Docker Compose deployment (self-hosted)
Vex Raptor is deployed as a set of containers you host. This is the standard self-hosted / sovereign deployment.
Services

| Service | Role |
|---|---|
| `vex-raptor` | API + web console |
| `worker` | Background scan execution (ARQ) |
| `postgres` | Persistent database |
| `redis` | Queue, rate-limit/quota counters, shared scan state |
| `website` | Marketing site (optional; vexraptor.com stack only) |

Minimum resources
A small deployment fits on ~2 vCPU / 2 GB RAM. Scans (especially with a browser
phase) are memory-sensitive, so tune worker concurrency with ARQ_MAX_JOBS.
Deploy

```bash
# 1. Configure
cp .env.example .env
python -c "import secrets; print(secrets.token_hex(64))"  # → SECRET_KEY
# set POSTGRES_PASSWORD, DATABASE_URL, REDIS_URL, ENVIRONMENT=prod

# 2. Start
docker compose up -d
docker compose ps  # all services healthy

# 3. First admin
docker compose exec vex-raptor python scripts/create_admin.py --role admin

# 4. Verify
curl -s http://localhost:8000/health
```

Reverse proxy & TLS
Run a reverse proxy (nginx, Caddy, Traefik) in front of the API and terminate TLS there. Forward the real client IP to the app. Restrict any metrics endpoint to your internal network.
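
One way to apply the three points above with nginx, as an added example that is not part of the Vex Raptor project's own configuration. The hostname, certificate paths, the `/metrics` path, the internal address range, and which forwarded header the app reads are assumptions; only port 8000 comes from this page.

```nginx
# Added example. Assumed values: server_name, certificate paths,
# the /metrics path and the 10.0.0.0/8 internal range.

# Redirect plain HTTP to HTTPS.
server {
    listen 80;
    server_name raptor.internal.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name raptor.internal.example.com;

    # TLS is terminated here; the hop to the API is local plain HTTP.
    ssl_certificate     /etc/nginx/tls/raptor.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/raptor.key;  # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Forward the real client IP. Overwrite rather than append:
    # $remote_addr is the peer nginx itself saw, so a client-supplied
    # X-Forwarded-For value never reaches the app.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Metrics endpoint: internal network only (path is an assumption).
    location /metrics {
        allow 10.0.0.0/8;
        allow 127.0.0.1;
        deny  all;
        proxy_pass http://127.0.0.1:8000;
    }

    # Everything else goes to the API + web console.
    location / {
        proxy_pass http://127.0.0.1:8000;
    }
}
```

The allow/deny rule and the forwarded address only hold if port 8000 is unreachable except through the proxy, so check how the compose file publishes that port.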
Upgrades

```bash
git pull
docker compose build vex-raptor worker
docker compose up -d vex-raptor worker
curl -s http://localhost:8000/health
```

Do not destroy volumes
`docker compose down -v` deletes the PostgreSQL volume, i.e. all your data.
Use `docker compose up -d` / `restart` for normal operations.
Backups
Back up the PostgreSQL volume (or pg_dump) on a schedule. Redis holds
ephemeral state and does not need backup.
Air-gapped notes

- Use a local LLM (`OLLAMA_MODEL`) so no scan data leaves the host.
- Leave third-party enrichment keys unset.
- Product docs (`docs-site/`): build offline with `mkdocs build` and serve the `site/` folder from your reverse proxy (for example `docs.internal.example.com`). They are not yet copied into the application Docker image by default.