Self-host NexBasira
The same Docker stack that runs our managed SaaS is what we ship on-prem. Same Django backend, same React SPA, same audit chain. Available on the Enterprise tier with a DPA + InfoSec questionnaire pack.
`docs/SELF_HOST.md` in the source repo — we ship it to Enterprise customers with their install package. Reach out via Contact (Enterprise) to start the conversation.
Why self-host
- Regulatory mandate — your sector or jurisdiction requires evidence to live on your infrastructure.
- Network isolation — your inspectors operate inside a VPN; outbound to a SaaS isn't an option.
- Custom data residency — you need to land data in a specific region or sovereign cloud.
- Cost predictability at scale — at >5k inspections/month, dedicated infra is often cheaper than the per-inspection tier.
Architecture
Six services (plus your existing identity provider for SSO):
| Service | What it does | Image |
|---|---|---|
| caddy | TLS termination, HTTP routing, static asset serving | caddy:2 |
| backend | Django app — REST API, audit chain, SCIM, signing | ghcr.io/codelounge-io/certivisiopro/api (your tag) |
| frontend | Nginx serving the built SPA + marketing static | ghcr.io/codelounge-io/certivisiopro/web |
| postgres | Primary data store, RLS-enforced tenant isolation | postgres:16 |
| redis | Celery broker + cache + session store | redis:7 |
| celery-worker + celery-beat | Background tasks (TSA polling, recording post-process, retention sweep) | same as backend |
| livekit | WebRTC SFU for the live video plane | livekit/livekit-server |
| minio (optional) | S3-compatible object storage for evidence + recordings | minio/minio |
For object storage, you can also point at any S3-compatible service (AWS S3, Wasabi, OVH Object Storage, your existing on-prem Ceph cluster). MinIO is included as a default for true air-gap installs.
Minimum requirements
| Concern | Minimum | Comfortable |
|---|---|---|
| OS | Linux x86_64 (Ubuntu 22.04 LTS or Debian 12) | same |
| Docker / Compose | Docker 24 + Compose v2 | same |
| CPU | 4 vCPU | 8 vCPU |
| RAM | 8 GB | 16 GB |
| Disk | 200 GB SSD (DB + initial evidence) | 500 GB + S3-compatible object storage for recordings |
| Network | Static IP, ports 443 + WebRTC (LiveKit) reachable | same |
| TLS | Caddy auto-provisions via Let's Encrypt | BYO-cert for closed networks |
Bootstrap
Roughly the shape the install script automates:
```bash
# 1. Clone the released bundle
git clone --depth 1 https://github.com/codelounge-io/nexbasira-onprem.git
cd nexbasira-onprem
# 2. Fill in env from the example
cp .env.example .env
$EDITOR .env # set DOMAIN, SECRET_KEY, DB password, S3 creds, LiveKit keys
# 3. Pull pinned images
docker compose pull
# 4. Run migrations + create the platform superuser
docker compose run --rm backend python manage.py migrate
docker compose run --rm backend python manage.py createsuperuser
# 5. Start everything
docker compose up -d
# 6. Tail the logs until you see the audit-chain self-test pass
docker compose logs -f backend | grep "audit chain self-test"
```
On a clean Ubuntu 22.04 VPS the whole sequence runs in about 5 minutes.
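Step 2 is where most first installs go wrong: a `.env` that still carries `.env.example` placeholders reaches `docker compose up -d` and the stack boots with guessable secrets. The check below is an added example, not part of the install bundle. Only `DOMAIN` and `SECRET_KEY` are named on this page; the other variable names (`POSTGRES_PASSWORD`, `S3_ACCESS_KEY`, `S3_SECRET_KEY`, `LIVEKIT_API_KEY`, `LIVEKIT_API_SECRET`) are assumptions to adjust against the real `.env.example`, and treating `DOMAIN` as a bare hostname is likewise an assumption.

```python
"""Pre-flight check for the .env filled in at bootstrap step 2.

Added example, not the project's own code. Variable names other than
DOMAIN and SECRET_KEY are assumptions; match them to .env.example.
"""

# Assumed variable names (only DOMAIN and SECRET_KEY come from the docs).
REQUIRED = [
    "DOMAIN", "SECRET_KEY", "POSTGRES_PASSWORD",
    "S3_ACCESS_KEY", "S3_SECRET_KEY",
    "LIVEKIT_API_KEY", "LIVEKIT_API_SECRET",
]
# Values that mean "nobody filled this in yet".
PLACEHOLDERS = {"", "changeme", "change-me", "todo", "xxx", "replace-me"}
MIN_SECRET_LEN = 32  # Django SECRET_KEY should be long and random

# Constructed sample .env with typical mistakes (not a real install).
SAMPLE_ENV = """\
# constructed sample
DOMAIN=https://inspect.example.com
SECRET_KEY=changeme
POSTGRES_PASSWORD="s3cure-pg-pass-example"
S3_ACCESS_KEY=AKIAEXAMPLE
S3_SECRET_KEY=
LIVEKIT_API_KEY=lk-example
"""


def parse_env(text: str) -> dict:
    """Minimal dotenv parser: KEY=VALUE lines, '#' comments, optional quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def check_env(env: dict) -> list:
    """Return a list of human-readable problems; empty list means go."""
    problems = []
    for key in REQUIRED:
        if env.get(key, "").strip().lower() in PLACEHOLDERS:
            problems.append(f"{key}: missing or placeholder value")
    secret = env.get("SECRET_KEY", "")
    # Length check only matters once a real value is present.
    if secret.lower() not in PLACEHOLDERS and len(secret) < MIN_SECRET_LEN:
        problems.append(f"SECRET_KEY: {len(secret)} chars, want >= {MIN_SECRET_LEN}")
    domain = env.get("DOMAIN", "")
    # Assumption: Caddy expects a bare hostname, not a URL.
    if "://" in domain or "/" in domain:
        problems.append("DOMAIN: use a bare hostname, not a URL")
    return problems


def check_text(text: str) -> list:
    return check_env(parse_env(text))


if __name__ == "__main__":
    for problem in check_text(SAMPLE_ENV):
        print("FAIL", problem)
```

Run it against the real file with `python check_env.py < .env` (after swapping `SAMPLE_ENV` for `sys.stdin.read()`), and gate step 5 on an empty result.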
What you get out of the box
- Both `app.<your-domain>` (SPA) + `<your-domain>` (marketing site, optional) on a single Caddy.
- Automatic TLS via Let's Encrypt — or pin to a private CA on closed networks.
- Postgres RLS migrations + the four system roles seeded.
- Audit-chain Postgres trigger (append-only).
- Demo session seeder so first-time admins can poke around with realistic data.
Day-2 ops
- Backups — Postgres logical dump nightly + S3 lifecycle for objects. The `docs/SELF_HOST.md` runbook includes restore-from-backup smoke tests, including `audit-chain verify`.
- Upgrades — pull the new image tag, `docker compose up -d`. Schema migrations are forward-only + tested in CI; rollback is documented for last-resort use.
- Observability — Django emits structured JSON logs with `tenant_id` + `session_id` labels; route to your existing log aggregator.
- Metrics — Prometheus exporter endpoint on the backend; scrape from your monitoring stack.
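The append-only audit-chain trigger listed under "What you get out of the box" and the `audit-chain verify` smoke test in the backup runbook rest on one idea: every record commits to the hash of the record before it, so an edit, a deletion or a reordering anywhere in history is detectable by replaying the chain. The following is an added, self-contained illustration of that idea in Python (the backend's language), not NexBasira's trigger or its verify command; the record layout, the `GENESIS` sentinel and the sample events are constructed for the example.

```python
"""Hash-chained, append-only audit log: conceptual illustration.

Added example, not the project's implementation. Shows what a
restore-time verify can detect: edited content, a deleted row, and
a rewritten row whose neighbours were not updated.
"""
from __future__ import annotations

import copy
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # constructed sentinel prev_hash for the first record


def record_hash(prev_hash: str, seq: int, payload: dict) -> str:
    # Canonical JSON so the same event always hashes the same way.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{seq}|{body}".encode()).hexdigest()


@dataclass
class AuditChain:
    records: list = field(default_factory=list)

    def append(self, payload: dict) -> dict:
        # Only append exists: there is deliberately no update or delete.
        prev = self.records[-1]["hash"] if self.records else GENESIS
        seq = len(self.records) + 1
        rec = {"seq": seq, "prev_hash": prev, "payload": payload,
               "hash": record_hash(prev, seq, payload)}
        self.records.append(rec)
        return rec


def verify(records: list) -> tuple[bool, str]:
    """Replay the chain; return (ok, detail) naming the first broken link."""
    expected_prev = GENESIS
    for i, rec in enumerate(records, start=1):
        if rec["seq"] != i:
            return False, f"gap or reorder at position {i} (seq={rec['seq']})"
        if rec["prev_hash"] != expected_prev:
            return False, f"prev_hash mismatch at seq {i}"
        if record_hash(rec["prev_hash"], i, rec["payload"]) != rec["hash"]:
            return False, f"content tampered at seq {i}"
        expected_prev = rec["hash"]
    return True, f"{len(records)} records verified"


def build_sample_chain() -> AuditChain:
    # Constructed events in the shape an inspection session might log.
    chain = AuditChain()
    base = {"tenant_id": "t-1", "session_id": "s-42"}
    chain.append({**base, "event": "session.start"})
    chain.append({**base, "event": "photo.captured"})
    chain.append({**base, "event": "session.signed"})
    return chain


def tampered_edit(records: list) -> list:
    """Change a payload without touching its hash (naive edit)."""
    bad = copy.deepcopy(records)
    bad[1]["payload"]["event"] = "photo.deleted"
    return bad


def tampered_rewrite(records: list) -> list:
    """Change a payload and recompute its own hash; the successor still points at the old one."""
    bad = copy.deepcopy(records)
    bad[1]["payload"]["event"] = "photo.deleted"
    bad[1]["hash"] = record_hash(bad[1]["prev_hash"], 2, bad[1]["payload"])
    return bad


def tampered_delete(records: list) -> list:
    """Remove a middle record; the sequence numbers expose the gap."""
    bad = copy.deepcopy(records)
    del bad[1]
    return bad


if __name__ == "__main__":
    chain = build_sample_chain()
    for label, recs in [("intact", chain.records),
                        ("edit", tampered_edit(chain.records)),
                        ("rewrite", tampered_rewrite(chain.records)),
                        ("delete", tampered_delete(chain.records))]:
        print(f"{label:8} {verify(recs)}")
```

The `tampered_rewrite` case is the one worth internalising: recomputing a single row's hash is not enough, because the next row's `prev_hash` still commits to the original, which is why a restore smoke test that replays the whole chain catches what a per-row checksum would not.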
What's different from managed SaaS
| Concern | Managed SaaS | Self-host |
|---|---|---|
| TSA backends | YodaLedger + FreeTSA + OpenTimestamps configured by default | Configurable. You can disable any; you can plug in a paid QTSP (DataSure) directly. |
| Recording storage | EU S3 with lifecycle to Glacier | Your S3-compatible bucket; lifecycle is on you. |
| Email delivery | Sendgrid in our infra | Configure SMTP env vars to your own relay. |
| SMS delivery | Twilio in our infra (opt-in) | Twilio with your own account, or null backend if not used. |
| Stripe billing | Built-in | Disabled by default — self-host implies your own billing contract. |
| Updates | We deploy | You pull image tags on your cadence. |
Support
Enterprise self-host customers get a dedicated Slack + Connect channel, 1-hour SLA, scheduled upgrade walkthroughs, and direct access to our on-call rotation for production incidents.
What's next
- Start an Enterprise conversation
- Security posture — what's in the InfoSec questionnaire pack
- DPA — what's in the contract package