# phase-6.md — Deploy: steveternet compose + Traefik, env, docs, model script

Re-ground: `CLAUDE.md` + ADR-0002 (placement), 0010 (security). Plan, get approval, implement. This phase touches **two repos** and must mirror existing steveternet conventions — read them, don't invent.

## Objective

Make foreman deployable on orgrimmar via Komodo, exposed through Traefik, with its model roster and operational notes documented.

## Tasks — read first (gitea MCP, steve/steveternet)

Study these for the exact conventions (network name, entrypoint, certresolver, router/service label format, restart policy, `.env` usage): `kalimdor/orgrimmar/warhol-queue/{docker-compose.yml,.env.example}`, `kalimdor/orgrimmar/ratchet/docker-compose.yml`, `kalimdor/orgrimmar/mort/docker-compose.yml`, and `kalimdor/orgrimmar/traefik/` (incl. `custom/`).

## Tasks — foreman repo

- Finalize the `Dockerfile` from Phase 1 (label image, pin base digests if that's the house style).
- `.env.example`: every config key with safe placeholder values, including `FOREMAN_OLLAMA_URL` (the Mac's Tailscale address) and `FOREMAN_TOKEN`.
- `scripts/pull-models.sh`: the roster pulls (`qwen3:14b`, `qwen3:30b`, `nomic-embed-text`, with the optional ones commented) plus the Mac-side `launchctl setenv OLLAMA_MAX_LOADED_MODELS 2 / OLLAMA_KEEP_ALIVE -1 / OLLAMA_CONTEXT_LENGTH 8192` lines as comments.
- `docs/deploy.md`: how it deploys (Komodo + compose), the security model (Traefik internal-only or Tailscale; **not** a public entrypoint; Ollama target firewalled to foreman), and the Mac prerequisites (Ollama bound to the tailnet, `caffeinate`/`pmset`).

## Tasks — steveternet repo (gitea MCP; branch/PR, not main)

- Create `kalimdor/orgrimmar/foreman/docker-compose.yml` mirroring the analogs: pull the foreman image from the gitea registry, the standard Traefik network + router/service labels, `restart` policy, env from `.env`, and a named volume for the SQLite DB. Decide (and note) whether the router is internal-only.
- Add `kalimdor/orgrimmar/foreman/.env.example`.
- If host-level routing belongs in `traefik/custom/` (as some services do), add the file there instead/as-well, following those examples.

## Definition of done

- `docker build .` clean; compose validates (`docker compose config`).
- Labels/network/entrypoint match a sibling service exactly (diff against `ratchet`/`warhol-queue` and confirm).
- `docs/deploy.md` is enough for a cold deploy. steveternet changes are on a branch/PR for review.

Wrap up: `progress.md` (mark the project deployable), commit foreman docs/scripts on `phase-6-deploy`; report the steveternet branch/PR. Then give me a short end-to-end smoke-test checklist (pull models on the Mac → deploy foreman → go-llm chat → `POST /jobs` with a webhook).
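
The label check from the Definition of done, sketched as shell functions (an added example, not code from foreman or steveternet): it masks the service name and port so that only convention drift, such as a different entrypoint, shows in the diff. The function names and the sample entrypoint and host values are constructed placeholders, and list-style labels are assumed.

```shell
#!/bin/sh
# Added example. Assumes list-style labels (- "traefik.x=y") in both files.

# Print FILE's traefik labels, sorted, with service NAME and port masked.
traefik_shape() {
  grep -E '^[[:space:]]*-[[:space:]]*"?traefik\.' "$1" |
    sed -E -e 's/^[[:space:]]*-[[:space:]]*"?//' -e 's/"?[[:space:]]*$//' \
      -e "s/$2/<svc>/g" \
      -e 's/(loadbalancer\.server\.port=)[0-9]+/\1<port>/' |
    LC_ALL=C sort
}

# same_shape FILE_A NAME_A FILE_B NAME_B: 0 if label sets match, else print diff.
same_shape() {
  a=$(mktemp) b=$(mktemp) rc=0
  traefik_shape "$1" "$2" >"$a"
  traefik_shape "$3" "$4" >"$b"
  diff -u "$a" "$b" || rc=$?
  rm -f "$a" "$b"
  return "$rc"
}

# Constructed samples: entrypoint and host names are placeholders, not
# steveternet's real values.
write_samples() {
  cat >"$1/ratchet.yml" <<'EOF'
services:
  ratchet:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ratchet.rule=Host(`ratchet.example.internal`)"
      - "traefik.http.routers.ratchet.entrypoints=internal"
      - "traefik.http.services.ratchet.loadbalancer.server.port=3000"
EOF
  sed -e 's/ratchet/foreman/g' -e 's/port=3000/port=8080/' \
    "$1/ratchet.yml" >"$1/foreman-ok.yml"
  # Drifted copy: router moved to a different entrypoint.
  sed 's/entrypoints=internal/entrypoints=public/' \
    "$1/foreman-ok.yml" >"$1/foreman-bad.yml"
}
```

Against the real files, pass the sibling's compose path and service name first, then foreman's; a non-empty diff is the drift to resolve before the PR.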