Docker Compose Deployment¶

The docker-compose.yml at the repository root defines the complete Verity development environment. It orchestrates all infrastructure dependencies and application services with health checks, shared configuration, and proper startup ordering.

Service Architecture¶

graph TB
    subgraph Infrastructure
        PG["PostgreSQL<br/>(TimescaleDB)<br/>:5432"]
        CH["ClickHouse<br/>:8123 / :9000"]
        KAFKA["Apache Kafka<br/>:9092"]
        REDIS["Redis<br/>:6379"]
        TEMPORAL["Temporal Server<br/>:7233"]
        TEMPORAL_UI["Temporal UI<br/>:8233"]
    end

    subgraph Init
        INIT_DB["init-db"]
        SEED["seed-data<br/><i>(tools profile)</i>"]
    end

    subgraph Connectors["Connectors (connectors profile)"]
        C_AAD["connector-aad"]
        C_FABRIC["connector-fabric"]
        C_SYNAPSE["connector-synapse"]
        C_DATABRICKS["connector-databricks"]
        C_POSTGRES["connector-postgres"]
        C_HR["connector-hr"]
    end

    subgraph Ingestion
        ID_RESOLVER["identity-resolver<br/>:8001"]
        ASSET_CLASS["asset-classifier<br/>:8002"]
        ENRICHER["event-enricher"]
    end

    subgraph Analytics
        DECAY["decay-engine"]
        PEER["peer-analyser"]
        ANOMALY["anomaly-detector"]
    end

    subgraph Decision
        REVIEW_GEN["review-generator"]
        WORKFLOW["workflow-engine"]
    end

    subgraph Remediation
        REMEDIATION_EXEC["remediation-executor<br/>:8005"]
    end

    subgraph Audit
        AUDIT_WRITER["audit-writer"]
        COMPLIANCE["compliance-reporter<br/>:8006"]
    end

    subgraph Frontend
        API["api-gateway<br/>:8000"]
        UI["frontend<br/>:3000"]
    end

    INIT_DB --> PG
    INIT_DB --> CH
    C_AAD & C_FABRIC --> KAFKA
    C_AAD & C_FABRIC --> PG
    ENRICHER --> KAFKA
    ENRICHER --> ID_RESOLVER
    ENRICHER --> ASSET_CLASS
    DECAY --> PG & KAFKA & REDIS
    REVIEW_GEN --> PG & TEMPORAL & KAFKA
    WORKFLOW --> PG & TEMPORAL & KAFKA
    REMEDIATION_EXEC --> PG & KAFKA
    AUDIT_WRITER --> KAFKA & CH
    COMPLIANCE --> CH
    API --> PG & REDIS & TEMPORAL & CH
    UI --> API

Containers¶

The compose file defines the following containers across infrastructure, init, and application layers:

Infrastructure Services¶

Service	Image	Port(s)	Description
`postgres`	`timescale/timescaledb:latest-pg16`	`5432`	TimescaleDB (PostgreSQL 16 + hypertables)
`clickhouse`	`clickhouse/clickhouse-server:latest`	`8123`, `9000`	Analytics OLAP database
`kafka`	`apache/kafka:latest`	`9092`	Event streaming (KRaft mode, no ZooKeeper)
`redis`	`redis:7.2-alpine`	`6379`	Caching and rate limiting
`temporal`	`temporalio/auto-setup:latest`	`7233`	Workflow orchestration
`temporal-ui`	`temporalio/ui:latest`	`8233`	Temporal web dashboard

Init / Seed Services¶

Service	Description
`init-db`	Runs `db/init.py` to create schemas in PostgreSQL and ClickHouse
`seed-data`	Loads sample data (profile: `tools`)

Application Services¶

Service	Port	Description
`connector-aad`	—	Azure AD / Entra ID connector (profile: `connectors`)
`connector-fabric`	—	Microsoft Fabric connector (profile: `connectors`)
`connector-synapse`	—	Azure Synapse connector (profile: `connectors`)
`connector-databricks`	—	Databricks connector (profile: `connectors`)
`connector-postgres`	—	PostgreSQL audit connector (profile: `connectors`)
`connector-hr`	—	HR system connector (profile: `connectors`)
`identity-resolver`	`8001`	Resolves external identity references to Verity principals
`asset-classifier`	`8002`	Classifies and registers discovered data assets
`event-enricher`	—	Enriches raw events with resolved IDs
`decay-engine`	—	Computes access decay scores
`peer-analyser`	—	Analyses peer group access patterns
`anomaly-detector`	—	Detects anomalous access patterns
`review-generator`	—	Generates review packets for decayed access
`workflow-engine`	—	Temporal worker for review/remediation workflows
`remediation-executor`	`8005`	Executes access revocation on source platforms
`audit-writer`	—	Writes audit trail events to ClickHouse
`compliance-reporter`	`8006`	Generates compliance reports from ClickHouse
`api-gateway`	`8000`	FastAPI REST API
`frontend`	`3000`	React dashboard UI

Shared Configuration¶

All application services share environment variables through a YAML anchor:

x-app-env: &app-env
  VERITY_PG_HOST: postgres
  VERITY_PG_PORT: "5432"
  VERITY_PG_USER: verity
  VERITY_PG_PASSWORD: verity_dev
  VERITY_PG_DATABASE: verity
  DB_HOST: postgres
  DB_PORT: "5432"
  DB_USER: verity
  DB_PASSWORD: verity_dev
  DB_DATABASE: verity
  KAFKA_BOOTSTRAP_SERVERS: kafka:9092
  REDIS_URL: redis://redis:6379
  TEMPORAL_HOST: temporal:7233
  CLICKHOUSE_HOST: clickhouse
  CLICKHOUSE_PORT: "8123"

Services reference this anchor with <<: *app-env and override as needed:

api-gateway:
  environment:
    <<: *app-env
    API_DEV_MODE: "true"

Health Checks¶

Every infrastructure service defines a health check for reliable startup ordering:

Service	Health Check	Interval
PostgreSQL	`pg_isready -U verity`	5s
ClickHouse	`clickhouse-client --query "SELECT 1"`	5s
Kafka	`kafka-broker-api-versions.sh`	10s (30s start period)
Redis	`redis-cli ping`	5s
Temporal	`temporal operator cluster health`	10s (60s start period)

Application services use depends_on with condition: service_healthy to ensure infrastructure is ready before starting.

Volumes¶

Persistent data volumes:

Volume	Service	Mount Point
`postgres-data`	PostgreSQL	`/var/lib/postgresql/data`
`clickhouse-data`	ClickHouse	`/var/lib/clickhouse`
`kafka-data`	Kafka	`/var/lib/kafka/data`
`redis-data`	Redis	`/data`

Port Summary¶

Port	Service	Protocol
`3000`	Dashboard UI	HTTP
`5432`	PostgreSQL	PostgreSQL
`6379`	Redis	Redis
`7233`	Temporal	gRPC
`8000`	API Gateway	HTTP
`8001`	Identity Resolver	HTTP
`8002`	Asset Classifier	HTTP
`8005`	Remediation Executor	HTTP
`8006`	Compliance Reporter	HTTP
`8123`	ClickHouse	HTTP
`8233`	Temporal UI	HTTP
`9000`	ClickHouse	Native
`9092`	Kafka	Kafka

Docker Compose Profiles¶

Some services are gated behind profiles to keep the default startup lightweight:

Profile	Services	Use Case
(default)	Infrastructure + core services	Standard development
`connectors`	All connector services	Testing with real Azure/cloud connectors
`tools`	`seed-data`	Loading sample/demo data

Quick Start¶

# Start core infrastructure and services
docker compose up -d

# Wait for health checks
docker compose up -d --wait

# Initialise database schemas (runs automatically via init-db)
# To load seed data:
docker compose --profile tools run --rm seed-data

# Start connectors (requires Azure credentials in .env)
docker compose --profile connectors up -d

# View logs
docker compose logs -f api-gateway

# Tear down
docker compose down

# Tear down and remove volumes
docker compose down -v

Seed Data¶

To load sample data for development and demo purposes:

docker compose --profile tools run --rm seed-data

This runs db/seed.py which populates PostgreSQL with sample principals, assets, access grants, and review packets.