Self-Hosted
Deploy QANATIX on your own infrastructure with Docker Compose.
Self-Hosted Deployment
Run QANATIX on your own infrastructure. Full control, air-gapped support, data never leaves your network.
Prerequisites
- Docker and Docker Compose v2
- 4 GB RAM minimum (8 GB recommended)
- CPU only — no GPU required
Docker Compose
See Installation for the full docker-compose.yml.
Production checklist
Before going live:
- Set
SECRET_KEYto a random 64-character string (openssl rand -hex 32) - Set strong passwords for Postgres and Redis
- Set
API_KEY_SALTto a random 32+ character string - Set
CONNECTOR_ENCRYPTION_KEYfor database connector credential encryption - Set
DEPLOYMENT_MODE=self_hosted - Set
FRONTEND_URLto your portal domain (e.g.https://portal.example.com) - Configure SMTP for email verification and password reset — or set
REQUIRE_EMAIL_VERIFICATION=falseto skip - (Optional) Configure OAuth for social login (Google, GitHub, GitLab)
- Set up backup for Postgres volumes
- Put a reverse proxy (nginx/Caddy) in front for TLS
- Set
CORS_ORIGINSto your domain(s)
Auth setup
QANATIX includes self-contained authentication — no external auth provider needed.
Minimum (no email)
If you don't have an SMTP server, disable email verification:
SECRET_KEY=your-random-64-char-secret
REQUIRE_EMAIL_VERIFICATION=false
FRONTEND_URL=https://your-portal-domain.comUsers can register and log in immediately without email verification.
With email verification
Configure SMTP to enable email verification and password reset:
SECRET_KEY=your-random-64-char-secret
FRONTEND_URL=https://your-portal-domain.com
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_USER=your-smtp-user
SMTP_PASSWORD=your-smtp-passwordWith social login (optional)
Enable only the providers you need — each one is independent. If you only use GitHub, just set GitHub credentials and skip the rest.
| Provider | Variables |
|---|---|
OAUTH_GOOGLE_CLIENT_ID, OAUTH_GOOGLE_CLIENT_SECRET | |
| GitHub | OAUTH_GITHUB_CLIENT_ID, OAUTH_GITHUB_CLIENT_SECRET |
| GitLab | OAUTH_GITLAB_CLIENT_ID, OAUTH_GITLAB_CLIENT_SECRET |
Example — GitHub only:
OAUTH_GITHUB_CLIENT_ID=your-github-client-id
OAUTH_GITHUB_CLIENT_SECRET=your-github-client-secretThe login page automatically shows buttons only for configured providers.
Set the OAuth callback URL to https://your-api-domain/api/v1/auth/oauth/{provider}/callback when registering the OAuth application (e.g. https://api.example.com/api/v1/auth/oauth/github/callback for GitHub).
See Configuration for all auth-related environment variables.
Scaling
| Component | Scaling strategy |
|---|---|
| API | Horizontal — run multiple qanatix-api containers behind a load balancer |
| Postgres | Collection — single primary, add read replicas for search queries |
| Redis | Single instance is sufficient for most workloads |
Architecture
QANATIX uses Postgres for all data storage and search. Data is instantly queryable the moment it's uploaded — no async processing pipelines. Search uses Postgres full-text search (tsvector) and structured JSONB filters.
The Docker image is slim (~1GB). The container runs as a non-root app user for security.
Air-gapped
For classified environments with no internet:
- Pre-pull all Docker images to an internal registry
- No outbound network required after setup
See Air-gapped for detailed setup.
See Configuration for all environment variables.