Deploy
:::info Stub
This is a starter outline. The full deployment guide is being ported from the
layer8-proxy-site repo. The quickstart below is the working shape; the
per-step detail will be filled in.
:::
Layer8 Proxy deploys as a Docker Compose bundle driven from a per-host site repo that pins a version, holds sealed credentials, and declares per-agent ACLs.
Prerequisites
- Docker (or Podman —
export COMPOSE="podman compose"). - A
layer8-proxy-siteclone for the target host. - Provider API keys and the lf-scan internal token.
Quickstart
# 1. Configure .env (provider keys + LF_SCAN_INTERNAL_TOKEN + backup creds).
cp .env.example .env
nano .env
# 2. Pin the layer8-proxy version.
nano site.cfg # set layer8_version=vX.Y.Z
# 3. Bootstrap sealed secrets that locksmith reads at startup.
echo -n "$LF_SCAN_INTERNAL_TOKEN" | ./secrets.bootstrap.sh lf_scan_token --from-stdin
echo -n "your-restic-passphrase" | ./secrets.bootstrap.sh restic_password --from-stdin
# 4. Generate the operator credential.
LOCKSMITH_CREDS_PASSPHRASE="..." ./scripts/bootstrap-operator.py
# 5. Deploy the proxy stack (render + verify + docker compose up).
./deploy.sh
# 6. Smoke test.
curl http://127.0.0.1:9200/livez
# 7. Declare agents and register them.
cp agents.yaml.example agents.yaml
nano agents.yaml
./scripts/register-agents.sh
# Each agent gets a bearer; copy each ONCE to the corresponding agent host.
OAuth providers
To enable OAuth providers (codex, copilot, anthropic-oauth, gemini-cli, qwen-cli), supply a 32-byte sealing key and bootstrap each session once:
LOCKSMITH_OAUTH_SEALING_KEY="$(openssl rand -base64 32)"
echo -n "$LOCKSMITH_OAUTH_SEALING_KEY" \
| ./secrets.bootstrap.sh oauth_sealing_key --from-stdin
docker exec layer8-locksmith /usr/local/bin/locksmith oauth bootstrap codex \
--refresh-token "<refresh-token-from-providers-flow>"
To be documented
- Rendering + verification (
render_configs.py,verify_configs.py) and drift refusal. - Sealed-cred mechanics (systemd-creds on Linux, openssl-AES on macOS dev).
- Backup automation (restic snapshot of locksmith state + sealed creds).
- Per-host override files (
docker-compose.override.yml). - Podman notes.
See also
- Architecture — the broker/ACL/egress model and
kindtaxonomy. - Agent Locksmith getting started — the standalone (no-bundle) developer path.