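services:
  claude-code:
    build:
      context: .
      dockerfile: Dockerfile
      args:
        # Pass host user/group IDs to match file ownership
        # These are set in .env file (auto-detected by setup-and-run.sh)
        USER_ID: ${USER_ID:-1000}
        GROUP_ID: ${GROUP_ID:-1000}
        USERNAME: ${USERNAME:-node}
    container_name: claude-code-${PROJECT_NAME:-default}

    # Interactive terminal
    stdin_open: true
    tty: true

    # Port forwarding for OAuth callback.
    # The callback listener is published on the host loopback interface only,
    # so other machines on the network cannot reach it. Without an explicit
    # host IP, Docker publishes the port on all host interfaces.
    #
    # OAUTH_MODE controls the host port:
    # - With OAUTH_MODE=":8338" -> 127.0.0.1:8338:8338 (fixed port, for OAuth setup)
    # - Without OAUTH_MODE (or empty) -> 127.0.0.1::8338 (random host port,
    #   normal use, no conflicts between projects)
    # Any non-empty OAUTH_MODE selects the fixed host port 8338.
    # The ${VAR:+value} form requires Docker Compose v2 interpolation.
    #
    # OAuth setup (initial authentication):
    #   OAUTH_MODE=":8338" docker compose up -d
    # Normal use (after authentication, allows multiple projects):
    #   docker compose up -d
    ports:
      - "127.0.0.1:${OAUTH_MODE:+8338}:8338"

    # Volume mounts
    volumes:
      # Mount your project directory (set in .env file)
      # Files created here will be owned by your host user (same UID/GID)
      # ':?' makes Compose stop with a clear error when PROJECT_DIR is unset or
      # empty, instead of producing a malformed ':/workspace' mount spec.
      - "${PROJECT_DIR:?PROJECT_DIR must be set in .env}:/workspace"
      # SHARED: OAuth credentials (authenticate once, use across all projects)
      # All containers share the same credentials volume, mounted read-write:
      # anything running in any project's container can read or replace the
      # tokens. Only mount projects you trust with these credentials.
      - claude-credentials:/home/${USERNAME:-node}/.claude-shared
      # PER-PROJECT: Settings, history, todos (isolated by PROJECT_NAME)
      # Each project gets its own volume for project-specific data
      # The entrypoint script creates a symlink from .claude/.credentials.json
      # to .claude-shared/.credentials.json
      - claude-settings:/home/${USERNAME:-node}/.claude
    working_dir: /workspace

    # Run container as host user (not root) to preserve file ownership
    # This ensures files created by Claude Code are owned by your host user
    user: "${USER_ID:-1000}:${GROUP_ID:-1000}"

    # Environment variables
    environment:
      # Anthropic API key (optional - leave empty to use OAuth)
      # Values passed as environment variables are visible in `docker inspect`
      # output and to every process inside the container.
      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY:-}
      # Claude model to use
      - ANTHROPIC_MODEL=${ANTHROPIC_MODEL:-claude-sonnet-4-5-20250929}
      # Disable auto-updates in container (recommended for reproducibility)
      - DISABLE_AUTOUPDATER=1
      # Set HOME to non-root user's home directory
      # This ensures Claude Code stores settings in the correct location
      - HOME=/home/${USERNAME:-node}

    # Security options
    # no-new-privileges stops processes in the container from gaining extra
    # privileges through setuid/setgid binaries.
    security_opt:
      - no-new-privileges:true

    # Resource limits (adjust based on your needs)
    deploy:
      resources:
        limits:
          cpus: '4'
          memory: 6G
        reservations:
          memory: 1G

    # Network configuration
    # Note: Comment out 'ports' and uncomment 'network_mode: none' below
    # for complete network isolation (disables OAuth but maximum security)
    # network_mode: none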
# Named volumes holding Claude Code data.
# Both are declared 'external': Compose neither creates nor removes them, so
# they must exist before `docker compose up` (setup-and-run.sh creates them
# automatically) and they are left in place by `docker compose down -v`.
volumes:
  # Credentials volume shared by ALL projects.
  # Holds the OAuth tokens: authenticate once, use everywhere.
  # One-time creation: docker volume create claude-credentials
  # Because the volume is external, the stored tokens persist until it is
  # removed explicitly with `docker volume rm claude-credentials`.
  claude-credentials:
    name: claude-credentials
    external: true

  # Settings volume, one per project (isolated by PROJECT_NAME).
  # Holds project-specific data: history, todos, session state.
  # Variable expansion in 'name' yields claude-settings-projectA,
  # claude-settings-projectB, and so on.
  # The entrypoint script symlinks the credentials from claude-credentials
  # into each project's .claude directory.
  claude-settings:
    name: claude-settings-${PROJECT_NAME:-default}
    external: true