
volumes:
- ./postgres-data:/var/lib/postgresql/data
environment:
- PGDATA=/var/lib/postgresql/data/pgdata
- POSTGRES_USER=skyvern
- POSTGRES_PASSWORD=skyvern
- POSTGRES_DB=skyvern
healthcheck:
test: ["CMD-SHELL", "pg_isready -U skyvern"]
interval: 5s
timeout: 5s
retries: 5
skyvern:
image: public.ecr.aws/skyvern/skyvern:latest
# For local backend development, replace the image line above with:
# build:
# context: .
# dockerfile: Dockerfile
# Or keep the public image and uncomment the source mounts below.
restart: on-failure
extra_hosts:
- "host.docker.internal:host-gateway"
env_file:
- .env
# comment out if you want to externally call skyvern API
ports:
- 8000:8000
- 6080:6080 # for VNC WebSocket streaming
volumes:
- ./artifacts:/data/artifacts
- ./videos:/data/videos
- ./har:/data/har
- ./log:/data/log
- ./downloads:/data/downloads
- ./browser_sessions:/data/browser_sessions
- ./credential_vault:/data/credential_vault
# Generated credentials allow the UI to pick up the local API key on first startup.
- ./.skyvern:/app/.skyvern
# Uncomment the following two lines if you want to connect to any local changes
# - ./skyvern:/app/skyvern
# - ./alembic:/app/alembic
environment:
# ─────────────────────────────────────────────────────────────────
# Compose-network values live here. These are infrastructure values
# tied to the docker compose network (e.g. the `postgres` hostname
# only resolves inside this compose stack). DO NOT move these into
# .env — `.env.example` uses a `localhost` host that points at the
# backend container itself inside compose, which would break the DB
# connection.
#
# User secrets (LLM API keys, etc.) go in `.env` (loaded above via
# env_file). The split is intentional: compose owns infrastructure;
# .env owns secrets.
# ─────────────────────────────────────────────────────────────────
- DATABASE_STRING=postgresql+psycopg://skyvern:skyvern@postgres:5432/skyvern
- BROWSER_STREAMING_MODE=${BROWSER_STREAMING_MODE:-cdp}
- BROWSER_TYPE=${BROWSER_TYPE:-chromium-headful}
- BROWSER_REMOTE_DEBUGGING_URL=${BROWSER_REMOTE_DEBUGGING_URL:-http://127.0.0.1:9222}
- BROWSER_REMOTE_DEBUGGING_HOST_HEADER=${BROWSER_REMOTE_DEBUGGING_HOST_HEADER:-}
- BROWSER_CDP_CONNECT_TIMEOUT_MS=${BROWSER_CDP_CONNECT_TIMEOUT_MS:-120000}
- DOWNLOAD_PATH=/data/downloads
- BROWSER_SESSION_BASE_PATH=/data/browser_sessions
- CREDENTIAL_VAULT_TYPE=${CREDENTIAL_VAULT_TYPE:-skyvern}
- ENABLE_LOCAL_CREDENTIAL_VAULT=${ENABLE_LOCAL_CREDENTIAL_VAULT:-true}
- LOCAL_CREDENTIAL_VAULT_PATH=/data/credential_vault
- ENABLE_CODE_BLOCK=true
# --- Control your own browser (Chrome/Chromium) ---
# Prefer Chrome's chrome://inspect/#remote-debugging flow for an existing profile.
# On Windows, scripts/windows_chrome_inspect_cdp.ps1 can bridge a
# chrome://inspect/#remote-debugging listener and write the full ws:// URL.
# If Docker cannot reach that listener, start an isolated Chrome profile
# with --remote-debugging-address=0.0.0.0 and a non-default --user-data-dir.
# Then set:
# - BROWSER_TYPE=cdp-connect
# - BROWSER_REMOTE_DEBUGGING_URL=http://host.docker.internal:9222/
# See docs/developers/self-hosted/browser.mdx for Windows/Docker Desktop notes.
# =========================
# LLM Settings - Use `skyvern init llm` for interactive setup
# =========================
# Docs: https://www.skyvern.com/docs/self-hosted/llm-configuration
#
# OpenAI:
# - ENABLE_OPENAI=true
# - LLM_KEY=OPENAI_GPT5_5
# - OPENAI_API_KEY=<your_openai_key>
#
# Anthropic:
# - ENABLE_ANTHROPIC=true
# - LLM_KEY=ANTHROPIC_CLAUDE4.7_OPUS
# - ANTHROPIC_API_KEY=<your_anthropic_key>
#
# Gemini:
# - ENABLE_GEMINI=true
# - LLM_KEY=GEMINI_3.0_FLASH
# - GEMINI_API_KEY=<your_gemini_key>
#
# Azure OpenAI:
# - ENABLE_AZURE=true
# - LLM_KEY=AZURE_OPENAI
# - AZURE_DEPLOYMENT=<your_deployment>
# - AZURE_API_KEY=<your_key>
# - AZURE_API_BASE=<your_endpoint>
# - AZURE_API_VERSION=2024-08-01-preview
#
# AWS Bedrock:
# - ENABLE_BEDROCK=true
# - LLM_KEY=BEDROCK_ANTHROPIC_CLAUDE4.7_OPUS_INFERENCE_PROFILE
# - AWS_REGION=us-west-2
# - AWS_ACCESS_KEY_ID=<your_key>
# - AWS_SECRET_ACCESS_KEY=<your_secret>
#
# Ollama (local models):
# - ENABLE_OLLAMA=true
# - LLM_KEY=OLLAMA
# - OLLAMA_MODEL=gemma4:e4b
# - OLLAMA_SERVER_URL=http://host.docker.internal:11434
# - OLLAMA_SUPPORTS_VISION=false
#
# OpenRouter:
# - ENABLE_OPENROUTER=true
# - LLM_KEY=OPENROUTER
# - OPENROUTER_API_KEY=<your_key>
# - OPENROUTER_MODEL=mistralai/mistral-small-3.1-24b-instruct
#
# Groq:
# - ENABLE_GROQ=true
# - LLM_KEY=GROQ
# - GROQ_API_KEY=<your_key>
# - GROQ_MODEL=openai/gpt-oss-120b
# Bitwarden Settings
# If you are looking to integrate Skyvern with a password manager (eg Bitwarden), you can use the following environment variables.
# - BITWARDEN_SERVER=http://localhost # OPTIONAL IF YOU ARE SELF HOSTING BITWARDEN
# - BITWARDEN_SERVER_PORT=8002 # IF YOU ARE SELF HOSTING BITWARDEN AND USE THIS COMPOSE FILE, PORT IS 8002 UNLESS CHANGED
# - SKYVERN_AUTH_BITWARDEN_ORGANIZATION_ID=your-org-id-here
# - SKYVERN_AUTH_BITWARDEN_CLIENT_ID=user.your-client-id-here
# - SKYVERN_AUTH_BITWARDEN_CLIENT_SECRET=your-client-secret-here
# - SKYVERN_AUTH_BITWARDEN_MASTER_PASSWORD=your-master-password-here
# 1Password Integration
# If you are looking to integrate Skyvern with 1Password, you can use the following environment variables.
# OP_SERVICE_ACCOUNT_TOKEN=""
depends_on:
postgres:
condition: service_healthy
healthcheck:
test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8000/api/v1/heartbeat', timeout=5)"]
interval: 5s
timeout: 5s
retries: 24
start_period: 180s
skyvern-ui:
image: public.ecr.aws/skyvern/skyvern-ui:latest
# For local UI development/testing, replace the image line above with:
# build:
# context: .
# dockerfile: Dockerfile.ui
restart: on-failure
ports:
- 8080:8080
- 9090:9090
volumes:
- ./artifacts:/data/artifacts
- ./videos:/data/videos
- ./har:/data/har
# Generated credentials allow the UI to pick up the local API key on first startup.
- ./.skyvern:/app/.skyvern
# User secrets and most frontend config live in skyvern-frontend/.env
# (loaded via env_file). CDP streaming is inline so local livestreaming is
# enabled even if an older frontend .env is present.
env_file:
- skyvern-frontend/.env
environment:
- VITE_BROWSER_STREAMING_MODE=${VITE_BROWSER_STREAMING_MODE:-cdp}
# - VITE_ENABLE_CODE_BLOCK=true
# if you want to run skyvern on a remote server,
# you need to change the host in VITE_WSS_BASE_URL and VITE_API_BASE_URL to match your server ip
# If you're self-hosting this behind a dns, you'll want to set:
# A route for the API: api.yourdomain.com -> localhost:8000
# A route for the UI: yourdomain.com -> localhost:8080
# A route for the artifact API: artifact.yourdomain.com -> localhost:9090 (maybe not needed)
# - VITE_WSS_BASE_URL=ws://localhost:8000/api/v1
# - VITE_ARTIFACT_API_BASE_URL=http://localhost:9090
# - VITE_API_BASE_URL=http://localhost:8000/api/v1
# - VITE_SKYVERN_API_KEY=<get this from "settings" in the Skyvern UI>
depends_on:
skyvern:
condition: service_healthy
# uncomment for local usage of `vaultwarden` & bitwarden-cli - see more at: https://github.com/dani-garcia/vaultwarden
# First this container needs to be started and configured to sign up, create master password and organization
# Once created, under SETTINGS/SECURITY/KEYS/API you should be able to get client id and secret for CLI & Skyvern integrations
# vaultwarden:
# image: vaultwarden/server:latest-alpine
# container_name: vaultwarden
# restart: unless-stopped
# environment:
# # DOMAIN: "https://vaultwarden.example.com" # required when using a reverse proxy; your domain; vaultwarden needs to know it's https to work properly with attachments
# SIGNUPS_ALLOWED: "true" # Deactivate this with "false" after you have created your account so that no strangers can register
# volumes:
# - ~/vw-data/:/data/ # the path before the : can be changed
# ports:
# - 127.0.0.1:11002:80 # you can replace the 11002 with your preferred port
# Bitwarden CLI Server (provides REST API endpoints for Skyvern)
# Once you have master password and api credentials, you can set them below and this CLI should start providing secure access for Skyvern to Vaultwarden
# bitwarden-cli:
# build:
# context: ./bitwarden-cli-server
# dockerfile: Dockerfile
# environment:
# # Vaultwarden server URL
# BW_HOST: "http://vaultwarden"
# # API credentials for vaultwarden
# BW_CLIENTID: "user.your-client-id-here"
# BW_CLIENTSECRET: "your-client-secret-here"
# # Master password for unlocking vault
# BW_PASSWORD: "your-master-password-here"
# ports:
# # Bind to localhost only for security
# - "127.0.0.1:8002:8087"
# restart: unless-stopped
# healthcheck:
# test: [ "CMD", "curl", "-f", "http://localhost:8087/status" ]
# interval: 30s
# timeout: 10s
# retries: 5
# start_period: 30s
# depends_on:
# vaultwarden:
# condition: service_healthy
# volumes:
# # Optional: persist Bitwarden CLI config
# - ~/bitwarden-cli-config:/app/.config
# labels:
# - "traefik.enable=false" # Don't expose via reverse proxy