diff --git a/obsidian-sync/docker-compose.yml b/obsidian-sync/docker-compose.yml
new file mode 100644
index 0000000..2521b2e
--- /dev/null
+++ b/obsidian-sync/docker-compose.yml
@@ -0,0 +1,64 @@
+# =============================================================================
+# obsidian-sync : CouchDB hub for Obsidian Self-hosted LiveSync
+# Deploy as a Dokploy "Compose" app. Image is pulled (no build).
+# Public endpoint: https://couchdb.manohargupta.com  (CouchDB-native auth only)
+# =============================================================================
+services:
+  couchdb:
+    # Pin a known-good 3.x line. LiveSync needs >=3.2; 3.3 is well-tested.
+    image: couchdb:3.3
+    container_name: obsidian-couchdb
+    restart: unless-stopped
+
+    # Admin credentials come from Dokploy's Environment tab (NOT hard-coded here,
+    # so they never land in git). Set COUCHDB_USER / COUCHDB_PASSWORD in the UI.
+    environment:
+      - COUCHDB_USER=${COUCHDB_USER}
+      - COUCHDB_PASSWORD=${COUCHDB_PASSWORD}
+
+    volumes:
+      # Persistent database files (named volume, survives redeploys).
+      - couchdb-data:/opt/couchdb/data
+      # LiveSync-tuned config. Mounted into the *.d override dir so it layers on
+      # top of CouchDB's defaults without us editing the base file.
+      - ./couchdb/local.ini:/opt/couchdb/etc/local.d/10-livesync.ini:ro
+
+    # Guardrail on a RAM-tight box. CouchDB idles ~150-300MB; cap keeps a runaway
+    # query from eating your headroom. Swap still absorbs brief spikes.
+    mem_limit: 768m
+
+    healthcheck:
+      # _up is CouchDB's lightweight liveness endpoint (no auth needed).
+      test: ["CMD", "curl", "-f", "http://localhost:5984/_up"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 30s
+
+    networks:
+      - dokploy-network
+
+    labels:
+      - traefik.enable=true
+      # --- HTTP router on :80 (serves the ACME challenge; matches your Dokploy
+      #     convention seen on position-tracker). CouchDB 401s unauth requests
+      #     itself, so no auth middleware needed here. ---
+      - traefik.http.routers.obsidian-couchdb-http.rule=Host(`couchdb.manohargupta.com`)
+      - traefik.http.routers.obsidian-couchdb-http.entrypoints=web
+      # --- HTTPS router on :443 ---
+      - traefik.http.routers.obsidian-couchdb.rule=Host(`couchdb.manohargupta.com`)
+      - traefik.http.routers.obsidian-couchdb.entrypoints=websecure
+      - traefik.http.routers.obsidian-couchdb.tls=true
+      - traefik.http.routers.obsidian-couchdb.tls.certresolver=letsencrypt
+      # --- Service: CouchDB listens on 5984 ---
+      - traefik.http.services.obsidian-couchdb.loadbalancer.server.port=5984
+      # Tell Traefik which network to reach the container on (overlay).
+      - traefik.docker.network=dokploy-network
+      # NOTE: deliberately NO basicauth middleware here. CouchDB does its own auth.
+
+networks:
+  dokploy-network:
+    external: true
+
+volumes:
+  couchdb-data: