certifai/docker-compose.yml

version: '3.8'

services:
  keycloak:
    image: quay.io/keycloak/keycloak:26.0
    container_name: certifai-keycloak
    environment:
      KEYCLOAK_ADMIN: admin
      KEYCLOAK_ADMIN_PASSWORD: admin
      KC_DB: dev-mem
    ports:
      - "8080:8080"
    command:
      - start-dev
      - --import-realm
    volumes:
      - ./keycloak/realm-export.json:/opt/keycloak/data/import/realm-export.json:ro
      - ./keycloak/themes/certifai:/opt/keycloak/themes/certifai:ro
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8080/health/ready"]
      interval: 10s
      timeout: 5s
      retries: 5

  mongo:
    image: mongo:latest
    restart: unless-stopped
    ports:
      - 27017:27017
    environment:
      MONGO_INITDB_ROOT_USERNAME: root
      MONGO_INITDB_ROOT_PASSWORD: example

  searxng:
    image: searxng/searxng:latest
    container_name: certifai-searxng
    restart: unless-stopped
    ports:
      - "8888:8080"
    environment:
      - SEARXNG_BASE_URL=http://localhost:8888
    volumes:
      - ./searxng:/etc/searxng:rw

  librechat:
    image: ghcr.io/danny-avila/librechat:latest
    container_name: certifai-librechat
    restart: unless-stopped
    ports:
      - "3080:3080"
    depends_on:
      keycloak:
        condition: service_healthy
      mongo:
        condition: service_started
    environment:
      # MongoDB (shared instance, separate database)
      MONGO_URI: mongodb://root:example@mongo:27017/librechat?authSource=admin
      # Keycloak OIDC SSO
      OPENID_ISSUER: http://localhost:8080/realms/certifai
      OPENID_CLIENT_ID: certifai-librechat
      OPENID_CLIENT_SECRET: certifai-librechat-secret
      OPENID_CALLBACK_URL: /oauth/openid/callback
      OPENID_SCOPE: openid profile email
      OPENID_BUTTON_LABEL: Login with CERTifAI
      OPENID_AUTH_EXTRA_PARAMS: prompt=none
      # Disable local auth (SSO only)
      ALLOW_EMAIL_LOGIN: "false"
      ALLOW_REGISTRATION: "false"
      ALLOW_SOCIAL_LOGIN: "true"
      ALLOW_SOCIAL_REGISTRATION: "true"
      # App settings
      APP_TITLE: CERTifAI Chat
      CUSTOM_FOOTER: CERTifAI - Sovereign GenAI Infrastructure
      HOST: 0.0.0.0
      PORT: "3080"
      NO_INDEX: "true"
    volumes:
      - ./librechat/librechat.yaml:/app/librechat.yaml:ro
      - ./librechat/logo.svg:/app/client/public/assets/logo.svg:ro
      - librechat-data:/app/data

volumes:
  librechat-data: