1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
networks:
# Caddy-to-kx internal traffic only — no host port binding on kx
kx_net:
driver: bridge
volumes:
kx_data: # persistent job data and runtime state
caddy_data: # TLS certificates (Let's Encrypt)
caddy_config: # Caddy runtime config
services:
# ── kx serve ────────────────────────────────────────────────────────────────
kx:
build:
context: ..
dockerfile: deploy/Dockerfile
image: kernex-agent:latest
networks:
- kx_net
# No ports exposed to host — only Caddy can reach kx
env_file: .env
environment:
KERNEX_PROVIDER: ${KERNEX_PROVIDER:-claude-code}
KERNEX_MODEL: ${KERNEX_MODEL:-}
command:
- serve
- --host
- "0.0.0.0"
- --port
- "8080"
- --workers
- "${KX_WORKERS:-8}"
volumes:
# Persistent data directory
- kx_data:/home/kx/.kx
# Skills for headless serve-mode workflows — read-only, mounted at runtime
- type: bind
source: ../deploy/skills
target: /home/kx/.kx/skills
read_only: true
bind:
create_host_path: false
# Named workflow TOML files — read-only, mounted at runtime
- type: bind
source: ../deploy/workflows
target: /home/kx/.kx/workflows
read_only: true
bind:
create_host_path: false
# Claude subscription credentials — read-only, never modified by container
- type: bind
source: ${CLAUDE_CREDENTIALS_PATH}
target: /home/kx/.claude/.credentials.json
read_only: true
bind:
create_host_path: false
restart: unless-stopped
# ── Container hardening ──────────────────────────────────────────────────
security_opt:
- no-new-privileges:true # prevent privilege escalation via setuid
cap_drop:
- ALL # drop every Linux capability
read_only: true # root filesystem is read-only
tmpfs:
- /tmp:noexec,nosuid,size=64m # writable temp, no executables
mem_limit: 1g
memswap_limit: 1g # disable swap (avoids credential paging to disk)
cpus: "2.0"
pids_limit: 512 # prevent fork bombs
ulimits:
nofile:
soft: 65536
hard: 65536
logging:
driver: json-file
options:
max-size: "20m"
max-file: "10"
healthcheck:
test:
interval: 30s
timeout: 5s
retries: 3
start_period: 15s
# ── Caddy (TLS termination + reverse proxy) ──────────────────────────────────
caddy:
build:
context: .
dockerfile: Dockerfile.caddy
image: kernex-caddy:latest
networks:
- kx_net
ports:
- "80:80" # HTTP redirect to HTTPS
- "443:443" # HTTPS
- "443:443/udp" # HTTP/3
env_file: .env
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro
- caddy_data:/data
- caddy_config:/config
restart: unless-stopped
depends_on:
kx:
condition: service_healthy
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE # required to bind ports 80/443
read_only: true
tmpfs:
- /tmp:noexec,nosuid,size=32m
logging:
driver: json-file
options:
max-size: "10m"
max-file: "5"