Spaces:
Running
Running
| # agentmemory first-boot entrypoint. | |
| # | |
| # Runs as root so it can: | |
| # 1. Overwrite the npm-bundled iii-config.yaml (which binds 127.0.0.1 | |
| # and uses relative ./data paths) with a deploy-tuned version that | |
| # binds 0.0.0.0 and uses absolute /data paths. | |
| # 2. chown the platform-mounted /data volume to the runtime user | |
| # (managed platforms mount volumes root-owned 755 by default). | |
| # 3. Generate the HMAC secret on first boot and persist it to | |
| # /data/.hmac (chmod 600) so the secret survives restarts. | |
| # | |
| # Then it execs the agentmemory CLI under gosu as the unprivileged | |
| # `node` user. | |
| set -eu | |
| DATA_DIR="${AGENTMEMORY_DATA_DIR:-/data}" | |
| HMAC_FILE="${AGENTMEMORY_HMAC_FILE:-/data/.hmac}" | |
| RUN_AS="node:node" | |
| III_CONFIG="/opt/agentmemory/node_modules/@agentmemory/agentmemory/dist/iii-config.yaml" | |
| mkdir -p "$DATA_DIR" | |
| chown -R "$RUN_AS" "$DATA_DIR" | |
| cat > "$III_CONFIG" <<'EOF' | |
| workers: | |
| - name: iii-http | |
| config: | |
| port: 3111 | |
| host: 0.0.0.0 | |
| default_timeout: 180000 | |
| cors: | |
| allowed_origins: | |
| - "http://localhost:3111" | |
| - "http://localhost:3113" | |
| - "http://127.0.0.1:3111" | |
| - "http://127.0.0.1:3113" | |
| allowed_methods: [GET, POST, PUT, DELETE, OPTIONS] | |
| - name: iii-state | |
| config: | |
| adapter: | |
| name: kv | |
| config: | |
| store_method: file_based | |
| file_path: /data/state_store.db | |
| - name: iii-queue | |
| config: | |
| adapter: | |
| name: builtin | |
| - name: iii-pubsub | |
| config: | |
| adapter: | |
| name: local | |
| - name: iii-cron | |
| config: | |
| adapter: | |
| name: kv | |
| - name: iii-stream | |
| config: | |
| port: 3112 | |
| host: 0.0.0.0 | |
| adapter: | |
| name: kv | |
| config: | |
| store_method: file_based | |
| file_path: /data/stream_store | |
| - name: iii-observability | |
| config: | |
| enabled: true | |
| service_name: agentmemory | |
| exporter: memory | |
| sampling_ratio: 1.0 | |
| metrics_enabled: true | |
| logs_enabled: true | |
| logs_console_output: true | |
| EOF | |
| chown "$RUN_AS" "$III_CONFIG" | |
| if [ ! -s "$HMAC_FILE" ]; then | |
| SECRET="$(openssl rand -hex 32)" | |
| umask 077 | |
| printf '%s\n' "$SECRET" > "$HMAC_FILE" | |
| chmod 600 "$HMAC_FILE" | |
| chown "$RUN_AS" "$HMAC_FILE" | |
| echo "================================================================" | |
| echo "agentmemory: generated HMAC secret on first boot" | |
| echo "AGENTMEMORY_SECRET=$SECRET" | |
| echo "Copy this value now. It will not be printed again." | |
| echo "Stored at: $HMAC_FILE (chmod 600)" | |
| echo "To rotate: delete $HMAC_FILE on the persistent volume and restart." | |
| echo "================================================================" | |
| fi | |
| AGENTMEMORY_SECRET="$(cat "$HMAC_FILE")" | |
| export AGENTMEMORY_SECRET | |
| # The viewer's default 127.0.0.1 bind is unreachable through fly proxy, | |
| # which enters the machine via fly-local-6pn (IPv6). Opt into a | |
| # non-loopback bind ONLY when we're actually inside Fly (detected via | |
| # Fly's runtime variables). A plain `docker run` of this image will not | |
| # see these variables and will keep the safe-by-default loopback bind, | |
| # so it can't silently expose the viewer's bearer-authorized proxy to | |
| # the LAN. VIEWER_ALLOWED_HOSTS is preseeded to the Host headers that | |
| # `fly proxy 3113:3113` actually produces on the operator's laptop. | |
| if [ -n "${FLY_APP_NAME:-}" ] || [ -n "${FLY_ALLOC_ID:-}" ]; then | |
| : "${AGENTMEMORY_VIEWER_HOST:=::}" | |
| : "${VIEWER_ALLOWED_HOSTS:=localhost:3113,127.0.0.1:3113,[::1]:3113}" | |
| export AGENTMEMORY_VIEWER_HOST VIEWER_ALLOWED_HOSTS | |
| fi | |
| exec gosu "$RUN_AS" agentmemory "$@" | |