Self-host Auxot stage by stage

Move from the official Docker Compose bring-up through production-shaped choices — managed Postgres and Redis, pinned images, TLS, and systemd or Kubernetes — without pretending air-gapped labs are the same job as a single laptop experiment.

Plus: three Admin-Agent briefings — paste infra constraints and get a staged checklist; reconcile port and URL docs across compose vs IDE samples; draft a handoff note for security review against the published checklist.

Audience	Admins · Developers
Time	~10 min
Prerequisites	Org accountability for where Auxot runs (even if you only sketch the plan). Comfort editing env files or manifests. Helpful: [View and manage your License](/tutorials/view-and-manage-your-license) (tier + key placement); [Run the open-source inference router](/tutorials/run-the-open-source-inference-router) when contrasting OSS `auxot-router` vs Auxot Server.
You'll end up with	A clear stage 0 → stage 3 plan mapped to [Deployment](/docs/self-hosting/deployment), [Configuration](/docs/getting-started/configuration), and [Security](/docs/self-hosting/security) — plus explicit pointers for workers ([Connect a GPU worker](/tutorials/connect-a-gpu-worker), [Run the tools worker (auxot-tools)](/tutorials/run-the-tools-worker)) that stay outside the server binary.

When a tutorial shows italic text in quotation marks, it usually mirrors a label or helper string inside Auxot. Product copy changes between releases — if something reads differently in your workspace, trust what you see on screen.

Callouts with a Worth knowing gold accent are meant as must-read context before you move on. Blockquotes that open with Tip are lighter, optional depth.

Why this matters

Self-hosting isn’t one checkbox. It’s staged:

Prove the binary: Postgres + Redis + AUXOT_SECRET_KEY, migrations on startup, first admin in the browser (Deployment, Configuration).
Make it boring: TLS, real AUXOT_BASE_URL, secrets manager, pinned image tags, managed databases (Deployment, Security).
Operate like a product: replicas where supported, health probes, egress rules for workers, license via env when IaC demands it (Deployment, Configuration, View and manage your License).

The OSS auxot-router path (Run the open-source inference router) stays deliberately tiny (no Postgres agents). Auxot Server is the Go binary + data stores in the architecture diagram (What is Auxot?). Same word Auxot, different surface area: pick on purpose before you paste YAML into prod.

Nothing promotes itself: you pin versions, you rotate AUXOT_SECRET_KEY with eyes open (encrypted credentials depend on it; see Configuration).

Quick start

Stage 0: Compose smoke — curl the published Compose file, export AUXOT_SECRET_KEY, docker compose up -d, open the URL your bundle prints (often http://localhost:8080 for that flow) (Deployment).
Stage 1: Required env contract — DATABASE_URL, REDIS_URL, AUXOT_SECRET_KEY (+ AUXOT_BASE_URL before links lie) (Configuration).
Stage 2: Production hardening — managed Postgres/Redis, reverse-proxy TLS, no :latest tag in prod (Deployment).
Stage 3: Orchestration fit — systemd on a VM or Kubernetes Deployment + probes: server stateless; state in Postgres/Redis (Deployment).
Workers stay satellite — GPU / CLI / tools workers connect outbound; don’t collapse them into the server container mentally (Security, Connect a GPU worker, Run the tools worker (auxot-tools)).

Done? Written stage plan your team can annotate: who owns DB backups, who patches the proxy, and where worker logs land.

The agent can do that?

1. Stage plan from constraints

Chat → Admin Agent:

We're self-hosting Auxot Server on [cloud | on-prem K8s | single VM]. Constraints: [managed DB y/n], [air-gap y/n], [GPU workers same VPC y/n]. Using only published Deployment + Configuration pages, list stages 0–3 with exit criteria we can tick in a runbook.

Why it’s non-obvious: Marketing says self-hosted once; engineering needs ordered gates: Admin Agent compresses docs because you pasted topology, not because it audits prod silently.

2. URL + port coherence

Our compose README says :8080; API tutorials sometimes sample :8420; OSS router docs use :8080 too. When we're behind nginx TLS terminating at 443, what should `AUXOT_BASE_URL` be and what breaks if it's wrong? Short bullet answer.

Why it’s non-obvious: Wrong AUXOT_BASE_URL ships bad invite links and OAuth redirects (Security): paste confusion early.

3. Security checklist handoff

Draft a one-page “ready for security review” memo mapped to the Self-Hosting Security checklist — tick boxes we must evidence vs boxes that are policy-only. We'll attach infra diagrams separately.

Why it’s non-obvious: Checklists without owners become theater: Admin Agent formats rows you still prove with tickets.

Go deeper

License keys in IaC

AUXOT_LICENSE_KEY before process start: plus UI / Admin Agent paths (Configuration, View and manage your License). Offline Ed25519 verification: no license callback phone-home (Security).

Air-gapped

Image tar + worker binaries + pre-pulled models: transfer story in Deployment. Expect your registry discipline; Helm chart called roadmap-only there.

Kubernetes

Replicas safe: stateless server; scale DB/Redis per your platform rules (Deployment). GPU nodes remain a different scheduling concern than the Auxot Deployment.

HTTP APIs after bring-up

Same OpenAI / Anthropic-compatible routes as cloud: base URL is yours (Call the OpenAI-compatible Chat Completions API, Call the Anthropic-compatible Messages API).

Security checklist (condensed from manual)

Strong AUXOT_SECRET_KEY in a secrets manager · TLS · strong admin password · correct AUXOT_BASE_URL · restrict DB to Auxot · worker egress limits · Postgres SSL · rotate worker keys · monitor auth failures (Security).

Walkthrough

Step 1: Run stage 0 locally or on a sandbox host

Follow Docker Compose in Deployment. Confirm you can create the first admin (Configuration).

Step 2: Promote secrets

Move AUXOT_SECRET_KEY (and DB passwords) into your vault pattern: .env permissions alone aren’t the finish line (Deployment).

Step 3: Swap in managed data stores

Point DATABASE_URL / REDIS_URL at managed endpoints; require TLS on Postgres (sslmode=require appears in examples: align with your provider) (Deployment, Security).

Step 4: Front with TLS

Terminate HTTPS at nginx/Caddy/your LB; set AUXOT_BASE_URL to the public origin users type (Security).

Step 5: Choose systemd vs Kubernetes

Lift the unit file or manifests from Deployment; pin image: tags for prod.

Step 6: Attach workers deliberately

Configure GPU / CLI / tools workers against this deployment’s URL: outbound-only expectation unchanged (Security).

What’s next

→ Trigger a workflow from GitHub Actions. Intake workflow_dispatch against the same https:// origin once CI should own recurring jobs.
→ Finish first-run onboarding. Browser welcome wizard after Server responds: owner /app/onboarding, teammates wait behind onboarding-blocked until it clears.
→ View and manage your License. Tier truth and AUXOT_LICENSE_KEY placement after the binary stays up.
→ Connect a GPU worker. Commercial worker path once Server listens on your URL.
→ Run the tools worker (auxot-tools). Tool execution beside Server or OSS stacks.
→ Run the open-source inference router. Use it when Postgres agents are explicitly not in scope.
→ Back up and export your Auxot data. Postgres/Redis backup ownership, audit API egress, and what secrets need re-entry after restore.
→ Deployment. Compose, systemd, Kubernetes, air-gap detail pages.

Reference

Manual: Deployment, Configuration, Security, What is Auxot?
Licensing: Licensing
See also: Call the OpenAI-compatible Chat Completions API, Trigger a workflow from GitHub Actions, Finish first-run onboarding, Harden your intake webhooks, Take Auxot’s pulse in 10 seconds