
Docker Compose deployment (self-hosted)

Vex Raptor is deployed as a set of containers you host. This is the standard self-hosted / sovereign deployment.

Services

Service      Role
vex-raptor   API + web console
worker       Background scan execution (ARQ)
postgres     Persistent database
redis        Queue, rate-limit/quota counters, shared scan state
website      Marketing site (optional; vexraptor.com stack only)

Minimum resources

A small deployment fits on ~2 vCPU / 2 GB RAM. Scans (especially with a browser phase) are memory-sensitive, so tune worker concurrency with ARQ_MAX_JOBS.

Deploy

# 1. Configure
cp .env.example .env
python -c "import secrets; print(secrets.token_hex(64))"   # → SECRET_KEY
# set POSTGRES_PASSWORD, DATABASE_URL, REDIS_URL, ENVIRONMENT=prod

# 2. Start
docker compose up -d
docker compose ps                 # all services healthy

# 3. First admin
docker compose exec vex-raptor python scripts/create_admin.py --role admin

# 4. Verify
curl -s http://localhost:8000/health
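
A pre-flight check for the .env file from step 1, to run before docker compose up -d. This is an added example, not part of Vex Raptor. The 16-character password minimum, the placeholder list, the permission rule and the function names are assumptions, not project requirements.

```shell
#!/bin/sh
# Pre-flight check for .env, run before `docker compose up -d`.
# Added example: thresholds and placeholder list are assumptions, not project rules.

# env_get KEY FILE: print KEY's value (last assignment wins, surrounding quotes stripped).
env_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# check_env FILE: print one FAIL line per problem; exit status 0 only if none.
check_env() {
    file=$1
    problems=0
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }

    # Every variable named in the deploy step must be set.
    for key in SECRET_KEY POSTGRES_PASSWORD DATABASE_URL REDIS_URL ENVIRONMENT; do
        [ -n "$(env_get "$key" "$file")" ] || fail "$key is missing or empty"
    done

    # secrets.token_hex(64) yields exactly 128 lowercase hex characters.
    env_get SECRET_KEY "$file" | grep -Eq '^[0-9a-f]{128}$' ||
        fail "SECRET_KEY is not 128 hex chars (regenerate with secrets.token_hex(64))"
    [ "$(env_get ENVIRONMENT "$file")" = "prod" ] || fail "ENVIRONMENT is not prod"

    # Assumed policy: at least 16 characters and not an obvious placeholder.
    pw=$(env_get POSTGRES_PASSWORD "$file")
    case "$pw" in
        changeme|password|postgres|secret) fail "POSTGRES_PASSWORD is a placeholder" ;;
        *) [ "${#pw}" -ge 16 ] || fail "POSTGRES_PASSWORD is shorter than 16 characters" ;;
    esac

    # The file holds secrets: no group or other permission bits at all.
    [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] ||
        fail "$file is accessible by group/other (chmod 600 $file)"
    [ "$problems" -eq 0 ]
}

# With an argument, check that file; otherwise demo on a constructed sample .env.
if [ $# -gt 0 ]; then
    check_env "$1"
else
    demo=$(mktemp)
    printf 'SECRET_KEY=changeme\nENVIRONMENT=dev\nPOSTGRES_PASSWORD=postgres\n' > "$demo"
    check_env "$demo" || true
    rm -f "$demo"
fi
```

Saved under a name of your choice (for example check_env.sh), it is run as sh check_env.sh .env and exits non-zero if any check fails.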

Reverse proxy & TLS

Run a reverse proxy (nginx, Caddy, Traefik) in front of the API and terminate TLS there. Forward the real client IP to the app. Restrict any metrics endpoint to your internal network.

Upgrades

git pull
docker compose build vex-raptor worker
docker compose up -d vex-raptor worker
curl -s http://localhost:8000/health

Do not destroy volumes

docker compose down -v deletes the PostgreSQL volume — i.e. all your data. Use docker compose up -d / restart for normal operations.

Backups

Back up the PostgreSQL volume (or take a pg_dump) on a schedule. Redis holds ephemeral state and does not need backup.

Air-gapped notes

  • Use a local LLM (OLLAMA_MODEL) so no scan data leaves the host.
  • Leave third-party enrichment keys unset.
  • Product docs (docs-site/): build offline with mkdocs build and serve the site/ folder from your reverse proxy (for example docs.internal.example.com). They are not yet copied into the application Docker image by default.