> ## Documentation Index
> Fetch the complete documentation index at: https://docs.interaone.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Self-hosting overview

> Plan a secure InteraOne deployment, understand supported deployment shapes, and follow the production readiness checklist.

InteraOne ships a production Docker Compose stack with Caddy, the five application services, MongoDB, Redis, MinIO, Qdrant, and Dozzle. You bring DNS, TLS-reachable hosts, persistent storage, provider credentials, and an operational backup plan.

<CardGroup cols={2}>
  <Card title="Deployment architecture" icon="network" href="/self-hosting/architecture">
    Understand public entry points, private dependencies, and stateful volumes.
  </Card>

  <Card title="Installation" icon="download" href="/self-hosting/installation">
    Prepare a Linux host and launch the published images.
  </Card>

  <Card title="Environment variables" icon="key-round" href="/self-hosting/environment-variables">
    Configure shared secrets, URLs, providers, storage, and runtime behavior.
  </Card>

  <Card title="Caddy" icon="shield-check" href="/self-hosting/reverse-proxy-caddy">
    Route API, web, CDN, logs, WebSockets, and automatic TLS.
  </Card>
</CardGroup>

## Supported deployment shapes

<Tabs>
  <Tab title="Single host">
    Run the provided Compose stack on one VM. This is the documented baseline and the simplest way to keep service discovery, secrets, and upgrades consistent.
  </Tab>

  <Tab title="Managed data services">
    Keep application containers on your host while pointing MongoDB, Redis, object storage, or Qdrant at managed equivalents. Validate protocol compatibility and network latency before production use.
  </Tab>

  <Tab title="Orchestrated">
    Translate services, health checks, volumes, and dependencies into your orchestrator. The repository does not currently ship first-party Kubernetes manifests, so your platform team owns that translation.
  </Tab>
</Tabs>

## Public and private surfaces

| Surface                | Exposure         | Notes                                                                             |
| ---------------------- | ---------------- | --------------------------------------------------------------------------------- |
| Caddy `80/443`         | Public           | Redirects HTTP, terminates TLS, and proxies web/API/CDN/log hosts                 |
| Console                | Through Caddy    | Container port `3000`; bound to loopback by the production Compose file           |
| Gateway                | Through Caddy    | Container port `3002`; includes REST and Socket.IO                                |
| MinIO assets           | Through CDN host | Object storage itself remains private; expose only the required public asset path |
| Dozzle                 | Restricted       | Protect the log host and its credentials; logs can contain operational metadata   |
| MongoDB, Redis, Qdrant | Private          | Never expose these ports publicly                                                 |
| Agent and worker       | Private          | Background processes with no customer-facing ingress                              |

## Production readiness

* [ ] Public traffic terminates over HTTPS at Caddy or another trusted proxy.
* [ ] MongoDB, Redis, Qdrant, and MinIO are not directly reachable from the internet.
* [ ] Every example credential and signing secret has been replaced.
* [ ] Persistent volumes are backed up and a restore has been tested.
* [ ] Gateway, agent, worker, database, queue, and storage health are monitored.
* [ ] Container images are pinned to a reviewed release for repeatable deployments.
* [ ] CORS, allowed domains, email delivery, widget origin checks, and rate limits match production policy.

<Warning>
  Never commit `.env` files, provider keys, JWT secrets, database credentials, or
  `AI_TOOL_SECRET`. Use different credentials in every environment and keep
  MongoDB, Redis, Qdrant, and MinIO private behind the application network.
</Warning>

## Recommended reading order

<Steps>
  <Step title="Understand the topology">
    Read [deployment architecture](/self-hosting/architecture) and identify every stateful component.
  </Step>

  <Step title="Install and configure">
    Follow [installation](/self-hosting/installation), then complete the [environment reference](/self-hosting/environment-variables).
  </Step>

  <Step title="Expose it safely">
    Configure [Docker Compose](/self-hosting/docker-compose) and [Caddy](/self-hosting/reverse-proxy-caddy) with real domains and HTTPS.
  </Step>

  <Step title="Operate and upgrade">
    Establish backups, monitoring, and a tested procedure from [updating and upgrading](/self-hosting/updating-and-upgrading).
  </Step>
</Steps>

<Warning>
  The development Compose file contains intentionally simple local credentials and broad development access. It is not a production template.
</Warning>
